From 8cb17b5a5cb28222f3bd0330d891d304518020fa Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 12 Mar 2019 10:45:45 +0100
Subject: ssl: Remove default support for legacy versions

TLS-1.0, TLS-1.1 and DTLS-1.0 are now considered legacy
---
 lib/ssl/doc/src/ssl.xml                       | 7 ++++++-
 lib/ssl/src/dtls_connection.erl               | 2 +-
 lib/ssl/src/ssl.erl                           | 7 ++++---
 lib/ssl/src/ssl_internal.hrl                  | 7 ++++---
 lib/ssl/test/ssl_basic_SUITE.erl              | 6 +++---
 lib/ssl/test/ssl_certificate_verify_SUITE.erl | 1 +
 6 files changed, 19 insertions(+), 11 deletions(-)

(limited to 'lib')

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 37bf9033a1..74a0a0a03e 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -145,8 +145,13 @@
      </datatype>
      
      <datatype>
-       <name name="legacy_version"/>
+       <name name="tls_legacy_version"/>
      </datatype>
+
+     <datatype>
+       <name name="dtls_legacy_version"/>
+     </datatype>
+     
      
        <datatype>
        <name name="prf_random"/>
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index ed47980a69..30b2ab7c4f 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -840,7 +840,7 @@ next_dtls_record(Data, StateName, #state{protocol_buffers = #protocol_buffers{
     end.
 
 acceptable_record_versions(hello, _) ->
-    [dtls_record:protocol_version(Vsn) || Vsn <- ?ALL_DATAGRAM_SUPPORTED_VERSIONS];
+    [dtls_record:protocol_version(Vsn) || Vsn <- ?ALL_AVAILABLE_DATAGRAM_VERSIONS];
 acceptable_record_versions(_, #state{connection_env = #connection_env{negotiated_version = Version}}) ->
     [Version].
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index bfa349c8d8..c7c96370b3 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -103,9 +103,10 @@
 -type ip_address()               :: inet:ip_address().
 -type session_id()               :: binary().
 -type protocol_version()         :: tls_version() | dtls_version().
--type tls_version()              :: tlsv1 | 'tlsv1.1' | 'tlsv1.2' | 'tlsv1.3' | legacy_version().
--type dtls_version()             :: 'dtlsv1' | 'dtlsv1.2'.
--type legacy_version()           :: sslv3.
+-type tls_version()              :: 'tlsv1.2' | 'tlsv1.3' | tls_legacy_version().
+-type dtls_version()             :: 'dtlsv1.2' | dtls_legacy_version().
+-type tls_legacy_version()       ::  tlsv1 | 'tlsv1.1' | sslv3.
+-type dtls_legacy_version()      :: 'dtlsv1'. 
 -type verify_type()              :: verify_none | verify_peer.
 -type cipher()                   :: aes_128_cbc |
                                     aes_256_cbc |
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 3d117a655f..4ee0230d88 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -72,12 +72,13 @@
 
 %% sslv3 is considered insecure due to lack of padding check (Poodle attack)
 %% Keep as interop with legacy software but do not support as default
+%% tlsv1.0 and tlsv1.1 is now also considered legacy
 %% tlsv1.3 is under development (experimental).
 -define(ALL_AVAILABLE_VERSIONS, ['tlsv1.3', 'tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
 -define(ALL_AVAILABLE_DATAGRAM_VERSIONS, ['dtlsv1.2', dtlsv1]).
 %% Defines the default versions when not specified by an ssl option.
--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
+-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2']).
+-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1']).
 
 %% Versions allowed in TLSCiphertext.version (TLS 1.2 and prior) and
 %% TLSCiphertext.legacy_record_version (TLS 1.3).
@@ -86,7 +87,7 @@
 %% Thus, the allowed range is limited to 0x0300 - 0x0303.
 -define(ALL_TLS_RECORD_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
 
--define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+-define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2']).
 -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, [dtlsv1]).
 
 %% TLS 1.3 - Section 4.1.3
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index ff5638ff34..2e6883cc4f 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -3463,9 +3463,9 @@ defaults(Config) when is_list(Config)->
     true = lists:member(sslv3, proplists:get_value(available, Versions)),
     false = lists:member(sslv3,  proplists:get_value(supported, Versions)),
     true = lists:member('tlsv1', proplists:get_value(available, Versions)),
-    true = lists:member('tlsv1',  proplists:get_value(supported, Versions)),
+    false = lists:member('tlsv1',  proplists:get_value(supported, Versions)),
     true = lists:member('tlsv1.1', proplists:get_value(available, Versions)),
-    true = lists:member('tlsv1.1',  proplists:get_value(supported, Versions)),
+    false = lists:member('tlsv1.1',  proplists:get_value(supported, Versions)),
     true = lists:member('tlsv1.2', proplists:get_value(available, Versions)),
     true = lists:member('tlsv1.2',  proplists:get_value(supported, Versions)),    
     false = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites()),
@@ -3477,7 +3477,7 @@ defaults(Config) when is_list(Config)->
     true = lists:member('dtlsv1.2', proplists:get_value(available_dtls, Versions)),
     true = lists:member('dtlsv1', proplists:get_value(available_dtls, Versions)),
     true = lists:member('dtlsv1.2', proplists:get_value(supported_dtls, Versions)),
-    true = lists:member('dtlsv1', proplists:get_value(supported_dtls, Versions)).
+    false = lists:member('dtlsv1', proplists:get_value(supported_dtls, Versions)).
 
 %%--------------------------------------------------------------------
 reuseaddr() ->
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 8690faed54..4f340af4f5 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -147,6 +147,7 @@ init_per_testcase(_TestCase, Config) ->
     ssl:stop(),
     ssl:start(),
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
+    ct:pal(" ~p", [ dtls_record:supported_protocol_versions()]),
     ct:timetrap({seconds, 10}),
     Config.
 
-- 
cgit v1.2.3