[erlang-questions] [POODLE] SSLv3 deactivation in Erlang VM

Bogdan Andu bog495@REDACTED
Mon Oct 20 16:44:53 CEST 2014


Thank you both for help,

I definitely look into both solutions, the -define one looking the easiest.

So, if I define the following as:

-define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1]).

and recompile otp R14
there should be available only tlsv1 I presume.

Thank you very much,

Bogdan



On Mon, Oct 20, 2014 at 5:02 PM, Andreas Schultz <aschultz@REDACTED> wrote:

> Hi,
>
> ----- On 20 Oct, 2014, at 15:17, Ingela Andin ingela.andin@REDACTED
> wrote:
>
> > The commit that solves the problem is:
> >
> > bfb408ae3d424bf8f510806434eb14a730adc4fb
> >
> > How easy it is to port it to R14 I do not know, but I think doing so is
> > probably your best option if you can not upgrade.
>
> Instead of back-porting, you could always adjust this define in
> ssl_internal.hrl:
>
> -define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1, sslv3]).
>
> Andreas
>
> >
> > Regards Ingela Erlang/OTP Team - Ericsson AB
> >
> > 2014-10-20 13:42 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
> >
> >
> >
> > Hi Ingela,
> >
> > Thank you for reply so quickly.
> >
> > You are right, R14 is rather old, but in the near future this is my only
> > option to run my production application server that serves ssl
> > connections as this is a per policy decision and the pressure upon me is
> > high to disable SSLv3 support from the management.
> >
> > Is there a workaround to enable this functionality on R14, or is there a
> > patch that could be cleanly applied on a R14B04 otp release?
> >
> > Best Regards,
> >
> > Bogdan
> >
> >
> > On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin < ingela.andin@REDACTED
> > wrote:
> >
> >
> >
> > Hi!
> >
> >
> > R14B04 is a really old release, time to upgrade I would say, featuring
> > ssl-4.X.Y, I think you are seeing a bug fixed in ssl-5.3:
> >
> > Fixed Bugs and Malfunctions
> >
> >    * Honor the versions option to ssl:connect and ssl:listen.
> >
> >      Own Id: OTP-10905
> >
> > Regards Ingela Erlang/OTP team - Ericsson AB
> >
> > 2014-10-20 10:26 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
> >
> >
> >
> > Hello,
> >
> > I am trying to deactivate SSLv3 protocol and keep active only TLSv1
> > protocol for an Erlang virtual machine using:
> > 1) command line switch:
> > erl ... -ssl protocol_version '[tlsv1]'
> > 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
> >
> > Neither of the above has effect.
> >
> > When starting the vm I see this:
> > (test@REDACTED)2> ssl:versions().
> > [{ssl_app,"4.1.6"},
> > {supported,[tlsv1]},
> > {available,[tlsv1,sslv3]}]
> > ( test@REDACTED) 3>
> >
> >
> > however, when I execute the command:
> > $ openssl s_client -connect 10.10.11.66:5151 -ssl3
> > I see that the handshake is successful :
> > ..................
> >
> > SSL handshake has read 2944 bytes and written 338 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : SSLv3
> > Cipher : DHE-RSA-AES256-SHA
> > Session-ID: A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
> > Session-ID-ctx:
> > Master-Key: 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1413793000
> > Timeout : 7200 (sec)
> > Verify return code: 0 (ok)
> >
> >
> > The handshake shouldn't be successful.
> >
> > But when I execute the command:
> > $ openssl s_client -connect 10.10.11.66:5151 -ssl2
> >
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 7 bytes and written 48 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : SSLv2
> > Cipher : 0000
> > Session-ID:
> > Session-ID-ctx:
> > Master-Key:
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1413793132
> > Timeout : 300 (sec)
> > Verify return code: 0 (ok)
> > ---
> >
> > The protocol is refused because it is disabled by default.
> >
> > The same thing I want to happen with SSLv3 protocol.
> >
> > I don't know what I am missing.
> >
> > What should I do to instruct the Erlang vm to accept ssl connections
> > using only TLSv1 protocol?
> >
> > the version of vm is:
> >
> > Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8] [async-threads:0] [kernel-poll:false]
> >
> > Thank you ,
> >
> > Bogdan
> >
> > _______________________________________________
> > erlang-questions mailing list
> > erlang-questions@REDACTED
> > http://erlang.org/mailman/listinfo/erlang-questions
>
> --
> --
> Dipl. Inform.
> Andreas Schultz
>
> email: as@REDACTED
> phone: +49-391-819099-224
> mobil: +49-170-2226073
>
> ------------------- enabling your networks -------------------
>
> Travelping GmbH               phone:         +49-391-819099229
> Roentgenstr. 13               fax:           +49-391-819099299
> D-39108 Magdeburg             email:       info@REDACTED
> GERMANY                       web:   http://www.travelping.com
>
> Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
> --------------------------------------------------------------
>
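
The two `openssl s_client` transcripts in the first message differ in their negotiated-cipher line, not in `Verify return code`, which reads `0 (ok)` in both. As an added example (not part of the original thread), this shell helper classifies s_client output on that basis; the function names are hypothetical, the samples are trimmed from the transcripts quoted above, and treating output with no handshake summary line as inconclusive is an assumption.

```shell
# Added example: classify `openssl s_client` output by the negotiated-cipher
# summary. "Verify return code: 0 (ok)" appears in both transcripts in the
# thread, including the refused SSLv2 attempt, so it is not used as a signal.

classify_handshake() {
    # stdin: s_client output. Prints "accepted <protocol> <cipher>", "refused",
    # or "inconclusive" when no handshake summary was printed at all
    # (assumption: connect error, or a client built without that protocol).
    awk '
        /SSL handshake has read/  { seen = 1 }
        /^New, .*Cipher is /      { cipher = $NF }
        /^ *Protocol *:/          { proto = $NF }
        END {
            if (!seen)                                   print "inconclusive"
            else if (cipher == "" || cipher == "(NONE)") print "refused"
            else                                         print "accepted", proto, cipher
        }'
}

probe() {
    # $1 = host:port, $2 = protocol flag such as -ssl3 (hypothetical wrapper)
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | classify_handshake
}

# Samples trimmed from the two transcripts quoted in the thread.
sample_ssl3() {
cat <<'EOF'
SSL handshake has read 2944 bytes and written 338 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
EOF
}

sample_ssl2() {
cat <<'EOF'
SSL handshake has read 7 bytes and written 48 bytes
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv2
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
}

sample_ssl3 | classify_handshake   # SSLv3 transcript: handshake completed
sample_ssl2 | classify_handshake   # SSLv2 transcript: no cipher negotiated
```

Running `probe host:port -ssl3` before and after rebuilding with the changed define shows whether the listener still completes an SSLv3 handshake. The probing client must be an OpenSSL build that still has SSLv3 compiled in, otherwise the result is `inconclusive`.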