diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-15 17:39:35 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-10-15 17:39:35 +0000 |
| commit | f3d8b1e1618952b662d88a2e182ea23057ea6e91 (patch) | |
| tree | 2170cf6e4bbe6d2b92b60628ba6dbc9947afde58 /lib/libssl | |
| parent | 5b4bda80c2651430742479242fe9bd923fefae37 (diff) | |
Disable SSLv3 by default.
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
Diffstat (limited to 'lib/libssl')
| -rw-r--r-- | lib/libssl/ssl_lib.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f6a21d43514..d3108f2663d 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth) */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* Disable SSLv3 by default. */ + ret->options |= SSL_OP_NO_SSLv3; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, |