[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Bogdan Andu bog495@REDACTED
Mon Oct 20 10:26:47 CEST 2014 

Hello,

I am trying to dezactivate SSLv3 protocol and keep active only TLSv1
protocol for an Erlang virtual machine using:
1) command line switch:
    erl ... -ssl protocol_version '[tlsv1]'
2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}

Neither of the above has effect.

When starting the vm I see this:
(test@REDACTED)2> ssl:versions().
[{ssl_app,"4.1.6"},
 {supported,[tlsv1]},
 {available,[tlsv1,sslv3]}]
(test@REDACTED)3>


however, when I execute the command:
$ openssl s_client -connect 10.10.11.66:5151 -ssl3
I see that the handshake is successful:
..................

SSL handshake has read 2944 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
    Session-ID-ctx:
    Master-Key:
4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413793000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)


The handshake shouldn't be successful.

But when I execute the command:
$ openssl s_client -connect 10.10.11.66:5151 -ssl2

No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413793132
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The protocol is refused because is disabled by default.

The same thing I want to happen with SSLv3 protocol.

I don't know what I am missing.

What should I do to instruct the Erlang vm to accept ssl connections using
only TLSv1 protocol?

the version of vm is:

Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
[async-threads:0] [kernel-poll:false]

Thank you ,

Bogdan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141020/46f692a3/attachment.htm>

More information about the erlang-questions mailing list