[erlang-questions] Does Erlang/OTP SSL app have heartbleed vulnerability?
Tue Apr 8 06:58:40 CEST 2014
On 8 Apr 2014, at 2:37 pm, Danil Zagoskin <z@REDACTED> wrote:
> As far as I know, OTP SSL and crypto apps use openssl, but some of SSL handshake logic is rewritten in Erlang.
From my reading, it's more like all of the handshake logic is in Erlang. It really looks like it only uses OpenSSL for the crypto features like ciphers. The code to encode/decode TLS extensions in the Hello messages doesn't appear to support RFC6520 (the "heartbeat" extension) -- it's extension type #15, which is not in any of the logic there (it will just drop it or else never send it, as far as I can tell).
So from what I can see, it won't negotiate heartbeat support at the start, and will just ignore any messages about it (since it doesn't understand them). It would be nice to have a quick test that can be run for this vulnerability though...
More information about the erlang-questions