[erlang-questions] self signed certs problem

Ingela Andin <>
Tue Oct 8 09:31:33 CEST 2013


Hi!

As it turns out, it looks no better than that there where several problems,
located both on the erlang side and on the other side. Problems that
however did not occur when using openssl.

You can find a patch for it here that will be included in the next OTP
release.

https://github.com/IngelaAndin/otp/tree/ia/ssl/ecc-gnutls

The good thing is that it should solve all the problems as it will
make forinstance gnu-tls take a different path through its code.


Regards Ingela Erlang/OTP team - Ericsson AB



2013/10/4 Wes James <>

> I also found a chromium 28.x for xubuntu and installed that.  It does not
> have the same issues as the current Chrome.  Chrome/firefox must be getting
> closer/stricter  (??) to the ssl specs?
>
> -wes
>
>
> On Fri, Oct 4, 2013 at 11:11 AM, Wes James <> wrote:
>
>> I found where to fix this for now in Loïc's ranch_ssl.erl:
>>
>> %% Unfortunately the implementation of elliptic-curve ciphers that
>> has
>> %% been introduced in R16B01 is incomplete.  Depending on the
>> particular
>> %% client, this can cause the TLS handshake to break during
>> key
>> %% agreement.  Depending on the ssl application version, this
>> function
>> %% returns a list of all cipher suites that are supported by
>> default,
>> %% minus the elliptic-curve
>> ones.
>>
>> -spec unbroken_cipher_suites() -> [ssl:erl_cipher_suite()].
>> unbroken_cipher_suites() ->
>>     case proplists:get_value(ssl_app, ssl:versions()) of
>>         "5.3" ->
>>             lists:filter(fun(Suite) ->
>>                 string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
>>             end, ssl:cipher_suites());
>>         _ ->
>> %io:format("~n cipher suites: ~p ~n",[ssl:cipher_suites()]),
>> %ssl:cipher_suites(),
>>
>> [{dhe_rsa,aes_256_cbc,sha256},
>>  {dhe_dss,aes_256_cbc,sha256},
>>  {rsa,aes_256_cbc,sha256},
>>  {dhe_rsa,aes_128_cbc,sha256},
>>  {dhe_dss,aes_128_cbc,sha256},
>>  {rsa,aes_128_cbc,sha256},
>>  {dhe_rsa,aes_256_cbc,sha},
>>  {dhe_dss,aes_256_cbc,sha},
>>  {rsa,aes_256_cbc,sha},
>>  {dhe_rsa,'3des_ede_cbc',sha},
>>  {dhe_dss,'3des_ede_cbc',sha},
>>  {rsa,'3des_ede_cbc',sha},
>>  {dhe_rsa,aes_128_cbc,sha},
>>  {dhe_dss,aes_128_cbc,sha},
>>  {rsa,aes_128_cbc,sha},
>>  {rsa,rc4_128,sha},
>>  {rsa,rc4_128,md5},
>>  {dhe_rsa,des_cbc,sha},
>>  {rsa,des_cbc,sha}]
>>     end.
>>
>>
>> Thanks,
>>
>> -wes
>>
>>
>>
>> On Fri, Oct 4, 2013 at 8:48 AM, Wes James <> wrote:
>>
>>> How would I do this in the .app.src?
>>>
>>> I have:
>>>
>>> {application, dbswui, [
>>>     {description, "database search web ui."},
>>>     {vsn, "0.1.0"},
>>>     {modules, []},
>>>     {registered, []},
>>>     {applications, [
>>>         kernel,
>>>         stdlib,
>>>        crypto,
>>>        public_key,
>>>        cowlib,
>>>         cowboy,
>>>         ssl
>>>     ]},
>>>     {mod, {dbswui_app, []}},
>>>     {env, []}
>>> ]}.
>>>
>>> I have this from a previous email from you on list.
>>>
>>> {ciphers, [{dhe_rsa,aes_256_cbc,sha256},
>>>  {dhe_dss,aes_256_cbc,sha256},
>>>  {rsa,aes_256_cbc,sha256},
>>>  {dhe_rsa,aes_128_cbc,sha256},
>>>  {dhe_dss,aes_128_cbc,sha256},
>>>  {rsa,aes_128_cbc,sha256},
>>>  {dhe_rsa,aes_256_cbc,sha},
>>>  {dhe_dss,aes_256_cbc,sha},
>>>  {rsa,aes_256_cbc,sha},
>>>  {dhe_rsa,'3des_ede_cbc',sha},
>>>  {dhe_dss,'3des_ede_cbc',sha},
>>>  {rsa,'3des_ede_cbc',sha},
>>>  {dhe_rsa,aes_128_cbc,sha},
>>>  {dhe_dss,aes_128_cbc,sha},
>>>  {rsa,aes_128_cbc,sha},
>>>  {rsa,rc4_128,sha},
>>>  {rsa,rc4_128,md5},
>>>  {dhe_rsa,des_cbc,sha},
>>>  {rsa,des_cbc,sha}]}
>>>
>>> I tried to put this in the env [] list, but it didn't help.
>>>
>>> Thanks,
>>>
>>> Wes
>>>
>>>
>>>
>>>
>>> On Fri, Oct 4, 2013 at 1:44 AM, Ingela Andin <>wrote:
>>>
>>>> Hi Wes!
>>>>
>>>> I have heard from several sources that they have problems connecting
>>>> with  Firefox and  Chrome
>>>> when Elliptic curve cipher suites are enabled.  Elliptic curve ciphers
>>>> where first supported at all in R16 and are by default enabled, although
>>>> will not be used if the client does not claim to be able to use them.
>>>> It does seem though that other clients can connect like curl, s_client
>>>> (openssl), some python client and now opera.  I also know that some ECC
>>>> ciphers are broken in openssl version 1.0.0 and 1.0.0.a.
>>>> So it seems like it is a client problem that you may workaround by
>>>> disabling Elliptic Curve cipher suites
>>>> until the clients get fixed. Also R16B02 fixes an ECC bug so R16B will
>>>> not be better then R16B02, going
>>>> back to R15 will work as the ECC ciphers where not supported at all,
>>>> but I can see other reasons you would not want to do that.
>>>>
>>>> Regards Ingela Erlang/OTP team - Ericsson AB
>>>>
>>>>
>>>>
>>>>
>>>> 2013/10/4 Wes James <>
>>>>
>>>>> Somewhere along the line I've started having issues with self-signed
>>>>> certs.
>>>>>
>>>>> On xubuntu I've:
>>>>>
>>>>> recently upgraded chrome and firefox (both having issues)
>>>>>
>>>>> recently upgraded cowboy to master
>>>>>
>>>>> recently upgrade to 16B02 (compiled then installed)
>>>>>
>>>>> I'm having issues accessing sites on https now.  I get an error from
>>>>> firefox, but try to accept but get a security error.  On chrome, it just
>>>>> says it can't get to the site.  I then tried opera.  I have to confirm some
>>>>> boxes on opera, but I can finally see the https sites.
>>>>>
>>>>> Anyone else having these issues?
>>>>>
>>>>> I've tried going back to 16B, but still have the issues so I'm not
>>>>> sure if it is erlang.  I've tried compiling code with 0.8.1 of cowboy with
>>>>> 16B, but still have the same issues (where it was working fine before), so
>>>>> I'm not sure where the problem is.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Wes
>>>>>
>>>>> _______________________________________________
>>>>> erlang-questions mailing list
>>>>> 
>>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20131008/0b84d271/attachment.html>


More information about the erlang-questions mailing list