[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

Guilherme Andrade g@REDACTED
Thu Jan 3 22:29:23 CET 2019


Some people have worked around the issue by building OpenSSL separately and
statically linking it against ERTS. This does have the disadvantage of not
benefiting from distro package upgrades, though.

There's a tutorial that lists the appropriate steps[1].

(I know this doesn't solve your particular problem, but it might work out
as an alternative in case you haven't considered it already - depending on
your particular requirements.)

[1]: https://github.com/lrascao/erlang-ec2-build

On Thu, 3 Jan 2019 at 20:18, Nicholas Lundgaard <nalundgaard@REDACTED> wrote:

> Hi,
> I wanted to call ERL-823 (https://bugs.erlang.org/browse/ERL-823) to this
> list's attention. My company operates Erlang microservices in AWS on a
> kerl-built OTP installation on Amazon Linux (RedHat/CentOS-based), and
> we've encountered a serious challenge to upgrading to OTP 21: When you
> disable OpenSSL EC ciphers during an OTP build, which is necessary to build
> an OTP installation that doesn't erroneously think it has a bunch of EC
> ciphers that aren't built into the underlying OpenSSL, you're no longer
> able to connect to google.com via https (not to mention many, many other
> web properties, like much of AWS infrastructure).
> It confuses me that there is not a simpler way to align the Erlang
> crypto/ssl cipher support with the underlying openssl installation it's
> linked to, but that notwithstanding, it would be really helpful to have a
> flag to build OTP with support for RedHat/Fedora's EC cipher subset, or
> something similar to this.
> Thanks,
> —Nicholas Lundgaard
