[erlang-questions] Compiling Erlang without RC4?

Oliver Korpilla Oliver.Korpilla@REDACTED
Tue Sep 13 23:03:03 CEST 2016


Hello, Alexander.

You misunderstand... I'm not concerned at all. The Linux distribution I have to work with removed the rc4.h header and without it I can not compile the Erlang runtime environment (and not deploy my application).

I did a cursory look but it is as you say - I found no guards and there were plenty of references towards definitions from that header, so I was a bit out on a limb to ask if anything knew a trick to compile the Erlang runtime without this header...

Thanks,
Oliver
 
 

Gesendet: Dienstag, 13. September 2016 um 20:42 Uhr
Von: "Alexander Færøy" <ahf@REDACTED>
An: erlang-questions <erlang-questions@REDACTED>
Betreff: Re: [erlang-questions] Compiling Erlang without RC4?
On 13 September 2016 at 17:16, Oliver Korpilla <Oliver.Korpilla@REDACTED> wrote:
> We currently have to work with a system where somebody thought removing rc4.h would solve the security issues involved with this weak algorithm...
>
> Is there any way to build Erlang without RC4 (but still with crypto functionality)?

It doesn't look like the RC4 functionality is hidden behind a guard in
the C source code, but I don't think you should be overly worried
about using an Erlang release that contains RC4 support.

If you take a look at the ciphers that the SSL application will use by
default, you will see that there's no RC4 ciphers included (at least
not in my OTP-18 installation locally):

lists:foreach(fun (Suite) -> io:format("~p~n", [Suite]) end,
ssl:cipher_suites()).

You could consider filtering out the 3DES ciphers that are enabled by
default though[1] using the {ciphers, [...]} option for SSL
connections.

Cheers,
Alex.

[1]: https://sweet32.info


--
Alexander Færøy
_______________________________________________
erlang-questions mailing list
erlang-questions@REDACTED
http://erlang.org/mailman/listinfo/erlang-questions[http://erlang.org/mailman/listinfo/erlang-questions]



More information about the erlang-questions mailing list