[erlang-questions] [POODLE] SSLv3 deactivation in Erlang VM

Ingela Andin ingela.andin@REDACTED
Mon Oct 20 15:17:39 CEST 2014


The commit that solves the problem is:

bfb408ae3d424bf8f510806434eb14a730adc4fb

How easy it is to port it to R14 I do not know, but I think doing so is
probably your best option if you cannot upgrade.

Regards Ingela Erlang/OTP Team - Ericsson AB

2014-10-20 13:42 GMT+02:00 Bogdan Andu <bog495@REDACTED>:

> Hi Ingela,
>
> Thank you for replying so quickly.
>
> You are right, R14 is rather old, but in the near future this is my only
> option to run my
> production application server that serves ssl connections as this is a
> per policy decision
> and the pressure upon me is high to disable SSLv3 support from the
> management.
>
> Is there a workaround to enable this functionality on R14, or is there a
> patch that
> could be cleanly applied on an R14B04 OTP release?
>
> Best Regards,
>
> Bogdan
>
>
> On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin <ingela.andin@REDACTED>
> wrote:
>
>> Hi!
>>
>> R14B04 is a really old release, time to upgrade I would say, featuring
>> ssl-4.X.Y, I think you are seeing a bug fixed in ssl-5.3
>> Fixed Bugs and Malfunctions
>>
>>    - Honor the versions option to ssl:connect and ssl:listen.
>>
>>      Own Id: OTP-10905
>>
>>
>> Regards Ingela Erlang/OTP team - Ericsson AB
>>
>> 2014-10-20 10:26 GMT+02:00 Bogdan Andu <bog495@REDACTED>:
>>
>>> Hello,
>>>
>>> I am trying to deactivate SSLv3 protocol and keep active only TLSv1
>>> protocol for an Erlang virtual machine using:
>>> 1) command line switch:
>>>     erl ... -ssl protocol_version '[tlsv1]'
>>> 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
>>>
>>> Neither of the above has effect.
>>>
>>> When starting the vm I see this:
>>> (test@REDACTED)2> ssl:versions().
>>> [{ssl_app,"4.1.6"},
>>>  {supported,[tlsv1]},
>>>  {available,[tlsv1,sslv3]}]
>>> (test@REDACTED)3>
>>>
>>>
>>> however, when I execute the command:
>>> $ openssl s_client -connect 10.10.11.66:5151 -ssl3
>>> I see that the handshake is successful:
>>> ..................
>>>
>>> SSL handshake has read 2944 bytes and written 338 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : SSLv3
>>>     Cipher    : DHE-RSA-AES256-SHA
>>>     Session-ID:
>>> A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
>>>     Session-ID-ctx:
>>>     Master-Key:
>>> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1413793000
>>>     Timeout   : 7200 (sec)
>>>     Verify return code: 0 (ok)
>>>
>>>
>>> The handshake shouldn't be successful.
>>>
>>> But when I execute the command:
>>> $ openssl s_client -connect 10.10.11.66:5151 -ssl2
>>>
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 48 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : SSLv2
>>>     Cipher    : 0000
>>>     Session-ID:
>>>     Session-ID-ctx:
>>>     Master-Key:
>>>     Key-Arg   : None
>>>     Krb5 Principal: None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     Start Time: 1413793132
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 0 (ok)
>>> ---
>>>
>>> The protocol is refused because it is disabled by default.
>>>
>>> The same thing I want to happen with SSLv3 protocol.
>>>
>>> I don't know what I am missing.
>>>
>>> What should I do to instruct the Erlang vm to accept ssl connections
>>> using only TLSv1 protocol?
>>>
>>> the version of vm is:
>>>
>>> Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
>>> [async-threads:0] [kernel-poll:false]
>>>
>>> Thank you,
>>>
>>> Bogdan
>>>
>>
>
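
Added example (not part of the thread and not Erlang/OTP code): a small shell check that decides from `openssl s_client` output whether a protocol version was actually negotiated, which is the test used in the original question to confirm whether SSLv3 is still accepted. The function and sample names are assumptions; the sample inputs are trimmed from the two transcripts quoted above.

```shell
#!/bin/sh
# Added example: decide from `openssl s_client` output whether a protocol
# version was really negotiated. Helper names are assumptions.

# Reads s_client output on stdin.
# Prints "accepted <protocol> <cipher>" or "refused".
sclient_verdict() {
    awk '
        # Summary line: "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA"
        /^New, .*Cipher is / { cipher = $NF }
        # Session block line: "    Protocol  : SSLv3"
        $1 == "Protocol" && $2 == ":" { proto = $3 }
        END {
            # No cipher agreed means no handshake, whatever Protocol says.
            if (cipher == "" || cipher == "(NONE)" || proto == "")
                print "refused"
            else
                print "accepted " proto " " cipher
        }'
}

# Samples trimmed from the two transcripts quoted in the thread.
sample_ssl3() {
    cat <<'EOF'
SSL handshake has read 2944 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
EOF
}

sample_ssl2() {
    cat <<'EOF'
SSL handshake has read 7 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
}

echo "-ssl3: $(sample_ssl3 | sclient_verdict)"
echo "-ssl2: $(sample_ssl2 | sclient_verdict)"
```

Against a live listener, pipe `openssl s_client -connect HOST:PORT -ssl3 </dev/null 2>&1` into `sclient_verdict`; this needs an OpenSSL build that still offers the `-ssl3` option. After a fix or upgrade, the expected verdict for `-ssl3` is `refused`.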