nickva commented on a change in pull request #5:
URL: https://github.com/apache/couchdb-mochiweb/pull/5#discussion_r640024067
##########
File path: src/mochiweb_socket.erl
##########
@@ -29,11 +29,22 @@ listen(Ssl, Port, Opts, SslOpts) ->
gen_tcp:listen(Port, Opts)
end.
+-ifdef(new_ssl_unavailable).
add_unbroken_ciphers_default(Opts) ->
Default = filter_unsecure_cipher_suites(ssl:cipher_suites()),
Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts,
Default)),
[{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
+-else.
+add_unbroken_ciphers_default(Opts) ->
+ CipherSuitesListMap = ssl:cipher_suites(default, 'tlsv1.3'),
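Review bot: the `-else` branch hardcodes `ssl:cipher_suites(default, 'tlsv1.3')`, but the `new_ssl_unavailable` macro only selects which ssl API shape is compiled against; it says nothing about whether the running OTP release can negotiate TLS 1.3, so on a release that has `ssl:cipher_suites/2` without 1.3 support this raises `function_clause` at listen time. Derive the version list from the `versions` option (or the `supported` entry of `ssl:versions()`) and query `ssl:cipher_suites(default, V)` per version, or at least wrap the call in a `try ... catch error:function_clause` with a fallback to `'tlsv1.2'`.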
Review comment:
This might not always be true. `tlsv1.3` might not be available. Notice
in Erlang 22 on MacOS BigSur:
```
% asdf shell erlang 21.3.8.15
% erl
Erlang/OTP 21 [erts-10.3.5.11] [source] [64-bit] [smp:12:12] [ds:12:12:10]
[async-threads:1] [hipe]
Eshell V10.3.5.11 (abort with ^G)
1> ssl:versions().
[{ssl_app,"9.2"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{supported_dtls,['dtlsv1.2',dtlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available_dtls,['dtlsv1.2',dtlsv1]}]
2> ssl:cipher_suites(default, 'tlsv1.3').
** exception error: no function clause matching
ssl_cipher:suites('tlsv1.3') (ssl_cipher.erl, line 253)
in function ssl:cipher_suites/2 (ssl.erl, line 909)
```
In this case I think we'd want to look at the `versions` options after it
has been filtered with `add_safe_protocol_version/1`, or maybe switch the order
of:
```
Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
Opts2 = add_safe_protocol_versions(Opts1)
```
to
```
Opts1 = add_safe_protocol_versions(Opts),
Opts2 = add_unbroken_ciphers_default(Opts1 ++ SslOpts),
```
Then query `ssl:cipher_suites(default, Version)` for each Version and gather
the suites in a list that way.
--
This is an automated message from the Apache Git Service.
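A sketch of the per-version gathering suggested in the review comment, added here as an example and not part of the pull request or mochiweb's own code. It assumes the `versions` option has already passed through the filtering step the reviewer refers to, and uses only `ssl:versions/0` and `ssl:cipher_suites/2` from OTP:

```erlang
%% Added example (not mochiweb's code): collect default cipher suites for
%% every TLS version that is both requested in Opts and supported by the
%% running OTP release, instead of hardcoding 'tlsv1.3'.
-module(cipher_suites_by_version).
-export([add_ciphers_for_versions/1, default_cipher_suites/1]).

%% Opts is the ssl option proplist; its `versions` entry is assumed to have
%% been filtered already. Replaces any existing `ciphers` entry with the
%% gathered list, mirroring the shape used in the PR.
add_ciphers_for_versions(Opts) ->
    Ciphers = default_cipher_suites(Opts),
    [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].

%% Returns a de-duplicated list of cipher suite maps (OTP >= 21 format).
default_cipher_suites(Opts) ->
    %% `supported` is what this OTP can actually negotiate; see the
    %% ssl:versions() output quoted in the review.
    Supported = proplists:get_value(supported, ssl:versions(), []),
    Requested = proplists:get_value(versions, Opts, Supported),
    %% A version that is requested but unknown to this release (e.g.
    %% 'tlsv1.3' on OTP 21) would make ssl:cipher_suites/2 raise
    %% function_clause, so intersect with the supported list first.
    Versions = [V || V <- Requested, lists:member(V, Supported)],
    lists:usort(lists:append([suites_for(V) || V <- Versions])).

%% Defensive wrapper: treat a missing ssl_cipher clause for a version as
%% "no suites for this version" rather than crashing the listener.
suites_for(Version) ->
    try
        ssl:cipher_suites(default, Version)
    catch
        error:function_clause -> []
    end.
```

With `{versions, ['tlsv1.3', 'tlsv1.2']}` in Opts on an OTP 21 node, only the TLS 1.2 suites are returned; on a release that supports 1.3, both sets are merged.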