From: Sergei Golovan <sgolovan@debian.org>
Date: Sun, 30 Nov 2014 20:20:41 +0300
Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
to be insecure and nobody should use it anymore.
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index b53344e..b245621 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -123,7 +123,7 @@
<p><c>sslsocket() - opaque to the user. </c></p>
- <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+ <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
<p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 43cb393..ff12e04 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -47,10 +47,10 @@
</p>
<p>Note that the environment parameters can be set on the command line,
for instance,</p>
- <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
+ <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
</p>
<taglist>
- <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
+ <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
<item>
<p>Protocol that will be supported by started clients and
servers. If this option is not set it will default to all
@@ -58,6 +58,9 @@
Note that this option may be overridden by the version option
to ssl:connect/[2,3] and ssl:listen/2.
</p>
+ <p>For Debian GNU/Linux distribution the sslv3 protocol was
+ disabled due to its security issues.
+ </p>
</item>
<tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 75efb64..155fa81 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -67,8 +67,8 @@
-define(TRUE, 0).
-define(FALSE, 1).
--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
+-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
+-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
-define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
-define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
index 6aab35d..1511abd 100644
--- a/lib/ssl/src/ssl_record.hrl
+++ b/lib/ssl/src/ssl_record.hrl
@@ -144,6 +144,7 @@
%% }).
-define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
+-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
-record(generic_stream_cipher, {
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index f50ea22..aa4fc8d 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -276,14 +276,20 @@ supported_protocol_versions([_|_] = Vsns) ->
%%--------------------------------------------------------------------
-spec is_acceptable_version(tls_version()) -> boolean().
is_acceptable_version({N,_})
- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+ true;
+is_acceptable_version({N,M})
+ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
true;
is_acceptable_version(_) ->
false.
-spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
is_acceptable_version({N,_} = Version, Versions)
- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+ lists:member(Version, Versions);
+is_acceptable_version({N,M} = Version, Versions)
+ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
lists:member(Version, Versions);
is_acceptable_version(_,_) ->
false.