<div dir="ltr">Hi!<br><div class="gmail_extra"><br><div class="gmail_quote">2014-04-08 6:58 GMT+02:00 Alex Wilson <span dir="ltr"><<a href="mailto:alex@cooperi.net" target="_blank">alex@cooperi.net</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On 8 Apr 2014, at 2:37 pm, Danil Zagoskin <<a href="mailto:z@gosk.in">z@gosk.in</a>> wrote:<br>
> As far as I know, OTP SSL and crypto apps use openssl, but some of SSL handshake logic is rewritten in Erlang.<br>
<br>
</div>From my reading, it's more like all of the handshake logic is in Erlang. </blockquote><div><br></div><div>Yes it is!</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It really looks like it only uses OpenSSL for the crypto features like ciphers. The code to encode/decode TLS extensions in the Hello messages doesn't appear to support RFC6520 (the "heartbeat" extension) -- it's extension type #15, which is not in any of the logic there (it will just drop it or else never send it, as far as I can tell).<br>
<br>
So from what I can see, it won't negotiate heartbeat support at the start, and will just ignore any messages about it (since it doesn't understand them). It would be nice to have a quick test that can be run for this vulnerability though...<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>You are correct, the heartbeat extension is not currently supported, but will likely be implemented in the future. As far as I understood the OpenSSL bug is due to a memory boundary problem,</div>
<div>which really is not a problem you have when you use Erlang to write your code :)</div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB</div><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div></div>
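<div>The negotiation behaviour discussed in this thread, as an added example that is not part of the original messages and is not OTP's ssl code: a bounds-checked parser for the extensions in a ClientHello, plus a model of a peer that ignores extension types it does not implement, so heartbeat (type 15) is never negotiated. The function names, the <code>understood</code> set and the sample bytes are assumptions constructed for illustration.</div>

```python
import struct

HEARTBEAT = 15  # RFC 6520 extension type, the number quoted in the thread

def _take(buf, off, n):
    """Return (n bytes at off, new offset); never read past the buffer end."""
    if off + n > len(buf):
        raise ValueError("truncated hello: length field exceeds available data")
    return buf[off:off + n], off + n

def client_hello_extensions(body):
    """Parse a ClientHello body (handshake header stripped) into {type: data}."""
    _, off = _take(body, 0, 2 + 32)                       # version + random
    n, off = _take(body, off, 1)
    _, off = _take(body, off, n[0])                       # session_id
    n, off = _take(body, off, 2)
    _, off = _take(body, off, struct.unpack("!H", n)[0])  # cipher_suites
    n, off = _take(body, off, 1)
    _, off = _take(body, off, n[0])                       # compression_methods
    if off == len(body):
        return {}                                         # extensions are optional
    n, off = _take(body, off, 2)
    block, off = _take(body, off, struct.unpack("!H", n)[0])
    if off != len(body):
        raise ValueError("trailing bytes after extensions block")
    exts, pos = {}, 0
    while pos < len(block):
        hdr, pos = _take(block, pos, 4)
        etype, elen = struct.unpack("!HH", hdr)
        exts[etype], pos = _take(block, pos, elen)
    return exts

def heartbeat_negotiated(offered, understood):
    """Model a peer that ignores extension types it does not implement."""
    accepted = {t for t in offered if t in understood}
    return HEARTBEAT in accepted

def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data

# Constructed sample: signature_algorithms (13) plus heartbeat (15, mode 1).
_EXTS = _ext(13, b"\x00\x02\x04\x01") + _ext(HEARTBEAT, b"\x01")
SAMPLE = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
          + struct.pack("!H", len(_EXTS)) + _EXTS)

if __name__ == "__main__":
    offered = client_hello_extensions(SAMPLE)
    print(sorted(offered), heartbeat_negotiated(offered, understood={13}))
```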