961faf1
From: Sergei Golovan <sgolovan@debian.org>
Date: Sun, 30 Nov 2014 20:20:41 +0300
Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
 to be insecure and nobody should use it anymore.
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 1d74faf..912acc2 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -123,7 +123,7 @@
 
     

<c>sslsocket() - opaque to the user. </c>

     
-    

<c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c>

+    

<c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c>

     
     

<c>ciphers() = [ciphersuite()] | string() (according to old API)</c>

     
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 0ee5b23..c65f8a3 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -47,10 +47,10 @@
       

     

Note that the environment parameters can be set on the command line,

       for instance,

-    

<c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.

+    

<c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.

       

     <taglist>
-      <tag><c>]]></c>.</tag>
+      <tag><c>]]></c>.</tag>
       <item>
 	

Protocol that will be supported by started clients and

 	servers. If this option is not set it will default to all
@@ -58,6 +58,9 @@
 	Note that this option may be overridden by the version option
 	to ssl:connect/[2,3] and ssl:listen/2.
 	

+	

For Debian GNU/Linux distribution the sslv3 protocol was

+	disabled due to its security issues.
+	

       </item>
 
       <tag><c>]]></c></tag>
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 0186f9f..6f84830 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -67,8 +67,8 @@
 -define(TRUE, 0).
 -define(FALSE, 1).
 
--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
+-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
+-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 
diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
index c17fa53..f4be9be 100644
--- a/lib/ssl/src/ssl_record.hrl
+++ b/lib/ssl/src/ssl_record.hrl
@@ -144,6 +144,7 @@
 %% 	 }).
 
 -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
+-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
 	
 
 -record(generic_stream_cipher, {
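Review bot: The new LOWEST_MINOR_SUPPORTED_VERSION define carries no comment saying why the minor bound is 1 or that it must agree with the version lists changed in ssl_internal.hrl, so a later edit to either place could silently re-admit SSLv3 or start rejecting TLS 1.0. A one-line comment on the define records the intent: `%% {3,1} is TLS 1.0; SSLv3 ({3,0}) is deliberately below this bound. Keep in step with MIN_SUPPORTED_VERSIONS in ssl_internal.hrl.` The same gap exists in the ssl_internal.hrl hunk, where sslv3 is dropped from ALL_SUPPORTED_VERSIONS and MIN_SUPPORTED_VERSIONS without a note pointing back at this macro.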
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index 8810755..3c5c7e9 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -269,13 +269,19 @@ supported_protocol_versions([_|_] = Vsns) ->
 %% 
 %%--------------------------------------------------------------------
 is_acceptable_version({N,_}) 
-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    true;
+is_acceptable_version({N,M}) 
+  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
     true;
 is_acceptable_version(_) ->
     false.
 
 is_acceptable_version({N,_} = Version, Versions)   
-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
+    lists:member(Version, Versions);
+is_acceptable_version({N,M} = Version, Versions)   
+  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
     lists:member(Version, Versions);
 is_acceptable_version(_,_) ->
     false.
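Review bot: The new clause pairs in is_acceptable_version/1 and is_acceptable_version/2 repeat the same major/minor guard, and the /2 pair also repeats the lists:member/2 body, so the lower bound is now spelled out four times; each pair can be a single clause, `is_acceptable_version({N,M}) when N > ?LOWEST_MAJOR_SUPPORTED_VERSION; N =:= ?LOWEST_MAJOR_SUPPORTED_VERSION, M >= ?LOWEST_MINOR_SUPPORTED_VERSION -> true;` for /1 and `is_acceptable_version(Version, Versions) -> is_acceptable_version(Version) andalso lists:member(Version, Versions).` for /2. The added guards compare with `==`, which coerces numerically; `=:=` is the exact comparison normally used on version tuples. The comment block above is_acceptable_version/1 begins before the hunk and should state that any version below {?LOWEST_MAJOR_SUPPORTED_VERSION, ?LOWEST_MINOR_SUPPORTED_VERSION}, i.e. SSLv3's {3,0}, is refused, since as far as this hunk shows these guards are what enforce the removal at the record layer.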