SSL: Fix for broken ECDH cipher suite in R16B
See: http://osdir.com/ml/erlang-programming-bugs/2013-10/msg00004.html
Fix inspired by https://github.com/extend/ranch/commit/c0c09a1311
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index bf503cc..fff0b42 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -15,7 +15,8 @@
listen(Ssl, Port, Opts, SslOpts) ->
case Ssl of
true ->
- case ssl:listen(Port, Opts ++ SslOpts) of
+ Opts1 = add_unbroken_ciphers_default(Opts ++ SslOpts),
+ case ssl:listen(Port, Opts1) of
{ok, ListenSocket} ->
{ok, {ssl, ListenSocket}};
{error, _} = Err ->
@@ -25,6 +26,20 @@
gen_tcp:listen(Port, Opts)
end.
+add_unbroken_ciphers_default(Opts) ->
+ Ciphers = filter_broken_cipher_suites(proplists:get_value(ciphers, Opts, ssl:cipher_suites())),
+ [{ciphers, Ciphers} | proplists:delete(ciphers, Opts)].
+
+filter_broken_cipher_suites(Ciphers) ->
+ case proplists:get_value(ssl_app, ssl:versions()) of
+ "5.3" ++ _ ->
+ lists:filter(fun(Suite) ->
+ string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"
+ end, Ciphers);
+ _ ->
+ Ciphers
+ end.
+
accept({ssl, ListenSocket}) ->
% There's a bug in ssl:transport_accept/2 at the moment, which is the
% reason for the try...catch block. Should be fixed in OTP R14.
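Review bot: `filter_broken_cipher_suites/1`, added in this hunk, assumes every entry of the `ciphers` option is a tuple whose first element is an atom, so `element(1, Suite)` or `atom_to_list/1` raises badarg when a caller supplies the option in the OpenSSL-style string form that the ssl application also accepts, turning a previously working listener into a crash at listen time. Restricting the filter to entries it can actually inspect keeps the workaround harmless for other shapes: `fun(Suite) when is_tuple(Suite), is_atom(element(1, Suite)) -> string:left(atom_to_list(element(1, Suite)), 4) =/= "ecdh"; (_Other) -> true end`. The version test `"5.3" ++ _` is a bare prefix match that would also fire on an unrelated later release such as "5.30", so a comment above that clause naming the affected releases (`%% ssl 5.3.x (R16B) ships broken ECDH suites; see the commit message links`) would make the special case easy to retire once the fix is no longer needed. A user-supplied list consisting only of ECDH suites is reduced to `[]` here; it is worth confirming how ssl:listen/2 treats `{ciphers, []}` rather than letting that case surface as an unexplained listen failure.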