File 1663-ssl-Nonce-of-size-32-and-not-requested-in-... of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 1663-ssl-Nonce-of-size-32-and-not-requested-in-ClientHell.patch of Package erlang

From fca25b869303ef718942acb5fcb9e24ed201f98f Mon Sep 17 00:00:00 2001
From: Jakub Witczak <kuba@erlang.org>
Date: Thu, 25 Apr 2024 19:35:48 +0200
Subject: [PATCH] ssl: Nonce of size 32 and not requested in ClientHello by
 default

---
 lib/ssl/src/ssl.erl            | 2 +-
 lib/ssl/src/ssl_internal.hrl   | 2 +-
 lib/ssl/src/tls_handshake.erl  | 2 +-
 lib/ssl/test/ssl_api_SUITE.erl | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/soc/src/ssl.xml
index fc3df65615..0827b26fee 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -1282,7 +1282,7 @@
 
         <p>When map is used, boolean ocsp_nonce key may indicate if
         OCSP nonce should be requested by the client (default is
-        <c>true</c>).</p>
+        <c>false</c>).</p>
         </desc>
       </datatype>
 
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index a38e3d5ded..538e272d9b 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -193,5 +193,5 @@
 
 -define(DEFAULT_DEPTH, 10).
 -define(DEFAULT_STAPLING_OPT, no_staple).
--define(DEFAULT_OCSP_NONCE_OPT, true).
+-define(DEFAULT_OCSP_NONCE_OPT, false).
 -endif. % -ifdef(ssl_internal).
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 01e0552bb1..e9b95867d0 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -315,7 +315,7 @@ get_tls_handshakes(Version, Data, Buffer, Options) ->
 ocsp_nonce(SslOpts) ->
     case maps:get(stapling, SslOpts, disabled) of
         #{ocsp_nonce := true} ->
-            public_key:der_encode('Nonce', crypto:strong_rand_bytes(8));
+            public_key:der_encode('Nonce', crypto:strong_rand_bytes(32)); %RFC8954 2.1
         _ ->
             undefined
     end.
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index 78e252aeb2..37ef7fa82a 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -3013,9 +3013,9 @@ options_stapling(_Config) ->
     ?OK(#{}, [], client, [stapling]),
     ?OK(#{}, [{stapling, no_staple}], client, [stapling]),
 
-    ?OK(#{stapling := #{ocsp_nonce := true}},
+    ?OK(#{stapling := #{ocsp_nonce := false}},
         [{stapling, staple}], client),
-    ?OK(#{stapling := #{ocsp_nonce := true}},
+    ?OK(#{stapling := #{ocsp_nonce := false}},
         [{stapling, #{}}], client),
     ?OK(#{stapling := #{ocsp_nonce := true}},
         [{stapling, #{ocsp_nonce => true}}], client),
-- 
2.35.3

Places

File 1663-ssl-Nonce-of-size-32-and-not-requested-in-ClientHell.patch of Package erlang

Places