[erlang-questions] Does Erlang/OTP SSL app have heartbleed vulnerability?
Tue Apr 8 09:54:43 CEST 2014
2014-04-08 6:58 GMT+02:00 Alex Wilson <alex@REDACTED>:
> On 8 Apr 2014, at 2:37 pm, Danil Zagoskin <z@REDACTED> wrote:
> > As far as I know, OTP SSL and crypto apps use openssl, but some of SSL
> > handshake logic is rewritten in Erlang.
> From my reading, it's more like all of the handshake logic is in Erlang.
Yes it is!
> It really looks like it only uses OpenSSL for the crypto features like
> ciphers. The code to encode/decode TLS extensions in the Hello messages
> doesn't appear to support RFC6520 (the "heartbeat" extension) -- it's
> extension type #15, which is not in any of the logic there (it will just
> drop it or else never send it, as far as I can tell).
> So from what I can see, it won't negotiate heartbeat support at the start,
> and will just ignore any messages about it (since it doesn't understand
> them). It would be nice to have a quick test that can be run for this
> vulnerability though...
You are correct, the heartbeat extension is not currently supported, but
will likely be implemented in the future. As far as I understood the
OpenSSL bug is due to a memory boundary problem,
which really is not a problem you have when you use Erlang to write your

Regards
Ingela Erlang/OTP team - Ericsson AB
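The two mechanics discussed in this thread are (a) whether a Hello message carries the RFC 6520 heartbeat extension (type 15) and (b) the missing length check in the OpenSSL heartbeat handling. The following Python is an added example, not code from this thread or from the OTP ssl application; it is written in Python rather than Erlang so it can be run directly. It parses a TLS extensions block (the part of a Hello after the compression method, not a whole Hello message) and reports whether heartbeat was offered, and it parses a HeartbeatMessage with the bound check RFC 6520 requires, discarding messages whose claimed payload_length exceeds what was actually received. All sample byte strings are constructed for the example.

```python
import struct

HEARTBEAT_EXT_TYPE = 15       # RFC 6520 extension type for "heartbeat"
HEARTBEAT_PADDING_MIN = 16    # RFC 6520 section 4: padding MUST be at least 16 bytes


def parse_extensions(ext_block: bytes) -> dict:
    """Parse a TLS extensions block: 2-byte total length, then (type, length, data) entries.

    Unknown extension types are kept in the result but never acted upon, which is
    the behaviour described in the thread for an implementation that does not
    understand a given extension.
    """
    if len(ext_block) < 2:
        raise ValueError("extensions block shorter than its length field")
    (total,) = struct.unpack("!H", ext_block[:2])
    body = ext_block[2:2 + total]
    if len(body) != total:
        raise ValueError("declared extensions length exceeds available bytes")
    exts = {}
    pos = 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        if len(data) != elen:
            raise ValueError("extension %d declares %d bytes, only %d present" % (etype, elen, len(data)))
        pos += elen
        exts[etype] = data
    return exts


def heartbeat_offered(ext_block: bytes) -> bool:
    """True if the extensions block carries extension type 15 (heartbeat)."""
    return HEARTBEAT_EXT_TYPE in parse_extensions(ext_block)


def parse_heartbeat(msg: bytes):
    """Parse a HeartbeatMessage (type:8, payload_length:16, payload, padding).

    Returns (type, payload) or None when the message must be silently discarded
    because payload_length does not fit inside the bytes actually received
    (RFC 6520 section 4). Trusting payload_length without this check is the
    memory boundary problem mentioned in the thread.
    """
    if len(msg) < 3:
        return None
    hb_type = msg[0]
    (payload_len,) = struct.unpack("!H", msg[1:3])
    if 3 + payload_len + HEARTBEAT_PADDING_MIN > len(msg):
        return None
    return hb_type, msg[3:3 + payload_len]


# Constructed samples (not captured traffic):
# server_name (type 0, empty) followed by heartbeat (type 15, mode 1 = peer_allowed_to_send)
EXTS_WITH_HEARTBEAT = bytes.fromhex("0009" "0000" "0000" "000f" "0001" "01")
# server_name only
EXTS_WITHOUT_HEARTBEAT = bytes.fromhex("0004" "0000" "0000")
# heartbeat_request, payload_length 5, payload "hello", 16 bytes of padding
HB_WELL_FORMED = b"\x01" + b"\x00\x05" + b"hello" + b"\x00" * 16
# same bytes on the wire, but payload_length claims 16384 bytes
HB_OVERSIZED_LENGTH = b"\x01" + b"\x40\x00" + b"hello" + b"\x00" * 16

if __name__ == "__main__":
    print("heartbeat offered:", heartbeat_offered(EXTS_WITH_HEARTBEAT))
    print("heartbeat offered:", heartbeat_offered(EXTS_WITHOUT_HEARTBEAT))
    print("well-formed:", parse_heartbeat(HB_WELL_FORMED))
    print("oversized length:", parse_heartbeat(HB_OVERSIZED_LENGTH))
```

The length check in `parse_heartbeat` is the step the C code lacked. In Erlang the same check falls out of binary pattern matching: a pattern such as `<<Type:8, Len:16, Payload:Len/binary, _Padding/binary>>` simply fails to match when the binary is shorter than `Len` bytes, rather than reading past its end, which is what the reply above means by the boundary problem not arising in Erlang.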