[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

Ingela Andin ingela.andin@REDACTED
Thu Jan 3 23:11:09 CET 2019


I say it would be a lot easier to configure the erlang cipher suites the
way you like and skip trying to tweak OpenSSL.  Please see ERL382.

Regards Ingela Erlang/OTP team

On Thu, 3 Jan 2019 at 22:29, Guilherme Andrade <g@REDACTED> wrote:

> Hello,
>
> Some people have worked around the issue by building OpenSSL separately
> and statically linking it against ERTS. This does have the disadvantage of
> not benefiting from distro package upgrades, though.
>
> There's a tutorial that lists the appropriate steps[1].
>
> (I know this doesn't solve your particular problem, but it might work out
> as an alternative in case you haven't considered it already - depending on
> your particular requirements.)
>
> [1]: https://github.com/lrascao/erlang-ec2-build
>
> On Thu, 3 Jan 2019 at 20:18, Nicholas Lundgaard <nalundgaard@REDACTED>
> wrote:
>
>> Hi,
>>
>> I wanted to call ERL-823 (https://bugs.erlang.org/browse/ERL-823) to
>> this list's attention. My company operates Erlang microservices in AWS on a
>> kerl-built OTP installation on Amazon Linux (RedHat/CentOS-based), and
>> we've encountered a serious challenge to upgrading to OTP 21: When you
>> disable OpenSSL EC ciphers during an OTP build, which is necessary to build
>> an OTP installation that doesn't erroneously think it has a bunch of EC
>> ciphers that aren't built into the underlying OpenSSL, you're no longer
>> able to connect to google.com via https (not to mention many, many other
>> web properties, like much of AWS infrastructure).
>>
>> It confuses me that there is not a simpler way to align the Erlang
>> crypto/ssl cipher support with the underlying openssl installation it's
>> linked to, but that notwithstanding, it would be really helpful to have a
>> flag to build OTP with support for RedHat/Fedora's EC cipher subset, or
>> something similar to this.
>>
>> Thanks,
>> —Nicholas Lundgaard
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
> --
> Guilherme
>