[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Bogdan Andu bog495@REDACTED
Mon Oct 20 19:25:18 CEST 2014


Much obliged,

Bogdan

On Mon, Oct 20, 2014 at 7:56 PM, Ingela Andin <ingela.andin@REDACTED>
wrote:

> Hi!
>
> 2014-10-20 16:44 GMT+02:00 Bogdan Andu <bog495@REDACTED>:
>
>> Thank you both for help,
>>
>> I definitely look into both solutions, the -define one looking the
>> easiest.
>>
>> So, if I define de following as:
>>
>> -define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1]).
>>
>> and recompile otp R14
>> there should be available only tlsv1 I presume.
>>
>> Thank you very much,
>>
>>
>
> Well yes Andreas has a point that this would have the desired affect.  It
> does not fix the bug, but as in your case of R14, disabling sslv3  would
> leave one version of the protocol,
> so I guess that would be acceptable.
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>
>> Bogdan
>>
>>
>>
>> On Mon, Oct 20, 2014 at 5:02 PM, Andreas Schultz <aschultz@REDACTED>
>> wrote:
>>
>>> Hi,
>>>
>>> ----- On 20 Oct, 2014, at 15:17, Ingela Andin ingela.andin@REDACTED
>>> wrote:
>>>
>>> > The commit that solves the problem is:
>>> >
>>> > bfb408ae3d424bf8f510806434eb14a730adc4fb
>>> >
>>> > How easy it is to port it to R14 I do not know, but I think doing so
>>> is proably
>>> > your best option if you can not
>>> > upgrade.
>>>
>>> Instead of back-porting, you could always adjust this define in
>>> ssl_internal.hrl:
>>>
>>> -define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1, sslv3]).
>>>
>>> Andreas
>>>
>>> >
>>> > Regards Ingela Erlang/OTP Team - Ericsson AB
>>> >
>>> > 2014-10-20 13:42 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
>>> >
>>> >
>>> >
>>> > Hi Ingela,
>>> >
>>> > Thank you for reply so quickly.
>>> >
>>> > You are right, R14 is rather old, but in the near future this is my
>>> only option
>>> > to run my
>>> > production application server that servers ssl connections as this is
>>> a per
>>> > policy decision
>>> > and the pressure upon me is high to disable SSLv3 support from the
>>> management.
>>> >
>>> > Is there a workaround to enable this functionality on R14, or is there
>>> a patch
>>> > that
>>> > could be cleanly applied on a R14B04 otp release?
>>> >
>>> > Best Regards,
>>> >
>>> > Bogdan
>>> >
>>> >
>>> > On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin < ingela.andin@REDACTED
>>> > wrote:
>>> >
>>> >
>>> >
>>> > Hi!
>>> >
>>> >
>>> > R14B04 is a really old release, time to upgrade I would say, featuring
>>> > ssl-4.X.Y, I think you are seeing a bug fixed in ssl- 5.3 Fixed Bugs
>>> and
>>> > Malfunctions
>>> >
>>> >
>>> >    *
>>> >
>>> > Honor the versions option to ssl:connect and ssl:listen.
>>> >
>>> > Own Id: OTP-10905
>>> >
>>> > Regards Ingela Erlang/OTP team - Ericsson AB
>>> >
>>> > 2014-10-20 10:26 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
>>> >
>>> >
>>> >
>>> > Hello,
>>> >
>>> > I am trying to dezactivate SSLv3 protocol and keep active only TLSv1
>>> protocol
>>> > for an Erlang virtual machine using:
>>> > 1) command line switch:
>>> > erl ... -ssl protocol_version '[tlsv1]'
>>> > 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
>>> >
>>> > Neither of the above has effect.
>>> >
>>> > When starting the vm I see this:
>>> > (test@REDACTED)2> ssl:versions().
>>> > [{ssl_app,"4.1.6"},
>>> > {supported,[tlsv1]},
>>> > {available,[tlsv1,sslv3]}]
>>> > ( test@REDACTED) 3>
>>> >
>>> >
>>> > however, when I execute the command:
>>> > $ openssl s_client -connect 10.10.11.66:5151 -ssl3
>>> > I see that the handshake is successful :
>>> > ..................
>>> >
>>> > SSL handshake has read 2944 bytes and written 338 bytes
>>> > ---
>>> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> > Server public key is 2048 bit
>>> > Secure Renegotiation IS supported
>>> > Compression: NONE
>>> > Expansion: NONE
>>> > SSL-Session:
>>> > Protocol : SSLv3
>>> > Cipher : DHE-RSA-AES256-SHA
>>> > Session-ID:
>>> A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
>>> > Session-ID-ctx:
>>> > Master-Key:
>>> >
>>> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
>>> > Key-Arg : None
>>> > Krb5 Principal: None
>>> > PSK identity: None
>>> > PSK identity hint: None
>>> > Start Time: 1413793000
>>> > Timeout : 7200 (sec)
>>> > Verify return code: 0 (ok)
>>> >
>>> >
>>> > The handshake shouldn't be successful.
>>> >
>>> > But when I execute the command:
>>> > $ openssl s_client -connect 10.10.11.66:5151 -ssl2
>>> >
>>> > No client certificate CA names sent
>>> > ---
>>> > SSL handshake has read 7 bytes and written 48 bytes
>>> > ---
>>> > New, (NONE), Cipher is (NONE)
>>> > Secure Renegotiation IS NOT supported
>>> > Compression: NONE
>>> > Expansion: NONE
>>> > SSL-Session:
>>> > Protocol : SSLv2
>>> > Cipher : 0000
>>> > Session-ID:
>>> > Session-ID-ctx:
>>> > Master-Key:
>>> > Key-Arg : None
>>> > Krb5 Principal: None
>>> > PSK identity: None
>>> > PSK identity hint: None
>>> > Start Time: 1413793132
>>> > Timeout : 300 (sec)
>>> > Verify return code: 0 (ok)
>>> > ---
>>> >
>>> > The protocol is refused because is disabled by default.
>>> >
>>> > The same thing I want to happen with SSLv3 protocol.
>>> >
>>> > I don't know what I am missing.
>>> >
>>> > What should I do to instruct the Erlang vm to accept ssl connections
>>> using only
>>> > TLSv1 protocol?
>>> >
>>> > the version of vm is:
>>> >
>>> > Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
>>> [async-threads:0]
>>> > [kernel-poll:false]
>>> >
>>> > Thank you ,
>>> >
>>> > Bogdan
>>> >
>>> > _______________________________________________
>>> > erlang-questions mailing list
>>> > erlang-questions@REDACTED
>>> > http://erlang.org/mailman/listinfo/erlang-questions
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > erlang-questions mailing list
>>> > erlang-questions@REDACTED
>>> > http://erlang.org/mailman/listinfo/erlang-questions
>>>
>>> --
>>> --
>>> Dipl. Inform.
>>> Andreas Schultz
>>>
>>> email: as@REDACTED
>>> phone: +49-391-819099-224
>>> mobil: +49-170-2226073
>>>
>>> ------------------- enabling your networks -------------------
>>>
>>> Travelping GmbH               phone:         +49-391-819099229
>>> Roentgenstr. 13               fax:           +49-391-819099299
>>> D-39108 Magdeburg             email:       info@REDACTED
>>> GERMANY                       web:   http://www.travelping.com
>>>
>>> Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
>>> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
>>> --------------------------------------------------------------
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141020/27f5e753/attachment.htm>


More information about the erlang-questions mailing list