[erlang-questions] Compiling Erlang without RC4?

Luis Rascão luis.rascao@REDACTED
Wed Sep 14 10:15:37 CEST 2016


You could build OpenSSL yourself and link statically link Erlang with it,
would that work also maybe?

On Wed, Sep 14, 2016 at 9:08 AM, Andreas Schultz <aschultz@REDACTED> wrote:

> Hi Oliver,
>
> You could try the attached patch. This just disables the rc4 support,
> for a pull request, some adjustments to the test suite might be
> required as well.
>
> I don't have a OpenSSL without RC4, so this is purely guesswork!
>
> Andreas
>
> ----- Original Message -----
> > From: "Oliver Korpilla" <Oliver.Korpilla@REDACTED>
> > To: "Alexander Færøy" <ahf@REDACTED>
> > Cc: "erlang-questions" <erlang-questions@REDACTED>
> > Sent: Tuesday, September 13, 2016 11:03:03 PM
> > Subject: Re: [erlang-questions] Compiling Erlang without RC4?
>
> > Hello, Alexander.
> >
> > You misunderstand... I'm not concerned at all. The Linux distribution I
> have to
> > work with removed the rc4.h header and without it I can not compile the
> Erlang
> > runtime environment (and not deploy my application).
> >
> > I did a cursory look but it is as you say - I found no guards and there
> were
> > plenty of references towards definitions from that header, so I was a
> bit out
> > on a limb to ask if anything knew a trick to compile the Erlang runtime
> without
> > this header...
> >
> > Thanks,
> > Oliver
> >
> >
> >
> > Gesendet: Dienstag, 13. September 2016 um 20:42 Uhr
> > Von: "Alexander Færøy" <ahf@REDACTED>
> > An: erlang-questions <erlang-questions@REDACTED>
> > Betreff: Re: [erlang-questions] Compiling Erlang without RC4?
> > On 13 September 2016 at 17:16, Oliver Korpilla <Oliver.Korpilla@REDACTED>
> wrote:
> >> We currently have to work with a system where somebody thought removing
> rc4.h
> >> would solve the security issues involved with this weak algorithm...
> >>
> >> Is there any way to build Erlang without RC4 (but still with crypto
> >> functionality)?
> >
> > It doesn't look like the RC4 functionality is hidden behind a guard in
> > the C source code, but I don't think you should be overly worried
> > about using an Erlang release that contains RC4 support.
> >
> > If you take a look at the ciphers that the SSL application will use by
> > default, you will see that there's no RC4 ciphers included (at least
> > not in my OTP-18 installation locally):
> >
> > lists:foreach(fun (Suite) -> io:format("~p~n", [Suite]) end,
> > ssl:cipher_suites()).
> >
> > You could consider filtering out the 3DES ciphers that are enabled by
> > default though[1] using the {ciphers, [...]} option for SSL
> > connections.
> >
> > Cheers,
> > Alex.
> >
> > [1]: https://sweet32.info
> >
> >
> > --
> > Alexander Færøy
> > _______________________________________________
> > erlang-questions mailing list
> > erlang-questions@REDACTED
> > http://erlang.org/mailman/listinfo/erlang-questions[
> http://erlang.org/mailman/listinfo/erlang-questions]
> > _______________________________________________
> > erlang-questions mailing list
> > erlang-questions@REDACTED
> > http://erlang.org/mailman/listinfo/erlang-questions
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>


-- 
PGP fingerprint: F708 E141 AE8D 2D38 E1BC  DF3D 1719 3EA0 647D 7260
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160914/49ecc849/attachment.htm>


More information about the erlang-questions mailing list