[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Ingela Andin ingela.andin@REDACTED
Mon Oct 20 12:28:08 CEST 2014 

Hi!

R14B04 is a really old release, time to upgrade I would say, featuring
ssl-4.X.Y, I think you are seeing a bug fixed in ssl-5.3
Fixed Bugs and Malfunctions

   -

   Honor the versions option to ssl:connect and ssl:listen.

   Own Id: OTP-10905


Regards Ingela Erlang/OTP team - Ericsson AB

2014-10-20 10:26 GMT+02:00 Bogdan Andu <bog495@REDACTED>:

> Hello,
>
> I am trying to dezactivate SSLv3 protocol and keep active only TLSv1
> protocol for an Erlang virtual machine using:
> 1) command line switch:
>     erl ... -ssl protocol_version '[tlsv1]'
> 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
>
> Neither of the above has effect.
>
> When starting the vm I see this:
> (test@REDACTED)2> ssl:versions().
> [{ssl_app,"4.1.6"},
>  {supported,[tlsv1]},
>  {available,[tlsv1,sslv3]}]
> (test@REDACTED)3>
>
>
> however, when I execute the command:
> $ openssl s_client -connect 10.10.11.66:5151 -ssl3
> I see that the handshake is successful:
> ..................
>
> SSL handshake has read 2944 bytes and written 338 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
>     Session-ID-ctx:
>     Master-Key:
> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1413793000
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>
>
> The handshake shouldn't be successful.
>
> But when I execute the command:
> $ openssl s_client -connect 10.10.11.66:5151 -ssl2
>
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 48 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1413793132
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> The protocol is refused because is disabled by default.
>
> The same thing I want to happen with SSLv3 protocol.
>
> I don't know what I am missing.
>
> What should I do to instruct the Erlang vm to accept ssl connections using
> only TLSv1 protocol?
>
> the version of vm is:
>
> Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
> [async-threads:0] [kernel-poll:false]
>
> Thank you ,
>
> Bogdan
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141020/9f0176e3/attachment.htm>

More information about the erlang-questions mailing list