[erlang-questions] Removing SSL v3 support from the ssl module

Vincent de Phily vincent.dephily@REDACTED
Wed Oct 22 17:29:10 CEST 2014


On Wednesday 15 October 2014 19:41:23 Steve Vinoski wrote:
> On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <aschultz@REDACTED> wrote:
> > Hi,
> > 
> > ----- On 15 Oct, 2014, at 11:10, Kenji Rikitake kenji@REDACTED wrote:
> > > I'd be glad if how to remove SSL v3 support from OTP ssl module is
> > > provided by the OTP Team, to prevent getting trapped into the POODLE
> > > bug. (I think it won't be that hard, regarding what I've found from the
> > > ssl module source code. The keyword atom is "sslv3".)
> > 
> > Add {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to
> > restrict the version choice.
> 
> Slight correction:  {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}

I suggest going with

proplists:get_value(available,ssl:versions()) -- [sslv3]

to future-proof your code a bit. I'm not sure what the difference between
'supported' and 'available' is (a clarification in the docs would be nice);
neither of them seems to be affected by the command-line argument to restrict
versions.

-- 
Vincent de Phily
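
The suggestion above, written out as an added example that is not part of the original thread: it derives the version list from ssl:versions(), drops sslv3, and merges the result into an existing option list. The module name, function names and the file name in the comment are hypothetical.

```erlang
%% Added example, not code from the thread or from OTP.
%% Module and function names are hypothetical.
-module(tls_versions).
-export([allowed/0, allowed/1, harden/1]).

%% Protocol versions that must never be offered.
-define(DENY, [sslv3]).

%% Versions reported as available by the ssl application, minus the denied ones.
allowed() ->
    allowed(proplists:get_value(available, ssl:versions(), [])).

%% Pure helper so the filtering can be exercised on a fixed list.
allowed(Available) ->
    Available -- ?DENY.

%% Merge a {versions, ...} entry into an existing ssl option list.
%% If the caller already set versions, keep only those still allowed.
%% Fail loudly rather than return options with no protocol version left.
harden(Opts) ->
    Allowed = allowed(),
    Wanted = case proplists:get_value(versions, Opts) of
                 undefined -> Allowed;
                 Listed    -> [V || V <- Listed, lists:member(V, Allowed)]
             end,
    case Wanted of
        [] -> erlang:error({no_usable_tls_version, Allowed});
        _  -> [{versions, Wanted} | proplists:delete(versions, Opts)]
    end.

%% Usage (constructed file name):
%%   ssl:listen(8443, tls_versions:harden([{certfile, "server.pem"}])).
```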



