From 69de799fdce1c4cc5a582df6f2a86ccd3e62c3a9 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Mon, 12 Jan 2015 12:15:22 +0100 Subject: ssl: Remove sslv3 from the default supported protocol versions --- lib/ssl/doc/src/ssl.xml | 40 ++++++++++++++++++++++++++++++---------- lib/ssl/src/ssl.erl | 4 ++-- lib/ssl/src/ssl_internal.hrl | 9 ++++++--- lib/ssl/src/tls_record.erl | 13 +++++++++++-- lib/ssl/test/ssl_basic_SUITE.erl | 16 +++++++++++++--- 5 files changed, 62 insertions(+), 20 deletions(-) (limited to 'lib') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 83e5ed82bb..bd2cb70e3f 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -4,7 +4,7 @@
- 19992014 + 19992015 Ericsson AB. All Rights Reserved. @@ -38,7 +38,9 @@ ssl requires the crypto and public_key applications. Supported SSL/TLS-versions are SSL-3.0, TLS-1.0, TLS-1.1 and TLS-1.2. - For security reasons sslv2 is not supported. + For security reasons SSL-2.0 is not supported. + For security reasons SSL-3.0 is no longer supported by default, + but may be configured. Ephemeral Diffie-Hellman cipher suites are supported but not Diffie Hellman Certificates cipher suites. Elliptic Curve cipher suites are supported if crypto @@ -302,7 +304,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo - {partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca + {partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca } Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3 with the selected CA as trusted anchor and the rest of the chain. @@ -311,7 +313,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo {versions, [protocol()]} TLS protocol versions that will be supported by started clients and servers. This option overrides the application environment option protocol_version. If the - environment option is not set it defaults to all versions supported by the SSL application. See also + environment option is not set it defaults to all versions, except SSL-3.0, supported by the SSL application. See also ssl(6) @@ -904,19 +906,37 @@ fun(srp, Username :: string(), UserState :: term()) -> - versions() -> - [{SslAppVer, SupportedSslVer, AvailableSslVsn}] + versions() -> [versions_info()] Returns version information relevant for the ssl application. - SslAppVer = string() - SupportedSslVer = [protocol()] - AvailableSslVsn = [protocol()] + versions_info() = {app_vsn, string()} | {supported | available, [protocol()]

Returns version information relevant for the - ssl application.

+ ssl application. +

+ + app_vsn + The application version of the OTP ssl application. + + supported + + TLS/SSL versions supported by default. + Overridden by a versions option on + connect/[2,3,4], listen/2 and ssl_accept/[1,2,3]. For the + negotiated TLS/SSL version see ssl:connection_info/1 + + + available + All TLS/SSL versions that the Erlang ssl application + can support. Note that TLS 1.2 requires sufficient support + from the crypto application. + diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl index dcba69a65e..b06b1aa7c7 100644 --- a/lib/ssl/src/ssl.erl +++ b/lib/ssl/src/ssl.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 1999-2014. All Rights Reserved. +%% Copyright Ericsson AB 1999-2015. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -454,7 +454,7 @@ session_info(#sslsocket{pid = {Listen,_}}) when is_port(Listen) -> versions() -> Vsns = tls_record:supported_protocol_versions(), SupportedVsns = [tls_record:protocol_version(Vsn) || Vsn <- Vsns], - AvailableVsns = ?ALL_SUPPORTED_VERSIONS, + AvailableVsns = ?ALL_AVAILABLE_VERSIONS, %% TODO Add DTLS versions when supported [{ssl_app, ?VSN}, {supported, SupportedVsns}, {available, AvailableVsns}]. diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl index 75efb64e3f..4c2fdf74f1 100644 --- a/lib/ssl/src/ssl_internal.hrl +++ b/lib/ssl/src/ssl_internal.hrl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2014. All Rights Reserved. +%% Copyright Ericsson AB 2007-2015. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -67,8 +67,11 @@ -define(TRUE, 0). -define(FALSE, 1). --define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]). --define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]). +%% sslv3 is considered insecure due to lack of padding check (Poodle attack) +%% Keep as interop with legacy software but do not support as default +-define(ALL_AVAILABLE_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]). +-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]). +-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]). -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl index 544d200f70..37929c928d 100644 --- a/lib/ssl/src/tls_record.erl +++ b/lib/ssl/src/tls_record.erl @@ -311,8 +311,17 @@ supported_protocol_versions([]) -> Vsns; supported_protocol_versions([_|_] = Vsns) -> - Vsns. - + case sufficient_tlsv1_2_crypto_support() of + true -> + Vsns; + false -> + case Vsns -- ['tlsv1.2'] of + [] -> + ?MIN_SUPPORTED_VERSIONS; + NewVsns -> + NewVsns + end + end. %%-------------------------------------------------------------------- %% %% Description: ssl version 2 is not acceptable security risks are too big. diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index dc9e8934e6..0f7dbef91b 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -65,7 +65,7 @@ groups() -> {'tlsv1.2', [], all_versions_groups()}, {'tlsv1.1', [], all_versions_groups()}, {'tlsv1', [], all_versions_groups() ++ rizzo_tests()}, - {'sslv3', [], all_versions_groups() ++ rizzo_tests()}, + {'sslv3', [], all_versions_groups() ++ rizzo_tests() ++ [ciphersuite_vs_version]}, {api,[], api_tests()}, {session, [], session_tests()}, {renegotiate, [], renegotiate_tests()}, @@ -90,7 +90,8 @@ basic_tests() -> version_option, connect_twice, connect_dist, - clear_pem_cache + clear_pem_cache, + defaults ]. options_tests() -> @@ -116,7 +117,6 @@ options_tests() -> tcp_reuseaddr, honor_server_cipher_order, honor_client_cipher_order, - ciphersuite_vs_version, unordered_protocol_versions_server, unordered_protocol_versions_client ]. @@ -2507,6 +2507,16 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) -> ssl_test_lib:close(Client1). %%-------------------------------------------------------------------- +defaults(Config) when is_list(Config)-> + [_, + {supported, Supported}, + {available, Available}] + = ssl:versions(), + true = lists:member(sslv3, Available), + false = lists:member(sslv3, Supported), + false = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites()), + true = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites(all)). +%%-------------------------------------------------------------------- reuseaddr() -> [{doc,"Test reuseaddr option"}]. -- cgit v1.2.3