[erlang-questions] Removing SSL v3 support from the ssl module

Ingela Andin ingela.andin@REDACTED
Thu Nov 6 15:40:09 CET 2014


Hi!

2014-10-22 17:29 GMT+02:00 Vincent de Phily <
vincent.dephily@REDACTED>:

> On Wednesday 15 October 2014 19:41:23 Steve Vinoski wrote:
> > On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <aschultz@REDACTED>
> wrote:
> > > Hi,
> > >
> > > ----- On 15 Oct, 2014, at 11:10, Kenji Rikitake kenji@REDACTED wrote:
> > > > I'd be glad if how to remove SSL v3 support from OTP ssl module is
> > > > provided by the OTP Team, to prevent getting trapped into the POODLE
> > > > bug. (I think it won't be that hard, regarding what I've found from
> the
> > > > ssl module source code. The keyword atom is "sslv3".)
> > >
> > > Add  {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to
> > > restrict
> > > the version choice.
> >
> > Slight correction:  {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}
>
> I suggest going with
>
> proplists:get_value(available,ssl:versions()) -- [sslv3]
>
> to future-proof your code a bit. I'm not sure what the difference between
> 'supported' and 'available' is (a clarification in the docs would be nice),
> neither of them seem to be affected by the command-line argument to
> restrict
> versions.
>
It was probably a quoting problem, or that you did not start the ssl
application before calling ssl:versions()!

> erl -ssl protocol_version '[tlsv1]'
Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8]
[async-threads:10] [hipe] [kernel-poll:false]

Eshell V7.0  (abort with ^G)
1> ssl:start().
ok
2> ssl:versions().
[{ssl_app,"5.3.7"},
 {supported,[tlsv1]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]

> erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"
Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8]
[async-threads:10] [hipe] [kernel-poll:false]

Eshell V7.0  (abort with ^G)
1> ssl:start().
ok
2>  ssl:versions().
[{ssl_app,"5.3.7"},
 {supported,['tlsv1.2','tlsv1.1']},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
3>


Maybe we should call them configured_default (supported) and system_default
(available)? We will think about it.
We might exclude sslv3 from the system default and make it only available
through configuration.

Regards Ingela Erlang/OTP team - Ericsson AB



> --
> Vincent de Phily
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
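The thread above settles on two things: pass `{versions, [...]}` in the ssl options rather than relying on the default, and, if you derive that list from `ssl:versions()`, make sure the ssl application is started first or the call fails. The module below is an added example (not code from the thread or from OTP) that does exactly that. It assumes, as the shell output above shows, that `supported` reflects the `-ssl protocol_version` setting while `available` is the release's full list, so subtracting the disallowed atoms from `supported` honours an operator's command-line restriction and still never yields sslv3. The module and function names are made up for this example.

```erlang
%% Added example, not part of the thread or of OTP's ssl application.
%% Builds ssl option lists that can never negotiate SSLv3 (the POODLE
%% affected version discussed in this thread).
-module(no_sslv3).
-export([secure_versions/0, versions_without/1, listen_opts/2, connect_opts/1]).

%% Versions this application refuses to negotiate. Extend the list here if
%% policy later drops further protocol versions; only sslv3 is taken from
%% the thread.
-define(DISALLOWED, [sslv3]).

%% ssl:versions/0 raises unless the ssl application (and its dependencies,
%% crypto/asn1/public_key) are running, which is the pitfall raised above.
ensure_started() ->
    {ok, _Started} = application:ensure_all_started(ssl),
    ok.

%% Start from 'supported' (the configured default, which already honours
%% "-ssl protocol_version ..."), fall back to 'available' (the system
%% default) if no configuration narrowed it, then remove the disallowed
%% atoms. Assumption: these are the keys the shell transcript above shows.
versions_without(Disallowed) ->
    ok = ensure_started(),
    Props = ssl:versions(),
    Base = case proplists:get_value(supported, Props) of
               undefined -> proplists:get_value(available, Props, []);
               Supported -> Supported
           end,
    Base -- Disallowed.

secure_versions() ->
    Versions = versions_without(?DISALLOWED),
    %% Fail loudly rather than silently falling back to the ssl default,
    %% which could still include sslv3 on this release.
    case Versions of
        [] -> erlang:error({no_acceptable_tls_versions, ssl:versions()});
        _  -> Versions
    end.

%% Server side: options for ssl:listen/2. CertFile/KeyFile are paths the
%% caller supplies; nothing here is taken from the thread.
listen_opts(CertFile, KeyFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {versions, secure_versions()},
     {reuseaddr, true}].

%% Client side: options for ssl:connect/3. The caller's own options are
%% kept, but any {versions, _} they passed is replaced so sslv3 cannot be
%% reintroduced further up the stack.
connect_opts(UserOpts) ->
    [{versions, secure_versions()} | proplists:delete(versions, UserOpts)].
```

With the shell run shown above (`erl -ssl protocol_version '[tlsv1]'`), `no_sslv3:secure_versions()` returns `[tlsv1]`; with no command-line restriction it returns the `available` list minus `sslv3`, i.e. `['tlsv1.2','tlsv1.1',tlsv1]` on that development build. Because the subtraction happens against atoms, a spelling slip such as `'tls1.1'` (the one corrected earlier in the thread) would simply leave the version in the list rather than silently disabling it, so it is worth asserting the result in a test.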