Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/07/29 17:54:46 UTC
[17/50] mochiweb commit: updated refs/heads/upstream to b66b68d
SSL: Fix for broken ECDH cipher suite in R16B
See: http://osdir.com/ml/erlang-programming-bugs/2013-10/msg00004.html
Fix inspired by https://github.com/extend/ranch/commit/c0c09a1311
Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/95c0c926
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/95c0c926
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/95c0c926
Branch: refs/heads/upstream
Commit: 95c0c926cc80969fbcb4200a7b2005becc3e5121
Parents: 7cf56e3
Author: Arjan Scherpenisse <ar...@scherpenisse.net>
Authored: Thu Jul 3 09:58:24 2014 +0200
Committer: Marc Worrell <ma...@worrell.nl>
Committed: Wed Oct 15 12:46:09 2014 +0200
----------------------------------------------------------------------
src/mochiweb_socket.erl | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/95c0c926/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index bf503cc..fff0b42 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -15,7 +15,8 @@
listen(Ssl, Port, Opts, SslOpts) ->
case Ssl of
true ->
- case ssl:listen(Port, Opts ++ SslOpts) of
+ Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
+ case ssl:listen(Port, Opts1) of
{ok, ListenSocket} ->
{ok, {ssl, ListenSocket}};
{error, _} = Err ->
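Review bot: The option list passed to ssl:listen on the added `Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts)` line is rewritten unconditionally, including when the caller supplied an explicit `{ciphers, ...}` in SslOpts, and the helper introduced in the next hunk then calls `atom_to_list(element(1, Suite))` on every entry, which raises badarg if the configured suites are given as OpenSSL-style strings rather than `{KeyExchange, Cipher, Hash}` tuples (ssl accepts both forms, as far as I recall), so a previously working configuration would fail at listen time on ssl 5.3. A narrower filter would leave non-tuple entries untouched: `fun(Suite) when is_tuple(Suite) -> string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"; (_) -> true end`. Because this silently shrinks an operator-chosen suite set, a comment at the call site such as `%% ssl 5.3 (R16B) ships broken ECDH suites; drop them from the configured/default cipher list before listening` would tell the next reader why the options are rewritten. listen/4's `{error, _}` branch continues outside the hunk.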
@@ -25,6 +26,20 @@ listen(Ssl, Port, Opts, SslOpts) ->
gen_tcp:listen(Port, Opts)
end.
+add_unbroken_ciphers_default(Opts) ->
+ Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+ [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
+
+filter_broken_cipher_suites(Ciphers) ->
+ case proplists:get_value(ssl_app, ssl:versions()) of
+ "5.3" ++ _ ->
+ lists:filter(fun(Suite) ->
+ string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
+ end, Ciphers);
+ _ ->
+ Ciphers
+ end.
+
accept({ssl, ListenSocket}) ->
% There's a bug in ssl:transport_accept/2 at the moment, which is the
% reason for the try...catch block. Should be fixed in OTP R14.