[erlang-questions] self signed certs problem

Wes James <>
Fri Oct 4 19:11:31 CEST 2013


I found where to fix this for now in Loïc's ranch_ssl.erl:

%% Unfortunately the implementation of elliptic-curve ciphers that
has
%% been introduced in R16B01 is incomplete.  Depending on the
particular
%% client, this can cause the TLS handshake to break during
key
%% agreement.  Depending on the ssl application version, this
function
%% returns a list of all cipher suites that are supported by
default,
%% minus the elliptic-curve
ones.

-spec unbroken_cipher_suites() -> [ssl:erl_cipher_suite()].
unbroken_cipher_suites() ->
    case proplists:get_value(ssl_app, ssl:versions()) of
        "5.3" ->
            lists:filter(fun(Suite) ->
                string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
            end, ssl:cipher_suites());
        _ ->
%io:format("~n cipher suites: ~p ~n",[ssl:cipher_suites()]),
%ssl:cipher_suites(),
[{dhe_rsa,aes_256_cbc,sha256},
 {dhe_dss,aes_256_cbc,sha256},
 {rsa,aes_256_cbc,sha256},
 {dhe_rsa,aes_128_cbc,sha256},
 {dhe_dss,aes_128_cbc,sha256},
 {rsa,aes_128_cbc,sha256},
 {dhe_rsa,aes_256_cbc,sha},
 {dhe_dss,aes_256_cbc,sha},
 {rsa,aes_256_cbc,sha},
 {dhe_rsa,'3des_ede_cbc',sha},
 {dhe_dss,'3des_ede_cbc',sha},
 {rsa,'3des_ede_cbc',sha},
 {dhe_rsa,aes_128_cbc,sha},
 {dhe_dss,aes_128_cbc,sha},
 {rsa,aes_128_cbc,sha},
 {rsa,rc4_128,sha},
 {rsa,rc4_128,md5},
 {dhe_rsa,des_cbc,sha},
 {rsa,des_cbc,sha}]
    end.


Thanks,

-wes



On Fri, Oct 4, 2013 at 8:48 AM, Wes James <> wrote:

> How would I do this in the .app.src?
>
> I have:
>
> {application, dbswui, [
>     {description, "database search web ui."},
>     {vsn, "0.1.0"},
>     {modules, []},
>     {registered, []},
>     {applications, [
>         kernel,
>         stdlib,
>        crypto,
>        public_key,
>        cowlib,
>         cowboy,
>         ssl
>     ]},
>     {mod, {dbswui_app, []}},
>     {env, []}
> ]}.
>
> I have this from a previous email from you on list.
>
> {ciphers, [{dhe_rsa,aes_256_cbc,sha256},
>  {dhe_dss,aes_256_cbc,sha256},
>  {rsa,aes_256_cbc,sha256},
>  {dhe_rsa,aes_128_cbc,sha256},
>  {dhe_dss,aes_128_cbc,sha256},
>  {rsa,aes_128_cbc,sha256},
>  {dhe_rsa,aes_256_cbc,sha},
>  {dhe_dss,aes_256_cbc,sha},
>  {rsa,aes_256_cbc,sha},
>  {dhe_rsa,'3des_ede_cbc',sha},
>  {dhe_dss,'3des_ede_cbc',sha},
>  {rsa,'3des_ede_cbc',sha},
>  {dhe_rsa,aes_128_cbc,sha},
>  {dhe_dss,aes_128_cbc,sha},
>  {rsa,aes_128_cbc,sha},
>  {rsa,rc4_128,sha},
>  {rsa,rc4_128,md5},
>  {dhe_rsa,des_cbc,sha},
>  {rsa,des_cbc,sha}]}
>
> I tried to put this in the env [] list, but it didn't help.
>
> Thanks,
>
> Wes
>
>
>
>
> On Fri, Oct 4, 2013 at 1:44 AM, Ingela Andin <>wrote:
>
>> Hi Wes!
>>
>> I have heard from several sources that they have problems connecting
>> with  Firefox and  Chrome
>> when Elliptic curve cipher suites are enabled.  Elliptic curve ciphers
>> where first supported at all in R16 and are by default enabled, although
>> will not be used if the client does not claim to be able to use them.
>> It does seem though that other clients can connect like curl, s_client
>> (openssl), some python client and now opera.  I also know that some ECC
>> ciphers are broken in openssl version 1.0.0 and 1.0.0.a.
>> So it seems like it is a client problem that you may workaround by
>> disabling Elliptic Curve cipher suites
>> until the clients get fixed. Also R16B02 fixes an ECC bug so R16B will
>> not be better then R16B02, going
>> back to R15 will work as the ECC ciphers where not supported at all, but
>> I can see other reasons you would not want to do that.
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>>
>>
>>
>> 2013/10/4 Wes James <>
>>
>>> Somewhere along the line I've started having issues with self-signed
>>> certs.
>>>
>>> On xubuntu I've:
>>>
>>> recently upgraded chrome and firefox (both having issues)
>>>
>>> recently upgraded cowboy to master
>>>
>>> recently upgrade to 16B02 (compiled then installed)
>>>
>>> I'm having issues accessing sites on https now.  I get an error from
>>> firefox, but try to accept but get a security error.  On chrome, it just
>>> says it can't get to the site.  I then tried opera.  I have to confirm some
>>> boxes on opera, but I can finally see the https sites.
>>>
>>> Anyone else having these issues?
>>>
>>> I've tried going back to 16B, but still have the issues so I'm not sure
>>> if it is erlang.  I've tried compiling code with 0.8.1 of cowboy with 16B,
>>> but still have the same issues (where it was working fine before), so I'm
>>> not sure where the problem is.
>>>
>>> Thanks,
>>>
>>> Wes
>>>
>>> _______________________________________________
>>> erlang-questions mailing list
>>> 
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20131004/a9ce1b88/attachment.html>


More information about the erlang-questions mailing list