[erlang-patches] TLS 1.2 hash fixes

Andreas Schultz <>
Sun Nov 18 12:30:14 CET 2012


Hi Henrik,

Mail to  got rejected, but I guess the patches ML should
be ok for this.

I have rebased both branches ssl-sha224-fixes and tls-psk-srp-suites.

I moved the patch that enables the required hashes for the psk and
srp TLS 1.2 ciphers to the proper branch. The ssl-sha224-fixes branch
now only contains the bit that advertises sha224 for TLS 1.2 handshakes.


https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes.patch

https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch

Regards
Andreas

----- Original Message -----
> Hi
> 
> Can you also rebase this on current master.
> 
> as/tls-psk-srp-suites
> 
> Thank you
> On 2012-10-29 11:20, Henrik Nord wrote:
> > Then I suggest you move that commit to the branch introducing those
> > ciphers.
> >
> > And keep this branch as an advertise sha224 support branch
> >
> > /Henrik
> >
> > On 10/28/2012 04:25 PM, Andreas Schultz wrote:
> >> Hi,
> >>
> >> Please disregard my last mail. The SRP and PSK patches introduce TLS
> >> 1.2 ciphers that do default to sha384, so the extended hash_size
> >> method is required should the SRP and PSK ciphers be accepted.
> >>
> >> Andreas
> >>
> >> ----- Original Message -----
> >>> Hi,
> >>>
> >>> Here is an update to the sha224 ssl branch:
> >>> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
> >>>
> >>> Tree is correctly based on master now.
> >>>
> >>> I have dropped the hash_size changes. After reviewing the call path
> >>> for hash_size, it became apparent that the original comment is
> >>> correct. I am absolutely sure that I did hit hash_size with a
> >>> stronger hash, but I am unable to reproduce it. So it is probably
> >>> better to leave that alone.
> >>>
> >>> The other change still applies.
> >>>
> >>> Andreas
> >>>
> >>> ----- Original Message -----
> >>>> First and foremost:
> >>>> You should not base any branches on a 'pu' branch, as they will
> >>>> frequently be rebuilt from scratch on top of the current
> >>>> development branch.
> >>>> Base branches upon 'master' or 'maint' depending on where we are in
> >>>> the release cycle and if it is a feature or a bug etc.
> >>>> More information here:
> >>>> https://github.com/erlang/otp/wiki/Submitting-patches
> >>>>
> >>>> Secondly: Thank you for your contribution, I have rebased your
> >>>> branch upon 'master' and included it in 'master-pu'
> >>>>
> >>>> If this is to be included in master, you will most likely have to
> >>>> add this in the documentation, and in the test.
> >>>>
> >>>>
> >>>>
> >>>> On 10/18/2012 07:24 PM, Andreas Schultz wrote:
> >>>>
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> Here are two changes to improve TLS 1.2 higher strength sha hashes.
> >>>>
> >>>> There is this comment in ssl_cipher:
> >>>>
> >>>> %% Currently no supported cipher suites defaults to sha384 or sha512
> >>>> %% so these clauses are not needed at the moment.
> >>>>
> >>>> I'm afraid that this is wrong. With TLS 1.2 the actual hash being
> >>>> used can be negotiated and is no longer fixed to the one specified
> >>>> in the cipher suite. So it is possible to end up with a stronger
> >>>> cipher even when we don't default to one.
> >>>>
> >>>> The other change adds sha224 to the list of supported and announced
> >>>> ciphers.
> >>>> It might not be as good as sha256, but should still be stronger than
> >>>> sha1.
> >>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
> >>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
> >>>>
> >>>> Both changes should apply cleanly on master and master-pu.
> >>>>
> >>>> Andreas
> >>>>
> >>>> --
> >>>> /Henrik Nord Erlang/OTP
> >>>>
> >>>>
> >>> --
> >>> --
> >>> Dipl. Inform.
> >>> Andreas Schultz
> >>>
> >>> email: 
> >>> phone: +49-391-819099-224
> >>> mobil: +49-170-2226073
> >>>
> >>> ------------------ managed broadband access ------------------
> >>>
> >>> Travelping GmbH               phone:           +49-391-8190990
> >>> Roentgenstr. 13               fax:           +49-391-819099299
> >>> D-39108 Magdeburg             email:       
> >>> GERMANY                       web:   http://www.travelping.com
> >>>
> >>> Company Registration: HRB21276 Handelsregistergericht Chemnitz
> >>> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
> >>> --------------------------------------------------------------
> >>>
> >
> 
> --
> /Henrik Nord Erlang/OTP
> 
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
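
Added example, not part of the mails above and not code from the OTP branches they discuss: a sketch of the TLS 1.2 signature_algorithms exchange (RFC 5246, section 7.4.1.4.1), assumed here to be the hash negotiation the first mail in the thread refers to, with a digest size for every hash that can be negotiated, sha224 included. The module name, function names and the offered list are hypothetical and constructed for illustration.

```erlang
-module(tls12_sig_algs).
-export([hash_size/1, encode/1, decode/1, pick/2, demo/0]).

%% {Name, HashAlgorithm code point, digest size in bytes}, RFC 5246 7.4.1.4.1
-define(HASHES, [{md5, 1, 16}, {sha, 2, 20}, {sha224, 3, 28},
                 {sha256, 4, 32}, {sha384, 5, 48}, {sha512, 6, 64}]).
%% {Name, SignatureAlgorithm code point}
-define(SIGNS, [{anon, 0}, {rsa, 1}, {dsa, 2}, {ecdsa, 3}]).

%% Digest size for every hash that can be negotiated, not only suite defaults.
hash_size(Hash) ->
    {Hash, _Id, Size} = lists:keyfind(Hash, 1, ?HASHES),
    Size.

%% Build a signature_algorithms extension (type 13) from {Hash, Sign} pairs.
encode(Pairs) ->
    List = << <<(hash_id(H)):8, (sign_id(S)):8>> || {H, S} <- Pairs >>,
    Len = byte_size(List),
    <<13:16, (Len + 2):16, Len:16, List/binary>>.

%% Parse the extension; unknown code points are skipped, order is kept.
decode(<<13:16, ExtLen:16, Ext:ExtLen/binary>>) ->
    <<Len:16, List:Len/binary>> = Ext,
    [{H, S} || <<HId:8, SId:8>> <= List,
               {H, HI, _} <- ?HASHES, HI =:= HId,
               {S, SI} <- ?SIGNS, SI =:= SId].

%% First pair in the peer's preference order that we also support.
pick(Offered, Supported) ->
    case [P || P <- Offered, lists:member(P, Supported)] of
        [First | _] -> First;
        [] -> none
    end.

hash_id(H) -> {H, Id, _} = lists:keyfind(H, 1, ?HASHES), Id.
sign_id(S) -> {S, Id} = lists:keyfind(S, 1, ?SIGNS), Id.

%% Constructed offer: the peer prefers sha384 and also advertises sha224.
demo() ->
    Ext = encode([{sha384, rsa}, {sha256, rsa}, {sha224, rsa}, {sha, rsa}]),
    {Hash, Sign} = pick(decode(Ext), [{sha, rsa}, {sha224, rsa}, {sha384, rsa}]),
    {Hash, Sign, hash_size(Hash)}.
```

Compile with erlc and call tls12_sig_algs:demo() to see which pair is selected and the digest length that goes with it.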

