Disable SSLv3

See rhbz #1169375 for further details:

https://bugzilla.redhat.com/1169375

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>

erlang.spec

@@ -10,7 +10,7 @@
 
 Name:		erlang
 Version:	17.3.4
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	General-purpose programming language and runtime environment
 
 Group:		Development/Languages
@@ -74,6 +74,9 @@ Patch10: otp-0010-Split-off-webtool-dependency-from-tools.patch
 # Fedora specific patch
 #   Introduce os:getenv/2
 Patch11: otp-0011-Introduce-os-getenv-2.patch
+# Fedora specific patch
+#   Patch removes support for SSLv3 protocol because it is proved
+Patch12: otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch
 # end of autogenerated patch tag list
 
 BuildRequires:	lksctp-tools-devel
@@ -904,6 +907,7 @@ Erlang mode for XEmacs (source lisp files).
 %patch9 -p1 -b .Expose_NIF_version
 %patch10 -p1 -b .Split_off_webtool_dependency_from_tools
 %patch11 -p1 -b .Introduce_os_getenv_2
+%patch12 -p1 -b .Patch_removes_support_for_SSLv3_protocol_because_it_
 # end of autogenerated prep patch list
 
 # FIXME we should come up with a better solution
@@ -2224,6 +2228,9 @@ useradd -r -g epmd -d /tmp -s /sbin/nologin \
 
 
 %changelog
+* Mon Dec 01 2014 Peter Lemenkov <lemenkov@gmail.com> - 17.3.4-3
+- Disable SSLv3 (see rhbz #1169375)
+
 * Mon Dec 01 2014 Peter Lemenkov <lemenkov@gmail.com> - 17.3.4-2
 - Backport useful os:getenv/2 from master (see https://github.com/erlang/otp/pull/535 )
 

otp-0012-Patch-removes-support-for-SSLv3-protocol-because-it-.patch

@@ -0,0 +1,100 @@
+From: Sergei Golovan <sgolovan@debian.org>
+Date: Sun, 30 Nov 2014 20:20:41 +0300
+Subject: [PATCH] Patch removes support for SSLv3 protocol because it is proved
+ to be insecure and nobody should use it anymore.
+
+
+diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
+index f14d0b8..3a768e9 100644
+--- a/lib/ssl/doc/src/ssl.xml
++++ b/lib/ssl/doc/src/ssl.xml
+@@ -123,7 +123,7 @@
+ 
+     <p><c>sslsocket() - opaque to the user. </c></p>
+     
+-    <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
++    <p><c>protocol() = tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
+     
+     <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
+     
+diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
+index 43cb393..ff12e04 100644
+--- a/lib/ssl/doc/src/ssl_app.xml
++++ b/lib/ssl/doc/src/ssl_app.xml
+@@ -47,10 +47,10 @@
+       </p>
+     <p>Note that the environment parameters can be set on the command line,
+       for instance,</p>
+-    <p><c>erl ... -ssl protocol_version '[sslv3, tlsv1]' ...</c>.
++    <p><c>erl ... -ssl protocol_version '[tlsv1.1, tlsv1]' ...</c>.
+       </p>
+     <taglist>
+-      <tag><c><![CDATA[protocol_version = [sslv3|tlsv1] <optional>]]></c>.</tag>
++      <tag><c><![CDATA[protocol_version = [tlsv1|tlsv1.1|tlsv1.2] <optional>]]></c>.</tag>
+       <item>
+ 	<p>Protocol that will be supported by started clients and
+ 	servers. If this option is not set it will default to all
+@@ -58,6 +58,9 @@
+ 	Note that this option may be overridden by the version option
+ 	to ssl:connect/[2,3] and ssl:listen/2.
+ 	</p>
++	<p>For Debian GNU/Linux distribution the sslv3 protocol was
++	disabled due to its security issues.
++	</p>
+       </item>
+ 
+       <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
+diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
+index 85724de..14013a4 100644
+--- a/lib/ssl/src/ssl_internal.hrl
++++ b/lib/ssl/src/ssl_internal.hrl
+@@ -64,8 +64,8 @@
+ -define(TRUE, 0).
+ -define(FALSE, 1).
+ 
+--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
++-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
++-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
+ -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+ -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+ 
+diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
+index 6aab35d..1511abd 100644
+--- a/lib/ssl/src/ssl_record.hrl
++++ b/lib/ssl/src/ssl_record.hrl
+@@ -144,6 +144,7 @@
+ %% 	 }).
+ 
+ -define(LOWEST_MAJOR_SUPPORTED_VERSION, 3).
++-define(LOWEST_MINOR_SUPPORTED_VERSION, 1).
+ 	
+ 
+ -record(generic_stream_cipher, {
+diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
+index f50ea22..aa4fc8d 100644
+--- a/lib/ssl/src/tls_record.erl
++++ b/lib/ssl/src/tls_record.erl
+@@ -276,14 +276,20 @@ supported_protocol_versions([_|_] = Vsns) ->
+ %%--------------------------------------------------------------------
+ -spec is_acceptable_version(tls_version()) -> boolean().
+ is_acceptable_version({N,_}) 
+-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++    true;
++is_acceptable_version({N,M}) 
++  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+     true;
+ is_acceptable_version(_) ->
+     false.
+ 
+ -spec is_acceptable_version(tls_version(), Supported :: [tls_version()]) -> boolean().
+ is_acceptable_version({N,_} = Version, Versions)   
+-  when N >= ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++  when N > ?LOWEST_MAJOR_SUPPORTED_VERSION ->
++    lists:member(Version, Versions);
++is_acceptable_version({N,M} = Version, Versions)   
++  when N == ?LOWEST_MAJOR_SUPPORTED_VERSION andalso M >= ?LOWEST_MINOR_SUPPORTED_VERSION ->
+     lists:member(Version, Versions);
+ is_acceptable_version(_,_) ->
+     false.