projects / prosody.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a41f37c)
certmanager, net.http: Disable SSLv3 by default
authorMatthew Wild <mwild1@gmail.com>
Tue, 14 Oct 2014 17:55:08 +0000 (18:55 +0100)
committerMatthew Wild <mwild1@gmail.com>
Tue, 14 Oct 2014 17:55:08 +0000 (18:55 +0100)
core/certmanager.lua patch | blob | history
net/http.lua patch | blob | history

diff --git a/core/certmanager.lua b/core/certmanager.lua
index d6784a968f68d16c2f7f840576df0fcfc7b63913..624bd841ef433ceed10667b45e946a3036d873b2 100644 (file)
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -33,7 +33,7 @@ module "certmanager"
 local default_ssl_config = configmanager.get("*", "ssl");
 local default_capath = "/etc/ssl/certs";
 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
diff --git a/net/http.lua b/net/http.lua
index 9dde6062d22ebf1c9df245cbc95f7f7148eef00c..8ce474948c9737a12f346c1fb3c195455e93d9bd 100644 (file)
--- a/net/http.lua
+++ b/net/http.lua
@@ -175,7 +175,7 @@ function request(u, ex, callback)
        
        local sslctx = false;
        if using_https then
-               sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } };
+               sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
        end
 
        req.handler, req.conn = assert(server.wrapclient(conn, host, port_number, listener, "*a", sslctx));