Posted to commits@couchdb.apache.org by rn...@apache.org on 2015/07/29 17:54:46 UTC

[17/50] mochiweb commit: updated refs/heads/upstream to b66b68d

SSL: Fix for broken ECDH ciper suite in R16B

See: http://osdir.com/ml/erlang-programming-bugs/2013-10/msg00004.html

Fix inspired by https://github.com/extend/ranch/commit/c0c09a1311


Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/95c0c926
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/95c0c926
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/95c0c926

Branch: refs/heads/upstream
Commit: 95c0c926cc80969fbcb4200a7b2005becc3e5121
Parents: 7cf56e3
Author: Arjan Scherpenisse <ar...@scherpenisse.net>
Authored: Thu Jul 3 09:58:24 2014 +0200
Committer: Marc Worrell <ma...@worrell.nl>
Committed: Wed Oct 15 12:46:09 2014 +0200

----------------------------------------------------------------------
 src/mochiweb_socket.erl | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/95c0c926/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index bf503cc..fff0b42 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -15,7 +15,8 @@
 listen(Ssl, Port, Opts, SslOpts) ->
     case Ssl of
         true ->
-            case ssl:listen(Port, Opts ++ SslOpts) of
+            Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
+            case ssl:listen(Port, Opts1) of
                 {ok, ListenSocket} ->
                     {ok, {ssl, ListenSocket}};
                 {error, _} = Err ->
@@ -25,6 +26,20 @@ listen(Ssl, Port, Opts, SslOpts) ->
             gen_tcp:listen(Port, Opts)
     end.
 
+add_unbroken_ciphers_default(Opts) ->
+    Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+    [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
+
+filter_broken_cipher_suites(Ciphers) ->
+	case proplists:get_value(ssl_app, ssl:versions()) of
+		"5.3" ++ _ ->
+            lists:filter(fun(Suite) ->
+                                 string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
+                         end, Ciphers);
+        _ ->
+            Ciphers
+    end.
+
 accept({ssl, ListenSocket}) ->
     % There's a bug in ssl:transport_accept/2 at the moment, which is the
     % reason for the try...catch block. Should be fixed in OTP R14.