From 2eef89d9c3ef3349d47fd880aae495afdc0b61ef Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 15 Oct 2014 17:39:34 +0000
Subject: Disable SSLv3 by default. SSLv3 has been long known to have weaknesses and the POODLE attack has once again shown that it is effectively broken/insecure. As such, it is time to stop enabling a protocol was deprecated almost 15 years ago. If an application really wants to provide backwards compatibility, at the cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be used to re-enable it on a per-application basis. General agreement from many. ok miod@
---
 src/lib/libssl/src/ssl/ssl_lib.c | 5 ++++-
 src/lib/libssl/ssl_lib.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index f6a21d4351..d3108f2663 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
 */
 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+ /* Disable SSLv3 by default. */
+ ret->options |= SSL_OP_NO_SSLv3;
+
 return (ret);
 err:
 SSLerr(SSL_F_SSL_CTX_NEW,
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f6a21d4351..d3108f2663 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
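Review bot: The comment added in SSL_CTX_new() in src/lib/libssl/src/ssl/ssl_lib.c, `/* Disable SSLv3 by default. */`, restates the line below it, while the reason and the opt-out exist only in the commit message; I would write `/* SSLv3 is broken (POODLE): off by default, an application can clear SSL_OP_NO_SSLv3 to opt back in. */`. The commit message names the opt-out call as SSL_CTX_clear_option(), whereas the libssl macro is SSL_CTX_clear_options(), so the in-code comment is the safer place to point callers at it. The flag is OR-ed in whatever `meth` is, and nothing in the hunk shows whether a context created from a fixed-version SSLv3 method honours it, so that path is worth confirming before relying on this default. The identical hunk at -1825 in src/lib/libssl/ssl_lib.c carries the same comment and the same question; SSL_CTX_new() begins and ends outside both hunks.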
@@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
 */
 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+ /* Disable SSLv3 by default. */
+ ret->options |= SSL_OP_NO_SSLv3;
+
 return (ret);
 err:
 SSLerr(SSL_F_SSL_CTX_NEW,
-- cgit v1.2.3-55-g6feb