Package: erlang / 1:17.3-dfsg-4~bpo70+1

Description: This patch removes support for the SSLv3 protocol because it has
 been shown to be insecure and should no longer be used.
Author Sergei Golovan
Bug-Debian: https://bugs.debian.org/771359
Last-Update: Sun, 30 Nov 2014 20:20:41 +0300

--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -47,10 +47,10 @@
       </p>
     <p>Note that the environment parameters can be set on the command line,
       for instance,</p>
-    <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
+    <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
       </p>
     <taglist>
-      <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
+      <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
       <item>
 	<p>Protocol that will be supported by started clients and
 	servers. If this option is not set it will default to all
@@ -58,6 +58,9 @@
 	Note that this option may be overridden by the version option
 	to ssl:connect/[2,3] and ssl:listen/2.
 	</p>
+	<p>For Debian GNU/Linux distribution the sslv3 protocol was
+	disabled due to its security issues.
+	</p>
       </item>
 
       <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -123,7 +123,7 @@
 
     <p><c>sslsocket() - opaque to the user. </c></p>
     
-    <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+    <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
     
     <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
     
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -64,8 +64,8 @@
 -define(TRUE, 0).
 -define(FALSE, 1).
 
--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
+-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
+-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 
--- a/lib/ssl/src/ssl_record.hrl
+++ b/lib/ssl/src/ssl_record.hrl
@@ -144,6 +144,7 @@
 %% 	 }).
 
 -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
+-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
 	
 
 -record(generic_stream_cipher, {
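Review bot: The new `LOWEST_MINOR_SUPPORTED_VERSION` is a bare `1` with no indication of which protocol it denotes, so a reader has to know that `{3,1}` is TLS 1.0 and `{3,0}` is SSLv3 to see that the define is what excludes SSLv3. A one-line comment above it, `%% {3,1} is TLS 1.0; SSLv3 ({3,0}) is deliberately below the supported floor.`, would record the intent next to the value it depends on. The define is consumed by is_acceptable_version in tls_record.erl, which is outside this hunk.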
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -276,14 +276,20 @@
 %%--------------------------------------------------------------------
 -spec is_acceptable_version(tls_version()) -> boolean().
 is_acceptable_version({N,_}) 
-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    true;
+is_acceptable_version({N,M}) 
+  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
     true;
 is_acceptable_version(_) ->
     false.
 
 -spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
 is_acceptable_version({N,_} = Version, Versions)   
-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    lists:member(Version, Versions);
+is_acceptable_version({N,M} = Version, Versions)   
+  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
     lists:member(Version, Versions);
 is_acceptable_version(_,_) ->
     false.
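Review bot: Each of is_acceptable_version/1 and /2 now needs two clauses to express a single lexicographic floor, which Erlang's term ordering already provides for same-size tuples: `is_acceptable_version({_, _} = Version) when Version >= {?LOWEST_MAJOR_SUPPORTED_VERSION, ?LOWEST_MINOR_SUPPORTED_VERSION} -> true;` (and the same guard in front of `lists:member(Version, Versions)` in the /2 variant) replaces both clauses of each function and still rejects `{3,0}`. If the two-clause form is kept, `=:=` rather than `==` is the idiomatic exact comparison for the integer major in the `when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso ...` guards. Either way a why-comment above the spec, e.g. `%% SSLv3 is {3,0}; anything below {3,1} (TLS 1.0) is refused at the record layer.`, would explain why the floor is no longer the bare major. Whether the `versions` option validation elsewhere in ssl still accepts the `sslv3` atom, and what error a caller then sees, is not visible in this hunk and is worth checking.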