From 918fdf26b715336be8386b8c865b32ac34d84535 Mon Sep 17 00:00:00 2001 From: Peter Lemenkov Date: Dec 01 2014 14:13:00 +0000 Subject: Disable SSLv3 See rhbz #1169375 for further details: https://bugzilla.redhat.com/1169375 Signed-off-by: Peter Lemenkov --- diff --git a/erlang.spec b/erlang.spec index eff8714..66fdfd8 100644 --- a/erlang.spec +++ b/erlang.spec @@ -10,7 +10,7 @@ Name: erlang Version: 17.3.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: General-purpose programming language and runtime environment Group: Development/Languages @@ -74,6 +74,9 @@ Patch10: otp-0010-Split-off-webtool-dependency-from-tools.patch # Fedora specific patch # Introduce os:getenv/2 Patch11: otp-0011-Introduce-os-getenv-2.patch +# Fedora specific patch +# Patch removes support for SSLv3 protocol because it is proved +Patch12: otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch # end of autogenerated patch tag list BuildRequires: lksctp-tools-devel @@ -904,6 +907,7 @@ Erlang mode for XEmacs (source lisp files). %patch9 -p1 -b .Expose_NIF_version %patch10 -p1 -b .Split_off_webtool_dependency_from_tools %patch11 -p1 -b .Introduce_os_getenv_2 +%patch12 -p1 -b .Patch_removes_support_for_SSLv3_protocol_because_it_ # end of autogenerated prep patch list # FIXME we should come up with a better solution @@ -2224,6 +2228,9 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \ %changelog +* Mon Dec 01 2014 Peter Lemenkov - 17.3.4-3 +- Disable SSLv3 (see rhbz #1169375) + * Mon Dec 01 2014 Peter Lemenkov - 17.3.4-2 - Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 ) diff --git a/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch b/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch new file mode 100644 index 0000000..584fa59 --- /dev/null +++ b/otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch @@ -0,0 +1,100 @@ +From: Sergei Golovan +Date: Sun, 30 Nov 2014 20:20:41 +0300 +Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved + to be insecure and nobody should use it anymore. + + +diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml +index f14d0b8..3a768e9 100644 +--- a/lib/ssl/doc/src/ssl.xml ++++ b/lib/ssl/doc/src/ssl.xml +@@ -123,7 +123,7 @@ + +

sslsocket() - opaque to the user.

+ +-

protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2'

++

protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2'

+ +

ciphers() = [ciphersuite()] | string() (according to old API)

+ +diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml +index 43cb393..ff12e04 100644 +--- a/lib/ssl/doc/src/ssl_app.xml ++++ b/lib/ssl/doc/src/ssl_app.xml +@@ -47,10 +47,10 @@ +

+

Note that the environment parameters can be set on the command line, + for instance,

+-

erl ... -ssl protocol_version '[sslv3, tlsv1]' .... ++

erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' .... +

+ +- ]]>. ++ ]]>. + +

Protocol that will be supported by started clients and + servers. If this option is not set it will default to all +@@ -58,6 +58,9 @@ + Note that this option may be overridden by the version option + to ssl:connect/[2,3] and ssl:listen/2. +

++

For Debian GNU/Linux distribution the sslv3 protocol was ++ disabled due to its security issues. ++

+
+ + ]]> +diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl +index 85724de..14013a4 100644 +--- a/lib/ssl/src/ssl_internal.hrl ++++ b/lib/ssl/src/ssl_internal.hrl +@@ -64,8 +64,8 @@ + -define(TRUE, 0). + -define(FALSE, 1). + +--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]). +--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]). ++-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]). ++-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]). + -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). + -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]). + +diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl +index 6aab35d..1511abd 100644 +--- a/lib/ssl/src/ssl_record.hrl ++++ b/lib/ssl/src/ssl_record.hrl +@@ -144,6 +144,7 @@ + %% }). + + -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3). ++-define(LOWEST_MINOR_SUPPORTED_VERSION, 1). + + + -record(generic_stream_cipher, { +diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl +index f50ea22..aa4fc8d 100644 +--- a/lib/ssl/src/tls_record.erl ++++ b/lib/ssl/src/tls_record.erl +@@ -276,14 +276,20 @@ supported_protocol_versions([_|_] = Vsns) -> + %%-------------------------------------------------------------------- + -spec is_acceptable_version(tls_version()) -> boolean(). + is_acceptable_version({N,_}) +- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION -> ++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION -> ++ true; ++is_acceptable_version({N,M}) ++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> + true; + is_acceptable_version(_) -> + false. + + -spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean(). + is_acceptable_version({N,_} = Version, Versions) +- when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION -> ++ when N > ?LOWEST_MAJOR_SUPPORTED_VERSION -> ++ lists:member(Version, Versions); ++is_acceptable_version({N,M} = Version, Versions) ++ when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> + lists:member(Version, Versions); + is_acceptable_version(_,_) -> + false.