[erlang-questions] Compiling Erlang without RC4?

Andreas Schultz aschultz@REDACTED
Wed Sep 14 15:12:53 CEST 2016


Hi Oliver,

Test suite was simple enough, so I made the RC4 fix into a real pull request:

https://github.com/erlang/otp/pull/1169

Andreas

----- Original Message -----
> From: "Oliver Korpilla" <Oliver.Korpilla@REDACTED>
> To: "Luis Rascão" <luis.rascao@REDACTED>
> Cc: "erlang-questions" <erlang-questions@REDACTED>
> Sent: Wednesday, September 14, 2016 12:39:40 PM
> Subject: Re: [erlang-questions] Compiling Erlang without RC4?

> Hello, Luis.
> 
> Yes, I thought about building Erlang on a more "full-featured" machine and
> deploying it as a statically linked binary as alternate solution.
> 
> Since we rely on SCTP support in the kernel, however, my personal guess would be
> that this is a little risky but doable and will require testing if all features
> still work properly on target.
> 
> So, yes, this would have been our next option to pursue. :)
> 
> Thanks,
> Oliver
> 
> 
> Sent: Wednesday, 14 September 2016 at 10:15
> From: "Luis Rascão" <luis.rascao@REDACTED>
> To: "Andreas Schultz" <aschultz@REDACTED>
> Cc: "Oliver Korpilla" <Oliver.Korpilla@REDACTED>, erlang-questions
> <erlang-questions@REDACTED>
> Subject: Re: [erlang-questions] Compiling Erlang without RC4?
> 
> You could build OpenSSL yourself and statically link Erlang with it, would
> that work also maybe?
> 
> On Wed, Sep 14, 2016 at 9:08 AM, Andreas Schultz <aschultz@REDACTED> wrote:
> Hi Oliver,
> 
> You could try the attached patch. This just disables the rc4 support,
> for a pull request, some adjustments to the test suite might be
> required as well.
> 
> I don't have an OpenSSL without RC4, so this is purely guesswork!
> 
> Andreas
> 
> ----- Original Message -----
>> From: "Oliver Korpilla" <Oliver.Korpilla@REDACTED>
>> To: "Alexander Færøy" <ahf@REDACTED>
>> Cc: "erlang-questions"
>> <erlang-questions@REDACTED>
>> Sent: Tuesday, September 13, 2016 11:03:03 PM
>> Subject: Re: [erlang-questions] Compiling Erlang without RC4?
> 
>> Hello, Alexander.
>>
>> You misunderstand... I'm not concerned at all. The Linux distribution I have to
>> work with removed the rc4.h header and without it I can not compile the Erlang
>> runtime environment (and not deploy my application).
>>
>> I did a cursory look but it is as you say - I found no guards and there were
>> plenty of references towards definitions from that header, so I was a bit out
>> on a limb to ask if anyone knew a trick to compile the Erlang runtime without
>> this header...
>>
>> Thanks,
>> Oliver
>> 
>> 
>>
>> Sent: Tuesday, 13 September 2016 at 20:42
>> From: "Alexander Færøy" <ahf@REDACTED>
>> To: erlang-questions <erlang-questions@REDACTED>
>> Subject: Re: [erlang-questions] Compiling Erlang without RC4?
>> On 13 September 2016 at 17:16, Oliver Korpilla
>> <Oliver.Korpilla@REDACTED> wrote:
>>> We currently have to work with a system where somebody thought removing rc4.h
>>> would solve the security issues involved with this weak algorithm...
>>>
>>> Is there any way to build Erlang without RC4 (but still with crypto
>>> functionality)?
>>
>> It doesn't look like the RC4 functionality is hidden behind a guard in
>> the C source code, but I don't think you should be overly worried
>> about using an Erlang release that contains RC4 support.
>>
>> If you take a look at the ciphers that the SSL application will use by
>> default, you will see that there are no RC4 ciphers included (at least
>> not in my OTP-18 installation locally):
>>
>> lists:foreach(fun (Suite) -> io:format("~p~n", [Suite]) end,
>> ssl:cipher_suites()).
>>
>> You could consider filtering out the 3DES ciphers that are enabled by
>> default though[1] using the {ciphers, [...]} option for SSL
>> connections.
>>
>> Cheers,
>> Alex.
>>
>> [1]: https://sweet32.info
>>
>>
>> --
>> Alexander Færøy
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
> 
> --
> 
> PGP fingerprint: F708 E141 AE8D 2D38 E1BC  DF3D 1719 3EA0 647D 7260

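The cipher filtering suggested in the quoted reply (the `{ciphers, [...]}` option), as an added example that is not part of the original thread and is not OTP code. It assumes the tuple format returned by `ssl:cipher_suites/0` in the OTP 18/19 releases discussed here, extends the weak list from 3DES to RC4 and single DES, and uses hypothetical module and function names.

```erlang
%% Added example: drop RC4 and 64-bit-block DES suites from the suite list
%% before handing it to the ssl application. Names here are hypothetical.
-module(weak_cipher_filter).
-export([strong_suites/1, ssl_options/0, demo/0]).

%% Cipher atoms as they appear in the OTP 18/19 suite tuples.
%% rc4_128 is the subject of the thread; the DES entries are the
%% 64-bit block ciphers that Sweet32 concerns.
-define(WEAK_CIPHERS, [rc4_128, des_cbc, '3des_ede_cbc']).

%% Keep only suites whose bulk cipher is not on the weak list.
strong_suites(Suites) ->
    [S || S <- Suites, not is_weak(S)].

%% Suites are {KeyExchange, Cipher, Hash} or, with an explicit PRF,
%% {KeyExchange, Cipher, Hash, Prf}.
is_weak({_KeyExchange, Cipher, _Hash}) ->
    lists:member(Cipher, ?WEAK_CIPHERS);
is_weak({_KeyExchange, Cipher, _Hash, _Prf}) ->
    lists:member(Cipher, ?WEAK_CIPHERS);
is_weak(_UnknownFormat) ->
    %% Fail closed: a suite we cannot parse is not offered.
    true.

%% Option list to merge into the options for ssl:connect or ssl:listen.
ssl_options() ->
    [{ciphers, strong_suites(ssl:cipher_suites())}].

%% Constructed sample input, so the filter can be checked without
%% a working crypto/ssl build.
demo() ->
    Constructed = [{ecdhe_rsa, aes_128_gcm, null, sha256},
                   {rsa, rc4_128, sha},
                   {dhe_rsa, '3des_ede_cbc', sha},
                   {rsa, aes_256_cbc, sha256}],
    %% Returns the first and last entries only.
    strong_suites(Constructed).
```

Filtering at this level only controls what TLS negotiates; it does not change which algorithms the crypto NIF is compiled against, which is the build problem the thread is about.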

