[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Bogdan Andu bog495@REDACTED
Mon Oct 20 13:42:03 CEST 2014


Hi Ingela,

Thank you for reply so quickly.

You are right, R14 is rather old, but in the near future this is my only
option to run my
production application server that servers ssl connections as this is a per
policy decision
and the pressure upon me is high to disable SSLv3 support from the
management.

Is there a workaround to enable this functionality on R14, or is there a
patch that
could be cleanly applied on a R14B04 otp release?

Best Regards,

Bogdan


On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin <ingela.andin@REDACTED>
wrote:

> Hi!
>
> R14B04 is a really old release, time to upgrade I would say, featuring
> ssl-4.X.Y, I think you are seeing a bug fixed in ssl-5.3
> Fixed Bugs and Malfunctions
>
>    -
>
>    Honor the versions option to ssl:connect and ssl:listen.
>
>    Own Id: OTP-10905
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
> 2014-10-20 10:26 GMT+02:00 Bogdan Andu <bog495@REDACTED>:
>
>> Hello,
>>
>> I am trying to dezactivate SSLv3 protocol and keep active only TLSv1
>> protocol for an Erlang virtual machine using:
>> 1) command line switch:
>>     erl ... -ssl protocol_version '[tlsv1]'
>> 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
>>
>> Neither of the above has effect.
>>
>> When starting the vm I see this:
>> (test@REDACTED)2> ssl:versions().
>> [{ssl_app,"4.1.6"},
>>  {supported,[tlsv1]},
>>  {available,[tlsv1,sslv3]}]
>> (test@REDACTED)3>
>>
>>
>> however, when I execute the command:
>> $ openssl s_client -connect 10.10.11.66:5151 -ssl3
>> I see that the handshake is successful:
>> ..................
>>
>> SSL handshake has read 2944 bytes and written 338 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : SSLv3
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID:
>> A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
>>     Session-ID-ctx:
>>     Master-Key:
>> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1413793000
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>
>>
>> The handshake shouldn't be successful.
>>
>> But when I execute the command:
>> $ openssl s_client -connect 10.10.11.66:5151 -ssl2
>>
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 48 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : SSLv2
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     Krb5 Principal: None
>>     PSK identity: None
>>     PSK identity hint: None
>>     Start Time: 1413793132
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> The protocol is refused because is disabled by default.
>>
>> The same thing I want to happen with SSLv3 protocol.
>>
>> I don't know what I am missing.
>>
>> What should I do to instruct the Erlang vm to accept ssl connections
>> using only TLSv1 protocol?
>>
>> the version of vm is:
>>
>> Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
>> [async-threads:0] [kernel-poll:false]
>>
>> Thank you ,
>>
>> Bogdan
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141020/a68743d5/attachment.htm>


More information about the erlang-questions mailing list