[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1
Sat Jan 5 00:34:24 CET 2019
On 2019-01-04 18:41, Nicholas Lundgaard wrote:
> Thanks for your insights, all.
> I've looked at Erlang/OTP 21 builds from our CentOS box that were built with no OPENSSL_NO_EC* set, and also just tried one built with OPENSSL_NO_EC2M set, as advised below. It looks like it's true that these options are ideal for my company's use, and in both cases we properly get an Erlang/OTP build that has a fine set of cipher suites that work with the underlying OpenSSL library on the OS.
> It seems like there is still some potential problem with this setup, though: both the ssl and crypto modules claim to support EC curves that the underlying SSL library does not, in fact, support. A simple function that wraps a key-generate/sign/verify process in a try-catch can be used to verify this:
Well, I'm not really an expert on this stuff, but as far as I
understand Andreas' fix, the OPENSSL_NO_EC2M (which is set in the
relevant OpenSSL header file on the RHEL/CentOS systems) will only
cause the sect* curves to be excluded (there is also a note to this
effect added in lib/crypto/doc/src/crypto.xml in the commit).
And in your tests, the sect* curves are actually completely absent,
which is not the case if you do the same thing in an OTP built with a
"normal" OpenSSL libcrypto. So it seems the OPENSSL_NO_EC2M is working
as expected for you, and that the failures you see are unrelated to
this. Perhaps there is some other limitation in the OpenSSL version
shipped with RHEL/CentOS that prevents them from working? No idea what
that might be though...
More information about the erlang-questions