[erlang-questions] cipher negotiation problem in SSL application when using PFS only

Ingela Andin ingela.andin@REDACTED
Fri Jan 23 17:22:28 CET 2015


The alert you get means that the client and server had no cipher suites in

You can use

io:format("~p", [ssl:cipher_suites(openssl)]).
io:format("~p", [ssl:cipher_suites(erlang)]).

(use io:format, as the lists returned might be long and get truncated in the shell)

to find out which cipher suites are available on your Erlang node.
This can differ depending on which OpenSSL crypto library the crypto
application is linked to.

Regards, Ingela
Erlang/OTP team - Ericsson AB

2015-01-22 23:42 GMT+01:00 Bernd May <bm@REDACTED>:

> Hi List,
> I have spent the past two days fiddling with erlang for the first time
> in my life mainly because I want to use rabbitMQ in what seems to be a
> yet more unusual way. During that fiddling I have encountered an error
> that I have a hard time debugging. Here is the scenario:
> Whenever I try to configure RabbitMQ to use SSL with PFS ciphers (that
> is DHE and ECDHE) only I receive the following error:
> =ERROR REPORT==== 21-Jan-2015::20:16:30 ===
> SSL: hello: tls_handshake.erl:116:Fatal error: insufficient security
> Now I thought this might be some sort of error due to the source of
> rabbitMQ so to rule that out I wrote a small erlang program to test ssl
> according to the manual here
> http://www.erlang.org/doc/apps/ssl/using_ssl.html . Unfortunately to no
> avail. Whenever I set the ciphers option to only include PFS ciphers I
> receive the same error. If I include aes256,sha256 for example, the
> connection setup works, using that cipher.
> Some searching around the web and on the OpenSSL site about the error
> code got me the conclusion that there is something wrong with the cipher
> negotiation between client and server. So on to wireshark and let's see
> what happens there - nope the client sends the correct cipher set,
> whether I use openssl s_client or a sample erlang ssl program. The
> server however simply sends the above TLS alert and closes the connection.
> This led me to the conclusion that the server cipher list is either
> empty or the matching between my sent list and the serverlist does not
> work. (Yes, I tested a simple openssl s_client to s_server connection
> with the PFS cipher only - that works flawlessly)
> Unfortunately I have so far been unsuccessful in debugging said part of
> the connection setup. I have tried my way around the dbg application but
> since I am more or less a newbie to erlang my attempts have been in
> vain. Which is why I finally write to the list:
> * How can I further debug this problem? Maybe a suggestion on the server
> code I used so far, posted here http://pastebin.com/ZfAtnSbU
> * Anyone got a hint why this does not work? Please have a look at the
> pastebin.
> I am running R17.4 and R16B03, on Ubuntu 14.04. Both incur the described
> problem.
> Many thanks in advance.
> --
> Bernd May
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
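The check Ingela describes, carried one step further, as an added example that is not code from the thread or from the Erlang/OTP project: list the suites the local node can actually negotiate, keep only those with an ephemeral (DHE/ECDHE) key exchange, and intersect a configured cipher list with the available set before handing it to ssl:listen/2, so a misconfiguration is caught at startup instead of surfacing as an insufficient_security alert on every handshake. It assumes the OTP 17/18 tuple form of ssl:cipher_suites(erlang), where the key-exchange atom is the first element of each suite tuple (3-tuples for CBC suites, 4-tuples for AEAD suites); the module name pfs_check, the PFS_KX list and the listen_opts/2 helper are this example's own choices.

```erlang
%% pfs_check.erl -- added example, not from the original thread or from OTP.
%% Assumes ssl:cipher_suites(erlang) returns suite tuples whose first
%% element is the key-exchange atom (OTP 17/18 format).
-module(pfs_check).
-export([available_pfs/0, check/1, listen_opts/2]).

%% Key-exchange methods that provide forward secrecy (ephemeral DH/ECDH).
%% Note: ecdhe_rsa/dhe_rsa need an RSA certificate, ecdhe_ecdsa an ECDSA
%% certificate and dhe_dss a DSA certificate; a suite is only usable with
%% a matching server certificate.
-define(PFS_KX, [dhe_rsa, dhe_dss, ecdhe_rsa, ecdhe_ecdsa]).

%% The key-exchange atom is element 1 in both the 3-tuple and the
%% 4-tuple suite representation.
key_exchange(Suite) when is_tuple(Suite) -> element(1, Suite).

%% All suites this node can negotiate that use a PFS key exchange.
%% Shows the same information as ssl:cipher_suites(erlang), already
%% filtered down to what a PFS-only configuration may use.
available_pfs() ->
    ssl:start(),
    [S || S <- ssl:cipher_suites(erlang),
          lists:member(key_exchange(S), ?PFS_KX)].

%% Intersect a configured cipher list (erlang tuple form) with what the
%% node supports. {error, no_common_suites} is exactly the state in which
%% the server answers every ClientHello with an insufficient_security
%% alert: nothing in the configured list exists on this node.
check(Configured) ->
    ssl:start(),
    Available = ssl:cipher_suites(erlang),
    case [S || S <- Configured, lists:member(S, Available)] of
        []     -> {error, no_common_suites};
        Usable -> {ok, Usable}
    end.

%% Build listen options with a PFS-only cipher list, refusing to start
%% with an empty list rather than producing a server that rejects every
%% client. honor_cipher_order makes the server pick the first suite in
%% this list that the client also offers.
listen_opts(CertFile, KeyFile) ->
    case available_pfs() of
        [] ->
            {error, no_pfs_suites_available};
        Suites ->
            {ok, [{certfile, CertFile},
                  {keyfile, KeyFile},
                  {ciphers, Suites},
                  {honor_cipher_order, true},
                  {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]}
    end.
```

In the shell, `c(pfs_check).` then `pfs_check:available_pfs().` prints the PFS subset the node can offer; if that list is empty (or contains no ECDHE entries), the crypto application's OpenSSL library lacks the needed support and no amount of client-side cipher tweaking will help. `pfs_check:check([{ecdhe_rsa,aes_256_cbc,sha}]).` answers the narrower question of whether one specific configured suite exists on the node, and `{ok, Opts} = pfs_check:listen_opts("cert.pem", "key.pem"), ssl:listen(8443, Opts).` starts a listener that is guaranteed to have at least one PFS suite to negotiate with.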