author | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-12 22:10:13 +0200 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-13 00:13:14 +0200 |
commit | e86dc2fbcd96482e997ff0fc8ffef203277a29ed (patch) | |
tree | fec7d17f9071d8024786894d69f9b099430459ae | |
parent | de61f9ce5b2c10692ce9b7850e2979c47dd338fb (diff) | |
Disable SSL 2 and 3
-rw-r--r-- | degesch.c | 3 | ||||
-rw-r--r-- | kike.c | 3 | ||||
-rw-r--r-- | zyklonb.c | 3 |
3 files changed, 8 insertions, 1 deletions
@@ -3895,6 +3895,9 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ // Disable deprecated protocols (see RFC 7568)
+ SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 const char *ca_file = get_config_string (s->config, "ssl_ca_file");
 const char *ca_path = get_config_string (s->config, "ssl_ca_path");
@@ -3507,6 +3507,9 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 SSL_CTX_set_mode (ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+ // Disable deprecated protocols (see RFC 7568)
+ SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 // XXX: perhaps we should read the files ourselves for better messages
 const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
 if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
@@ -316,7 +316,8 @@ irc_get_boolean_from_config
 static bool
 irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 {
- // XXX: maybe we should call SSL_CTX_set_options() for some workarounds
+ // Disable deprecated protocols (see RFC 7568)
+ SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 bool verify;
 if (!irc_get_boolean_from_config (ctx, "ssl_verify", &verify, e)) |
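Review bot: The `SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` call in transport_tls_init_ctx leaves every other protocol-level option at its default, and the identical three-line block is repeated in kike.c's and zyklonb.c's irc_initialize_ssl_ctx, so any later tightening (for instance adding `SSL_OP_NO_COMPRESSION`, which removes the TLS-compression side channel) has to be made in three places. If the three programs already share a helper library, a single wrapper such as `static void tls_harden_ctx (SSL_CTX *ctx)` holding the option mask would keep them in step; otherwise the comment should at least say that this mask is the one place to extend. Whether the contexts were created with a method that already excludes SSLv2 is not visible here, so the explicit option is still worth keeping as a guard against a permissive method. The enclosing functions begin before the first two hunks and continue past all three.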