[erlang-patches] TLS 1.2 hash fixes

Henrik Nord <>
Wed Nov 21 10:27:24 CET 2012


On 2012-11-18 12:30, Andreas Schultz wrote:
> Hi Henrik,
>
> Mail to  got rejected, but I guess the patches ML should
> be ok for this.
>
> I have rebased both branches ssl-sha224-fixes and tls-psk-srp-suites.
>
> I moved the patch that enables the required hashes for the psk and
> srp TLS 1.2 ciphers to the proper branch. The ssl-sha224-fixes branch
> now only contains the bit that advertises sha224 for TLS 1.2 handshakes.

Nice!
Thank you
>
>
> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes.patch
>
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites
> https://github.com/RoadRunnr/otp/compare/master...tls-psk-srp-suites.patch
>
> Regards
> Andreas
>
> ----- Original Message -----
>> Hi
>>
>> Can you also rebase this on current master.
>>
>> as/tls-psk-srp-suites
>>
>> Thank you
>> On 2012-10-29 11:20, Henrik Nord wrote:
>>> Then I suggest you move that commit to the branch introducing those
>>> ciphers.
>>>
>>> And keep this branch as an advertise sha224 support branch
>>>
>>> /Henrik
>>>
>>> On 10/28/2012 04:25 PM, Andreas Schultz wrote:
>>>> Hi,
>>>>
>>>> Please disregard my last mail. The SRP and PSK patches introduce TLS
>>>> 1.2 ciphers that do default to sha384, so the extended hash_size method
>>>> is required should the SRP and PSK ciphers be accepted.
>>>>
>>>> Andreas
>>>>
>>>> ----- Original Message -----
>>>>> Hi,
>>>>>
>>>>> Here is an update to the sha224 ssl branch:
>>>>> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
>>>>>
>>>>> Tree is correctly based on master now.
>>>>>
>>>>> I have dropped the hash_size changes. After reviewing the call path
>>>>> for hash_size, it became apparent that the original comment is correct.
>>>>> I am absolutely sure that I did hit hash_size with a stronger hash, but
>>>>> I am unable to reproduce it. So it is probably better to leave that
>>>>> alone.
>>>>>
>>>>> The other change still applies.
>>>>>
>>>>> Andreas
>>>>>
>>>>> ----- Original Message -----
>>>>>> First and foremost:
>>>>>> You should not base any branches on a 'pu' branch, as they will
>>>>>> frequently be rebuilt from scratch on top of the current development
>>>>>> branch.
>>>>>> Base branches upon 'master' or 'maint' depending on where we are in
>>>>>> the release cycle and if it is a feature or a bug etc.
>>>>>> More information here:
>>>>>> https://github.com/erlang/otp/wiki/Submitting-patches
>>>>>>
>>>>>> Secondly: Thank you for your contribution, I have rebased your branch
>>>>>> upon 'master' and included it in 'master-pu'
>>>>>>
>>>>>> If this is to be included in master, you will most likely have to
>>>>>> add this in the documentation, and in the test.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 10/18/2012 07:24 PM, Andreas Schultz wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Here are two changes to improve TLS 1.2 higher strength sha hashes.
>>>>>>>
>>>>>>> There is this comment in ssl_cipher:
>>>>>>>
>>>>>>> %% Currently no supported cipher suites defaults to sha384 or sha512
>>>>>>> %% so these clauses are not needed at the moment.
>>>>>>>
>>>>>>> I'm afraid that this is wrong. With TLS 1.2 the actual hash being used
>>>>>>> can be negotiated and is no longer fixed to the one specified in the
>>>>>>> cipher suite. So it is possible to end up with a stronger cipher even
>>>>>>> when we don't default to one.
>>>>>>>
>>>>>>> The other change adds sha224 to the list of supported and announced
>>>>>>> ciphers.
>>>>>>> It might not be as good as sha256, but should still be stronger than
>>>>>>> sha1.
>>>>>>>
>>>>>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
>>>>>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
>>>>>>>
>>>>>>> Both changes should apply cleanly on master and master-pu.
>>>>>>>
>>>>>>> Andreas
>>>>>>
>>>>>> --
>>>>>> /Henrik Nord Erlang/OTP
>>>>> --
>>>>> Dipl. Inform.
>>>>> Andreas Schultz
>> --
>> /Henrik Nord Erlang/OTP
>>
>>

-- 
/Henrik Nord Erlang/OTP
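
The thread talks about advertising sha224 in TLS 1.2 handshakes and about hashes being negotiated independently of the cipher suite. The following added example (not part of the thread and not code from OTP's ssl application) assumes that advertisement is the signature_algorithms extension of RFC 5246, section 7.4.1.4.1, and shows its encoding, a strict decoder, and the digest size each advertised hash implies. The module name, function names and the sample offer list are hypothetical.

```erlang
%% Added example, not OTP code. Names below are hypothetical.
-module(sigalg_example).
-export([encode/1, decode/1, hash_size/1, demo/0]).

-define(SIGNATURE_ALGORITHMS_EXT, 13).   % extension type, RFC 5246
%% HashAlgorithm and SignatureAlgorithm code points from RFC 5246.
-define(HASHES, [{md5,1},{sha,2},{sha224,3},{sha256,4},{sha384,5},{sha512,6}]).
-define(SIGNS,  [{anon,0},{rsa,1},{dsa,2},{ecdsa,3}]).

to_code(Name, Table) ->
    {Name, Code} = lists:keyfind(Name, 1, Table),
    Code.

to_name(Code, Table) ->
    case lists:keyfind(Code, 2, Table) of
        {Name, Code} -> Name;
        false -> {unknown, Code}     % a peer may send values we do not know
    end.

%% Digest length in bytes for every hash a TLS 1.2 peer can pick.
hash_size(md5)    -> 16;
hash_size(sha)    -> 20;
hash_size(sha224) -> 28;
hash_size(sha256) -> 32;
hash_size(sha384) -> 48;
hash_size(sha512) -> 64.

%% Extension = type(2) | ext length(2) | list length(2) | {hash, sign} pairs.
encode(Pairs) ->
    List = << <<(to_code(H, ?HASHES)):8, (to_code(S, ?SIGNS)):8>>
              || {H, S} <- Pairs >>,
    Len = byte_size(List),
    <<?SIGNATURE_ALGORITHMS_EXT:16, (Len + 2):16, Len:16, List/binary>>.

%% Reject inconsistent lengths, empty lists and odd-sized lists.
decode(<<?SIGNATURE_ALGORITHMS_EXT:16, ExtLen:16, Len:16, List:Len/binary>>)
  when ExtLen =:= Len + 2, Len >= 2, Len rem 2 =:= 0 ->
    {ok, [{to_name(H, ?HASHES), to_name(S, ?SIGNS)} || <<H:8, S:8>> <= List]};
decode(_) ->
    {error, malformed}.

%% Constructed sample offer that includes sha224 next to the stronger hashes.
demo() ->
    Offer = [{sha512,rsa},{sha384,rsa},{sha256,rsa},{sha224,rsa},{sha,rsa}],
    {ok, Decoded} = decode(encode(Offer)),
    [{H, S, hash_size(H)} || {H, S} <- Decoded].
```

Because any advertised pair can be selected by the peer, every hash placed in the offer needs a matching `hash_size/1` clause; `demo/0` fails with a `function_clause` error if one is missing.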


