From 69de799fdce1c4cc5a582df6f2a86ccd3e62c3a9 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Mon, 12 Jan 2015 12:15:22 +0100 Subject: ssl: Remove sslv3 from the default supported protocol versions --- lib/ssl/doc/src/ssl.xml | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 83e5ed82bb..bd2cb70e3f 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -4,7 +4,7 @@
- 19992014 + 19992015 Ericsson AB. All Rights Reserved. @@ -38,7 +38,9 @@ ssl requires the crypto and public_key applications. Supported SSL/TLS-versions are SSL-3.0, TLS-1.0, TLS-1.1 and TLS-1.2. - For security reasons sslv2 is not supported. + For security reasons SSL-2.0 is not supported. + For security reasons SSL-3.0 is no longer supported by default, + but may be configured. Ephemeral Diffie-Hellman cipher suites are supported but not Diffie Hellman Certificates cipher suites. Elliptic Curve cipher suites are supported if crypto @@ -302,7 +304,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo - {partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca + {partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca } Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3 with the selected CA as trusted anchor and the rest of the chain. @@ -311,7 +313,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo {versions, [protocol()]} TLS protocol versions that will be supported by started clients and servers. This option overrides the application environment option protocol_version. If the - environment option is not set it defaults to all versions supported by the SSL application. See also + environment option is not set it defaults to all versions, except SSL-3.0, supported by the SSL application. See also ssl(6) @@ -904,19 +906,37 @@ fun(srp, Username :: string(), UserState :: term()) -> - versions() -> - [{SslAppVer, SupportedSslVer, AvailableSslVsn}] + versions() -> [versions_info()] Returns version information relevant for the ssl application. - SslAppVer = string() - SupportedSslVer = [protocol()] - AvailableSslVsn = [protocol()] + versions_info() = {app_vsn, string()} | {supported | available, [protocol()]

Returns version information relevant for the - ssl application.

+ ssl application. +

+ + app_vsn + The application version of the OTP ssl application. + + supported + + TLS/SSL versions supported by default. + Overridden by a versions option on + connect/[2,3,4], listen/2 and ssl_accept/[1,2,3]. For the + negotiated TLS/SSL version see ssl:connection_info/1 + + + available + All TLS/SSL versions that the Erlang ssl application + can support. Note that TLS 1.2 requires sufficient support + from the crypto application. + -- cgit v1.2.3 From 519b07bca04bdd8585b48f2de6b7124ca6455358 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 13 Jan 2015 15:16:20 +0100 Subject: ssl: Reenable padding check for TLS-1.0 and provide backwards compatible disable option --- lib/ssl/doc/src/ssl.xml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'lib/ssl/doc') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index bd2cb70e3f..d77c6440b0 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -350,11 +350,23 @@ fun(srp, Username :: string(), UserState :: term()) ->

+ {padding_check, boolean()} + +

This option only affects TLS-1.0 connections. + If set to false it disables the block cipher padding check + to be able to interoperate with legacy software. +

+ +

Using this option makes TLS vulnerable to + the Poodle attack

 + + + - + - -
+ +
SSL OPTION DESCRIPTIONS - CLIENT SIDE

Options described here are client specific or has a slightly different -- cgit v1.2.3