From 6e4d12670fbfc60e4fdc12aa982f36ae6119497c Mon Sep 17 00:00:00 2001 From: jsing Date: Wed, 15 Oct 2014 17:39:34 +0000 Subject: Disable SSLv3 by default. SSLv3 has been long known to have weaknesses and the POODLE attack has once again shown that it is effectively broken/insecure. As such, it is time to stop enabling a protocol was deprecated almost 15 years ago. If an application really wants to provide backwards compatibility, at the cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be used to re-enable it on a per-application basis. General agreement from many. ok miod@ --- lib/libssl/ssl_lib.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/libssl/ssl_lib.c') diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index f6a21d43514..d3108f2663d 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.85 2014/10/03 13:58:18 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1825,6 +1825,9 @@ SSL_CTX_new(const SSL_METHOD *meth) */ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + /* Disable SSLv3 by default. */ + ret->options |= SSL_OP_NO_SSLv3; + return (ret); err: SSLerr(SSL_F_SSL_CTX_NEW, -- cgit v1.2.3-59-g8ed1b