<div dir="ltr"><div>Hi!<br><br></div>From ssl man page:<br><br>[...]<br><span class=""><br>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </span><br><div><div><dl><dt>[...]</dt><dd><br></dd><dt><strong>{versions, [protocol()]}</strong></dt><dd>TLS protocol versions that will be supported by started clients and servers.
This option overrides the application environment option <span class="">protocol_version</span>. If the
environment option is not set it defaults to all versions supported by the SSL application. See also
<span class=""><a href="http://www.erlang.org/doc/man/ssl_app.html">ssl(6)</a></span>
</dd></dl>from ssl(6) man page:<br></div><div><p><span class="">erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</span>.
</p>
<dl><dt><strong><span class="">protocol_version = [sslv3|tlsv1] <optional></span>. %% I see we need to update the documentation here to include </strong><span class="">'tlsv1.1' | 'tlsv1.2' </span></dt><dd>
<p>Protocol that will be supported by started clients and
servers. If this option is not set it will default to all
protocols currently supported by the erlang ssl application.
Note that this option may be overridden by the version option
to ssl:connect/[2,3] and ssl:listen/2.
</p></dd></dl><p>ssl:versions().<br>[{ssl_app,"5.3.6"},<br> {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},<br> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]</p><p>If you change the environment variable supported and available will differ. And even if all versions are available it can always be overridden by the versions option.<br></p><div><div>Name choices are backwards compatible, like it or not. <br></div><div><br></div><div>I do not see a reason to remove the possibility to run sslv3 altogether even though from a security perspective I would no configure my server to run it. <br></div><div><br></div><div>Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">2014-10-16 1:41 GMT+02:00 Steve Vinoski <span dir="ltr"><<a href="mailto:vinoski@ieee.org" target="_blank">vinoski@ieee.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <span dir="ltr"><<a href="mailto:aschultz@tpip.net" target="_blank">aschultz@tpip.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<span>----- On 15 Oct, 2014, at 11:10, Kenji Rikitake <a href="mailto:kenji@k2r.org" target="_blank">kenji@k2r.org</a> wrote:<br>
<br>
> I'd be glad if how to remove SSL v3 support from OTP ssl module is<br>
> provided by the OTP Team, to prevent getting trapped into the POODLE<br>
> bug. (I think it won't be that hard, regarding what I've found from the<br>
> ssl module source code. The keyword atom is "sslv3".)<br>
<br>
</span>Add {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to restrict<br>
the version choice.</blockquote><div><br></div></span><div>Slight correction: {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}</div><div><br></div><div>The 'v' characters were missing from the latter two atoms.</div><span class=""><font color="#888888"><div><br></div><div>--steve</div></font></span></div></div></div>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div></div></div></div></div>