[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Andreas Schultz aschultz@REDACTED
Mon Oct 20 16:02:40 CEST 2014 

Hi,

----- On 20 Oct, 2014, at 15:17, Ingela Andin ingela.andin@REDACTED wrote:

> The commit that solves the problem is:
> 
> bfb408ae3d424bf8f510806434eb14a730adc4fb
> 
> How easy it is to port it to R14 I do not know, but I think doing so is proably
> your best option if you can not
> upgrade.

Instead of back-porting, you could always adjust this define in
ssl_internal.hrl:

-define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1, sslv3]).

Andreas

> 
> Regards Ingela Erlang/OTP Team - Ericsson AB
> 
> 2014-10-20 13:42 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
> 
> 
> 
> Hi Ingela,
> 
> Thank you for reply so quickly.
> 
> You are right, R14 is rather old, but in the near future this is my only option
> to run my
> production application server that servers ssl connections as this is a per
> policy decision
> and the pressure upon me is high to disable SSLv3 support from the management.
> 
> Is there a workaround to enable this functionality on R14, or is there a patch
> that
> could be cleanly applied on a R14B04 otp release?
> 
> Best Regards,
> 
> Bogdan
> 
> 
> On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin < ingela.andin@REDACTED > wrote:
> 
> 
> 
> Hi!
> 
> 
> R14B04 is a really old release, time to upgrade I would say, featuring
> ssl-4.X.Y, I think you are seeing a bug fixed in ssl- 5.3 Fixed Bugs and
> Malfunctions
> 
> 
>    *
> 
> Honor the versions option to ssl:connect and ssl:listen.
> 
> Own Id: OTP-10905
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 2014-10-20 10:26 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
> 
> 
> 
> Hello,
> 
> I am trying to dezactivate SSLv3 protocol and keep active only TLSv1 protocol
> for an Erlang virtual machine using:
> 1) command line switch:
> erl ... -ssl protocol_version '[tlsv1]'
> 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
> 
> Neither of the above has effect.
> 
> When starting the vm I see this:
> (test@REDACTED)2> ssl:versions().
> [{ssl_app,"4.1.6"},
> {supported,[tlsv1]},
> {available,[tlsv1,sslv3]}]
> ( test@REDACTED) 3>
> 
> 
> however, when I execute the command:
> $ openssl s_client -connect 10.10.11.66:5151 -ssl3
> I see that the handshake is successful :
> ..................
> 
> SSL handshake has read 2944 bytes and written 338 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv3
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
> Session-ID-ctx:
> Master-Key:
> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1413793000
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> 
> 
> The handshake shouldn't be successful.
> 
> But when I execute the command:
> $ openssl s_client -connect 10.10.11.66:5151 -ssl2
> 
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 48 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : SSLv2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1413793132
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> 
> The protocol is refused because is disabled by default.
> 
> The same thing I want to happen with SSLv3 protocol.
> 
> I don't know what I am missing.
> 
> What should I do to instruct the Erlang vm to accept ssl connections using only
> TLSv1 protocol?
> 
> the version of vm is:
> 
> Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8] [async-threads:0]
> [kernel-poll:false]
> 
> Thank you ,
> 
> Bogdan
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 
> 
> 
> 
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------

Travelping GmbH               phone:         +49-391-819099229
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------

More information about the erlang-questions mailing list