<div dir="ltr"><div><div>Hi!<br><br></div>As it turns out, it looks no better than that there where several problems, located both on the erlang side and on the other side. Problems that however did not occur when using openssl.<br>
<br></div>You can find a patch for it here that will be included in the next OTP release.<br><div><pre><a class="" href="https://github.com/IngelaAndin/otp/tree/ia/ssl/ecc-gnutls">https://github.com/IngelaAndin/otp/tree/ia/ssl/ecc-gnutls</a><br>
<br></pre><pre>The good thing is that it should solve all the problems as it will make forinstance gnu-tls take a different path through its code.<br></pre><pre><br>Regards Ingela Erlang/OTP team - Ericsson AB <br></pre></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/10/4 Wes James <span dir="ltr"><<a href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>I also found a chromium 28.x for xubuntu and installed that. It does not have the same issues as the current Chrome. Chrome/firefox must be getting closer/stricter (??) to the ssl specs?<span class="HOEnZb"><font color="#888888"><br>
<br></font></span></div><span class="HOEnZb"><font color="#888888">
-wes<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Oct 4, 2013 at 11:11 AM, Wes James <span dir="ltr"><<a href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I found where to fix this for now in <span><span name="Loïc Hoguin">Loïc's ranch_ssl.erl:<br><br>
%% Unfortunately the implementation of elliptic-curve ciphers that has <br>
%% been introduced in R16B01 is incomplete. Depending on the particular <br>%% client, this can cause the TLS handshake to break during key <br>
%% agreement. Depending on the ssl application version, this function <br>%% returns a list of all cipher suites that are supported by default, <br>
%% minus the elliptic-curve ones. <br>-spec unbroken_cipher_suites() -> [ssl:erl_cipher_suite()].<br>unbroken_cipher_suites() -><br>
case proplists:get_value(ssl_app, ssl:versions()) of<br> "5.3" -><br> lists:filter(fun(Suite) -><br> string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"<br>
end, ssl:cipher_suites());<br> _ -><br>%io:format("~n cipher suites: ~p ~n",[ssl:cipher_suites()]),<br>%ssl:cipher_suites(),<div><br>[{dhe_rsa,aes_256_cbc,sha256},<br> {dhe_dss,aes_256_cbc,sha256},<br>
{rsa,aes_256_cbc,sha256},<br> {dhe_rsa,aes_128_cbc,sha256},<br> {dhe_dss,aes_128_cbc,sha256},<br> {rsa,aes_128_cbc,sha256},<br> {dhe_rsa,aes_256_cbc,sha},<br> {dhe_dss,aes_256_cbc,sha},<br> {rsa,aes_256_cbc,sha},<br> {dhe_rsa,'3des_ede_cbc',sha},<br>
{dhe_dss,'3des_ede_cbc',sha},<br> {rsa,'3des_ede_cbc',sha},<br> {dhe_rsa,aes_128_cbc,sha},<br> {dhe_dss,aes_128_cbc,sha},<br> {rsa,aes_128_cbc,sha},<br> {rsa,rc4_128,sha},<br> {rsa,rc4_128,md5},<br> {dhe_rsa,des_cbc,sha},<br>
{rsa,des_cbc,sha}]<br></div> end.<br></span></span><table cellpadding="0"><tbody><tr><td colspan="2"></td><td colspan="2"><br><br></td></tr></tbody></table>Thanks,<br><br></div>-wes<br><br>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Oct 4, 2013 at 8:48 AM, Wes James <span dir="ltr"><<a href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>How would I do this in the .app.src?<br><br></div>I have:<br><br>{application, dbswui, [<br>
{description, "database search web ui."},<br> {vsn, "0.1.0"},<br> {modules, []},<br>
{registered, []},<br> {applications, [<br> kernel,<br> stdlib,<br> crypto,<br> public_key,<br> cowlib,<br> cowboy,<br> ssl<br> ]},<br> {mod, {dbswui_app, []}},<br>
{env, []}<br>]}.<br><br></div>I have this from a previous email from you on list.<br><br>{ciphers, [{dhe_rsa,aes_256_cbc,sha256},<br> {dhe_dss,aes_256_cbc,sha256},<br> {rsa,aes_256_cbc,sha256},<br> {dhe_rsa,aes_128_cbc,sha256},<br>
{dhe_dss,aes_128_cbc,sha256},<br> {rsa,aes_128_cbc,sha256},<br> {dhe_rsa,aes_256_cbc,sha},<br> {dhe_dss,aes_256_cbc,sha},<br> {rsa,aes_256_cbc,sha},<br> {dhe_rsa,'3des_ede_cbc',sha},<br> {dhe_dss,'3des_ede_cbc',sha},<br>
{rsa,'3des_ede_cbc',sha},<br> {dhe_rsa,aes_128_cbc,sha},<br> {dhe_dss,aes_128_cbc,sha},<br> {rsa,aes_128_cbc,sha},<br> {rsa,rc4_128,sha},<br> {rsa,rc4_128,md5},<br> {dhe_rsa,des_cbc,sha},<br> {rsa,des_cbc,sha}]}<br>
<br></div>I tried to put this in the env [] list, but it didn't help.<br><br>Thanks,<br><br>Wes<div><div><br><div><div><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Oct 4, 2013 at 1:44 AM, Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div dir="ltr">Hi Wes!<br><div class="gmail_extra"><br></div><div class="gmail_extra">
I have heard from several sources that they have problems connecting with Firefox and Chrome<br></div><div class="gmail_extra">when
Elliptic curve cipher suites are enabled. Elliptic curve ciphers where
first supported at all in R16 and are by default enabled, although will
not be used if the client does not claim to be able to use them.<br>
It does seem though that other clients can connect like curl, s_client
(openssl), some python client and now opera. I also know that some ECC
ciphers are broken in openssl version 1.0.0 and 1.0.0.a.<br></div><div class="gmail_extra">
So it seems like it is a client problem that you may workaround by disabling Elliptic Curve cipher suites<br></div><div class="gmail_extra">until the clients get fixed. Also R16B02 fixes an ECC bug so R16B will not be better then R16B02, going <br>
</div><div class="gmail_extra">back to R15 will work as the ECC ciphers where not supported at all, but I can see other reasons you would not want to do that. <br></div><div class="gmail_extra"><br></div><div class="gmail_extra">
Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div class="gmail_extra"><br></div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/10/4 Wes James <span dir="ltr"><<a href="mailto:comptekki@gmail.com" target="_blank">comptekki@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><div><div><div><div><div>Somewhere along the line I've started having issues with self-signed certs.<br>
<br></div>On xubuntu I've:<br><br></div>recently upgraded chrome and firefox (both having issues)<br>
<br></div>recently upgraded cowboy to master<br><br>recently upgrade to 16B02 (compiled then installed)<br><br>I'm having issues accessing sites on https now. I get an error from firefox, but try to accept but get a security error. On chrome, it just says it can't get to the site. I then tried opera. I have to confirm some boxes on opera, but I can finally see the https sites.<br>
<br></div>Anyone else having these issues?<br><br></div><div>I've tried going back to 16B, but still have the issues so I'm not sure if it is erlang. I've tried compiling code with 0.8.1 of cowboy with 16B, but still have the same issues (where it was working fine before), so I'm not sure where the problem is.<br>
</div><div><br>Thanks,<br><br></div>Wes<br></div>
<br></div></div><div>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></div></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>