Erlang/OTP / ERL-823

SSL cipher_suites too limited when compiling with OPENSSL_NO_EC=1

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 21.0, 21.1, 21.2
    • Fix Version/s: None
    • Component/s: crypto, ssl
    • Labels:
      None

      Description

      Many companies, including my own, use Erlang/OTP built and running on a RedHat/CentOS/Fedora-based Linux system, such as Amazon Linux. These systems use a customized OpenSSL installation that eschews most elliptic curve ciphers due to patent concerns on the part of RedHat. This means that, in order to get a reliable working Erlang installation on the platform, a developer's only option (outside of baking one's own OpenSSL, a generally discouraged practice for enterprise systems) is to compile Erlang/OTP with:

      export CFLAGS="-O2 -g -DOPENSSL_NO_EC=1"

      I and others have reported a lot more about this issue under the Erlang/OTP building utility kerl: See kerl/kerl#212 and kerl/kerl#279.

      Now, using OPENSSL_NO_EC=1 has worked fine for all Erlang/OTP releases through Erlang/OTP 20.3 (with the exception of 20.0-20.2, which had a compilation bug). Unfortunately, as of Erlang/OTP 21.0, the available cipher_suites when building OTP in this way are so pared down that you really can't use SSL at all.

      In OTP 20.3 built with OPENSSL_NO_EC=1, this was the available list of ciphers in the ssl module:

      Erlang/OTP 20 [erts-9.3.3.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:10] [hipe] [kernel-poll:false]
      
      Eshell V9.3.3.3  (abort with ^G)
      1> ssl:cipher_suites().
      [{dhe_rsa,aes_256_gcm,aead,sha384},
       {dhe_dss,aes_256_gcm,aead,sha384},
       {dhe_rsa,aes_256_cbc,sha256},
       {dhe_dss,aes_256_cbc,sha256},
       {rsa,aes_256_gcm,aead,sha384},
       {rsa,aes_256_cbc,sha256},
       {dhe_rsa,aes_128_gcm,aead,sha256},
       {dhe_dss,aes_128_gcm,aead,sha256},
       {dhe_rsa,aes_128_cbc,sha256},
       {dhe_dss,aes_128_cbc,sha256},
       {rsa,aes_128_gcm,aead,sha256},
       {rsa,aes_128_cbc,sha256},
       {dhe_rsa,aes_256_cbc,sha},
       {dhe_dss,aes_256_cbc,sha},
       {rsa,aes_256_cbc,sha},
       {dhe_rsa,aes_128_cbc,sha},
       {dhe_dss,aes_128_cbc,sha},
       {rsa,aes_128_cbc,sha},
       {dhe_rsa,'3des_ede_cbc',sha},
       {dhe_dss,'3des_ede_cbc',sha},
       {rsa,'3des_ede_cbc',sha}]
      

      In Erlang/OTP 21 built with OPENSSL_NO_EC=1, this is the list:

      Erlang/OTP 21 [erts-10.2.1] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [hipe]
      
      Eshell V10.2.1  (abort with ^G)
      1> ssl:cipher_suites().
      [{dhe_rsa,aes_256_gcm,aead,sha384},
       {dhe_dss,aes_256_gcm,aead,sha384},
       {dhe_rsa,aes_256_cbc,sha256},
       {dhe_dss,aes_256_cbc,sha256},
       {dhe_rsa,aes_128_gcm,aead,sha256},
       {dhe_dss,aes_128_gcm,aead,sha256},
       {dhe_rsa,aes_128_cbc,sha256},
       {dhe_dss,aes_128_cbc,sha256},
       {dhe_rsa,aes_256_cbc,sha},
       {dhe_dss,aes_256_cbc,sha},
       {dhe_rsa,aes_128_cbc,sha},
       {dhe_dss,aes_128_cbc,sha}]
      

      The cipher suites have been cut from 21 to 12, and as a result, clients can't even negotiate an SSL connection to google.com:

      =INFO REPORT==== 3-Jan-2019::09:12:44.709649 ===
      TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure
      
      {error,{failed_connect,[{to_address,{"google.com",443}},
                              {inet,[inet],{tls_alert,"handshake failure"}}]}}
      

      Not to mention many other important HTTPS servers, like most of AWS's internal services (S3, DynamoDB, etc.).

      It would be ideal if Erlang/OTP actually consulted the linked OpenSSL installation for available ciphers during compilation, since they can be consulted directly. However, barring that, perhaps it is possible to provide a compilation option that would allow RedHat/CentOS users to build an OTP with some, but not all, of the EC ciphers and the attendant SSL cipher suites.
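Added example (not part of the original report and not Erlang/OTP code): a short Python script that parses the two `ssl:cipher_suites()` listings quoted in the description and reports which suites dropped out of the default list between the OTP 20.3 and OTP 21 builds. The function names `parse` and `diff` are this example's own.

```python
import re
from collections import Counter

# ssl:cipher_suites() output copied from the two shell sessions in the report.
OTP_20_3 = """
{dhe_rsa,aes_256_gcm,aead,sha384}, {dhe_dss,aes_256_gcm,aead,sha384},
{dhe_rsa,aes_256_cbc,sha256}, {dhe_dss,aes_256_cbc,sha256},
{rsa,aes_256_gcm,aead,sha384}, {rsa,aes_256_cbc,sha256},
{dhe_rsa,aes_128_gcm,aead,sha256}, {dhe_dss,aes_128_gcm,aead,sha256},
{dhe_rsa,aes_128_cbc,sha256}, {dhe_dss,aes_128_cbc,sha256},
{rsa,aes_128_gcm,aead,sha256}, {rsa,aes_128_cbc,sha256},
{dhe_rsa,aes_256_cbc,sha}, {dhe_dss,aes_256_cbc,sha}, {rsa,aes_256_cbc,sha},
{dhe_rsa,aes_128_cbc,sha}, {dhe_dss,aes_128_cbc,sha}, {rsa,aes_128_cbc,sha},
{dhe_rsa,'3des_ede_cbc',sha}, {dhe_dss,'3des_ede_cbc',sha},
{rsa,'3des_ede_cbc',sha}
"""
OTP_21 = """
{dhe_rsa,aes_256_gcm,aead,sha384}, {dhe_dss,aes_256_gcm,aead,sha384},
{dhe_rsa,aes_256_cbc,sha256}, {dhe_dss,aes_256_cbc,sha256},
{dhe_rsa,aes_128_gcm,aead,sha256}, {dhe_dss,aes_128_gcm,aead,sha256},
{dhe_rsa,aes_128_cbc,sha256}, {dhe_dss,aes_128_cbc,sha256},
{dhe_rsa,aes_256_cbc,sha}, {dhe_dss,aes_256_cbc,sha},
{dhe_rsa,aes_128_cbc,sha}, {dhe_dss,aes_128_cbc,sha}
"""

def parse(text):
    """Parse printed Erlang suite tuples into Python tuples, keeping order."""
    return [tuple(f.strip().strip("'") for f in body.split(","))
            for body in re.findall(r"\{([^{}]*)\}", text)]

def diff(old_text, new_text):
    """Summarize which default suites disappeared between two builds."""
    old, new = parse(old_text), parse(new_text)
    gone = [s for s in old if s not in set(new)]
    return {
        "removed": gone,
        "added": [s for s in new if s not in set(old)],
        "removed_by_key_exchange": Counter(s[0] for s in gone),
        "removed_by_cipher": Counter(s[1] for s in gone),
        "remaining_key_exchanges": sorted({s[0] for s in new}),
    }

if __name__ == "__main__":
    report = diff(OTP_20_3, OTP_21)
    for suite in report["removed"]:
        print("removed:", suite)
    print("remaining key exchanges:", report["remaining_key_exchanges"])
```

On the two listings above it reports nine removed suites: the seven with `rsa` key exchange and the two other `3des_ede_cbc` suites, leaving only `dhe_rsa` and `dhe_dss` key exchanges in the OTP 21 default list.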

              People

              Assignee:
              ingela Ingela Anderton Andin
              Reporter:
              nalundgaard Nicholas Lundgaard
              Votes:
              1
              Watchers:
              4
