[erlang-questions] bug : ssl losing ciphers

Nicolas Thauvin nthauvin@REDACTED
Fri Apr 8 16:13:23 CEST 2016


Hi,

  We've been trying to restrict SSL ciphers to a secure set in Yaws / OTP  
R18, but only a few of them were actually taken into account (leading to  
connection issues from old browsers).

According to the documentation, one can list the available ciphers with
ssl:cipher_suites().
For example:

[...
  {rsa,aes_256_gcm,null,sha384},
  {rsa,aes_256_cbc,sha256},
...]

Note there are 3-tuples and 4-tuples in the result.

Now, when the customised 'ciphers' SSL option is set, its content is  
processed by ssl:binary_cipher_suites/2

(Beam you up :  
https://github.com/erlang/otp/blob/maint-18/lib/ssl/src/ssl.erl#L1092)

There comes the issue: this function expects all the entries to be the
same tuple size (3 or 4) according to a matching on the first element,
losing entries from the list when they don't match the tuple size.

The patch for ssl:binary_cipher_suites/2 is trivial, but why does
ssl_cipher:suite() still return mixed-size tuples, since 4-tuples
seem to be considered backward compatible according to the comments?

Cheers,

-- Nicolas
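
The failure mode reported above, as an added Erlang sketch that is not part of the original post and is not OTP source code: `lossy/1` is a simplified model of a filter keyed on the first element's tuple size, `validate/1` is a per-entry alternative, and `dropped/1` reports what a configured list would silently lose. The module name and all function names are hypothetical.

```erlang
-module(cipher_check).
-export([lossy/1, validate/1, dropped/1, demo/0]).

%% Simplified model of the behaviour described in the post (assumption,
%% not OTP source): the head of the list selects the tuple size, and a
%% list-comprehension generator pattern silently skips every entry of
%% the other size instead of raising an error.
lossy([{_, _, _, _} | _] = Suites) ->
    [S || {_, _, _, _} = S <- Suites];
lossy([{_, _, _} | _] = Suites) ->
    [S || {_, _, _} = S <- Suites];
lossy([]) ->
    [].

%% Per-entry handling: every element is checked on its own, and anything
%% that is neither a 3-tuple nor a 4-tuple fails loudly.
validate(Suites) ->
    lists:map(fun check/1, Suites).

check({_, _, _, _} = S) -> S;
check({_, _, _} = S) -> S;
check(Other) -> erlang:error({bad_cipher_suite, Other}).

%% Entries that the size-keyed filter would lose from a configured list.
%% A non-empty result means the effective set is smaller than intended.
dropped(Suites) ->
    validate(Suites) -- lossy(Suites).

demo() ->
    %% Constructed sample built from the two tuples quoted in the post.
    Gcm = {rsa, aes_256_gcm, null, sha384},
    Cbc = {rsa, aes_256_cbc, sha256},
    %% 4-tuple first: the 3-tuple entry disappears without an error.
    [Gcm] = lossy([Gcm, Cbc]),
    [Cbc] = dropped([Gcm, Cbc]),
    %% 3-tuple first: now the 4-tuple entry is the one that is lost.
    [Cbc] = lossy([Cbc, Gcm]),
    [Gcm] = dropped([Cbc, Gcm]),
    %% A uniform list loses nothing.
    [] = dropped([Cbc, Cbc]),
    ok.
```

Running `cipher_check:demo()` returns `ok`; calling `dropped/1` on a configured 'ciphers' list before deployment shows whether mixing tuple sizes would shrink the set under this model.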


