diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-15 17:39:35 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-15 17:39:35 +0000 |
| commit | a99bb57b30617d9470fb7eb57d94361711e144ba (patch) | |
| tree | 689b922f49f71a54fa70562020b69162d5611cf6 | |
| parent | 3a44d34da4930822d32cd89ef0f36b0ec6030a6e (diff) | |
Disable SSLv3 by default.
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
| -rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index f6a21d43514..d3108f2663d 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth) */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* Disable SSLv3 by default. */ + ret->options |= SSL_OP_NO_SSLv3; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, |