[erlang-questions] Different SSL behaviours, how to pick ciphers?

Ingela Andin ingela.andin@REDACTED
Tue Aug 9 14:27:23 CEST 2016


Hi!

I investigated it and as it turns out it is not a bug. RFC 5246 says,

7.4.1.4.1 Signature Algorithms[...]

 Note: this extension is not meaningful for TLS versions prior to 1.2.
 Clients MUST NOT offer it if they are offering prior versions.


However the initial client hello will now be sent with the TLS record
protocol with lowest version supported, which it failed to do before and
that is
why it happened to work before. Extensions are sent for the wanted version
and should be ignored if a lower version is negotiated with exception of
signature algorithms, due to the sentence above.

Regards Ingela Erlang/OTP Team - Ericsson AB


2016-08-08 17:42 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi!
>
>
> 2016-07-13 17:27 GMT+02:00 André Cruz <andre@REDACTED>:
>
>> Hello Fred.
>>
>> > On 13 Jul 2016, at 14:41, Fred Hebert <mononcqc@REDACTED> wrote:
>> >
>> > On 07/12, André Cruz wrote:
>> >> As can be seen I cannot establish a connection using the container
>> version of Erlang. Looking at the traffic I can see that the ClientHello
>> message specifies SSLv3 ciphers, while the version that works uses TLS1.2.
>> How can I influence this choice of ciphers? Is it a problem with the
>> openssl lib in the container image?
>> >>
>> >
>> > You should at the very least have some basic configuration of SSL in
>> Erlang -- the one that ships stock isn't particularly great.
>>
>> I've found the difference in the default SSL configuration between 18.3.1
>> and 18.3.2.
>>
>> 18.3.1 uses TLS1.2 records:
>>
>> TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>>     Content Type: Handshake (22)
>>     Version: TLS 1.0 (0x0301)
>>     Length: 279
>>
>>
>> 18.3.2 uses SSL records:
>>
>> SSL Record Layer: Handshake Protocol: Client Hello
>>     Content Type: Handshake (22)
>>     Version: TLS 1.0 (0x0301)
>>     Length: 249
>>
>> It's strange to change this default in a minor version upgrade. Is this
>> something that can be configured? I've found that some SSL servers drop the
>> connection immediately when SSL records are used.
>>
>>
> Huum ... I think this was suppose to be a bug fix, maybe I got it wrong I
> will investigate.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>> Thanks,
>> André
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160809/ffa53af6/attachment.htm>


More information about the erlang-questions mailing list