[erlang-questions] Does Erlang/OTP SSL app have heartbleed vulnerability?
Ingela Andin
ingela.andin@REDACTED
Tue Apr 8 09:38:03 CEST 2014
Hi!
2014-04-08 6:37 GMT+02:00 Danil Zagoskin <z@REDACTED>:
> Hello!
>
> Recently heartbleed bug was found in openssl: http://heartbleed.com/
>
>
As far as I know, OTP SSL and crypto apps use openssl, but some of SSL
> handshake logic is rewritten in Erlang.
>
All of the SSL/TLS handshake logic is written in Erlang. Only OpenSSLs
crypto library is used directly via the crypto application or indirectly
via the public_key application. The crypto library is used to perform
encryption/decryption/verification - operations (number crunching).
So this OpenSSL bug will not effect Erlangs SSL/TLS-application. But if an
OpenSSL client/server communicates with a
Erlang client/server you can of course still have a problem.
> Grepping lib/ssl and lib/crypto sources for 'heartbeat' didn't give any
> results.
> I have not found any tool to check a server for the vulnerability either.
>
> So, should anyone using SSL in OTP immediately upgrade openssl to fix this
> bug?
>
>
>
Well not for the sake of Erlang, but this is probably a good idea anyway.
Regards Ingela Erlang/OTP team - Ericsson AB
> --
> Danil Zagoskin | z@REDACTED
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140408/55cb748a/attachment.htm>
More information about the erlang-questions
mailing list