Changeset

2767:473627393d40

Disable SSLv2 by default, it's known to be insecure.
author Paul Aurich <paul@darkrain42.org>
date Fri, 04 Dec 2009 09:48:08 -0800
parents 2766:5fe6ea49cf70
children 2768:c317bfef9b74
files core/hostmanager.lua net/httpserver.lua prosody
diffstat 3 files changed, 4 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/core/hostmanager.lua	Thu Dec 03 19:18:18 2009 +0000
+++ b/core/hostmanager.lua	Fri Dec 04 09:48:08 2009 -0800
@@ -20,8 +20,8 @@
 local incoming_s2s = _G.prosody.incoming_s2s;
 
 -- These are the defaults if not overridden in the config
-local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
-local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
+local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
 
 local log = require "util.logger".init("hostmanager");
 
--- a/net/httpserver.lua	Thu Dec 03 19:18:18 2009 +0000
+++ b/net/httpserver.lua	Fri Dec 04 09:48:08 2009 -0800
@@ -282,6 +282,7 @@
 		if ssl then
 			ssl.mode = "server";
 			ssl.protocol = "sslv23";
+			ssl.options = "no_sslv2";
 		end
 		
 		new{ port = port, interface = interface, 
--- a/prosody	Thu Dec 03 19:18:18 2009 +0000
+++ b/prosody	Fri Dec 04 09:48:08 2009 -0800
@@ -177,7 +177,7 @@
 	-- Load SSL settings from config, and create a ctx table
 	local global_ssl_ctx = rawget(_G, "ssl") and config.get("*", "core", "ssl");
 	if global_ssl_ctx then
-		local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+		local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
 		setmetatable(global_ssl_ctx, { __index = default_ssl_ctx });
 	end