[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

Ingela Andin ingela.andin@REDACTED
Fri Jan 4 18:23:11 CET 2019


Hi Fred!

Agree that mapping functions are good. That is sort of what we like to
accomplish with suite_to_str, and we are working on the inverse. They will
use the RFC names that are more general and better documented. But most
of the code to create the OpenSSL names exists, so maybe we will expose that
too as a utility function. Although we do not want to be dependent on
OpenSSL configuration, we only want to have dependencies on its cryptolib.

Regards Ingela Erlang/OTP team - Ericsson AB

On Fri, 4 Jan 2019 at 17:32, Fred Hebert <mononcqc@REDACTED> wrote:

> On 01/04, Ingela Andin wrote:
> >Hi again!
> >
> >Maybe I should add that using filters where you can access each logical
> >part of the cipher suite is a more powerful way to customize cipher suites
> >than regular expressions over complex strings.
> >Also see ssl User Guide http://erlang.org/doc/search/?q=ssl&x=0&y=0
> >section 3.2
> >
>
> Agreed, it's more powerful.
>
> But when working with established teams and policies, having a unique
> format just for Erlang tends to be problematic as non-standard. In some
> places where I've been, if you can't get the security team to approve
> the list, you are not greenlit to go to prod.
>
> It's much, much simpler to work with non-Erlang folks when we have a way
> to more easily communicate and review the lists -- mostly there may just
> be a list that will be adopted by all stacks, whether they're Erlang,
> Go, C#, Ruby, or servers like nginx, and so on.
>
> At least getting the direct mapping between both can be very useful to
> validate filtering rules and everything else :)
>
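
The workflow discussed in this thread, as an added example that is not part of either message and is not OTP team code: suites are selected by logical part with ssl:filter_cipher_suites/2, mapped to RFC names with ssl:suite_to_str/1, and compared against a cross-stack approved list. The module name `suite_review`, its function names and the approved list are assumptions constructed for illustration; it assumes an OTP release in which ssl:suite_to_str/1 is available.

```erlang
-module(suite_review).
-export([selected/0, names/1, diff/2, report/0]).

%% Constructed sample: a cross-stack approved list written with RFC names.
-define(APPROVED, ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]).

%% Select suites by logical part instead of matching on name strings.
selected() ->
    All = ssl:cipher_suites(all, 'tlsv1.2'),
    Kex = fun(K) -> lists:member(K, [ecdhe_ecdsa, ecdhe_rsa]) end,
    Cipher = fun(C) -> lists:member(C, [aes_128_gcm, aes_256_gcm]) end,
    ssl:filter_cipher_suites(All, [{key_exchange, Kex}, {cipher, Cipher}]).

%% Map each suite to its RFC name so reviewers outside the Erlang team
%% can read the list.
names(Suites) ->
    [ssl:suite_to_str(S) || S <- Suites].

%% Returns {Unapproved, Missing}:
%%   Unapproved - names the filter selects that the policy does not list
%%   Missing    - policy entries absent from the filter result, for example
%%                when the crypto library was built without EC support
diff(Selected, Approved) ->
    {Selected -- Approved, Approved -- Selected}.

%% Print both differences and return them for use in a release check.
report() ->
    {ok, _} = application:ensure_all_started(ssl),
    {Unapproved, Missing} = diff(names(selected()), ?APPROVED),
    io:format("selected but not approved: ~p~n", [Unapproved]),
    io:format("approved but not available: ~p~n", [Missing]),
    {Unapproved, Missing}.
```

A non-empty first element means the filter rules are wider than the approved list; a non-empty second element means this build cannot offer everything the policy names.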