Disable SSL 2 and 3

3 files changed, 8 insertions, 1 deletions

diff --git a/degesch.c b/degesch.c
index 5ef0bc2..325ea83 100644
--- a/degesch.c
+++ b/degesch.c
@@ -3895,6 +3895,9 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 	SSL_CTX_set_mode (ssl_ctx,
 		SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
+	// Disable deprecated protocols (see RFC 7568)
+	SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 	const char *ca_file = get_config_string (s->config, "ssl_ca_file");
 	const char *ca_path = get_config_string (s->config, "ssl_ca_path");
 
diff --git a/kike.c b/kike.c
index 6bdba55..fafa38d 100644
--- a/kike.c
+++ b/kike.c
@@ -3507,6 +3507,9 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 	SSL_CTX_set_mode (ctx->ssl_ctx,
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
 
+	// Disable deprecated protocols (see RFC 7568)
+	SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 	// XXX: perhaps we should read the files ourselves for better messages
 	const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
 	if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
diff --git a/zyklonb.c b/zyklonb.c
index 88bbc87..35eac17 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -316,7 +316,8 @@ irc_get_boolean_from_config
 static bool
 irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 {
-	// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
+	// Disable deprecated protocols (see RFC 7568)
+	SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
 	bool verify;
 	if (!irc_get_boolean_from_config (ctx, "ssl_verify", &verify, e))