[erlang-patches] TLS 1.2 hash fixes

Henrik Nord henrik@REDACTED
Mon Oct 29 11:20:52 CET 2012


Then I suggest you move that commit to the branch introducing those ciphers.

And keep this branch as an advertise sha224 support branch

/Henrik

On 10/28/2012 04:25 PM, Andreas Schultz wrote:
> Hi,
>
> Please disregard my last mail. The SRP and PSK patches introduce TLS 1.2 ciphers
> that do default to sha384, so the extended hash_size method is required should the
> SRP and PSK ciphers be accepted.
>
> Andreas
>
> ----- Original Message -----
>> Hi,
>>
>> Here is an update to the sha224 ssl branch:
>> https://github.com/RoadRunnr/otp/compare/master...ssl-sha224-fixes
>>
>> Tree is correctly based on master now.
>>
>> I have dropped the hash_size changes. After reviewing the call path
>> for hash_size, it became apparent that the original comment is
>> correct.
>> I am absolutely sure that I did hit hash_size with a stronger hash,
>> but I am unable to reproduce it. So it is probably better to leave
>> that alone.
>>
>> The other change still applies.
>>
>> Andreas
>>
>> ----- Original Message -----
>>> First and foremost:
>>> You should *not* base any branches on a 'pu' branch, as they will
>>> frequently be rebuilt from scratch on top of the current development
>>> branch.
>>> Base branches upon 'master' or 'maint' depending on where we are in the
>>> release cycle and if it is a feature or a bug etc.
>>> More information here:
>>> https://github.com/erlang/otp/wiki/Submitting-patches
>>>
>>> Secondly: Thank you for your contribution, I have rebased your branch
>>> upon 'master' and included it in 'master-pu'
>>>
>>> If this is to be included in master, you will most likely have to add
>>> this in the documentation, and in the test.
>>>
>>>
>>>
>>> On 10/18/2012 07:24 PM, Andreas Schultz wrote:
>>>> Hi,
>>>>
>>>> Here are two changes to improve TLS 1.2 higher strength sha hashes.
>>>>
>>>> There is this comment in ssl_cipher:
>>>>
>>>> %% Currently no supported cipher suites defaults to sha384 or sha512
>>>> %% so these clauses are not needed at the moment.
>>>>
>>>> I'm afraid that this is wrong. With TLS 1.2 the actual hash being used
>>>> can be negotiated and is no longer fixed to the one specified in the
>>>> cipher suite. So it is possible to end up with a stronger cipher even
>>>> when we don't default to one.
>>>>
>>>> The other change adds sha224 to list of supported and announced
>>>> ciphers.
>>>> It might not be as good as sha256, but should still be stronger than
>>>> sha1.
>>>>
>>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes
>>>> https://github.com/RoadRunnr/otp/compare/master-pu...ssl-sha224-fixes.patch
>>>>
>>>> Both changes should apply cleanly on master and master-pu.
>>>>
>>>> Andreas
>>> --
>>> /Henrik Nord Erlang/OTP
>>>
>>>
>> --
>> --
>> Dipl. Inform.
>> Andreas Schultz
>>
>> email: as@REDACTED
>> phone: +49-391-819099-224
>> mobil: +49-170-2226073
>>
>> ------------------ managed broadband access ------------------
>>
>> Travelping GmbH               phone:           +49-391-8190990
>> Roentgenstr. 13               fax:           +49-391-819099299
>> D-39108 Magdeburg             email:       info@REDACTED
>> GERMANY                       web:   http://www.travelping.com
>>
>> Company Registration: HRB21276 Handelsregistergericht Chemnitz
>> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
>> --------------------------------------------------------------

-- 
/Henrik Nord Erlang/OTP
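
Added example, not code from the patch or from OTP's ssl application: in TLS 1.2 a peer announces hashes such as sha224 in the signature_algorithms extension (RFC 5246, section 7.4.1.4.1) as hash/signature byte pairs, and each hash has its own digest length. The module name, function names and atoms below are hypothetical, and the sample list in demo/0 is constructed.

```erlang
%% Added illustration; not taken from OTP's ssl application.
-module(sigalgs_example).
-export([digest_size/1, encode/1, decode/1, demo/0]).

%% {Name, HashAlgorithm id, digest length in bytes}; ids per RFC 5246.
-define(HASHES, [{md5, 1, 16}, {sha, 2, 20}, {sha224, 3, 28},
                 {sha256, 4, 32}, {sha384, 5, 48}, {sha512, 6, 64}]).
%% {Name, SignatureAlgorithm id}; ids per RFC 5246.
-define(SIGNS, [{anon, 0}, {rsa, 1}, {dsa, 2}, {ecdsa, 3}]).

digest_size(Hash) ->
    {Hash, _Id, Size} = lists:keyfind(Hash, 1, ?HASHES),
    Size.

%% Build the extension body: a 16-bit byte length, then one
%% {hash, signature} byte pair per announced algorithm.
encode(Pairs) ->
    Body = << <<(hash_id(H)):8, (sign_id(S)):8>> || {H, S} <- Pairs >>,
    <<(byte_size(Body)):16, Body/binary>>.

%% Parse a peer's list. Pairs carrying ids missing from the tables above
%% are dropped; an empty, odd or inconsistent length is rejected.
decode(<<Len:16, Body:Len/binary>>) when Len > 0, Len rem 2 =:= 0 ->
    Named = [{hash_name(H), sign_name(S)} || <<H:8, S:8>> <= Body],
    {ok, [P || {H, S} = P <- Named, H =/= undefined, S =/= undefined]};
decode(_) ->
    {error, malformed}.

hash_id(Name) -> {Name, Id, _} = lists:keyfind(Name, 1, ?HASHES), Id.
sign_id(Name) -> {Name, Id} = lists:keyfind(Name, 1, ?SIGNS), Id.
hash_name(Id) -> name(lists:keyfind(Id, 2, ?HASHES)).
sign_name(Id) -> name(lists:keyfind(Id, 2, ?SIGNS)).

name(false) -> undefined;
name(Tuple) -> element(1, Tuple).

%% Constructed sample: announce sha224 next to sha256 and sha, parse the
%% bytes back, and attach the digest length each negotiated hash needs.
demo() ->
    Wire = encode([{sha256, rsa}, {sha224, rsa}, {sha, rsa}]),
    {ok, Pairs} = decode(Wire),
    [{H, S, digest_size(H)} || {H, S} <- Pairs].
```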



