[erlang-questions] bug : ssl losing ciphers

Ingela Andin ingela.andin@REDACTED
Fri Apr 8 20:53:06 CEST 2016 

Hi!

2016-04-08 16:13 GMT+02:00 Nicolas Thauvin <nthauvin@REDACTED>:

> Hi,
>
>  We've been trying to restrict SSL ciphers to a secure set in Yaws / OTP
> R18, but only a few of them were actually taken into account (leading to
> connection issues from old browsers).
>
> According to the documentation, one can list the availables ciphers with
> ssl:cipher_suites().
> For example:
>
> [...
>  {rsa,aes_256_gcm,null,sha384},
>  {rsa,aes_256_cbc,sha256},
> ...]
>
> Note there are 3-tuples and 4-tuples in the result.
>
> Now, when the customised 'ciphers' SSL option is set, its content is
> processed by ssl:binary_cipher_suites/2
>
> (Beam you up :
> https://github.com/erlang/otp/blob/maint-18/lib/ssl/src/ssl.erl#L1092)
>
> There comes the issue : this function expects all the entries to be the
> same tuple size (3 or 4) according to a matching on the first element,
> losing entries from the list when they don't match the tuple size.
>
> The patch for ssl:binary_cipher_suites/2 is trivial, but why does
> ssl_cipher:suite() still returns a mixed-size of tuples since 4-tuples
> seems to be considered as backward compatible according to the comments ?
>
>

As of TLS-1.2 ciphersuites are a set of 4 algorithms. In earlier versions
the set was three algorithms and the forth was implicitly hardcoded. So all
cipher suites
are represented as 4-tuples internaly but for backwards compatibility we
need to be able to input old cipher suites as 3-tuples.

However I thought the comment was a bit percuiler (it suggests its the
other way around), and I looked into it and it turns out a very long time
ago the cipher suites had a different forth element 'no_export', but then
we did decide not to implement any export ciphers and the tuples became
3-tuples.  And much later came TLS-1.2.  So we need to fix that bug and
remove that comment.

Acctualy I reasently fixed the  ssl:cipher_suites(), as it wrongly filtered
the new 4-tuple ciphers so it returned always 3-tuples, and I do not think
that will worked out greatly either.

Regards Ingela Erlang/OTP team - Ericsson AB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160408/ca09010f/attachment.htm>

More information about the erlang-questions mailing list