[erlang-questions] OTP 20.3 has no gcm ciphers

Ingela Andin ingela.andin@REDACTED
Thu Mar 15 10:42:17 CET 2018


Hi!

I have investigated and I found the problem, alas it was not local to the
function ssl:cipher_suites/1.  It is an internal filter function that has a
problem. The patch is:


diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 62a172c..59cf05f 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2175,6 +2175,8 @@ is_acceptable_cipher(Cipher, Algos) ->

 is_acceptable_hash(null, _Algos) ->
     true;
+is_acceptable_hash(aead, _Algos) ->
+    true;
 is_acceptable_hash(Hash, Algos) ->
     proplists:get_bool(Hash, Algos).


We will make a patch.

Regards Ingela Erlang/OTP team - Ericsson AB


2018-03-15 9:38 GMT+01:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi!
>
> Well that was not intended, but I would not worry too much about it. We
> plan to deprecate the ssl:cipher_suites/1 function in 21 and this function
> is not used in runtime of the ssl application.
> I have not investigated why yet but we will fix it.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
> 2018-03-14 19:10 GMT+01:00 derek <denc716@REDACTED>:
>
>> I can reproduce the issue,  while I change to call this
>> http://erlang.org/doc/man/ssl.html#cipher_suites-2
>>
>> with 2nd argument 'tlsv1.2'  it seems still have some gcm ciphers;
>> wonder is this change intended ?   I am not seeing the change in
>> http://erlang.org/download/otp_src_20.3.readme
>>
>> 13> ssl:cipher_suites(all, 'tlsv1.2').
>> [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,
>>    mac => aead,prf => sha384},
>>  #{cipher => aes_256_gcm,key_exchange => ecdhe_rsa,mac => aead,
>>    prf => sha384},
>>  #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa,
>>    mac => sha384,prf => sha384},
>>  #{cipher => aes_256_cbc,key_exchange => ecdhe_rsa,
>>    mac => sha384,prf => sha384},
>>  #{cipher => aes_256_gcm,key_exchange => ecdh_ecdsa,
>>    mac => aead,prf => sha384},
>>  #{cipher => aes_256_gcm,key_exchange => ecdh_rsa,mac => aead,
>>    prf => sha384},
>>  #{cipher => aes_256_cbc,key_exchange => ecdh_ecdsa,
>>    mac => sha384,prf => sha384},
>>  #{cipher => aes_256_cbc,key_exchange => ecdh_rsa,
>>    mac => sha384,prf => sha384},
>>  #{cipher => chacha20_poly1305,key_exchange => ecdhe_ecdsa,
>>    mac => aead,prf => sha256},
>>  #{cipher => chacha20_poly1305,key_exchange => ecdhe_rsa,
>>    mac => aead,prf => sha256},
>>  #{cipher => chacha20_poly1305,key_exchange => dhe_rsa,
>>    mac => aead,prf => sha256},
>>  #{cipher => aes_256_gcm,key_exchange => dhe_rsa,mac => aead,
>>    prf => sha384},
>>  #{cipher => aes_256_gcm,key_exchange => dhe_dss,mac => aead,
>>    prf => sha384},
>>
>>
>>
>> On Wed, Mar 14, 2018 at 9:18 AM, Leo Liu <sdl.web@REDACTED> wrote:
>> > I just compiled Erlang 20.3 from github with openssl 1.0.1 (centos 7)
>> > and 1.0.2 (Sierra 10.12.6). ssl:cipher_suites(erlang) returns no gcm
>> > ciphers.
>> >
>>
>> > I have previously compiled 20.2 from source and it has gcm ciphers. I
>> > wonder if this is an intended change in OTP 20.3? Thanks.
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180315/f559e9db/attachment.htm>


More information about the erlang-questions mailing list