by throwaway12357
4008 days ago
> ssl: Remove default support for SSL-3.0 and added padding check for TLS-1.0 due to the Poodle vulnerability.

> ssl: Remove default support for RC4 cipher suites, as they are considered too weak.

I'm not following Erlang news but was just wondering, aren't these fixes coming out way too late?
https://www.rabbitmq.com/ssl.html
It is different from an end-user application in the sense that you can configure this in a safe way, and that has indeed been the typical workaround.
Now we just make it impossible for people to misconfigure this in any way.
The fix was also backported to 17.5 w.r.t. the padding for TLS-1.0.
Another point worth mentioning is that Erlang/OTP uses OpenSSL, but only for the cryptographic ciphers. `ssl` is a complete standalone implementation of TLS in Erlang and this automatically avoids a lot of trouble. The common case is that an attack on OpenSSL leaves the `ssl` application unaffected by the error.
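The "configure this in a safe way" workaround from the reply above, as an added example (not code from the thread, RabbitMQ or OTP): an Erlang `ssl` listener that refuses SSLv3 and filters RC4 (and single DES) out of the suites the runtime offers. It assumes the OTP 17-era tuple format returned by `ssl:cipher_suites/0`, and the certificate and key paths are placeholders.

```erlang
%% Added example (not from the thread): explicitly disable SSLv3 and
%% drop RC4/DES suites on an Erlang `ssl` listener, i.e. the manual
%% workaround that OTP 18 now applies by default.
%% Assumes OTP 17-era {KeyExchange, Cipher, Mac[, Prf]} suite tuples.
-module(hardened_listener).
-export([safe_ciphers/0, listen/1]).

%% Keep every suite the runtime offers except those whose bulk cipher
%% is RC4 or single DES (element 2 of the suite tuple is the cipher).
safe_ciphers() ->
    [Suite || Suite <- ssl:cipher_suites(),
              not lists:member(element(2, Suite), [rc4_128, des_cbc])].

listen(Port) ->
    Opts = [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},  % sslv3 not listed
            {ciphers, safe_ciphers()},
            {certfile, "/path/to/server_cert.pem"},    % placeholder path
            {keyfile,  "/path/to/server_key.pem"},     % placeholder path
            {reuseaddr, true}],
    ok = ssl:start(),
    ssl:listen(Port, Opts).
```

The same `versions` and `ciphers` entries can be placed under `ssl_options` in rabbitmq.config, which is the mechanism the linked RabbitMQ TLS page describes.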