[erlang-patches] new version elliptic curve support

Andreas Schultz <>
Thu Mar 21 18:17:17 CET 2013


Hi,

----- Original Message -----
> Hi!
> 
> Andreas Schultz wrote:
> > Hi Ingela,
> >
> > ----- Original Message -----
> >   
> >> Hi Andreas!
> >>
> >> Regarding the ciphers_dsa_signed_cert  that fails on windows XP /7,
> >> solaris and powerpc. Old openssl versions 0.9.8-r and 0.9.8-o I have
> >> found the following
> >> statement from openssl:
> >>
> >> "Support for ECC is by default disabled in the stable 0.9.8 release, and
> >> is slated for production use with 0.9.9 "
> >>
> >> So I will disable ECC cipher tests for those openssl versions.
> >>     
> >
> > I doubt that this will change anything.
> >
> > With the openssl cipher filter in the test suite
> > (https://github.com/RoadRunnr/otp/commit/9ef7c20be988faceb79ec7ecdb1e44f9673a1e5d)
> > only ciphers actually announced by openssl should be tested.
> > 'OpenSSL 0.9.8r 8 Feb 2011' on my system does not announce any EC ciphers,
> > so they should not be negotiated or tested in any case.
> >
> >   
> The test case will offer only one cipher suite at a time and it is the
> suite {ecdhe_rsa,aes_256_cbc,sha} that
> causes the failure, see also below.
> 
> > Also, the way I understand RFC-4492, DSA signed certificates are not
> > compatible
> > with any of the EC cipher suites, only RSA or ECDSA signed certificates
> > are permitted, so the DSA test should not even attempt to use EC.
> >   
> only the ciphers_rsa_signed is failing on other machines than the windows
> 7 machine.
> 
> > The logs from the test suite do not offer much information on why the
> > test was actually aborted. The logged timeout is merely a result of the
> > real problem. So I was thinking about amending the test case with a bit
> > more diagnostic output, like cipher suite currently tested and also the
> > real abort message from the other party.
> >
> >   
> Yes I changed ct:print to ct:log now the log says:
> 
> **** User 2013-03-21 08:38:57.494 **** Testing CipherSuite
> {ecdhe_rsa,aes_256_cbc,sha}

Uhm, OpenSSL 0.9.8-r should not support ECDHE; the openssl cipher filter from
https://github.com/RoadRunnr/otp/commit/9ef7c20be988faceb79ec7ecdb1e44f9673a1e5d
should have prevented this cipher suite from being tried in the test.

Could you check 'openssl ciphers' on the systems where this test is
failing?

A default 0.9.8r should have:
# ./openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Andreas

-- 
Dipl. Inform.
Andreas Schultz

email: 
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------ managed broadband access ------------------

Travelping GmbH               phone:           +49-391-8190990
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       
GERMANY                       web:   http://www.travelping.com

Company Registration: HRB21276 Handelsregistergericht Chemnitz
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
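
Added example, not part of the original message and not the filter from the linked commit: a shell check that takes an 'openssl ciphers' list, counts the EC suites it announces, and drops candidate suites the build does not announce. The function names are hypothetical and the sample list is the 0.9.8r output quoted above.

```shell
#!/bin/sh
# Constructed sample input: the default 0.9.8r `openssl ciphers` list quoted above.
ANNOUNCED_098R='DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5'

# Print each announced suite once, one per line.
announced_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | sort -u
}

# True when an OpenSSL suite name uses EC key exchange or ECDSA authentication.
is_ec_suite() {
    case "$1" in
        ECDH-*|ECDHE-*|AECDH-*|*-ECDSA-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count announced EC suites; 0 means no EC suite should ever be offered.
count_ec() {
    n=0
    for s in $(announced_suites "$1"); do
        if is_ec_suite "$s"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# filter_candidates LIST NAME...: print only the candidates present in LIST.
# Matching on ":NAME:" keeps AES256-SHA from matching inside DHE-RSA-AES256-SHA.
filter_candidates() {
    list=$1
    shift
    for c in "$@"; do
        case ":$list:" in
            *":$c:"*) printf '%s\n' "$c" ;;
            *) printf 'skip %s: not announced by this build\n' "$c" >&2 ;;
        esac
    done
}

# Against a live build, pass "$(openssl ciphers)" instead of the sample.
echo "EC suites announced: $(count_ec "$ANNOUNCED_098R")"
filter_candidates "$ANNOUNCED_098R" ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA
```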


