<div dir="ltr">Hi!<br><div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-22 17:29 GMT+02:00 Vincent de Phily <span dir="ltr"><<a href="mailto:vincent.dephily@mobile-devices.fr" target="_blank">vincent.dephily@mobile-devices.fr</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class=""><div class="h5">On Wednesday 15 October 2014 19:41:23 Steve Vinoski wrote:<br>
> On Wed, Oct 15, 2014 at 5:34 AM, Andreas Schultz <<a href="mailto:aschultz@tpip.net">aschultz@tpip.net</a>> wrote:<br>
> > Hi,<br>
> ><br>
> > ----- On 15 Oct, 2014, at 11:10, Kenji Rikitake <a href="mailto:kenji@k2r.org">kenji@k2r.org</a> wrote:<br>
> > > I'd be glad if how to remove SSL v3 support from OTP ssl module is<br>
> > > provided by the OTP Team, to prevent getting trapped into the POODLE<br>
> > > bug. (I think it won't be that hard, regarding what I've found from the<br>
> > > ssl module source code. The keyword atom is "sslv3".)<br>
> ><br>
> > Add {versions, ['tlsv1.2', 'tls1.1', 'tls1']} to your SSL options to<br>
> > restrict<br>
> > the version choice.<br>
><br>
> Slight correction: {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}<br>
<br>
</div></div>I suggest going with<br>
<br>
proplists:get_value(available,ssl:versions()) -- [sslv3]<br>
<br>
to future-proof your code a bit. I'm not sure what the difference between<br>
'supported' and 'available' is (a clarification in the docs would be nice),<br>
neither of them seems to be affected by the command-line argument to restrict<br>
versions.<br>
<span class=""><font color="#888888"><br></font></span></blockquote><div>It was probably a quoting problem, or that you did not start the ssl application before calling ssl:versions().<br></div><div><br>> erl -ssl protocol_version '[tlsv1]'<br>Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false]<br><br>Eshell V7.0 (abort with ^G)<br>1> ssl:start().<br>ok<br>2> ssl:versions().<br>[{ssl_app,"5.3.7"},<br> {supported,[tlsv1]},<br> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]<br><br></div>> erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"<br>Erlang/OTP 18 [DEVELOPMENT] [erts-7.0] [source-7ed6eb5] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false]<br><br>Eshell V7.0 (abort with ^G)<br>1> ssl:start().<br>ok<br>2> ssl:versions(). <br>[{ssl_app,"5.3.7"},<br> {supported,['tlsv1.2','tlsv1.1']},<br> {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]<br>3> <br><br><br></div><div class="gmail_quote">Maybe we should call them configured_default (supported) and system_default (available)? We will think about it.<br></div><div class="gmail_quote">We might exclude sslv3 from the system default and make it only available through configuration.<br> <br></div><div class="gmail_quote">Regards Ingela Erlang/OTP team - Ericsson AB<br></div><div class="gmail_quote"><br><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class=""><font color="#888888">
--<br>
Vincent de Phily<br>
</font></span><div class=""><div class="h5"><br>
</div></div></blockquote></div><br></div></div></div>
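An added example, not part of the original thread and not OTP's own code: it builds the `versions` option from the `supported` list shown in the shell sessions above (the one that reflects `-ssl protocol_version`), removes `sslv3`, and refuses to continue if nothing is left. The module name `tls_versions` and the functions `safe_versions`, `listen_opts` and `demo` are hypothetical.

```erlang
%% Added example; module and function names are hypothetical.
-module(tls_versions).
-export([safe_versions/0, safe_versions/1, listen_opts/1, demo/0]).

%% Protocol versions that must never be offered (sslv3 is what POODLE targets).
-define(DENY, [sslv3]).

%% Start the ssl application first, as the reply in the thread advises,
%% then read the version lists it reports.
safe_versions() ->
    {ok, _} = application:ensure_all_started(ssl),
    safe_versions(ssl:versions()).

%% Use 'supported' rather than 'available' so that a command-line
%% restriction is kept, drop the denied versions, and fail closed
%% when no version remains.
safe_versions(Info) ->
    case proplists:get_value(supported, Info, []) -- ?DENY of
        [] -> erlang:error({no_safe_tls_version, Info});
        Versions -> Versions
    end.

%% Put the computed list into an ssl option list, replacing any
%% 'versions' entry the caller supplied.
listen_opts(Opts) ->
    [{versions, safe_versions()} | proplists:delete(versions, Opts)].

%% Constructed input in the shape of the second shell session above.
demo() ->
    Info = [{ssl_app, "5.3.7"},
            {supported, ['tlsv1.2', 'tlsv1.1']},
            {available, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]}],
    safe_versions(Info).
```

The result of `listen_opts/1` can be passed as the option list to `ssl:listen/2`; the same `versions` tuple applies to client options given to `ssl:connect/3`.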