[erlang-patches] new version elliptic curve support
Andreas Schultz
aschultz@REDACTED
Thu Mar 21 18:17:17 CET 2013
Hi,
----- Original Message -----
> Hi!
>
> Andreas Schultz wrote:
> > Hi Ingela,
> >
> > ----- Original Message -----
> >
> >> Hi Andreas!
> >>
> >> Regarding the ciphers_dsa_signed_cert that fails on windows XP /7,
> >> solaris and powerpc. Old openssl versions 0.9.8-r and 0.9.8-o I have
> >> found the following
> >> statement from openssl:
> >>
> >> "Support for ECC is by default disabled in the stable 0.9.8 release, and
> >> is slated for production use with 0.9.9 "
> >>
> >> So I will disable ECC cipher tests for those openssl versions.
> >>
> >
> > I doubt that this will change anything.
> >
> > With the openssl cipher filter in the test suite
> > (https://github.com/RoadRunnr/otp/commit/9ef7c20be988faceb79ec7ecdb1e44f9673a1e5d)
> > only ciphers actually announced by openssl should be tested.
> > 'OpenSSL 0.9.8r 8 Feb 2011' on my system does not announce any EC ciphers,
> > so they should not be negotiated or tested in any case.
> >
> >
> The test case will offer only one cipher suite at the time and it is the
> suite {ecdhe_rsa,aes_256_cbc,sha} that
> causes the failiur, see also below.
>
> > Also, the way I understand RFC-4492, DSA signed certificates are not
> > compatible
> > with any of the EC cipher suites, only RSA or ECDSA signed certificates
> > are permitted, so the DSA test should not event attempt to use EC.
> >
> only the ciphers_rsa_signed is failing on other machins than the windows
> 7 machine.
>
> > The logs from the test suite do not offer much information on why the
> > test was actually aborted. The logged timeout is merely a result of the
> > real problem. So I was thinking about amending the test case with a bit
> > more diagnostic output, like cipher suite currently tested and also the
> > real abort message from the other party.
> >
> >
> Yes I changed ct:print to ct:log now the log says:
>
> **** User 2013-03-21 08:38:57.494 **** Testing CipherSuite
> {ecdhe_rsa,aes_256_cbc,sha}
uhm, OpenSSL 0.9.8-r should not support ECDHE, the openssl cipher filter from
https://github.com/RoadRunnr/otp/commit/9ef7c20be988faceb79ec7ecdb1e44f9673a1e5d
should have prevented this cipher suite being tried in the test.
could you check 'openssl ciphers' on the systems where this test is
failing?
A default 0.9.8r should have:
# ./openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5
Andreas
--
--
Dipl. Inform.
Andreas Schultz
email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073
------------------ managed broadband access ------------------
Travelping GmbH phone: +49-391-8190990
Roentgenstr. 13 fax: +49-391-819099299
D-39108 Magdeburg email: info@REDACTED
GERMANY web: http://www.travelping.com
Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
More information about the erlang-patches
mailing list