https://bugzilla.redhat.com/show_bug.cgi?id=1206714
--- Comment #4 from David A. Cafaro dac@cafaro.net --- Looking upstream it appears a patch for this was added in Release 17.5 and later.
http://www.erlang.org/download/otp_src_17.5.readme
"OTP-12420 Application(s): ssl
*** POTENTIAL INCOMPATIBILITY ***
Add padding check for TLS-1.0 to remove Poodle vulnerability from TLS 1.0, also add the option padding_check. This option only affects TLS-1.0 connections and if set to false it disables the block cipher padding check to be able to interoperate with legacy software.
OTP-12458 Application(s): ssl
Add support for TLS_FALLBACK_SCSV used to prevent undesired TLS version downgrades. If used by a client that is vulnerable to the POODLE attack, and the server also supports TLS_FALLBACK_SCSV, the attack can be prevented."
I have not found a back port to the current Release 14 Beta 4 in the repos.
Do we have any status on a fix for this?