[erlang-questions] Crypto differences (Red Hat ECC support)

Steve Davis steven.charles.davis@REDACTED
Fri Oct 3 01:31:06 CEST 2014


Hi Ingela,

Thanks for your responses. I was aware of the claimed legal issue, so I had already built openssl on that server from a pristine tarball (rather than the supplied rpms). I was frustrated and I could not understand why these ciphers still weren't appearing. 

crypto:info_lib() supplied the answer... the erlang distro was still pointing at the FIPS compliant openssl libraries rather than the new openssl install... agh!

If others face this issue:
1) before building openssl, export CFLAGS="-fPIC"; at configure, invoke with the keyword "shared", then make and install as usual
2) once openssl is built and ec + ecparams commands are available, configure erlang with the explicit flag --with-ssl=/usr/local/ssl

regs,
/s


On Oct 2, 2014, at 2:33 AM, Ingela Andin <ingela.andin@REDACTED> wrote:

> Hi!
> 
> 2014-10-01 23:36 GMT+02:00 Steve Davis <steven.charles.davis@REDACTED>:
> ...which doesn't address the issue?
> 
> 
> I think it does! It talks about problems that ECC, especially ECDH support, was not available in some Red Hat distributions, it talks about patent problems, and also
> about that the issue was resolved, and that software using OpenSSL needed to be recompiled after taking the update. I do not know exactly what will solve your problem but
> upgrading your Red Hat distribution seems to be a good place to start!
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
>  
> 
>  
> On Oct 1, 2014, at 4:18 PM, Ingela Andin <ingela.andin@REDACTED> wrote:
> 
>> Hi!
>> 
>> Google suggests the following link:
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=319901
>> 
>> 
>> Regards Ingela Erlang/OTP Team - Ericsson AB 
>> 
>> 2014-10-01 21:58 GMT+02:00 Steve Davis <steven.charles.davis@REDACTED>:
>> I'm running an app that uses ECC public keys and have discovered a problem that only appears to emerge on RedHat ...
>> 
>> ...specifically I'm getting not_sup for crypto:generate_key for ecdh.
>> 
>> I have built openssl 1.0.1h from source on the RH server, and 17.3 on top of that, but still I am missing ec_gf2m, ecdsa and ecdh support (see 'public_keys' section in the below repl, and the comparative from deploys on OS X and Windows).
>> 
>> On RedHat Linux
>> 1> crypto:supports().
>> [{hashs,[md4,md5,sha,ripemd160,sha224,sha256,sha384,sha512]},
>> {ciphers,[des_cbc,des_cfb,des3_cbc,des_ede3,blowfish_cbc,
>>            blowfish_cfb64,blowfish_ofb64,blowfish_ecb,aes_cbc128,
>>            aes_cfb8,aes_cfb128,aes_cbc256,rc2_cbc,aes_ctr,rc4,des3_cbf,
>>            aes_ige256]},
>> {public_keys,[rsa,dss,dh,srp]}]
>> 2> crypto:ec_curves().
>> [secp112r1,secp112r2,secp128r1,secp128r2,secp160k1,
>> secp160r1,secp160r2,secp192r1,secp192k1,secp224k1,secp224r1,
>> secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,
>> prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,
>> prime256v1,wtls6,wtls7,wtls8,wtls9,wtls12,brainpoolP160r1,
>> brainpoolP160t1|...]
>> 
>> On OSX + Windows
>> 1> crypto:supports().
>> [{hashs,[md4,md5,sha,ripemd160,sha224,sha256,sha384,sha512]},
>>  {ciphers,[des_cbc,des_cfb,des3_cbc,des_ede3,blowfish_cbc,
>>            blowfish_cfb64,blowfish_ofb64,blowfish_ecb,aes_cbc128,
>>            aes_cfb8,aes_cfb128,aes_cbc256,rc2_cbc,aes_ctr,rc4,des3_cbf,
>>            aes_ige256]},
>>  {public_keys,[rsa,dss,dh,srp,ec_gf2m,ecdsa,ecdh]}]
>> 2> crypto:ec_curves().
>> [secp112r1,secp112r2,secp128r1,secp128r2,secp160k1,
>>  secp160r1,secp160r2,secp192r1,secp192k1,secp224k1,secp224r1,
>>  secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,
>>  prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,
>>  prime256v1,wtls6,wtls7,wtls8,wtls9,wtls12,brainpoolP160r1,
>>  brainpoolP160t1|...]
>> 
>> I'm hoping somebody else has faced this frustration before and found a solution...?
>> 
>> regs,
>> /s
>> 
>> 
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>> 
>> 
> 
> 
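
The diagnosis in this thread (crypto:supports() lacking ecdh/ecdsa, crypto:info_lib() revealing which OpenSSL was really in use) can be turned into a startup check. This is an added example, not code from the original posts or from Erlang/OTP; the module name ecc_check, its function names, the error tuple shapes and the choice of secp256r1 as probe curve are assumptions.

```erlang
-module(ecc_check).
-export([report/0, missing/2, probe_ecdh/1]).

%% Public-key algorithms the application needs (assumption: the two
%% ECC entries the thread reports as absent on the Red Hat host).
-define(REQUIRED, [ecdh, ecdsa]).
%% Assumed probe curve; it is listed in the crypto:ec_curves() output above.
-define(CURVE, secp256r1).

%% Required algorithms that are absent from a crypto:supports() result.
missing(Required, Supports) ->
    PublicKeys = proplists:get_value(public_keys, Supports, []),
    [Alg || Alg <- Required, not lists:member(Alg, PublicKeys)].

%% Attempt a real ECDH key generation. crypto raises an error when the
%% OpenSSL it is linked against was built without EC support; the
%% reason term is returned untouched because its shape varies by release.
probe_ecdh(Curve) ->
    try crypto:generate_key(ecdh, Curve) of
        {_Pub, _Priv} -> ok
    catch
        error:Reason -> {error, Reason}
    end.

%% Returns {ok, Libs} when ECC is usable. Every error tuple carries
%% crypto:info_lib(), a list of {Name, VersionNumber, VersionString},
%% so a stale or vendor-patched OpenSSL is visible in the failure itself.
report() ->
    Libs = crypto:info_lib(),
    case missing(?REQUIRED, crypto:supports()) of
        [] ->
            case probe_ecdh(?CURVE) of
                ok -> {ok, Libs};
                {error, Reason} -> {error, {ecdh_failed, Reason, Libs}}
            end;
        Missing ->
            {error, {not_supported, Missing, Libs}}
    end.
```

Calling ecc_check:report() at application start makes a host with an EC-less OpenSSL fail immediately with the library version in the error, instead of at the first key exchange.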
