[erlang-questions] cipher negotiation problem in SSL application when using PFS only

Bernd May bm@REDACTED
Thu Jan 22 23:42:04 CET 2015


Hi List,

I have spent the past two days fiddling with Erlang for the first time
in my life, mainly because I want to use RabbitMQ in what seems to be a
yet more unusual way. During that fiddling I have encountered an error
that I have a hard time debugging. Here is the scenario:

Whenever I try to configure RabbitMQ to use SSL with PFS ciphers (that
is DHE and ECDHE) only, I receive the following error:

=ERROR REPORT==== 21-Jan-2015::20:16:30 ===
SSL: hello: tls_handshake.erl:116:Fatal error: insufficient security

Now I thought this might be some sort of error due to the source of
RabbitMQ, so to rule that out I wrote a small Erlang program to test SSL
according to the manual here
http://www.erlang.org/doc/apps/ssl/using_ssl.html . Unfortunately to no
avail. Whenever I set the ciphers option to only include PFS ciphers I
receive the same error. If I include aes256,sha256 for example, the
connection setup works, using that cipher.

Some searching around the web and on the OpenSSL site about the error
code brought me to the conclusion that there is something wrong with the cipher
negotiation between client and server. So on to Wireshark and let's see
what happens there - nope, the client sends the correct cipher set,
whether I use openssl s_client or a sample Erlang SSL program. The
server however simply sends the above TLS alert and closes the connection.
This led me to the conclusion that the server cipher list is either
empty or the matching between my sent list and the server list does not
work. (Yes, I tested a simple openssl s_client to s_server connection
with the PFS cipher only - that works flawlessly.)

Unfortunately I have so far been unsuccessful in debugging said part of
the connection setup. I have tried my way around the dbg application but
since I am more or less a newbie to Erlang my attempts have been in
vain. Which is why I finally write to the list:

* How can I further debug this problem? Maybe a suggestion on the server
code I used so far, posted here http://pastebin.com/ZfAtnSbU
* Anyone got a hint why this does not work? Please have a look at the
pastebin.

I am running R17.4 and R16B03, on Ubuntu 14.04. Both incur the described
problem.

Many thanks in advance.

-- 
Bernd May
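
One way to narrow down where a PFS-only cipher list stops matching, as an added example that is not part of the original message or the pastebin: it checks which requested suites the local runtime provides and which of those a server key of a given type can authenticate. The module and function names, the sample suite list and the RSA key type are assumptions; `ssl:cipher_suites/0` is assumed to return tuples, as in the R16/R17 releases named in the post.

```erlang
-module(pfs_check).
-export([pfs_only/1, split_supported/2, usable_with_key/2, main/0]).

%% Key exchanges that provide forward secrecy.
-define(PFS_KEX, [dhe_rsa, dhe_dss, ecdhe_rsa, ecdhe_ecdsa]).

%% Suites are tuples whose first element is the key exchange,
%% e.g. {dhe_rsa, aes_256_cbc, sha256}.
kex(Suite) when is_tuple(Suite) -> element(1, Suite).

%% Keep only the suites with a DHE or ECDHE key exchange.
pfs_only(Suites) ->
    [S || S <- Suites, lists:member(kex(S), ?PFS_KEX)].

%% {Offered, Missing}: requested suites the runtime does / does not provide.
%% A misspelled or unsupported tuple ends up in Missing.
split_supported(Requested, Supported) ->
    lists:partition(fun(S) -> lists:member(S, Supported) end, Requested).

%% A suite can only be selected if the server certificate's key type
%% matches the authentication part of its key exchange.
usable_with_key(KeyType, Suites) ->
    Allowed = case KeyType of
                  rsa   -> [dhe_rsa, ecdhe_rsa];
                  dsa   -> [dhe_dss];
                  ecdsa -> [ecdhe_ecdsa]
              end,
    [S || S <- Suites, lists:member(kex(S), Allowed)].

main() ->
    ssl:start(),
    %% Constructed sample list, not the one from the post.
    Requested = [{dhe_rsa, aes_256_cbc, sha256},
                 {ecdhe_rsa, aes_256_cbc, sha384},
                 {ecdhe_ecdsa, aes_128_cbc, sha256}],
    Supported = ssl:cipher_suites(),
    {Offered, Missing} = split_supported(pfs_only(Requested), Supported),
    io:format("not provided by this runtime: ~p~n", [Missing]),
    %% Assumption: the server certificate carries an RSA key.
    io:format("selectable with an RSA server key: ~p~n",
              [usable_with_key(rsa, Offered)]).
```

If the last list printed is empty, the server has nothing it can pick from the configured PFS suites.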
