<div dir="ltr">Hi!<div><br></div><div>I investigated it and as it turns out it is not a bug. RFC 5246 says, </div><div><br></div><div><pre class=""><span class=""><h6>7.4.1.4.1 Signature Algorithms</h6><h6>[...]</h6></span></pre></div><div><div><pre class=""> Note: this extension is not meaningful for TLS versions prior to 1.2.
Clients MUST NOT offer it if they are offering prior versions.</pre></div><div><br></div></div><div>However, the initial client hello will now be sent with the TLS record protocol with the lowest version supported, which it failed to do before and that is why it happened to work before. Extensions are sent for the wanted version and should be ignored if a lower version is negotiated, with the exception of signature algorithms, due to the sentence above. </div><div><br></div><div>Regards Ingela Erlang/OTP Team - Ericsson AB</div><div><br><div class="gmail_extra"><br><div class="gmail_quote">2016-08-08 17:42 GMT+02:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi!<div><br></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2016-07-13 17:27 GMT+02:00 André Cruz <span dir="ltr"><<a href="mailto:andre@cabine.org" target="_blank">andre@cabine.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello Fred.<br>
<span><br>
> On 13 Jul 2016, at 14:41, Fred Hebert <<a href="mailto:mononcqc@ferd.ca" target="_blank">mononcqc@ferd.ca</a>> wrote:<br>
><br>
> On 07/12, André Cruz wrote:<br>
>> As can be seen I cannot establish a connection using the container version of Erlang. Looking at the traffic I can see that the ClientHello message specifies SSLv3 ciphers, while the version that works uses TLS1.2. How can I influence this choice of ciphers? Is it a problem with the openssl lib in the container image?<br>
>><br>
><br>
> You should at the very least have some basic configuration of SSL in Erlang -- the one that ships stock isn't particularly great.<br>
<br>
</span>I've found the difference in the default SSL configuration between 18.3.1 and 18.3.2.<br>
<br>
18.3.1 uses TLS1.2 records:<br>
<br>
TLSv1.2 Record Layer: Handshake Protocol: Client Hello<br>
Content Type: Handshake (22)<br>
Version: TLS 1.0 (0x0301)<br>
Length: 279<br>
<br>
<br>
18.3.2 uses SSL records:<br>
<br>
SSL Record Layer: Handshake Protocol: Client Hello<br>
Content Type: Handshake (22)<br>
Version: TLS 1.0 (0x0301)<br>
Length: 249<br>
<br>
It's strange to change this default in a minor version upgrade. Is this something that can be configured? I've found that some SSL servers drop the connection immediately when SSL records are used.<br>
<br></blockquote><div><br></div></span><div>Huum ... I think this was supposed to be a bug fix, maybe I got it wrong. I will investigate.</div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB</div><span class=""><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Thanks,<br>
André<br>
<div><div>
</div></div></blockquote></span></div><br></div></div>
</blockquote></div><br></div></div></div>
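<div>When comparing captures like the two in this thread, it helps to read the record-layer version, the version inside the ClientHello and the offered extensions separately, and to check the RFC 5246 rule quoted above. The following is an added example, not code from the thread or from Erlang/OTP; the function names are hypothetical, the sample bytes are constructed, and it assumes the ClientHello fits in a single unfragmented record.</div>

```python
import struct

SIGNATURE_ALGORITHMS = 13   # extension type from RFC 5246, 7.4.1.4.1
TLS_1_2 = (3, 3)

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete, unfragmented ClientHello."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    hello_len = int.from_bytes(record[6:9], "big")
    if ctype != 22 or record[5] != 1 or rec_len != hello_len + 4:
        raise ValueError("not a single-record ClientHello")
    hello, pos = record[9:9 + hello_len], 0
    if len(hello) != hello_len:
        raise ValueError("truncated ClientHello")

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("length field points past end of ClientHello")
        pos += n
        return hello[pos - n:pos]

    hello_version = tuple(take(2))            # version the client asks for
    take(32)                                  # random
    take(take(1)[0])                          # session_id
    take(int.from_bytes(take(2), "big"))      # cipher_suites
    take(take(1)[0])                          # compression_methods
    extensions = []
    if pos < len(hello):                      # extensions block is optional
        end = pos + int.from_bytes(take(2), "big")
        while pos < end:
            extensions.append(int.from_bytes(take(2), "big"))
            take(int.from_bytes(take(2), "big"))
    return {"record_version": (rec_major, rec_minor),
            "hello_version": hello_version, "extensions": extensions}

def violates_sigalg_rule(info: dict) -> bool:
    """True if signature_algorithms is offered below TLS 1.2."""
    return (info["hello_version"] < TLS_1_2
            and SIGNATURE_ALGORITHMS in info["extensions"])

def build_sample(record_version, hello_version, ext_types) -> bytes:
    """Constructed test input: minimal ClientHello with empty extension bodies."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = (bytes(hello_version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(body)) + body
```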