<div dir="ltr"><div><div><div>The commit that solves the problem is:<br><br>bfb408ae3d424bf8f510806434eb14a730adc4fb <br><br></div>How easy it is to port it to R14 I do not know, but I think doing so is probably your best option if you cannot<br></div>upgrade.<br><br></div>Regards Ingela Erlang/OTP Team - Ericsson AB <br><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-20 13:42 GMT+02:00 Bogdan Andu <span dir="ltr"><<a href="mailto:bog495@gmail.com" target="_blank">bog495@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div>Hi Ingela,<br><br></div>Thank you for replying so quickly.<br><br></div>You are right, R14 is rather old, but in the near future this is my only option to run my <br></div>production application server that serves SSL connections, as this is a per-policy decision,<br></div><div>and the pressure on me from management to disable SSLv3 support is high.<br></div><div><br></div>Is there a workaround to enable this functionality on R14, or is there a patch that <br>could be cleanly applied to an R14B04 OTP release?<br><br></div>Best Regards,<br><br></div>Bogdan<br><div><div><br></div></div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><h3><a name="1492d5d363a6e8f9_1492d1989506aa1b_id65451"></a></h3><h3>Hi!</h3><p>R14B04 is a really old release (featuring ssl-4.X.Y); time to upgrade, I would say. I think you are seeing a bug fixed in ssl-<a name="1492d5d363a6e8f9_1492d1989506aa1b_id65451">5.3</a>:</p>
<h4>Fixed Bugs and Malfunctions</h4>
<ul><li>
<p>
Honor the versions option to ssl:connect and ssl:listen.</p>
<p>
Own Id: OTP-10905</p>
</li></ul><div class="gmail_extra"><br></div><div class="gmail_extra">Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>2014-10-20 10:26 GMT+02:00 Bogdan Andu <span dir="ltr"><<a href="mailto:bog495@gmail.com" target="_blank">bog495@gmail.com</a>></span>:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr"><div><div><div><div><div><div>Hello,<br><br></div>I am trying to deactivate the SSLv3 protocol and keep only the TLSv1 protocol active for an Erlang virtual machine using:<br></div>1) command line switch:<br> <span>erl ... -ssl protocol_version '[tlsv1]'<br></span></div><span>2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}<br><br></span></div><div><span>Neither of the above has any effect.<br></span></div><div><span><br></span></div><span>When starting the VM I see this:<br>(test@localhost)2> ssl:versions().<br>[{ssl_app,"4.1.6"},<br> {supported,[tlsv1]},<br> {available,[tlsv1,sslv3]}]<br>(</span><span><span>test@localhost)</span>3> <br><br><br></span></div><span>However, when I execute the command:<br>$ openssl s_client -connect <a href="http://10.10.11.66:5151" target="_blank">10.10.11.66:5151</a> -ssl3<br></span></div><span>I see that the handshake is </span><span><span>successful</span>:<br>..................<br><br>SSL handshake has read 2944 bytes and written 338 bytes<br>---<br>New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA<br>Server public key is 2048 bit<br>Secure Renegotiation IS supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : SSLv3<br> Cipher : DHE-RSA-AES256-SHA<br> Session-ID: A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749<br> Session-ID-ctx: <br> Master-Key: 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A<br> Key-Arg : None<br> Krb5 Principal: None<br> PSK identity: 
None<br> PSK identity hint: None<br> Start Time: 1413793000<br> Timeout : 7200 (sec)<br> Verify return code: 0 (ok)<br><br><br></span><div><span>The handshake shouldn't be successful.<br><br></span></div><div><span>But </span><span>when I execute the command:<br>$ openssl s_client -connect <a href="http://10.10.11.66:5151" target="_blank">10.10.11.66:5151</a> -ssl2<br><br>No client certificate CA names sent<br>---<br>SSL handshake has read 7 bytes and written 48 bytes<br>---<br>New, (NONE), Cipher is (NONE)<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>SSL-Session:<br> Protocol : SSLv2<br> Cipher : 0000<br> Session-ID: <br> Session-ID-ctx: <br> Master-Key: <br> Key-Arg : None<br> Krb5 Principal: None<br> PSK identity: None<br> PSK identity hint: None<br> Start Time: 1413793132<br> Timeout : 300 (sec)<br> Verify return code: 0 (ok)<br>---<br><br></span></div><div><span>The protocol is refused because it is disabled by default.<br><br></span></div><div><span>I want the same thing to happen with the SSLv3 protocol.<br></span></div><div><span><br></span></div><div><span>I don't know what I am missing.<br><br></span></div><div><span>What should I do to instruct the Erlang VM to accept SSL connections using only the TLSv1 protocol?<br><br></span></div><div><span>The version of the VM is:<br><br>Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8] [async-threads:0] [kernel-poll:false]<br><br></span></div><div><span>Thank you,<br><br></span></div><div><span>Bogdan<br></span></div></div>
<br></div></div>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div></div></div></div>
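<p>As an added check that is not part of the thread or of OTP's own code: a small POSIX shell script that classifies <code>openssl s_client</code> transcripts of the kind quoted above (an accepted SSLv3 handshake versus a refused SSLv2 attempt) and probes a listener with each protocol flag, so the effect of the <code>versions</code> option can be verified after upgrading or backporting the fix. The host, port and embedded sample transcripts are constructed placeholders. Note that the "New, TLSv1/SSLv3" line only names the cipher-suite family; the negotiated version is the "Protocol :" line in the SSL-Session block. On OpenSSL builds compiled without SSLv2/SSLv3 support the <code>-ssl2</code>/<code>-ssl3</code> flags are rejected as unknown options, which the script reports separately from a server-side refusal.</p>

```shell
#!/bin/sh
# Added example (not from the erlang-questions thread or from OTP).
# Classifies `openssl s_client` output and probes a listener per protocol.

# Constructed sample transcripts, trimmed to the lines that matter.
# Shape of an accepted SSLv3 handshake (cf. the -ssl3 output in the thread):
SAMPLE_SSL3_ACCEPTED='SSL handshake has read 2944 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'
# Shape of a refused protocol (cf. the -ssl2 output in the thread):
SAMPLE_SSL2_REFUSED='SSL handshake has read 7 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000'

# handshake_succeeded TRANSCRIPT: return 0 if a cipher was negotiated,
# 1 if the server refused (Cipher is (NONE) / Cipher : 0000) or no
# handshake summary is present at all.
handshake_succeeded() {
    printf '%s\n' "$1" | grep -q 'New, .*Cipher is (NONE)' && return 1
    printf '%s\n' "$1" | grep -q '^ *Cipher *: *0000' && return 1
    printf '%s\n' "$1" | grep -q '^SSL handshake has read' || return 1
    return 0
}

# negotiated_protocol TRANSCRIPT: print the "Protocol :" value from the
# SSL-Session block (SSLv3, TLSv1, ...). This, not the "New, TLSv1/SSLv3"
# cipher-family line, is the version that was actually negotiated.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# probe_protocol HOST PORT FLAG: run s_client with one protocol flag.
# Exit status: 0 accepted, 1 refused by server, 2 flag unsupported by
# this OpenSSL build (common for -ssl2/-ssl3 on current releases).
probe_protocol() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    case "$out" in
        *"unknown option"*|*"Unknown option"*)
            echo "$flag: unsupported by this openssl build"; return 2 ;;
    esac
    if handshake_succeeded "$out"; then
        echo "$flag: ACCEPTED (negotiated $(negotiated_protocol "$out"))"
        return 0
    fi
    echo "$flag: refused"
    return 1
}

# audit_legacy_protocols HOST PORT: the listener should refuse -ssl2 and
# -ssl3 and accept -tls1. Returns non-zero if any legacy version was accepted.
audit_legacy_protocols() {
    host=$1; port=$2; bad=0
    for flag in -ssl2 -ssl3; do
        if probe_protocol "$host" "$port" "$flag"; then
            bad=1
        fi
    done
    probe_protocol "$host" "$port" -tls1 || true
    return $bad
}

# Usage (placeholder address taken from the thread's example):
#   audit_legacy_protocols 10.10.11.66 5151
```

<p>Run the audit from a host that can reach the listener; an exit status of 0 means neither SSLv2 nor SSLv3 completed a handshake. Pair it with <code>ssl:versions().</code> in the Erlang shell: the <code>supported</code> list shows what the application is configured to offer, but only the on-the-wire probe shows what the listener actually accepts, which is exactly the discrepancy the thread is about.</p>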