diff options
| author |   jsing <jsing@openbsd.org> | 2014-10-15 17:39:34 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2014-10-15 17:39:34 +0000 |
| commit | 6e4d12670fbfc60e4fdc12aa982f36ae6119497c (patch) | |
| tree | 076cc275e26179966f731fe485016c29708f458c /lib/libssl/ssl_lib.c | |
| parent | Do not panic when attempting to decode invalid condition codes, or if (diff) | |
| download | wireguard-openbsd-6e4d12670fbfc60e4fdc12aa982f36ae6119497c.tar.xz wireguard-openbsd-6e4d12670fbfc60e4fdc12aa982f36ae6119497c.zip | |
Disable SSLv3 by default.
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
Diffstat (limited to 'lib/libssl/ssl_lib.c')
| -rw-r--r-- | lib/libssl/ssl_lib.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f6a21d43514..d3108f2663d 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth) */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* Disable SSLv3 by default. */ + ret->options |= SSL_OP_NO_SSLv3; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, |