[erlang-patches] TLS 1.2 hash fixes
Andreas Schultz
aschultz@REDACTED
Sun Oct 28 16:25:50 CET 2012
Hi,
Please disregard my last mail. The SRP and PSK patches introduce TLS 1.2 ciphers
that do default to sha384, so the extended hash_size method is required should the
SPR and PSK ciphers be accepted.
Andreas
----- Original Message -----
> Hi,
>
> Here is an update to the sha224 ssl branch:
> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
>
> Tree is correctly based on master now.
>
> I have dropped the hash_size changes. After reviewing the call patch
> for hash_size, it became apparent that the original comment is
> correct.
> I am absolutely sure that I did hit hash_size with a stronger hash,
> but
> I am unable to reproduce it. So it is probably better to leave that
> alone.
>
> The other change still applies.
>
> Andreas
>
> ----- Original Message -----
> > First and foremost:
> > You should not base any branches on a ' pu' branch, as they will
> > frequently be rebuilt from scratch on top of the current
> > development
> > branch.
> > Base branches upon 'master' or 'maint' depending on where we are in
> > the release cycle and if it is a feature or a bug etc.
> > More information here:
> > https://github.com/erlang/otp/wiki/Submitting-patches
> >
> > Secondly: Thank you for your contribution, I have rebased your
> > branch
> > upon 'master' and included it in 'master-pu'
> >
> > If this are to be included in master, you will most likely have to
> > add this in the documentation, and in the test.
> >
> >
> >
> > On 10/18/2012 07:24 PM, Andreas Schultz wrote:
> >
> >
> >
> > Hi,
> >
> > Here are two changes to improve TLS 1.2 higher strength sha hashes.
> >
> > There is this comment in ssl_cipher:
> >
> > %% Currently no supported cipher suites defaults to sha384 or
> > sha512
> > %% so these clauses are not needed at the moment.
> >
> > I'm afraid that this is wrong. With TLS 1.2 the actual hash being
> > used
> > can be negotiated and is not longer fixed to the one specified in
> > the
> > cipher suite. So it is possible to end up with a stronger cipher
> > even
> > when we don't default to one.
> >
> > The other change adds sha224 to list of support and announced
> > ciphers.
> > It might not be as good as sha256, but should still be stronger
> > that
> > sha1.
> > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
> > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
> > Both changes should apply cleanly on master and master-pu.
> >
> > Andreas
> >
> > --
> > /Henrik Nord Erlang/OTP
> >
> > First and foremost:
> > You should *not* base any branches on a '|pu'| branch, as they will
> > frequently be rebuilt from scratch on top of the current
> > development
> > branch.
> > Base branches upon 'master' or 'maint' depending on where we are in
> > the
> > release cycle and if it is a feature or a bug etc.
> > More information here:
> > https://github.com/erlang/otp/wiki/Submitting-patches
> >
> > Secondly: Thank you for your contribution, I have rebased your
> > branch
> > upon 'master' and included it in 'master-pu'
> >
> > If this are to be included in master, you will most likely have to
> > add
> > this in the documentation, and in the test.
> >
> >
> >
> > On 10/18/2012 07:24 PM, Andreas Schultz wrote:
> > > Hi,
> > >
> > > Here are two changes to improve TLS 1.2 higher strength sha
> > > hashes.
> > >
> > > There is this comment in ssl_cipher:
> > >
> > > %% Currently no supported cipher suites defaults to sha384 or
> > > sha512
> > > %% so these clauses are not needed at the moment.
> > >
> > > I'm afraid that this is wrong. With TLS 1.2 the actual hash being
> > > used
> > > can be negotiated and is not longer fixed to the one specified in
> > > the
> > > cipher suite. So it is possible to end up with a stronger cipher
> > > even
> > > when we don't default to one.
> > >
> > > The other change adds sha224 to list of support and announced
> > > ciphers.
> > > It might not be as good as sha256, but should still be stronger
> > > that
> > > sha1.
> > >
> > > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
> > > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
> > >
> > > Both changes should apply cleanly on master and master-pu.
> > >
> > > Andreas
> >
> > --
> > /Henrik Nord Erlang/OTP
> >
> >
>
> --
> --
> Dipl. Inform.
> Andreas Schultz
>
> email: as@REDACTED
> phone: +49-391-819099-224
> mobil: +49-170-2226073
>
> ------------------ managed broadband access ------------------
>
> Travelping GmbH phone: +49-391-8190990
> Roentgenstr. 13 fax: +49-391-819099299
> D-39108 Magdeburg email: info@REDACTED
> GERMANY web: http://www.travelping.com
>
> Company Registration: HRB21276 Handelsregistergericht Chemnitz
> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
> --------------------------------------------------------------
> _______________________________________________
> erlang-patches mailing list
> erlang-patches@REDACTED
> http://erlang.org/mailman/listinfo/erlang-patches
>
--
--
Dipl. Inform.
Andreas Schultz
email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073
------------------ managed broadband access ------------------
Travelping GmbH phone: +49-391-8190990
Roentgenstr. 13 fax: +49-391-819099299
D-39108 Magdeburg email: info@REDACTED
GERMANY web: http://www.travelping.com
Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
More information about the erlang-patches
mailing list