by jlouis 4013 days ago
You could tell the `ssl` application to avoid SSL-3.0, TLS-1.0 and RC4. Here is an explanation by RabbitMQ:

https://www.rabbitmq.com/ssl.html

It is different from an end-user application in the sense that you can configure this in a safe way, and that has indeed been the typical workaround.

Now we just make it impossible for people to misconfigure this in any way.

The fix was also backported to 17.5 w.r.t. the padding for TLS-1.0.

Another point worth mentioning is that Erlang/OTP uses OpenSSL, but only for the cryptographic ciphers. `ssl` is a complete standalone implementation of TLS in Erlang and this automatically avoids a lot of trouble. The common case is that an attack on OpenSSL leaves the `ssl` application unaffected by the error.
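
Added example, not part of the comment above and not code from Erlang/OTP or RabbitMQ: a small check that an `ssl` option list does what the comment describes, that is, offers neither SSL-3.0 nor TLS-1.0 and contains no RC4 suite. The module name `tls_opts_audit`, its functions and the two option lists in `demo/0` are hypothetical and constructed for illustration.

```erlang
%% Hypothetical helper module (added example): audits an `ssl` option
%% proplist for the legacy settings named in the comment above.
-module(tls_opts_audit).
-export([audit/1, demo/0]).

%% Returns a list of findings; an empty list means nothing was flagged.
audit(Opts) ->
    Versions = proplists:get_value(versions, Opts, undefined),
    Ciphers  = proplists:get_value(ciphers, Opts, undefined),
    version_findings(Versions) ++ cipher_findings(Ciphers).

%% An unset `versions` option means the OTP release defaults apply,
%% so report it instead of assuming it is safe.
version_findings(undefined) ->
    [{versions, not_pinned}];
version_findings(Vs) ->
    [{versions, {legacy, V}} || V <- Vs, lists:member(V, [sslv3, tlsv1])].

cipher_findings(undefined) ->
    [{ciphers, not_pinned}];
cipher_findings(Suites) ->
    [{ciphers, {rc4, S}} || S <- Suites, uses_rc4(S)].

%% Cipher suites can be written as maps (newer OTP), tuples (older OTP)
%% or OpenSSL-style name strings; all three forms are handled.
uses_rc4(#{cipher := C})         -> C =:= rc4_128;
uses_rc4({_Kex, C, _Hash})       -> C =:= rc4_128;
uses_rc4({_Kex, C, _Hash, _Prf}) -> C =:= rc4_128;
uses_rc4(S) when is_list(S)      -> string:find(S, "RC4") =/= nomatch;
uses_rc4(_)                      -> false.

%% Constructed sample inputs: one weak option list, one hardened one.
demo() ->
    Weak = [{versions, ['tlsv1.2', tlsv1, sslv3]},
            {ciphers, [{rsa, rc4_128, sha},
                       {ecdhe_rsa, aes_256_cbc, sha384},
                       "ECDHE-RSA-RC4-SHA"]}],
    Hardened = [{versions, ['tlsv1.2', 'tlsv1.1']},
                {ciphers, [{ecdhe_rsa, aes_256_cbc, sha384}]}],
    {audit(Weak), audit(Hardened)}.
```

Running `tls_opts_audit:demo()` in an Erlang shell returns the findings for the weak list next to the empty result for the hardened one.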