[erlang-questions] ERL-823: SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

Guilherme Andrade g@REDACTED
Fri Jan 4 00:15:52 CET 2019

I've in the mean time noticed Nicholas mentioned custom OpenSSL builds in
the ticket, which I obviously didn't read through well enough. Long week, I
apologize for the noise.

On Thu, 3 Jan 2019 at 23:08, Guilherme Andrade <g@REDACTED> wrote:

> Fair enough :-)
> The intention behind my suggestion to Nicholas was not to misguide, but
> rather to present an alternative in case everything else fails - one that
> has worked for me in the past, albeit for different reasons (using EC
> ciphers in Amazon Linux.)
> However, this being cryptography and me a layman in it, I'll humbly atone
> for my heresy in case I've given terrible advice (no sarcasm, truly.)
> On Thu, 3 Jan 2019 at 22:11, Ingela Andin <ingela.andin@REDACTED> wrote:
>> I say it would be a lot easier to configure the erlang cipher suites the
>> way you like and skip trying to tweak OpenSSL.  Please see ERL382.
>> Regards Ingela Erlang/OTP team
>> Den tors 3 jan. 2019 kl 22:29 skrev Guilherme Andrade <g@REDACTED>:
>>> Hello,
>>> Some people have worked around the issue by building OpenSSL separately
>>> and statically linking it against ERTS. This does have the disadvantage of
>>> not benefiting from distro package upgrades, though.
>>> There's a tutorial that lists the appropriate steps[1].
>>> (I know this doesn't solve your particular problem, but it might work
>>> out as an alternative in case you haven't considered it already - depending
>>> on your particular requirements.)
>>> [1]: https://github.com/lrascao/erlang-ec2-build
>>> On Thu, 3 Jan 2019 at 20:18, Nicholas Lundgaard <nalundgaard@REDACTED>
>>> wrote:
>>>> Hi,
>>>> I wanted to call ERL-823 (https://bugs.erlang.org/browse/ERL-823) to
>>>> this list's attention. My company operates Erlang microservices in AWS on a
>>>> kerl-built OTP installation on Amazon Linux (RedHat/CentOS-based), and
>>>> we've encountered a serious challenge to upgrading to OTP 21: When you
>>>> disable OpenSSL EC ciphers during an OTP build, which is necessary to build
>>>> an OTP installation that doesn't erroneously think it has a bunch of EC
>>>> ciphers that aren't built into the underlying OpenSSL, you're no longer
>>>> able to connect to google.com via https (not to mention many, many
>>>> other web properties, like much of AWS infrastructure).
>>>> It confuses me that there is not a simpler way to align the Erlang
>>>> crypto/ssl cipher support with the underlying openssl installation it's
>>>> linked to, but that notwithstanding, It would be really helpful to have a
>>>> flag to build OTP with support for RedHat/Fedora's EC cipher subset, or
>>>> something similar to this.
>>>> Thanks,
>>>> —Nicholas Lundgaard
>>>> _______________________________________________
>>>> erlang-questions mailing list
>>>> erlang-questions@REDACTED
>>>> http://erlang.org/mailman/listinfo/erlang-questions
>>> --
>>> Guilherme
>>> _______________________________________________
>>> erlang-questions mailing list
>>> erlang-questions@REDACTED
>>> http://erlang.org/mailman/listinfo/erlang-questions
> --
> Guilherme

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20190103/1a76c9bc/attachment.htm>

More information about the erlang-questions mailing list