[erlang-questions] self signed certs problem

Wes James comptekki@REDACTED
Fri Oct 4 22:39:37 CEST 2013 

I also found a chromium 28.x for xubuntu and installed that.  It does not
have the same issues as the current Chrome.  Chrome/firefox must be getting
closer/stricter  (??) to the ssl specs?

-wes


On Fri, Oct 4, 2013 at 11:11 AM, Wes James <comptekki@REDACTED> wrote:

> I found where to fix this for now in Loïc's ranch_ssl.erl:
>
> %% Unfortunately the implementation of elliptic-curve ciphers that
> has
> %% been introduced in R16B01 is incomplete.  Depending on the
> particular
> %% client, this can cause the TLS handshake to break during
> key
> %% agreement.  Depending on the ssl application version, this
> function
> %% returns a list of all cipher suites that are supported by
> default,
> %% minus the elliptic-curve
> ones.
>
> -spec unbroken_cipher_suites() -> [ssl:erl_cipher_suite()].
> unbroken_cipher_suites() ->
>     case proplists:get_value(ssl_app, ssl:versions()) of
>         "5.3" ->
>             lists:filter(fun(Suite) ->
>                 string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
>             end, ssl:cipher_suites());
>         _ ->
> %io:format("~n cipher suites: ~p ~n",[ssl:cipher_suites()]),
> %ssl:cipher_suites(),
>
> [{dhe_rsa,aes_256_cbc,sha256},
>  {dhe_dss,aes_256_cbc,sha256},
>  {rsa,aes_256_cbc,sha256},
>  {dhe_rsa,aes_128_cbc,sha256},
>  {dhe_dss,aes_128_cbc,sha256},
>  {rsa,aes_128_cbc,sha256},
>  {dhe_rsa,aes_256_cbc,sha},
>  {dhe_dss,aes_256_cbc,sha},
>  {rsa,aes_256_cbc,sha},
>  {dhe_rsa,'3des_ede_cbc',sha},
>  {dhe_dss,'3des_ede_cbc',sha},
>  {rsa,'3des_ede_cbc',sha},
>  {dhe_rsa,aes_128_cbc,sha},
>  {dhe_dss,aes_128_cbc,sha},
>  {rsa,aes_128_cbc,sha},
>  {rsa,rc4_128,sha},
>  {rsa,rc4_128,md5},
>  {dhe_rsa,des_cbc,sha},
>  {rsa,des_cbc,sha}]
>     end.
>
>
> Thanks,
>
> -wes
>
>
>
> On Fri, Oct 4, 2013 at 8:48 AM, Wes James <comptekki@REDACTED> wrote:
>
>> How would I do this in the .app.src?
>>
>> I have:
>>
>> {application, dbswui, [
>>     {description, "database search web ui."},
>>     {vsn, "0.1.0"},
>>     {modules, []},
>>     {registered, []},
>>     {applications, [
>>         kernel,
>>         stdlib,
>>        crypto,
>>        public_key,
>>        cowlib,
>>         cowboy,
>>         ssl
>>     ]},
>>     {mod, {dbswui_app, []}},
>>     {env, []}
>> ]}.
>>
>> I have this from a previous email from you on list.
>>
>> {ciphers, [{dhe_rsa,aes_256_cbc,sha256},
>>  {dhe_dss,aes_256_cbc,sha256},
>>  {rsa,aes_256_cbc,sha256},
>>  {dhe_rsa,aes_128_cbc,sha256},
>>  {dhe_dss,aes_128_cbc,sha256},
>>  {rsa,aes_128_cbc,sha256},
>>  {dhe_rsa,aes_256_cbc,sha},
>>  {dhe_dss,aes_256_cbc,sha},
>>  {rsa,aes_256_cbc,sha},
>>  {dhe_rsa,'3des_ede_cbc',sha},
>>  {dhe_dss,'3des_ede_cbc',sha},
>>  {rsa,'3des_ede_cbc',sha},
>>  {dhe_rsa,aes_128_cbc,sha},
>>  {dhe_dss,aes_128_cbc,sha},
>>  {rsa,aes_128_cbc,sha},
>>  {rsa,rc4_128,sha},
>>  {rsa,rc4_128,md5},
>>  {dhe_rsa,des_cbc,sha},
>>  {rsa,des_cbc,sha}]}
>>
>> I tried to put this in the env [] list, but it didn't help.
>>
>> Thanks,
>>
>> Wes
>>
>>
>>
>>
>> On Fri, Oct 4, 2013 at 1:44 AM, Ingela Andin <ingela.andin@REDACTED>wrote:
>>
>>> Hi Wes!
>>>
>>> I have heard from several sources that they have problems connecting
>>> with  Firefox and  Chrome
>>> when Elliptic curve cipher suites are enabled.  Elliptic curve ciphers
>>> where first supported at all in R16 and are by default enabled, although
>>> will not be used if the client does not claim to be able to use them.
>>> It does seem though that other clients can connect like curl, s_client
>>> (openssl), some python client and now opera.  I also know that some ECC
>>> ciphers are broken in openssl version 1.0.0 and 1.0.0.a.
>>> So it seems like it is a client problem that you may workaround by
>>> disabling Elliptic Curve cipher suites
>>> until the clients get fixed. Also R16B02 fixes an ECC bug so R16B will
>>> not be better then R16B02, going
>>> back to R15 will work as the ECC ciphers where not supported at all, but
>>> I can see other reasons you would not want to do that.
>>>
>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>
>>>
>>>
>>>
>>> 2013/10/4 Wes James <comptekki@REDACTED>
>>>
>>>> Somewhere along the line I've started having issues with self-signed
>>>> certs.
>>>>
>>>> On xubuntu I've:
>>>>
>>>> recently upgraded chrome and firefox (both having issues)
>>>>
>>>> recently upgraded cowboy to master
>>>>
>>>> recently upgrade to 16B02 (compiled then installed)
>>>>
>>>> I'm having issues accessing sites on https now.  I get an error from
>>>> firefox, but try to accept but get a security error.  On chrome, it just
>>>> says it can't get to the site.  I then tried opera.  I have to confirm some
>>>> boxes on opera, but I can finally see the https sites.
>>>>
>>>> Anyone else having these issues?
>>>>
>>>> I've tried going back to 16B, but still have the issues so I'm not sure
>>>> if it is erlang.  I've tried compiling code with 0.8.1 of cowboy with 16B,
>>>> but still have the same issues (where it was working fine before), so I'm
>>>> not sure where the problem is.
>>>>
>>>> Thanks,
>>>>
>>>> Wes
>>>>
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20131004/c23711f4/attachment.htm>

More information about the erlang-questions mailing list