[erlang-questions] Removing SSL v3 support from the ssl module

Ingela Andin ingela.andin@REDACTED
Mon Oct 20 11:20:36 CEST 2014


Hi!

From ssl man page:

[...]

protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2'
[...]
{versions, [protocol()]}
TLS protocol versions that will be supported by
started clients and servers. This option overrides the application
environment option protocol_version. If the environment option is not set
it defaults to all versions supported by the SSL application. See also
ssl(6) <http://www.erlang.org/doc/man/ssl_app.html>

From ssl(6) man page:

erl ... -ssl protocol_version '[sslv3, tlsv1]' ....
protocol_version = [sslv3|tlsv1] <optional>.     %% I see we need to
update the documentation here to include 'tlsv1.1' | 'tlsv1.2'

Protocol that will be supported by started clients and servers. If this
option is not set it will default to all protocols currently supported by
the erlang ssl application. Note that this option may be overridden by the
version option to ssl:connect/[2,3] and ssl:listen/2.

ssl:versions().
[{ssl_app,"5.3.6"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]

If you change the environment variable, supported and available will differ.
And even if all versions are available it can always be overridden by the
versions option.
Name choices are backwards compatible, like it or not.

I do not see a reason to remove the possibility to run sslv3 altogether
even though from a security perspective I would not configure my server to
run it.

Regards Ingela Erlang/OTP team - Ericsson AB


2014-10-16 1:41 GMT+02:00 Steve Vinoski <vinoski@REDACTED>:

>
>
> On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <aschultz@REDACTED>
> wrote:
>
>> Hi,
>> ----- On 15 Oct, 2014, at 11:10, Kenji Rikitake kenji@REDACTED wrote:
>>
>> > I'd be glad if how to remove SSL v3 support from OTP ssl module is
>> > provided by the OTP Team, to prevent getting trapped into the POODLE
>> > bug. (I think it won't be that hard, regarding what I've found from the
>> > ssl module source code. The keyword atom is "sslv3".)
>>
>> Add  {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to
>> restrict
>> the version choice.
>
>
> Slight correction:  {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}
>
> The 'v' characters were missing from the latter two atoms.
>
> --steve
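An added example, not part of the thread and not OTP code: a small Erlang module that checks an SSL option list before it is handed to ssl:listen/2 or ssl:connect/[2,3], flagging sslv3 and catching misspelled atoms such as the 'tls1.1' corrected in the quoted reply. The module and function names are hypothetical, and the list of known atoms is taken from the protocol() type in the man page excerpt quoted in this message.

```erlang
%% Added example: module and function names are hypothetical.
-module(tls_versions_check).
-export([safe_versions/0, validate/1, demo/0]).

%% Protocol atoms from the protocol() type in the man page excerpt.
-define(KNOWN, [sslv3, tlsv1, 'tlsv1.1', 'tlsv1.2']).

%% Versions this runtime reports as supported, with sslv3 removed.
%% Suitable as the value of the {versions, ...} option.
safe_versions() ->
    {supported, Supported} = lists:keyfind(supported, 1, ssl:versions()),
    [V || V <- Supported, V =/= sslv3].

%% Check the versions entry of an SSL option list.
validate(SslOpts) ->
    case proplists:get_value(versions, SslOpts) of
        undefined ->
            %% No versions option: the protocol_version environment
            %% setting, or the default of all supported versions, applies.
            {error, versions_not_set};
        Versions when is_list(Versions) ->
            Unknown = [V || V <- Versions, not lists:member(V, ?KNOWN)],
            case {Unknown, lists:member(sslv3, Versions)} of
                {[], false} -> ok;
                {[], true}  -> {error, sslv3_enabled};
                {_, _}      -> {error, {unknown_versions, Unknown}}
            end
    end.

%% Constructed inputs: the option list as first posted in the thread,
%% the corrected one, and two further cases. The certfile name is a
%% placeholder.
demo() ->
    Typo  = [{versions, ['tlsv1.2', 'tls1.1', 'tls1']}],
    Fixed = [{versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}],
    {error, {unknown_versions, ['tls1.1', 'tls1']}} = validate(Typo),
    ok = validate(Fixed),
    {error, sslv3_enabled} = validate([{versions, [sslv3, tlsv1]}]),
    {error, versions_not_set} = validate([{certfile, "server.pem"}]),
    ok.
```

Running validate/1 on the option list at startup surfaces a misspelled version atom or a remaining sslv3 entry before any socket is opened.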