Uploaded image for project: 'Erlang/OTP'
  1. Erlang/OTP
  2. ERL-1144

Cipher suites are not always filtered against crypto support

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OTP 22.1.1
    • Fix Version/s: OTP-22.2.4
    • Component/s: ssl
    • Labels:

      Description

      When using the option:

       

      ssl:cipher_suites(all, 'tlsv1.2')

       

      It's possible to get suites that aren't supported by the underlying crypto lib.

       

      According to the docs: https://erlang.org/doc/man/ssl.html#type-cipher_suites  this appears to be the way to increase compatibility with older servers, but it can lead to failed connections if a suite is negotiated that isn't actually supported.

       

      When the ciphers option is left blank, the default behaviour is to filter suites:

      https://github.com/erlang/otp/blob/OTP-22.2.1/lib/ssl/src/ssl.erl#L2273

      And when the deprecated /1 arity method is used, that's also filtered:

       

      ssl:cipher_suites(all)

       

      https://github.com/erlang/otp/blob/OTP-22.2.1/lib/ssl/src/ssl.erl#L1447

       

      It would make sense IMO to either use available_suites instead of supported_suites in ssl:cipher_suites/2,3 or to document the ssl_cipher:filter_suites should be used manually when asking for all tlsv1.2 ciphers.

        Attachments

          Activity

            People

            Assignee:
            otp_team_ps Team PS
            Reporter:
            jwheare James Wheare
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: