<div dir="ltr"><div>Hi!</div><div><br></div><div>Well I would not say that explicitly writing a long lists of maps is the best way. For instance if you want to add the removed rsa -key exchange suite it would be done like.</div><div><br></div><div><table style="font-size:1em;line-height:1.4em;font-weight:normal;font-style:normal;color:black" width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr id="gmail-syntaxplugin_code_and_gutter"><td style="line-height:1.4em;padding:0em;vertical-align:top"><pre style="font-size:1em;margin:10px 10px 0px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace">add_rsa_suites(Version) -></span></pre>
                        </td>
                </tr>
                                <tr id="gmail-syntaxplugin_code_and_gutter">
                                                <td style="line-height:1.4em;padding:0em;vertical-align:top">
                                        <pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace">    All = ssl:cipher_suites(all, Version),</span></pre>
                        </td>
                </tr>
                                <tr id="gmail-syntaxplugin_code_and_gutter">
                                                <td style="line-height:1.4em;padding:0em;vertical-align:top">
                                        <pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace">    Default = ssl:cipher_suites(default, Version),</span></pre>
                        </td>
                </tr>
                                <tr id="gmail-syntaxplugin_code_and_gutter">
                                                <td style="line-height:1.4em;padding:0em;vertical-align:top">
                                        <pre style="font-size:1em;margin:0px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace">    RSASuites = ssl:filter_cipher_suites(All,[{key_exchange, fun(rsa) -> true;(_) -> false end}]),</span></pre>
                        </td>
                </tr>
                                <tr id="gmail-syntaxplugin_code_and_gutter">
                                                <td style="line-height:1.4em;padding:0em;vertical-align:top">
                                        <pre style="font-size:1em;margin:0px 10px 10px;width:auto;padding:0px"><span style="color:black;font-family:"Consolas","Bitstream Vera Sans Mono","Courier New",Courier,monospace">    ssl:append_cipher_suites(RSASuites, Default).<br><br><br>From a security perspective that would not be my recommendation though.<br><br>For backward compatibility reasons just supplying the OpenSSL names will probably still work. However we do not guarantee forward compatibility for that.<br>We plan on having some support for RFC names which are similar to OpenSSL names but more consistent. We do already have suite_to_str function but we plan on having a str_to_suite too .<br><br>Regards Ingela Erlang/OTP team<br><br></span></pre></td></tr></tbody></table></div></div><br><div class="gmail_quote"><div dir="ltr">Den fre 4 jan. 2019 kl 03:41 skrev Fred Hebert <<a href="mailto:mononcqc@ferd.ca">mononcqc@ferd.ca</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 01/03, Ingela Andin wrote:<br>
>I say it would be a lot easier to configure the erlang cipher suites the<br>
>way you like and skip trying to tweak OpenSSL.  Please see ERL382.<br>
><br>
>Regards Ingela Erlang/OTP team<br>
><br>
<br>
Additionally, Heroku has an open source library to handle TLS servers <br>
with SNI for dispatch, which comes with some default configurations and <br>
ways to easily translate from a known SSL list of ciphers such as what <br>
you'd find at:<br>
<br>
- <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html" rel="noreferrer" target="_blank">https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html</a><br>
- <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29" rel="noreferrer" target="_blank">https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29</a><br>
<br>
In all of these lists, the format chosen is something like <br>
ECDHE-ECDSA-AES128-GCM-SHA256 rather than the Erlang-specific maps like  <br>
#{cipher => aes_128_cbc,key_exchange => ecdhe_rsa, mac => sha256,prf => <br>
sha256} or {ecdhe_ecdsa,aes_128_gcm,null,sha256} (in OTP 20.2 and <br>
earlier)<br>
<br>
To facilitate with this, I've written and updated their lib (PR pending) <br>
to include procedures to make the conversion between both formats easy:<br>
<a href="https://github.com/heroku/snit/pull/36/files#diff-1ea45e0c99dd72cbe37b5b3f4f561c70R38" rel="noreferrer" target="_blank">https://github.com/heroku/snit/pull/36/files#diff-1ea45e0c99dd72cbe37b5b3f4f561c70R38</a><br>
<br>
It goes a bit like this:<br>
<br>
    %% Declare the list of suites you want in the order you need them<br>
    OpenSSLSuites = [<br>
        "ECDHE-ECDSA-AES128-GCM-SHA256",<br>
        "ECDHE-ECDSA-AES256-GCM-SHA384",<br>
        "ECDHE-RSA-AES128-GCM-SHA256",<br>
        ...<br>
    ],<br>
<br>
    %% Declare the supported TLS versions you want (you may want to drop <br>
    %% tlsv1 and possibly 'tlsv1.1' as well, depending on compatibility<br>
    SupportedVersions = [tlsv1, 'tlsv1.1', 'tlsv1.2'],<br>
<br>
    %% Then run the following (see the source file for equivalents in<br>
    %% older versions of Erlang and OTP)<br>
    Suites = lists:usort(lists:append(<br>
        [ssl:cipher_suites(all, Vsn) || Vsn <- SupportedVersions]<br>
    )),<br>
    Table = [{Str, [S]}  || S <- Suites,<br>
                            Raw <- [ssl_cipher_format:suite(S)],<br>
                            Str <- [ssl_cipher_format:openssl_suite_name(Raw)],<br>
                            not is_map(Str)],<br>
    [lists:keyfind(Suite, 1, Table) || Suite <- OpenSSLSuites].<br>
<br>
This gives a full table of all currently supported suites with both the <br>
OpenSSL and the Erlang format, such as:<br>
<br>
    [{"ECDHE-ECDSA-AES128-GCM-SHA256",<br>
      [#{cipher => aes_128_gcm,key_exchange => ecdhe_ecdsa,<br>
         mac => aead,prf => sha256}]},<br>
     {"ECDHE-ECDSA-AES256-GCM-SHA384",<br>
      [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,<br>
         mac => aead,prf => sha384}]},<br>
     {"ECDHE-RSA-AES128-GCM-SHA256",<br>
      [#{cipher => aes_128_gcm,key_exchange => ecdhe_rsa,mac => aead,<br>
         prf => sha256}]},<br>
     ...<br>
    ]<br>
<br>
Which in my opinion, makes it a lot easier to manage configurations if <br>
you don't want to carefully groom them all -- just copy a list you trust <br>
from some source online and get it applied directly. Snit uses that list <br>
and re-validates it at start time, but it would be easy to retransform <br>
it by just using lists:flatten([Map || {_Name, Map} <- Result]) for the <br>
format the Erlang ssl lib uses natively.<br>
<br>
This also has the benefit that if you have any infosec department, <br>
they'll love you for providing them a list and format they're familiar <br>
with rather than the unique internal erlang format.<br>
<br>
Regards,<br>
Fred.<br>
</blockquote></div>