[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

Guilherme Andrade <>
Fri Jan 4 00:08:22 CET 2019


Fair enough :-)

The intention behind my suggestion to Nicholas was not to misguide, but
rather to present an alternative in case everything else fails - one that
has worked for me in the past, albeit for different reasons (using EC
ciphers in Amazon Linux.)

However, this being cryptography and me a layman in it, I'll humbly atone
for my heresy in case I've given terrible advice (no sarcasm, truly.)

On Thu, 3 Jan 2019 at 22:11, Ingela Andin <> wrote:

> I say it would be a lot easier to configure the erlang cipher suites the
> way you like and skip trying to tweak OpenSSL.  Please see ERL382.
>
> Regards Ingela Erlang/OTP team
>
> Den tors 3 jan. 2019 kl 22:29 skrev Guilherme Andrade <>:
>
>> Hello,
>>
>> Some people have worked around the issue by building OpenSSL separately
>> and statically linking it against ERTS. This does have the disadvantage of
>> not benefiting from distro package upgrades, though.
>>
>> There's a tutorial that lists the appropriate steps[1].
>>
>> (I know this doesn't solve your particular problem, but it might work out
>> as an alternative in case you haven't considered it already - depending on
>> your particular requirements.)
>>
>> [1]: https://github.com/lrascao/erlang-ec2-build
>>
>> On Thu, 3 Jan 2019 at 20:18, Nicholas Lundgaard <>
>> wrote:
>>
>>> Hi,
>>>
>>> I wanted to call ERL-823 (https://bugs.erlang.org/browse/ERL-823) to
>>> this list's attention. My company operates Erlang microservices in AWS on a
>>> kerl-built OTP installation on Amazon Linux (RedHat/CentOS-based), and
>>> we've encountered a serious challenge to upgrading to OTP 21: When you
>>> disable OpenSSL EC ciphers during an OTP build, which is necessary to build
>>> an OTP installation that doesn't erroneously think it has a bunch of EC
>>> ciphers that aren't built into the underlying OpenSSL, you're no longer
>>> able to connect to google.com via https (not to mention many, many
>>> other web properties, like much of AWS infrastructure).
>>>
>>> It confuses me that there is not a simpler way to align the Erlang
>>> crypto/ssl cipher support with the underlying openssl installation it's
>>> linked to, but that notwithstanding, It would be really helpful to have a
>>> flag to build OTP with support for RedHat/Fedora's EC cipher subset, or
>>> something similar to this.
>>>
>>> Thanks,
>>> —Nicholas Lundgaard
>>> _______________________________________________
>>> erlang-questions mailing list
>>> 
>>> http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>
>>
>> --
>> Guilherme
>> _______________________________________________
>> erlang-questions mailing list
>> 
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>

-- 
Guilherme
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20190103/ab4a027a/attachment.html>


More information about the erlang-questions mailing list