[erlang-questions] Does Erlang/OTP SSL app have heartbleed vulnerability?

Ingela Andin ingela.andin@REDACTED
Tue Apr 8 09:54:43 CEST 2014


Hi!

2014-04-08 6:58 GMT+02:00 Alex Wilson <alex@REDACTED>:

> On 8 Apr 2014, at 2:37 pm, Danil Zagoskin <z@REDACTED> wrote:
> > As far as I know, OTP SSL and crypto apps use openssl, but some of the SSL
> > handshake logic is rewritten in Erlang.
>
> From my reading, it's more like all of the handshake logic is in Erlang.


Yes it is!


> It really looks like it only uses OpenSSL for the crypto features like
> ciphers. The code to encode/decode TLS extensions in the Hello messages
> doesn't appear to support RFC6520 (the "heartbeat" extension) -- it's
> extension type #15, which is not in any of the logic there (it will just
> drop it or else never send it, as far as I can tell).
>
> So from what I can see, it won't negotiate heartbeat support at the start,
> and will just ignore any messages about it (since it doesn't understand
> them). It would be nice to have a quick test that can be run for this
> vulnerability though...
>
>
You are correct, the heartbeat extension is not currently supported, but
will likely be implemented in the future. As far as I understood, the
OpenSSL bug is due to a memory boundary problem,
which really is not a problem you have when you use Erlang to write your
code :)

Regards, Ingela
Erlang/OTP team - Ericsson AB
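The thread turns on two points: whether a Hello message carries the RFC 6520 heartbeat extension (type 15), and the bounds-checking failure behind the OpenSSL bug. The parser below is an added example, not code from the thread or from the OTP ssl application; it walks the TLS Hello extension block with every length checked against the bytes actually present, reports whether heartbeat was offered and in which mode, and rejects a length that points past the buffer. The sample byte strings are constructed for the example, not captured traffic.

```python
"""Bounds-checked parser for the TLS Hello extension block (RFC 5246 7.4.1.4)
that reports whether the heartbeat extension (RFC 6520, type 15) is present."""
import struct

HEARTBEAT_EXT_TYPE = 15  # RFC 6520: ExtensionType heartbeat(15)
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_extensions(blob: bytes) -> dict:
    """Parse 'extensions_length || (type, length, data)*' into {type: data}.

    Each length field is validated before any slice is taken, so a length
    that overruns the buffer raises instead of reading past the message.
    """
    if len(blob) < 2:
        raise ValueError("extension block shorter than its length field")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError(f"extensions_length {total} != {len(blob) - 2} bytes present")
    body, pos, found = blob[2:], 0, {}
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_len > len(body) - pos:
            raise ValueError(f"extension {ext_type} claims {ext_len} bytes, {len(body) - pos} left")
        if ext_type in found:
            raise ValueError(f"duplicate extension type {ext_type}")
        found[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return found


def heartbeat_mode(blob: bytes):
    """Return the HeartbeatMode name if the heartbeat extension is present, else None."""
    exts = parse_extensions(blob)
    if HEARTBEAT_EXT_TYPE not in exts:
        return None
    data = exts[HEARTBEAT_EXT_TYPE]
    if len(data) != 1 or data[0] not in HEARTBEAT_MODES:
        raise ValueError("malformed heartbeat extension body")
    return HEARTBEAT_MODES[data[0]]


# Constructed samples: an empty server_name echo (type 0) followed by a
# heartbeat extension (type 15, mode 1); the same without heartbeat; and one
# whose heartbeat length claims 16 bytes when only 1 byte follows.
WITH_HEARTBEAT = bytes.fromhex("0009" "0000" "0000" "000f" "0001" "01")
WITHOUT_HEARTBEAT = bytes.fromhex("0004" "0000" "0000")
OVERLONG_LENGTH = bytes.fromhex("0009" "0000" "0000" "000f" "0010" "01")
```

A peer that never sends type 15 and skips it on receipt, as the thread describes for the OTP ssl app, yields `None` here; the overlong sample is the shape of input the length check exists for.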




