[erlang-questions] Crypto differences (Red Hat ECC support)

Ingela Andin ingela.andin@REDACTED
Fri Oct 3 11:10:53 CEST 2014


Hi!

2014-10-03 1:31 GMT+02:00 Steve Davis <steven.charles.davis@REDACTED>:

> Hi Ingela,
>
> Thanks for your responses. I was aware of the claimed legal issue, so I
> had already built openssl on that server from a pristine tarball (rather
> than the supplied rpms). I was frustrated and I could not understand why
> these ciphers still weren't appearing.
>
> crypto:info_lib() supplied the answer... the erlang distro was still
> pointing at the FIPS compliant openssl libraries rather than the new
> openssl install... agh!
>
>
Ah, well, that is what that function is for. Thank you for sharing the
solution. From the information I got from your first mail, the only
conclusion I could draw was that it seemed to be an OpenSSL issue on
Red Hat and not an Erlang issue, so I Googled that ... and the rest is
history ;)


Regards Ingela Erlang/OTP team - Ericsson AB


> If others face this issue:
> 1) before building openssl, export CFLAGS="-fPIC", at configure, invoke
> with the keyword "shared" then make and install as usual
> 2) once openssl is built and ec + ecparams commands are available,
> configure erlang with the explicit flag --with-ssl=/usr/local/ssl
>
> regs,
> /s
>
>
> On Oct 2, 2014, at 2:33 AM, Ingela Andin <ingela.andin@REDACTED> wrote:
>
> Hi!
>
> 2014-10-01 23:36 GMT+02:00 Steve Davis <steven.charles.davis@REDACTED>:
>
>> ...which doesn't address the issue?
>>
>>
> I think it does! It talks about the problem that ECC, especially ECDH
> support, was not available in some Red Hat distributions, it talks about
> patent problems, and also about the issue being resolved, and that
> software using OpenSSL needed to be recompiled after taking the update.
> I do not know exactly what will solve your problem, but upgrading your
> Red Hat distribution seems to be a good place to start!
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>
>
>> On Oct 1, 2014, at 4:18 PM, Ingela Andin <ingela.andin@REDACTED> wrote:
>>
>> Hi!
>>
>> Google suggests the following link:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=319901
>>
>>
>> Regards Ingela Erlang/OTP Team - Ericsson AB
>>
>> 2014-10-01 21:58 GMT+02:00 Steve Davis <steven.charles.davis@REDACTED>:
>>
>>> I'm running an app that uses ECC public keys and have discovered a
>>> problem that only appears to emerge on RedHat ...
>>>
>>> ...specifically I'm getting not_sup for crypto:generate_key for ecdh.
>>>
>>> I have built openssl 1.0.1h from source on the RH server, and 17.3 on
>>> top of that, but still I am missing ec_gf2m, ecdsa and ecdh support (see
>>> 'public_keys' section in the below repl, and the comparative from deploys
>>> on OS X and Windows).
>>>
>>> On RedHat Linux
>>> 1> crypto:supports().
>>> [{hashs,[md4,md5,sha,ripemd160,sha224,sha256,sha384,sha512]},
>>> {ciphers,[des_cbc,des_cfb,des3_cbc,des_ede3,blowfish_cbc,
>>>            blowfish_cfb64,blowfish_ofb64,blowfish_ecb,aes_cbc128,
>>>            aes_cfb8,aes_cfb128,aes_cbc256,rc2_cbc,aes_ctr,rc4,des3_cbf,
>>>            aes_ige256]},
>>> {public_keys,[rsa,dss,dh,srp]}]
>>> 2> crypto:ec_curves().
>>> [secp112r1,secp112r2,secp128r1,secp128r2,secp160k1,
>>> secp160r1,secp160r2,secp192r1,secp192k1,secp224k1,secp224r1,
>>> secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,
>>> prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,
>>> prime256v1,wtls6,wtls7,wtls8,wtls9,wtls12,brainpoolP160r1,
>>> brainpoolP160t1|...]
>>>
>>> On OSX + Windows
>>> 1> crypto:supports().
>>> [{hashs,[md4,md5,sha,ripemd160,sha224,sha256,sha384,sha512]},
>>>  {ciphers,[des_cbc,des_cfb,des3_cbc,des_ede3,blowfish_cbc,
>>>            blowfish_cfb64,blowfish_ofb64,blowfish_ecb,aes_cbc128,
>>>            aes_cfb8,aes_cfb128,aes_cbc256,rc2_cbc,aes_ctr,rc4,des3_cbf,
>>>            aes_ige256]},
>>>  {public_keys,[rsa,dss,dh,srp,ec_gf2m,ecdsa,ecdh]}]
>>> 2> crypto:ec_curves().
>>> [secp112r1,secp112r2,secp128r1,secp128r2,secp160k1,
>>>  secp160r1,secp160r2,secp192r1,secp192k1,secp224k1,secp224r1,
>>>  secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,
>>>  prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,
>>>  prime256v1,wtls6,wtls7,wtls8,wtls9,wtls12,brainpoolP160r1,
>>>  brainpoolP160t1|...]
>>>
>>> I'm hoping somebody else has faced this frustration before and found a
>>> solution...?
>>>
>>> regs,
>>> /s
>>>
>>>
>>
>>
>
>
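
An added example, not part of the original thread or of Erlang/OTP: one way to run the diagnosis described above from code, reporting the OpenSSL library that crypto is linked against together with any missing EC support. The module name `ecc_check`, its function names and the choice of `secp256r1` as the test curve are assumptions.

```erlang
%% Added example: diagnose missing ECC support in the crypto application.
-module(ecc_check).
-export([check/0, missing_ec/1, report/0]).

%% Public-key algorithms present on the OS X / Windows builds in the
%% thread and absent from the Red Hat build.
-define(EC_ALGS, [ec_gf2m, ecdsa, ecdh]).

%% Pure helper: which EC algorithms are absent from a crypto:supports()
%% result. Can be fed a captured result from another host as well.
missing_ec(Supports) ->
    PubKeys = proplists:get_value(public_keys, Supports, []),
    [Alg || Alg <- ?EC_ALGS, not lists:member(Alg, PubKeys)].

%% Repeat the call that failed in the thread. The curve is an assumption;
%% secp256r1 is listed in the crypto:ec_curves() output quoted above.
try_ecdh() ->
    try crypto:generate_key(ecdh, secp256r1) of
        {_Pub, _Priv} -> ok
    catch
        Class:Reason -> {failed, Class, Reason}
    end.

%% Collect the three facts that settled the thread: which library is
%% linked, which EC algorithms are missing, and whether keygen works.
check() ->
    {ok, _} = application:ensure_all_started(crypto),
    [{linked_libs, crypto:info_lib()},   % [{Name, VersionNum, VersionStr}]
     {missing_ec,  missing_ec(crypto:supports())},
     {ecdh_keygen, try_ecdh()}].

%% Print the result; a non-empty missing_ec list next to an unexpected
%% library version string points at a build linked to the wrong OpenSSL.
report() ->
    Result = check(),
    [io:format("~-12s ~p~n", [Key, Val]) || {Key, Val} <- Result],
    case proplists:get_value(missing_ec, Result) of
        []      -> ok;
        Missing -> {error, {no_ec_support, Missing}}
    end.
```

Calling `ecc_check:report()` at application start makes a build linked against an OpenSSL without EC support fail early instead of at the first `crypto:generate_key/2` call.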