[centos-7] With newer Erlang versions has the elliptic curve crypto situation changed?


Bryan Hunt

Hi,

Before, when building OTP I always set the compile time option to disable elliptic curve cryptography using the
CFLAGS environmental variable (RHEL doesn’t ship with it) :

```
export CFLAGS="-DOPENSSL_NO_EC=1"
./otp_build configure  \
        --without-odbc \
        --without-cosEventDomain \
        --without-cosEvent \
        --without-cosFileTransfer \
        --without-cosNotification \
        --without-cosProperty \
        --without-cosTime \
        --without-cosTransactions \
        --without-debugger \
        --without-et \
        --without-gs \
        --without-ic \
        --without-javac \
        --without-jinterface \
        --without-megaco \
        --without-observer \
        --without-orber \
        --without-percept \
        --without-typer \
        --without-wx \
        --without-tv \
        --without-diameter \
        --without-hipe
```

And that still works for the older versions.

But when applied to OTP-21.0-rc1 I receive the following error :

```
gmake[6]: Entering directory `/root/otp/lib/crypto/c_src'
 CC     ../priv/obj/x86_64-unknown-linux-gnu/crypto.o
In file included from /usr/include/openssl/ecdh.h:78:0,
                 from /usr/include/openssl/engine.h:86,
                 from crypto.c:63:
/usr/include/openssl/ec.h:82:4: error: #error EC is disabled.
 #  error EC is disabled.
    ^
gmake[6]: Leaving directory `/root/otp/lib/crypto/c_src'
gmake[6]: *** [../priv/obj/x86_64-unknown-linux-gnu/crypto.o] Error 1
gmake[5]: *** [release_spec] Error 2
gmake[5]: Leaving directory `/root/otp/lib/crypto/c_src'
gmake[4]: *** [release] Error 2
gmake[4]: Leaving directory `/root/otp/lib/crypto/c_src'
gmake[3]: *** [release] Error 2
gmake[3]: Leaving directory `/root/otp/lib/crypto/c_src'
gmake[2]: *** [release] Error 2
gmake[2]: Leaving directory `/root/otp/lib/crypto'
gmake[1]: Leaving directory `/root/otp/lib'
gmake[1]: *** [release] Error 2
gmake: *** [release] Error 2
The command '/bin/sh -c ./build-erlang.sh' returned a non-zero code: 1
Unable to find image 'bryanhuntesl/centos7-erlang:OTP-21.0-rc1' locally
docker: Error response from daemon: manifest for bryanhuntesl/centos7-erlang:OTP-21.0-rc1 not found.
See 'docker run --help’.
```

Has this behaviour changed recently ?

Bryan





_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: [centos-7] With newer Erlang versions has the elliptic curve crypto situation changed?

Hans Nilsson R (AL/EAB)
Thanks!

Will be fixed in OTP-21.0-rc2 and in a patch on OTP-20 which also has this error.

It is the engine support down in openssl that has problems, so I simply disable our engine support if EC is disabled.

/Hans

On 05/03/2018 09:23 PM, Bryan Hunt wrote:

>
> Hi,
>
> Before, when building OTP I always set the compile time option to disable elliptic curve cryptography using the
> CFLAGS environmental variable (RHEL doesn’t ship with it) :
>
> ```
> export CFLAGS="-DOPENSSL_NO_EC=1"
> ./otp_build configure  \
>         --without-odbc \
>         --without-cosEventDomain \
>         --without-cosEvent \
>         --without-cosFileTransfer \
>         --without-cosNotification \
>         --without-cosProperty \
>         --without-cosTime \
>         --without-cosTransactions \
>         --without-debugger \
>         --without-et \
>         --without-gs \
>         --without-ic \
>         --without-javac \
>         --without-jinterface \
>         --without-megaco \
>         --without-observer \
>         --without-orber \
>         --without-percept \
>         --without-typer \
>         --without-wx \
>         --without-tv \
>         --without-diameter \
>         --without-hipe
> ```
>
> And that still works for the older versions.
>
> But when applied to OTP-21.0-rc1 I receive the following error :
>
> ```
> gmake[6]: Entering directory `/root/otp/lib/crypto/c_src'
>  CC     ../priv/obj/x86_64-unknown-linux-gnu/crypto.o
> In file included from /usr/include/openssl/ecdh.h:78:0,
>                  from /usr/include/openssl/engine.h:86,
>                  from crypto.c:63:
> /usr/include/openssl/ec.h:82:4: error: #error EC is disabled.
>  #  error EC is disabled.
>     ^
> gmake[6]: Leaving directory `/root/otp/lib/crypto/c_src'
> gmake[6]: *** [../priv/obj/x86_64-unknown-linux-gnu/crypto.o] Error 1
> gmake[5]: *** [release_spec] Error 2
> gmake[5]: Leaving directory `/root/otp/lib/crypto/c_src'
> gmake[4]: *** [release] Error 2
> gmake[4]: Leaving directory `/root/otp/lib/crypto/c_src'
> gmake[3]: *** [release] Error 2
> gmake[3]: Leaving directory `/root/otp/lib/crypto/c_src'
> gmake[2]: *** [release] Error 2
> gmake[2]: Leaving directory `/root/otp/lib/crypto'
> gmake[1]: Leaving directory `/root/otp/lib'
> gmake[1]: *** [release] Error 2
> gmake: *** [release] Error 2
> The command '/bin/sh -c ./build-erlang.sh' returned a non-zero code: 1
> Unable to find image 'bryanhuntesl/centos7-erlang:OTP-21.0-rc1' locally
> docker: Error response from daemon: manifest for bryanhuntesl/centos7-erlang:OTP-21.0-rc1 not found.
> See 'docker run --help’.
> ```
>
> Has this behaviour changed recently ?
>
> Bryan

Re: [centos-7] With newer Erlang versions has the elliptic curve crypto situation changed?

Bryan Hunt
Great, thanks for the quick response Hans. B

> On 4 May 2018, at 10:54, Hans Nilsson R <[hidden email]> wrote:
>
> Thanks!
>
> Will be fixed in OTP-21.0-rc2 and in a patch on OTP-20 which also has this error.
>
> It is the engine support down in openssl that has problems, so I simply disable our engine support if EC is disabled.
>
> /Hans

Re: [centos-7] With newer Erlang versions has the elliptic curve crypto situation changed?

Hans Nilsson R (AL/EAB)
The patch will be OTP-20.3.6 next week.

I'm sorry, but we will not do a patch on earlier 20 releases. However, the new crypto (crypto-4.2.2) *could* work in an OTP-20.2 environment, but I haven't tried.

/Hans

On 05/04/2018 02:07 PM, Nicholas Lundgaard wrote:

> Hans,
>
> Regarding this issue, which 20.x versions will this patch be applied to? Is it possible to have a 20.2.x patch in addition to the one for the latest 20.3.x?
>
> If it's possible to know what the timeframe is on a patch release, I would really appreciate it. We deploy onto CentOS 6/7 at my company; just last night I was working on updating our Erlang version from 20.1.7 to 20.2.4 and encountered this issue. We would remain on 20.1.7, but it has an issue with SSL Server Name Indication that has been fixed in 20.2 [1], which has caused us problems recently.
>
> Thanks,
> —Nicholas Lundgaard
>
> [1]: https://github.com/erlang/otp/commit/78a9a09af9216a2dea454f561e0774e67a15c361
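The failure in this thread comes from the include chain visible in the build log (`crypto.c` includes `engine.h`, which includes `ecdh.h`, which includes `ec.h`, which stops with `#error EC is disabled.` once `OPENSSL_NO_EC` is defined). As an added example, not code from the thread or from OTP, this POSIX sh pre-build check flags that combination before `otp_build` runs. The function names and the sample header tree are constructed, and the textual include scan ignores `#if` guards.

```shell
# Added example, not OTP build code. Function names are hypothetical.

# list_includes FILE: print the openssl/*.h names that FILE includes.
list_includes() {
    sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*<openssl\/\([^>]*\)>.*/\1/p' "$1"
}

# reaches_ec INCDIR START: succeed if START pulls in ec.h, directly or via
# other openssl headers. #if guards are ignored, so a hit means "possible".
reaches_ec() {
    incdir=$1; todo=$2; seen=" "
    while :; do
        set -- $todo                      # split the worklist into words
        [ $# -gt 0 ] || return 1          # worklist empty: ec.h not reached
        hdr=$1; shift; todo=$*
        case "$seen" in *" $hdr "*) continue ;; esac
        seen="$seen$hdr "
        [ "$hdr" = ec.h ] && return 0
        [ -f "$incdir/openssl/$hdr" ] || continue
        todo="$todo $(list_includes "$incdir/openssl/$hdr" | tr '\n' ' ')"
    done
}

# ec_is_hard_error INCDIR: succeed if ec.h carries the "#error" from the log.
ec_is_hard_error() {
    grep -q '^[[:space:]]*#[[:space:]]*error[[:space:]]*EC is disabled' "$1/openssl/ec.h" 2>/dev/null
}

# check_no_ec_build INCDIR CFLAGS: print "conflict" if CFLAGS define
# OPENSSL_NO_EC while engine.h still leads to an ec.h that #errors, else "ok".
check_no_ec_build() {
    case " $2 " in
        *" -DOPENSSL_NO_EC "*|*" -DOPENSSL_NO_EC="*) ;;
        *) echo ok; return 0 ;;
    esac
    reaches_ec "$1" engine.h && ec_is_hard_error "$1" && { echo conflict; return 0; }
    echo ok
}

# make_sample_tree DIR: constructed headers mirroring the chain in the log.
make_sample_tree() {
    mkdir -p "$1/openssl"
    printf '#include <openssl/ecdh.h>\n' > "$1/openssl/engine.h"
    printf '#include <openssl/ec.h>\n' > "$1/openssl/ecdh.h"
    printf '#ifdef OPENSSL_NO_EC\n#  error EC is disabled.\n#endif\n' > "$1/openssl/ec.h"
}

# Demo on the constructed tree; prints "conflict".
demo_dir=$(mktemp -d) && make_sample_tree "$demo_dir"
check_no_ec_build "$demo_dir" '-DOPENSSL_NO_EC=1'; rm -rf "$demo_dir"
```

Against a real system, pass the OpenSSL include prefix and the build flags, for example `check_no_ec_build /usr/include "$CFLAGS"`.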