<div dir="ltr"><br><div class="gmail_extra">Hi!<br><br></div><div class="gmail_extra">I have investigated and I found the problem, alas it was not local to the function ssl:cipher_suites/1. It is an internal filter function that has a problem. The patch is:<br><br><br>diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl<br>index 62a172c..59cf05f 100644<br>--- a/lib/ssl/src/ssl_cipher.erl<br>+++ b/lib/ssl/src/ssl_cipher.erl<br>@@ -2175,6 +2175,8 @@ is_acceptable_cipher(Cipher, Algos) -><br> <br> is_acceptable_hash(null, _Algos) -><br> true;<br>+is_acceptable_hash(aead, _Algos) -><br>+ true;<br> is_acceptable_hash(Hash, Algos) -><br> proplists:get_bool(Hash, Algos).<br><br><br></div><div class="gmail_extra">We will make a patch.<br><br></div><div class="gmail_extra">Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2018-03-15 9:38 GMT+01:00 Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi!<br><br></div><div>Well that was not intended, but I would not worry too much about it. We plan to deprecate the ssl:cipher_suites/1 function in 21 and this function is not used in runtime of the ssl application.<br></div><div>I have not investigated why yet but we will fix it. <br><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div><div class="gmail-h5"><div><div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-14 19:10 GMT+01:00 derek <span dir="ltr"><<a href="mailto:denc716@gmail.com" target="_blank">denc716@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I can reproduce the issue, while I change to call this<br>
<a href="http://erlang.org/doc/man/ssl.html#cipher_suites-2" rel="noreferrer" target="_blank">http://erlang.org/doc/man/ssl.<wbr>html#cipher_suites-2</a><br>
<br>
with 2nd argument 'tlsv1.2' it seems still have some gcm ciphers;<br>
wonder is this change intended ? I am not seeing the change in<br>
<a href="http://erlang.org/download/otp_src_20.3.readme" rel="noreferrer" target="_blank">http://erlang.org/download/otp<wbr>_src_20.3.readme</a><br>
<br>
13> ssl:cipher_suites(all, 'tlsv1.2').<br>
[#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,<br>
mac => aead,prf => sha384},<br>
#{cipher => aes_256_gcm,key_exchange => ecdhe_rsa,mac => aead,<br>
prf => sha384},<br>
#{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa,<br>
mac => sha384,prf => sha384},<br>
#{cipher => aes_256_cbc,key_exchange => ecdhe_rsa,<br>
mac => sha384,prf => sha384},<br>
#{cipher => aes_256_gcm,key_exchange => ecdh_ecdsa,<br>
mac => aead,prf => sha384},<br>
#{cipher => aes_256_gcm,key_exchange => ecdh_rsa,mac => aead,<br>
prf => sha384},<br>
#{cipher => aes_256_cbc,key_exchange => ecdh_ecdsa,<br>
mac => sha384,prf => sha384},<br>
#{cipher => aes_256_cbc,key_exchange => ecdh_rsa,<br>
mac => sha384,prf => sha384},<br>
#{cipher => chacha20_poly1305,key_exchange => ecdhe_ecdsa,<br>
mac => aead,prf => sha256},<br>
#{cipher => chacha20_poly1305,key_exchange => ecdhe_rsa,<br>
mac => aead,prf => sha256},<br>
#{cipher => chacha20_poly1305,key_exchange => dhe_rsa,<br>
mac => aead,prf => sha256},<br>
#{cipher => aes_256_gcm,key_exchange => dhe_rsa,mac => aead,<br>
prf => sha384},<br>
#{cipher => aes_256_gcm,key_exchange => dhe_dss,mac => aead,<br>
prf => sha384},<br>
<span class="gmail-m_-8823822850457253784im gmail-m_-8823822850457253784HOEnZb"><br>
<br>
<br>
On Wed, Mar 14, 2018 at 9:18 AM, Leo Liu <<a href="mailto:sdl.web@gmail.com" target="_blank">sdl.web@gmail.com</a>> wrote:<br>
> I just compiled Erlang 20.3 from github with openssl 1.0.1 (centos 7)<br>
> and 1.0.2 (Sierra 10.12.6). ssl:cipher_suites(erlang) returns no gcm<br>
> ciphers.<br>
><br>
<br>
> I have previously compiled 20.2 from source and it has gcm ciphers. I<br>
> wonder if this is an intended change in OTP 20.3? Thanks.<br>
</span><div class="gmail-m_-8823822850457253784HOEnZb"><div class="gmail-m_-8823822850457253784h5">______________________________<wbr>_________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/list<wbr>info/erlang-questions</a><br>
</div></div></blockquote></div><br></div></div></div></div></div></div>
</blockquote></div><br></div></div>