OTP 20.3 has no gcm ciphers

OTP 20.3 has no gcm ciphers

Leo Liu-2
I just compiled Erlang 20.3 from github with openssl 1.0.1 (centos 7)
and 1.0.2 (Sierra 10.12.6). ssl:cipher_suites(erlang) returns no gcm
ciphers.

I have previously compiled 20.2 from source and it has gcm ciphers. I
wonder if this is an intended change in OTP 20.3? Thanks.

Leo

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: OTP 20.3 has no gcm ciphers

books
I can reproduce the issue, but when I change to call this
http://erlang.org/doc/man/ssl.html#cipher_suites-2

with the 2nd argument 'tlsv1.2', it seems to still have some gcm ciphers.
I wonder, is this change intended? I am not seeing the change in
http://erlang.org/download/otp_src_20.3.readme

13> ssl:cipher_suites(all, 'tlsv1.2').
[#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,
   mac => aead,prf => sha384},
 #{cipher => aes_256_gcm,key_exchange => ecdhe_rsa,mac => aead,
   prf => sha384},
 #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa,
   mac => sha384,prf => sha384},
 #{cipher => aes_256_cbc,key_exchange => ecdhe_rsa,
   mac => sha384,prf => sha384},
 #{cipher => aes_256_gcm,key_exchange => ecdh_ecdsa,
   mac => aead,prf => sha384},
 #{cipher => aes_256_gcm,key_exchange => ecdh_rsa,mac => aead,
   prf => sha384},
 #{cipher => aes_256_cbc,key_exchange => ecdh_ecdsa,
   mac => sha384,prf => sha384},
 #{cipher => aes_256_cbc,key_exchange => ecdh_rsa,
   mac => sha384,prf => sha384},
 #{cipher => chacha20_poly1305,key_exchange => ecdhe_ecdsa,
   mac => aead,prf => sha256},
 #{cipher => chacha20_poly1305,key_exchange => ecdhe_rsa,
   mac => aead,prf => sha256},
 #{cipher => chacha20_poly1305,key_exchange => dhe_rsa,
   mac => aead,prf => sha256},
 #{cipher => aes_256_gcm,key_exchange => dhe_rsa,mac => aead,
   prf => sha384},
 #{cipher => aes_256_gcm,key_exchange => dhe_dss,mac => aead,
   prf => sha384},



On Wed, Mar 14, 2018 at 9:18 AM, Leo Liu <[hidden email]> wrote:
> I just compiled Erlang 20.3 from github with openssl 1.0.1 (centos 7)
> and 1.0.2 (Sierra 10.12.6). ssl:cipher_suites(erlang) returns no gcm
> ciphers.
>
> I have previously compiled 20.2 from source and it has gcm ciphers. I
> wonder if this is an intended change in OTP 20.3? Thanks.
Re: OTP 20.3 has no gcm ciphers

Ingela Andin
Hi!

Well that was not intended, but I would not worry too much about it. We plan to deprecate the ssl:cipher_suites/1 function in 21 and this function is not used in runtime of the ssl application.
I have not investigated why yet but we will fix it.

Regards Ingela Erlang/OTP team - Ericsson AB

Re: OTP 20.3 has no gcm ciphers

Ingela Andin

Hi!

I have investigated and I found the problem; alas, it was not local to the function ssl:cipher_suites/1. It is an internal filter function that has a problem. The patch is:


diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 62a172c..59cf05f 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -2175,6 +2175,8 @@ is_acceptable_cipher(Cipher, Algos) ->
 
 is_acceptable_hash(null, _Algos) ->
     true;
+is_acceptable_hash(aead, _Algos) ->
+    true;
 is_acceptable_hash(Hash, Algos) ->
     proplists:get_bool(Hash, Algos).
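
Review bot: The new is_acceptable_hash(aead, _Algos) clause has no comment explaining why aead skips the Algos lookup, and the patch touches only lib/ssl/src/ssl_cipher.erl with no test alongside it. aead appears in the mac position of the suites but is not a hash name that the proplists:get_bool(Hash, Algos) fallback could find, so a one-line comment to that effect next to the null clause would keep the special case from being dropped in a later cleanup. With this clause returning true unconditionally, whether an AEAD suite is accepted rests on the remaining checks such as is_acceptable_cipher/2 (visible in the hunk header), so a regression test asserting that the filtered suite list still contains the GCM suites would be a good addition.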


We will make a patch.

Regards Ingela Erlang/OTP team - Ericsson AB
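
A simplified model of the filter problem described in the message above, added here as an illustration; it is not OTP's code and not part of the original post. It shows why every suite whose mac is aead is dropped when only null is special-cased. The module name aead_filter_demo, the helper names, the sample suites and the hash list are assumptions constructed for the example.

```erlang
-module(aead_filter_demo).
-export([run/0]).

%% Hash check before the patch: only `null` is special-cased, so the
%% pseudo-MAC `aead` is looked up in the hash list and not found.
hash_ok_before(null, _Algos) -> true;
hash_ok_before(Hash, Algos) -> proplists:get_bool(Hash, Algos).

%% Hash check with the extra clause from the patch.
hash_ok_after(null, _Algos) -> true;
hash_ok_after(aead, _Algos) -> true;
hash_ok_after(Hash, Algos) -> proplists:get_bool(Hash, Algos).

%% Constructed sample: suite maps in the shape printed by
%% ssl:cipher_suites(all, 'tlsv1.2') earlier in the thread.
suites() ->
    [#{cipher => aes_256_gcm, key_exchange => ecdhe_rsa,
       mac => aead, prf => sha384},
     #{cipher => aes_256_cbc, key_exchange => ecdhe_rsa,
       mac => sha384, prf => sha384},
     #{cipher => chacha20_poly1305, key_exchange => ecdhe_rsa,
       mac => aead, prf => sha256}].

%% Assumed list of supported hashes (constructed for this example).
hashes() -> [sha, sha256, sha384].

%% Keep only the suites whose mac passes the given hash check.
filter(HashOk, Suites, Algos) ->
    [S || #{mac := Mac} = S <- Suites, HashOk(Mac, Algos)].

ciphers(Suites) -> [C || #{cipher := C} <- Suites].

run() ->
    Before = filter(fun hash_ok_before/2, suites(), hashes()),
    After = filter(fun hash_ok_after/2, suites(), hashes()),
    %% Without the aead clause only the CBC suite survives the filter.
    [aes_256_cbc] = ciphers(Before),
    %% With it, the AEAD suites are kept and the order is unchanged.
    [aes_256_gcm, aes_256_cbc, chacha20_poly1305] = ciphers(After),
    Dropped = ciphers(After -- Before),
    io:format("dropped before the patch: ~p~n", [Dropped]),
    Dropped.
```

Compile with c(aead_filter_demo). in an Erlang shell and call aead_filter_demo:run().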


Re: OTP 20.3 has no gcm ciphers

Leo Liu-2

> On 15 Mar 2018, at 17:42, Ingela Andin <[hidden email]> wrote:
>
> I have investigated and I found the problem, alas it was not local to the function ssl:cipher_suites/1.

Thanks for the fix.

Leo