[erlang-questions] [POODLE] SSLv3 dezactivation in Erlang VM

Ingela Andin ingela.andin@REDACTED
Mon Oct 20 18:56:27 CEST 2014


Hi!

2014-10-20 16:44 GMT+02:00 Bogdan Andu <bog495@REDACTED>:

> Thank you both for help,
>
> I definitely look into both solutions, the -define one looking the easiest.
>
> So, if I define de following as:
>
> -define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1]).
>
> and recompile otp R14
> there should be available only tlsv1 I presume.
>
> Thank you very much,
>
>

Well yes Andreas has a point that this would have the desired affect.  It
does not fix the bug, but as in your case of R14, disabling sslv3  would
leave one version of the protocol,
so I guess that would be acceptable.


Regards Ingela Erlang/OTP team - Ericsson AB




> Bogdan
>
>
>
> On Mon, Oct 20, 2014 at 5:02 PM, Andreas Schultz <aschultz@REDACTED>
> wrote:
>
>> Hi,
>>
>> ----- On 20 Oct, 2014, at 15:17, Ingela Andin ingela.andin@REDACTED
>> wrote:
>>
>> > The commit that solves the problem is:
>> >
>> > bfb408ae3d424bf8f510806434eb14a730adc4fb
>> >
>> > How easy it is to port it to R14 I do not know, but I think doing so is
>> proably
>> > your best option if you can not
>> > upgrade.
>>
>> Instead of back-porting, you could always adjust this define in
>> ssl_internal.hrl:
>>
>> -define(DEFAULT_SUPPORTED_VERSIONS, [tlsv1, sslv3]).
>>
>> Andreas
>>
>> >
>> > Regards Ingela Erlang/OTP Team - Ericsson AB
>> >
>> > 2014-10-20 13:42 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
>> >
>> >
>> >
>> > Hi Ingela,
>> >
>> > Thank you for reply so quickly.
>> >
>> > You are right, R14 is rather old, but in the near future this is my
>> only option
>> > to run my
>> > production application server that servers ssl connections as this is a
>> per
>> > policy decision
>> > and the pressure upon me is high to disable SSLv3 support from the
>> management.
>> >
>> > Is there a workaround to enable this functionality on R14, or is there
>> a patch
>> > that
>> > could be cleanly applied on a R14B04 otp release?
>> >
>> > Best Regards,
>> >
>> > Bogdan
>> >
>> >
>> > On Mon, Oct 20, 2014 at 1:28 PM, Ingela Andin < ingela.andin@REDACTED
>> > wrote:
>> >
>> >
>> >
>> > Hi!
>> >
>> >
>> > R14B04 is a really old release, time to upgrade I would say, featuring
>> > ssl-4.X.Y, I think you are seeing a bug fixed in ssl- 5.3 Fixed Bugs and
>> > Malfunctions
>> >
>> >
>> >    *
>> >
>> > Honor the versions option to ssl:connect and ssl:listen.
>> >
>> > Own Id: OTP-10905
>> >
>> > Regards Ingela Erlang/OTP team - Ericsson AB
>> >
>> > 2014-10-20 10:26 GMT+02:00 Bogdan Andu < bog495@REDACTED > :
>> >
>> >
>> >
>> > Hello,
>> >
>> > I am trying to dezactivate SSLv3 protocol and keep active only TLSv1
>> protocol
>> > for an Erlang virtual machine using:
>> > 1) command line switch:
>> > erl ... -ssl protocol_version '[tlsv1]'
>> > 2) pass to the ssl:listen/2 function the option: {versions, [tlsv1]}
>> >
>> > Neither of the above has effect.
>> >
>> > When starting the vm I see this:
>> > (test@REDACTED)2> ssl:versions().
>> > [{ssl_app,"4.1.6"},
>> > {supported,[tlsv1]},
>> > {available,[tlsv1,sslv3]}]
>> > ( test@REDACTED) 3>
>> >
>> >
>> > however, when I execute the command:
>> > $ openssl s_client -connect 10.10.11.66:5151 -ssl3
>> > I see that the handshake is successful :
>> > ..................
>> >
>> > SSL handshake has read 2944 bytes and written 338 bytes
>> > ---
>> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> > Server public key is 2048 bit
>> > Secure Renegotiation IS supported
>> > Compression: NONE
>> > Expansion: NONE
>> > SSL-Session:
>> > Protocol : SSLv3
>> > Cipher : DHE-RSA-AES256-SHA
>> > Session-ID:
>> A4B1A5AA7DE23C5691C8C982E5EC18F577561508F951778B7B5E19E468A91749
>> > Session-ID-ctx:
>> > Master-Key:
>> >
>> 4B04633A344F789EDB0B330BB2454EB7E19BF298461A440A04F1C6CE4F0772C02587B23127B966E84CF2571939AA4F3A
>> > Key-Arg : None
>> > Krb5 Principal: None
>> > PSK identity: None
>> > PSK identity hint: None
>> > Start Time: 1413793000
>> > Timeout : 7200 (sec)
>> > Verify return code: 0 (ok)
>> >
>> >
>> > The handshake shouldn't be successful.
>> >
>> > But when I execute the command:
>> > $ openssl s_client -connect 10.10.11.66:5151 -ssl2
>> >
>> > No client certificate CA names sent
>> > ---
>> > SSL handshake has read 7 bytes and written 48 bytes
>> > ---
>> > New, (NONE), Cipher is (NONE)
>> > Secure Renegotiation IS NOT supported
>> > Compression: NONE
>> > Expansion: NONE
>> > SSL-Session:
>> > Protocol : SSLv2
>> > Cipher : 0000
>> > Session-ID:
>> > Session-ID-ctx:
>> > Master-Key:
>> > Key-Arg : None
>> > Krb5 Principal: None
>> > PSK identity: None
>> > PSK identity hint: None
>> > Start Time: 1413793132
>> > Timeout : 300 (sec)
>> > Verify return code: 0 (ok)
>> > ---
>> >
>> > The protocol is refused because is disabled by default.
>> >
>> > The same thing I want to happen with SSLv3 protocol.
>> >
>> > I don't know what I am missing.
>> >
>> > What should I do to instruct the Erlang vm to accept ssl connections
>> using only
>> > TLSv1 protocol?
>> >
>> > the version of vm is:
>> >
>> > Erlang R14B04 (erts-5.8.5) [source] [64-bit] [smp:8:8] [rq:8]
>> [async-threads:0]
>> > [kernel-poll:false]
>> >
>> > Thank you ,
>> >
>> > Bogdan
>> >
>> > _______________________________________________
>> > erlang-questions mailing list
>> > erlang-questions@REDACTED
>> > http://erlang.org/mailman/listinfo/erlang-questions
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > erlang-questions mailing list
>> > erlang-questions@REDACTED
>> > http://erlang.org/mailman/listinfo/erlang-questions
>>
>> --
>> --
>> Dipl. Inform.
>> Andreas Schultz
>>
>> email: as@REDACTED
>> phone: +49-391-819099-224
>> mobil: +49-170-2226073
>>
>> ------------------- enabling your networks -------------------
>>
>> Travelping GmbH               phone:         +49-391-819099229
>> Roentgenstr. 13               fax:           +49-391-819099299
>> D-39108 Magdeburg             email:       info@REDACTED
>> GERMANY                       web:   http://www.travelping.com
>>
>> Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
>> Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
>> --------------------------------------------------------------
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20141020/a57647c1/attachment.htm>


More information about the erlang-questions mailing list