[erlang-questions] bug : ssl losing ciphers
Fri Apr 8 20:53:06 CEST 2016
2016-04-08 16:13 GMT+02:00 Nicolas Thauvin <nthauvin@REDACTED>:
> We've been trying to restrict SSL ciphers to a secure set in Yaws / OTP
> R18, but only a few of them were actually taken into account (leading to
> connection issues from old browsers).
> According to the documentation, one can list the availables ciphers with
> For example:
> Note there are 3-tuples and 4-tuples in the result.
> Now, when the customised 'ciphers' SSL option is set, its content is
> processed by ssl:binary_cipher_suites/2
> (Beam you up :
> There comes the issue : this function expects all the entries to be the
> same tuple size (3 or 4) according to a matching on the first element,
> losing entries from the list when they don't match the tuple size.
> The patch for ssl:binary_cipher_suites/2 is trivial, but why does
> ssl_cipher:suite() still returns a mixed-size of tuples since 4-tuples
> seems to be considered as backward compatible according to the comments ?
As of TLS-1.2 ciphersuites are a set of 4 algorithms. In earlier versions
the set was three algorithms and the forth was implicitly hardcoded. So all
are represented as 4-tuples internaly but for backwards compatibility we
need to be able to input old cipher suites as 3-tuples.
However I thought the comment was a bit percuiler (it suggests its the
other way around), and I looked into it and it turns out a very long time
ago the cipher suites had a different forth element 'no_export', but then
we did decide not to implement any export ciphers and the tuples became
3-tuples. And much later came TLS-1.2. So we need to fix that bug and
remove that comment.
Acctualy I reasently fixed the ssl:cipher_suites(), as it wrongly filtered
the new 4-tuple ciphers so it returned always 3-tuples, and I do not think
that will worked out greatly either.
Regards Ingela Erlang/OTP team - Ericsson AB
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the erlang-questions