Warn when using ssl-10.2

hexpm · Jan 15, 2021 · 4dc8033 · 4dc8033
1 parent 17451df
commit 4dc8033
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/lib/hex/application.ex b/lib/hex/application.ex
@@ -10,6 +10,7 @@ defmodule Hex.Application do
     Mix.RemoteConverger.register(Hex.RemoteConverger)
 
     Hex.Version.start()
+    warn_ssl()
     start_httpc()
 
     opts = [strategy: :one_for_one, name: Hex.Supervisor]
@@ -24,6 +25,22 @@ defmodule Hex.Application do
     defp dev_setup, do: :ok
   end
 
+  defp warn_ssl() do
+    case Application.load(:ssl) do
+      :ok ->
+        if :application.get_key(:ssl, :vsn) == {:ok, '10.2'} do
+          Hex.Shell.warn("""
+          You are using an OTP release with the application ssl-10.2 which has a vulnerability \
+          making it susceptible to man-in-the-middle attacks. You are strongly recommended to \
+          upgrade to newer version, ssl-10.2.1+ or OTP-23.2.2+.
+          """)
+        end
+
+      {:error, _} ->
+        :ok
+    end
+  end
+
   defp start_httpc() do
     :inets.start(:httpc, profile: :hex)