src: Disable insecure SSLv3

Tatsuhiro Tsujikawa 2014-10-22 23:14:07 +09:00
parent 4bc5e55113
commit c6cfcc3c30
5 changed files with 14 additions and 9 deletions


@ -1513,7 +1513,8 @@ int HttpServer::run()
}
SSL_CTX_set_options(ssl_ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_NO_TICKET |


@ -103,7 +103,8 @@ void http2_impl::listen(const std::string& address, uint16_t port,
auto ctx = ssl_ctx->native_handle();
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_NO_TICKET |


@ -1710,7 +1710,8 @@ int communicate(const std::string& scheme, const std::string& host,
goto fin;
}
SSL_CTX_set_options(ssl_ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
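Review bot: `SSL_OP_ALL` on the first line of the options expression still includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which turns off OpenSSL's empty-fragment countermeasure for CBC suites on TLS 1.0; with SSLv3 now refused, TLS 1.0 is the floor this client will negotiate, so that is exactly the version where the countermeasure matters for the data this client sends. Unless a known-broken peer requires it, mask it back out: `(SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |`. The same `SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` prefix is repeated in the other three `SSL_CTX_set_options` calls in this commit, which is why one policy change had to touch four files; a shared helper returning the common option set would keep them from drifting apart again. `communicate` begins and ends outside this hunk.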


@ -1060,8 +1060,8 @@ SSL/TLS:
--tls-proto-list=<LIST>
Comma delimited list of SSL/TLS protocol to be
enabled. The following protocols are available:
TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3. The name
matching is done in case-insensitive manner. The
TLSv1.2, TLSv1.1 and TLSv1.0. The name matching
is done in case-insensitive manner. The
parameter must be delimited by a single comma
only and any white spaces are treated as a part
of protocol string.


@ -196,10 +196,10 @@ int alpn_select_proto_cb(SSL *ssl,
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
namespace {
const char *tls_names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3" };
const char *tls_names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0" };
const size_t tls_namelen = util::array_size(tls_names);
const long int tls_masks[] = { SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1,
SSL_OP_NO_TLSv1, SSL_OP_NO_SSLv3 };
SSL_OP_NO_TLSv1 };
} // namespace
long int create_tls_proto_mask(const std::vector<char*>& tls_proto_list)
@ -231,7 +231,8 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
}
SSL_CTX_set_options(ssl_ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_NO_TICKET |
@ -384,7 +385,8 @@ SSL_CTX* create_ssl_client_context()
DIE();
}
SSL_CTX_set_options(ssl_ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION |
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
get_config()->tls_proto_mask);
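Review bot: `tls_names` and `tls_masks` in the hunk at -196 are parallel arrays that both had to be edited by hand here, yet nothing checks that they stay the same length; `tls_namelen` is derived from `tls_names` alone, so if the lookup in `create_tls_proto_mask` (whose body is outside the hunk) indexes `tls_masks` by the same position, a future edit to one array but not the other would read past the end. Add `static_assert(util::array_size(tls_names) == util::array_size(tls_masks), "tls_names and tls_masks must stay in sync");` after the two declarations, assuming `util::array_size` is constexpr (otherwise a `sizeof`-based form). Dropping "SSLv3" from `tls_names` also means `--tls-proto-list=SSLv3` no longer matches any entry; whether that is rejected or silently ignored is not visible from this hunk, and an explicit error saying the protocol is disabled would be clearer for operators than a silent no-op. Since `SSL_OP_NO_SSLv3` is now hard-wired into both the server context (-231) and the client context (-384) before the mask is OR-ed in, the option could never re-enable it anyway, which is the right outcome.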