Problems with PFS Ciphers and erlang R16B03


Bernd May

Jan 30, 2015, 6:12:13 AM
to rabbitm...@googlegroups.com
Hi List,

I have had some problems with the ssl configuration of rabbitmq the past two weeks concerning supported cipher suites. It appears that when using erlang R16B03, though the ssl libraries seem to support it, using PFS ciphers only will cause an 'insufficient security' ssl alert and fatal error during connection setup between client and server. Whenever I add a non-(ec)dhe cipher to the list the connection setup works.

I have written a small erlang client and server according to this documentation http://www.erlang.org/doc/apps/ssl/using_ssl.html and confirmed that this is indeed caused by erlang ssl servers running on R16B03. I have yet to determine the actual cause, but so far it seems there is a problem with the cipher negotiation resulting in an empty cipher set overlap of client and server supported ciphers. I have also posted my findings to the erlang mailing list, including the fact that when using a 17.4 erlang ssl server the connection setup works.

I have yet to get my hands on a ubuntu package for R16B03-1; I have heard there were some ssl fixes that might affect this bug. Maybe it would be good advice to increase the recommended version to R16B03-1 or at least add a note to the ssl section in the rabbitmq installation guide.

Regards

Bernd
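The kind of loopback check described above, as an added example that is not Bernd's client/server and not RabbitMQ code: it filters the local Erlang ssl suite list down to ephemeral (PFS) key exchanges, computes the server/client overlap that the negotiation depends on, and runs a loopback handshake with a given suite list so an 'insufficient security' failure can be reproduced against a specific OTP release. The certificate and key paths are placeholders you must replace; the `ssl:cipher_suites/0`, `ssl:ssl_accept/1` and `ssl:connection_info/1` calls are the R16/17-era API the thread concerns.

```erlang
%% pfs_check.erl: constructed diagnostic module, not code from the thread.
-module(pfs_check).
-export([pfs_suites/0, overlap/2, handshake_test/1]).

-define(CERT, "/path/to/cert.pem").   %% placeholder, replace
-define(KEY,  "/path/to/key.pem").    %% placeholder, replace
-define(PFS_KX, [dhe_rsa, dhe_dss, ecdhe_rsa, ecdhe_ecdsa]).

%% Suites the local ssl application advertises whose key exchange is
%% ephemeral, i.e. the forward-secret subset. Match on element/2 so
%% 3- and 4-tuple suite representations both work.
pfs_suites() ->
    [S || S <- ssl:cipher_suites(), lists:member(element(1, S), ?PFS_KX)].

%% Negotiation can only pick from the intersection of both lists; an
%% empty overlap is what an insufficient_security alert reflects.
overlap(ServerSuites, ClientSuites) ->
    [S || S <- ServerSuites, lists:member(S, ClientSuites)].

%% Loopback handshake with the same suite list on both sides.
%% Returns {ok, {Version, Suite}} on success or {error, Reason}.
handshake_test(Suites) ->
    ssl:start(),
    {ok, LSock} = ssl:listen(0, [{certfile, ?CERT}, {keyfile, ?KEY},
                                 {ciphers, Suites}, {reuseaddr, true}]),
    {ok, {_, Port}} = ssl:sockname(LSock),
    Parent = self(),
    spawn(fun() ->
              case ssl:transport_accept(LSock) of
                  {ok, TSock} -> Parent ! {server, ssl:ssl_accept(TSock)};
                  Err -> Parent ! {server, Err}
              end
          end),
    Client = ssl:connect("localhost", Port, [{ciphers, Suites}]),
    ServerResult = receive {server, R} -> R after 5000 -> {error, timeout} end,
    ssl:close(LSock),
    case {Client, ServerResult} of
        {{ok, CSock}, ok} ->
            Info = ssl:connection_info(CSock),   %% {ok, {Version, Suite}}
            ssl:close(CSock),
            Info;
        {{ok, CSock}, ServerErr} -> ssl:close(CSock), ServerErr;
        {ClientErr, _} -> ClientErr
    end.
```

Calling `pfs_check:handshake_test(pfs_check:pfs_suites())` on the affected release should surface the alert from the report, while adding one non-ephemeral suite to the list should make it return `{ok, _}`.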

Michael Klishin

Jan 30, 2015, 9:12:37 AM
to Bernd May, rabbitm...@googlegroups.com
On 30 January 2015 at 17:09:44, Bernd May (er...@cs.tu-berlin.de) wrote:
> I have yet to get my hands on a ubuntu package for R16B03-1; I have
> heard there were some ssl fixes that might affect this bug. Maybe
> it would be good advice to increase the recommended version to
> R16B03-1 or at least add a note to the ssl section in the rabbitmq
> installation guide.

Bernd,

Thank you for reporting this. I believe bumping the recommended version to R16B03-1
is reasonable. In fact, there are other (minor) issues that make me wonder if we should
recommend 17.x.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Gotthard, Petr

Jan 30, 2015, 9:44:23 AM
to Michael Klishin, Bernd May, rabbitm...@googlegroups.com
We also faced a TLS issue in Erlang R16B03-1 recently. The openssl-initiated connection was terminated by Erlang and a function_clause error was reported.

The [erlang-questions] list stated that "There have been several changes that went into R16B03 and R17 concerning the curve selection."
http://erlang.org/pipermail/erlang-questions/2014-March/078141.html

Based on this answer I’d say that 17.x should be recommended at least for those who face some TLS related issues.


Petr

Michael Klishin

Jan 30, 2015, 9:48:23 AM
to Bernd May, rabbitm...@googlegroups.com, Gotthard, Petr
On 30 January 2015 at 17:44:20, Gotthard, Petr (petr.g...@honeywell.com) wrote:
> We also faced a TLS issue in Erlang R16B03-1 recently. The openssl-initiated
> connection was terminated by Erlang and a function_clause error
> was reported.
>
> The [erlang-questions] list stated that "There have been several
> changes that went into R16B03 and R17 concerning the curve selection."
> http://erlang.org/pipermail/erlang-questions/2014-March/078141.html
>
> Based on this answer I’d say that 17.x should be recommended at
> least for those who face some TLS related issues.

Recommended, yes. But not required. There are no major issues in R16B01 as far
as we can see: using ECC or PFS ciphers is not what most users do, at least today.

We'll try to make it clearer that 17.x is recommended for TLS and why. But the required
version should stay R16B01 for now.