[erlang-questions] Removing SSL v3 support from the ssl module

CT Radu ct.radu.001@REDACTED
Wed Nov 26 16:36:49 CET 2014


Hi all,

I am currently stuck with a R15 erlang release and I do want to disable
sslv3 on listening connections.
More specifically on cowboy websocket listeners.

The problem I am facing is that:
I passed these args to the erlang vm:
-ssl protocol_version "[\'tlsv1.2\',\'tlsv1.1\',tlsv1]"

I passed in cowboy ssl options (that gets passed along the way to
ssl:listen options)
{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}

And the best I got until now is:
ssl:versions().
[{ssl_app,"5.1.2"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]

And the end result is that the application can still serve via sslv3:
openssl s_client -ssl3 -connect 127.0.0.1:8936 |grep "Protocol"

 Protocol  : SSLv3
 Cipher    : DHE-RSA-AES256-SHA

>From what I understand on R15 the versions options in ssl:listen() are
ignored.
Are there any other methods of disabling SSLv3 in a R15 system ?

Many thanks,
Costin-Tiberiu


2014-11-06 16:40 GMT+02:00 Ingela Andin <ingela.andin@REDACTED>:

> Hi!
>
> 2014-10-22 17:29 GMT+02:00 Vincent de Phily <
> vincent.dephily@REDACTED>:
>
>> On Wednesday 15 October 2014 19:41:23 Steve Vinoski wrote:
>> > On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <aschultz@REDACTED>
>> wrote:
>> > > Hi,
>> > >
>> > > ----- On 15 Oct, 2014, at 11:10, Kenji Rikitake kenji@REDACTED wrote:
>> > > > I'd be glad if how to remove SSL v3 support from OTP ssl module is
>> > > > provided by the OTP Team, to prevent getting trapped into the POODLE
>> > > > bug. (I think it won't be that hard, regarding what I've found from
>> the
>> > > > ssl module source code. The keyword atom is "sslv3".)
>> > >
>> > > Add  {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to
>> > > restrict
>> > > the version choice.
>> >
>> > Slight correction:  {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}
>>
>> I suggest going with
>>
>> proplists:get_value(available,ssl:versions()) -- [sslv3]
>>
>> to future-proof your code a bit. I'm not sure what the difference between
>> 'supported' and 'available' is (a clarification in the docs would be
>> nice),
>> neither of them seem to be affected by the command-line argument to
>> restrict
>> versions.
>>
>> It was proably a quoting problem, or that you did not start the ssl
> application before callinge ssl:versions(). !
>
> > erl -ssl protocol_version '[tlsv1]'
> Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8]
> [async-threads:10] [hipe] [kernel-poll:false]
>
> Eshell V7.0  (abort with ^G)
> 1> ssl:start().
> ok
> 2> ssl:versions().
> [{ssl_app,"5.3.7"},
>  {supported,[tlsv1]},
>  {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
>
> > erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"
> Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8]
> [async-threads:10] [hipe] [kernel-poll:false]
>
> Eshell V7.0  (abort with ^G)
> 1> ssl:start().
> ok
> 2>  ssl:versions().
> [{ssl_app,"5.3.7"},
>  {supported,['tlsv1.2','tlsv1.1']},
>  {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
> 3>
>
>
> Maybe we should call them configured_default (supported) and
> system_default (available) ?  We will think about it.
> We might exclude sslv3 from the system default and make it only available
> through configuration.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>> --
>> Vincent de Phily
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141126/54453b07/attachment.htm>


More information about the erlang-questions mailing list