[erlang-questions] bug : ssl losing ciphers
Nicolas Thauvin
nthauvin@REDACTED
Fri Apr 8 16:13:23 CEST 2016
Hi,
We've been trying to restrict SSL ciphers to a secure set in Yaws / OTP
R18, but only a few of them were actually taken into account (leading to
connection issues from old browsers).
According to the documentation, one can list the available ciphers with
ssl:cipher_suites().
For example:
[...
{rsa,aes_256_gcm,null,sha384},
{rsa,aes_256_cbc,sha256},
...]
Note there are 3-tuples and 4-tuples in the result.
Now, when the customised 'ciphers' SSL option is set, its content is
processed by ssl:binary_cipher_suites/2
(Beam you up:
https://github.com/erlang/otp/blob/maint-18/lib/ssl/src/ssl.erl#L1092)
Here comes the issue: this function expects all the entries to be the
same tuple size (3 or 4) according to a matching on the first element,
losing entries from the list when they don't match the tuple size.
The patch for ssl:binary_cipher_suites/2 is trivial, but why does
ssl_cipher:suite() still return tuples of mixed sizes, since 4-tuples
seem to be considered backward compatible according to the comments?
Cheers,
-- Nicolas
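
The following is an added example, not part of the original message and not OTP code: a pre-flight check that reports which entries of a 'ciphers' list would be lost under the behaviour described above. The module name, function names, and the model of the filtering are assumptions made for illustration. The sample list is constructed from the two tuples quoted in the message plus one constructed 3-tuple.

```erlang
-module(cipher_shape_check).
-export([model_kept/1, check/1, demo/0]).

%% Model (assumption, not OTP source) of the behaviour described in the
%% message: the tuple size of the FIRST entry decides which entries are
%% processed, and entries of any other size are skipped without an error.
model_kept([First | _] = Suites) when is_tuple(First) ->
    N = tuple_size(First),
    [S || S <- Suites, is_tuple(S), tuple_size(S) =:= N];
model_kept(_) ->
    [].

%% Check a configured 'ciphers' list before handing it to the ssl options:
%% return ok when all entries share one shape, otherwise report exactly
%% which entries would be kept and which would silently disappear.
check(Suites) ->
    Kept = model_kept(Suites),
    case Suites -- Kept of
        [] ->
            ok;
        Dropped ->
            {error, {mixed_tuple_sizes, [{kept, Kept}, {dropped, Dropped}]}}
    end.

demo() ->
    %% Constructed sample: a 4-tuple first, followed by two 3-tuples.
    Mixed = [{rsa, aes_256_gcm, null, sha384},
             {rsa, aes_256_cbc, sha256},
             {dhe_rsa, aes_256_cbc, sha256}],
    {error, {mixed_tuple_sizes, Info}} = check(Mixed),
    %% Only the entry matching the first element's size survives.
    [{rsa, aes_256_gcm, null, sha384}] = proplists:get_value(kept, Info),
    2 = length(proplists:get_value(dropped, Info)),
    %% A homogeneous list (3-tuples only) passes the check.
    ok = check(tl(Mixed)),
    ok.
```

Running check/1 at configuration load time turns a silently reduced cipher set into an explicit error, so the failure shows up at startup and not as handshake failures from clients.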