Software / code / prosody
Changeset
6496:e4b998ffc922 0.9.6
certmanager, net.http: Disable SSLv3 by default
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 14 Oct 2014 18:55:08 +0100 |
| parents | 6472:acae6289e0a6 |
| children | 6497:19213331e7f7 |
| files | core/certmanager.lua net/http.lua |
| diffstat | 2 files changed, 2 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/core/certmanager.lua Tue Oct 14 10:58:11 2014 +0100 +++ b/core/certmanager.lua Tue Oct 14 18:55:08 2014 +0100 @@ -33,7 +33,7 @@ local default_ssl_config = configmanager.get("*", "ssl"); local default_capath = "/etc/ssl/certs"; local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; -local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; +local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; if ssl and not luasec_has_verifyext and ssl.x509 then
--- a/net/http.lua Tue Oct 14 10:58:11 2014 +0100 +++ b/net/http.lua Tue Oct 14 18:55:08 2014 +0100 @@ -175,7 +175,7 @@ local sslctx = false; if using_https then - sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } }; + sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } }; end req.handler, req.conn = assert(server.wrapclient(conn, host, port_number, listener, "*a", sslctx));
