[erlang-patches] TLS 1.2 hash fixes

Andreas Schultz aschultz@REDACTED
Sun Oct 28 16:25:50 CET 2012


Hi,

Please disregard my last mail. The SRP and PSK patches introduce TLS 1.2 ciphers
that do default to sha384, so the extended hash_size method is required should the
SPR and PSK ciphers be accepted.

Andreas

----- Original Message -----
> Hi,
> 
> Here is an update to the sha224 ssl branch:
> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
> 
> Tree is correctly based on master now.
> 
> I have dropped the hash_size changes. After reviewing the call patch
> for hash_size, it became apparent that the original comment is
> correct.
> I am absolutely sure that I did hit hash_size with a stronger hash,
> but
> I am unable to reproduce it. So it is probably better to leave that
> alone.
> 
> The other change still applies.
> 
> Andreas
> 
> ----- Original Message -----
> > First and foremost:
> > You should not base any branches on a ' pu' branch, as they will
> > frequently be rebuilt from scratch on top of the current
> > development
> > branch.
> > Base branches upon 'master' or 'maint' depending on where we are in
> > the release cycle and if it is a feature or a bug etc.
> > More information here:
> > https://github.com/erlang/otp/wiki/Submitting-patches
> > 
> > Secondly: Thank you for your contribution, I have rebased your
> > branch
> > upon 'master' and included it in 'master-pu'
> > 
> > If this are to be included in master, you will most likely have to
> > add this in the documentation, and in the test.
> > 
> > 
> > 
> > On 10/18/2012 07:24 PM, Andreas Schultz wrote:
> > 
> > 
> > 
> > Hi,
> > 
> > Here are two changes to improve TLS 1.2 higher strength sha hashes.
> > 
> > There is this comment in ssl_cipher:
> > 
> > %% Currently no supported cipher suites defaults to sha384 or
> > sha512
> > %% so these clauses are not needed at the moment.
> > 
> > I'm afraid that this is wrong. With TLS 1.2 the actual hash being
> > used
> > can be negotiated and is not longer fixed to the one specified in
> > the
> > cipher suite. So it is possible to end up with a stronger cipher
> > even
> > when we don't default to one.
> > 
> > The other change adds sha224 to list of support and announced
> > ciphers.
> > It might not be as good as sha256, but should still be stronger
> > that
> > sha1.
> > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
> > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
> > Both changes should apply cleanly on master and master-pu.
> > 
> > Andreas
> > 
> > --
> > /Henrik Nord Erlang/OTP
> > 
> > First and foremost:
> > You should *not* base any branches on a '|pu'| branch, as they will
> > frequently be rebuilt from scratch on top of the current
> > development
> > branch.
> > Base branches upon 'master' or 'maint' depending on where we are in
> > the
> > release cycle and if it is a feature or a bug etc.
> > More information here:
> > https://github.com/erlang/otp/wiki/Submitting-patches
> > 
> > Secondly: Thank you for your contribution, I have rebased your
> > branch
> > upon 'master' and included it in 'master-pu'
> > 
> > If this are to be included in master, you will most likely have to
> > add
> > this in the documentation, and in the test.
> > 
> > 
> > 
> > On 10/18/2012 07:24 PM, Andreas Schultz wrote:
> > > Hi,
> > >
> > > Here are two changes to improve TLS 1.2 higher strength sha
> > > hashes.
> > >
> > > There is this comment in ssl_cipher:
> > >
> > > %% Currently no supported cipher suites defaults to sha384 or
> > > sha512
> > > %% so these clauses are not needed at the moment.
> > >
> > > I'm afraid that this is wrong. With TLS 1.2 the actual hash being
> > > used
> > > can be negotiated and is not longer fixed to the one specified in
> > > the
> > > cipher suite. So it is possible to end up with a stronger cipher
> > > even
> > > when we don't default to one.
> > >
> > > The other change adds sha224 to list of support and announced
> > > ciphers.
> > > It might not be as good as sha256, but should still be stronger
> > > that
> > > sha1.
> > >
> > > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
> > > https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
> > >
> > > Both changes should apply cleanly on master and master-pu.
> > >
> > > Andreas
> > 
> > --
> > /Henrik Nord Erlang/OTP
> > 
> > 
> 
> --
> --
> Dipl. Inform.
> Andreas Schultz
> 
> email: as@REDACTED
> phone: +49-391-819099-224
> mobil: +49-170-2226073
> 
> ------------------ managed broadband access ------------------
> 
> Travelping GmbH               phone:           +49-391-8190990
> Roentgenstr. 13               fax:           +49-391-819099299
> D-39108 Magdeburg             email:       info@REDACTED
> GERMANY                       web:   http://www.travelping.com
> 
> Company Registration: HRB21276 Handelsregistergericht Chemnitz
> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
> --------------------------------------------------------------
> _______________________________________________
> erlang-patches mailing list
> erlang-patches@REDACTED
> http://erlang.org/mailman/listinfo/erlang-patches
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------




More information about the erlang-patches mailing list