# HG changeset patch
# User Paul Aurich
# Date 1259948888 28800
# Node ID 7e7484a4e82127e732a5535b69e239ce8b7aa124
# Parent 2ca7445b882a6d969a12384a09708976c603ea48
Disable SSLv2 by default, it's known to be insecure.
diff -r 2ca7445b882a -r 7e7484a4e821 core/hostmanager.lua
--- a/core/hostmanager.lua Fri Dec 04 14:41:53 2009 +0000
+++ b/core/hostmanager.lua Fri Dec 04 09:48:08 2009 -0800
@@ -20,8 +20,8 @@
 local incoming_s2s = _G.prosody.incoming_s2s;
 -- These are the defaults if not overridden in the config
-local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
-local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
+local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
 local log = require "util.logger".init("hostmanager");
diff -r 2ca7445b882a -r 7e7484a4e821 net/httpserver.lua
--- a/net/httpserver.lua Fri Dec 04 14:41:53 2009 +0000
+++ b/net/httpserver.lua Fri Dec 04 09:48:08 2009 -0800
@@ -282,6 +282,7 @@
 if ssl then
 ssl.mode = "server";
 ssl.protocol = "sslv23";
+ssl.options = "no_sslv2";
 end
 new{ port = port, interface = interface,
diff -r 2ca7445b882a -r 7e7484a4e821 prosody
--- a/prosody Fri Dec 04 14:41:53 2009 +0000
+++ b/prosody Fri Dec 04 09:48:08 2009 -0800
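Review bot: The default context literal is now copy-pasted in three places (both tables in this hunk and the launcher hunk in `prosody`), with `net/httpserver.lua` setting the same fields by hand, so each new hardening option has to be added at every site and one is easily missed. A single shared defaults table, e.g. `local ssl_defaults = { protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2" };` with only `mode` supplied per site, would keep them from drifting apart. Note also that `options` is a single scalar field: how `default_ssl_ctx` and `default_ssl_ctx_in` are merged with the operator's config is not visible in this hunk, but if a configured `options` value replaces the default rather than extending it, SSLv2 is silently re-enabled for any deployment that sets its own options, which deserves a comment on these two lines such as `-- an explicit 'options' in the config replaces this entirely; it must include "no_sslv2" itself`.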
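Review bot: The added `ssl.options = "no_sslv2";` unconditionally overwrites whatever `options` the caller's `ssl` table already carried, so an operator who configures a richer option set for the HTTP listener has it discarded, while leaving the assignment conditional on `ssl.options == nil` would instead let such a config quietly re-enable SSLv2. Merging is the safer shape: keep the caller's options and append `no_sslv2` when it is missing, which presumably requires LuaSec to accept a table for `options` (confirm against the LuaSec version in use). This also mutates the caller's table in place, as the existing `mode` and `protocol` lines already do; the enclosing function starts before this hunk.
```lua
		ssl.protocol = "sslv23";
		-- keep caller-supplied options, but never allow SSLv2 to be re-enabled
		if type(ssl.options) == "table" then
			ssl.options[#ssl.options + 1] = "no_sslv2";
		elseif ssl.options ~= nil and ssl.options ~= "no_sslv2" then
			ssl.options = { ssl.options, "no_sslv2" };
		else
			ssl.options = "no_sslv2";
		end
	end
	-- … unchanged: new{ port = port, interface = interface, … } …
```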
@@ -177,7 +177,7 @@
 -- Load SSL settings from config, and create a ctx table
 local global_ssl_ctx = rawget(_G, "ssl") and config.get("*", "core", "ssl");
 if global_ssl_ctx then
-local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
 setmetatable(global_ssl_ctx, { __index = default_ssl_ctx });
 end
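Review bot: The `no_sslv2` default added here only takes effect when the operator's `ssl` table has no `options` key at all, because `setmetatable(global_ssl_ctx, { __index = default_ssl_ctx })` fills in missing keys and does not merge field contents; any configured `options` value, whether or not it mentions SSLv2, replaces the default wholesale and SSLv2 comes back without warning. At minimum this should be stated next to the new line, e.g. `-- 'options' is not merged: a configured value replaces this default, so it must include "no_sslv2" itself`, and a check after the `setmetatable` line that the configured value still contains `no_sslv2` (logging a warning otherwise) would make the regression visible. The same concern applies to the `core/hostmanager.lua` hunk, where the merge strategy is not visible.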