[erlang-questions] Erlang Crypto R16+ and Centos 6.4+ incompatibility

Andreas Schultz aschultz@REDACTED
Tue Dec 17 17:36:53 CET 2013


Hi,

Found it, Centos 6.5 disables EC only partly. Most EC functions
are there, only the support for GF2m curves has been disabled
(that means all the sectXXXr1 and r2 curves won't work).

The corresponding OpenSSL define OPENSSL_NO_EC2M is set.

The simplest (untested) workaround would be to put a "-DOPENSSL_NO_EC=1"
into CFLAGS, e.g.: 

      CFLAGS="-DOPENSSL_NO_EC=1" ./configure

Alternatively, you could edit lib/crypto/c_src/crypto.c and change:

#if OPENSSL_VERSION_NUMBER >= 0x009080ffL \
        && !defined(OPENSSL_NO_EC) \
        && !defined(OPENSSL_NO_ECDH) \
        && !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

to

#if OPENSSL_VERSION_NUMBER >= 0x009080ffL \
        && !defined(OPENSSL_NO_EC) \
        && !defined(OPENSSL_NO_EC2M) \
        && !defined(OPENSSL_NO_ECDH) \
        && !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

Both will disable EC completely.

Andreas

----- Original Message -----
> Hi,
> 
> ----- Original Message -----
> > 
> > 
> > >That is not an Erlang problem itself. The binary Erlang package you installed
> > >was built on a system that had an OpenSSL with EC support enabled while the
> > >system you are trying to install on has OpenSSL with EC support disabled.
> > 
> > Nope, I compiled erlang from sources, and it throws the error in
> > crypto:start(). Seems like ./configure does not detect missing curves.
> 
> configure has nothing to do with it. When openssl is configured and built,
> a file named opensslconf.h is generated (on Ubuntu it's installed to
> /usr/include/x86_64-linux-gnu/openssl/opensslconf.h)
> 
> That file is indirectly included through the other openssl headers and
> specifies at compile time what ciphers are supported. That your Erlang
> was compiled with EC support when your openssl seems to be missing
> support for it, means that that config header must be broken.
> 
> Would be great to know how that happened.
> 
> Andreas
> 
> > >No, that is Centos/Redhat stupidity. OpenSSL by default does EC, but
> > >Redhat chose to disable EC so that the NSA can better spy on you.
> > 
> > Sure it's not Erlang's fault, but still do we really want to ditch half of
> > the potential user base? Or suggest everyone to install outdated R15, as it
> > still works?
> > 
> > 
> 
> --
> --
> Dipl. Inform.
> Andreas Schultz
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz
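
The check described in the message above, as an added example that is not part of the original post or of the Erlang/OTP sources: it lists the OPENSSL_NO_* macros a header defines and evaluates both versions of the HAVE_EC guard against them. The function names and the sample header are constructed for illustration; the OPENSSL_VERSION_NUMBER term of the guard is assumed true, and only the one file passed in is read (headers it includes are not followed).

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample header).

# Print the OPENSSL_NO_* macros defined in header file $1.
# Accepts "#define X" and "# define X" (indented inside #ifndef blocks).
openssl_no_macros() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(OPENSSL_NO_[A-Z0-9_]*\).*/\1/p' "$1" | sort -u
}

# have_ec GUARD HEADER
# GUARD is "old" (guard without OPENSSL_NO_EC2M) or "new" (guard with it).
# Prints 1 if crypto.c would define HAVE_EC for that header, else 0.
# Assumption: the OPENSSL_VERSION_NUMBER comparison is satisfied.
have_ec() {
    guard=$1
    header=$2
    blockers="OPENSSL_NO_EC OPENSSL_NO_ECDH OPENSSL_NO_ECDSA"
    if [ "$guard" = new ]; then
        blockers="$blockers OPENSSL_NO_EC2M"
    fi
    defined=$(openssl_no_macros "$header")
    for m in $blockers; do
        # -x: whole-line match, so OPENSSL_NO_EC does not match OPENSSL_NO_EC2M
        if printf '%s\n' "$defined" | grep -qx "$m"; then
            echo 0
            return
        fi
    done
    echo 1
}

# Constructed sample: a header where only GF2m curve support is disabled.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
/* constructed sample, not a real opensslconf.h */
#ifndef OPENSSL_NO_EC2M
# define OPENSSL_NO_EC2M
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
EOF

echo "feature macros: $(openssl_no_macros "$sample" | tr '\n' ' ')"
echo "old guard: HAVE_EC=$(have_ec old "$sample")"
echo "new guard: HAVE_EC=$(have_ec new "$sample")"
```

To check a real system, pass the path of the installed opensslconf.h (or the architecture-specific header it includes) instead of the sample file.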


