Projects
Kolab:16:Testing:Candidate
erlang
otp-0009-Patch-removes-support-for-SSLv3-protoc...
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File otp-0009-Patch-removes-support-for-SSLv3-protocol-because-it-.patch of Package erlang (Revision 1)
Currently displaying revision
1
,
Show latest
From: Sergei Golovan <sgolovan@debian.org> Date: Sun, 30 Nov 2014 20:20:41 +0300 Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved to be insecure and nobody should use it anymore. diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index b53344e..b245621 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -123,7 +123,7 @@ <p><c>sslsocket() - opaque to the user. </c></p> - <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p> + <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p> <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p> diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml index 43cb393..ff12e04 100644 --- a/lib/ssl/doc/src/ssl_app.xml +++ b/lib/ssl/doc/src/ssl_app.xml @@ -47,10 +47,10 @@ </p> <p>Note that the environment parameters can be set on the command line, for instance,</p> - <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>. + <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>. </p> <taglist> - <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag> + <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag> <item> <p>Protocol that will be supported by started clients and servers. If this option is not set it will default to all @@ -58,6 +58,9 @@ Note that this option may be overridden by the version option to ssl:connect/[2,3] and ssl:listen/2. </p> + <p>For Debian GNU/Linux distribution the sslv3 protocol was + disabled due to its security issues. + </p> </item> <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag> diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl index 75efb64..155fa81 100644 --- a/lib/ssl/src/ssl_internal.hrl +++ b/lib/ssl/src/ssl_internal.hrl @@ -67,8 +67,8 @@ -define(TRUE, 0). -define(FALSE, 1). --define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]). --define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]). +-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]). +-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]). -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl index 6aab35d..1511abd 100644 --- a/lib/ssl/src/ssl_record.hrl +++ b/lib/ssl/src/ssl_record.hrl @@ -144,6 +144,7 @@ %% }). -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3). +-define(LOWEST_MINOR_SUPPORTED_VERSION, 1). -record(generic_stream_cipher, { diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl index f50ea22..aa4fc8d 100644 --- a/lib/ssl/src/tls_record.erl +++ b/lib/ssl/src/tls_record.erl @@ -276,14 +276,20 @@ supported_protocol_versions([_|_] = Vsns) -> %%-------------------------------------------------------------------- -spec is_acceptable_version(tls_version()) -> boolean(). is_acceptable_version({N,_}) - when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION -> + when N > ?LOWEST_MAJOR_SUPPORTED_VERSION -> + true; +is_acceptable_version({N,M}) + when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> true; is_acceptable_version(_) -> false. -spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean(). is_acceptable_version({N,_} = Version, Versions) - when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION -> + when N > ?LOWEST_MAJOR_SUPPORTED_VERSION -> + lists:member(Version, Versions); +is_acceptable_version({N,M} = Version, Versions) + when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> lists:member(Version, Versions); is_acceptable_version(_,_) -> false.
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.