Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
certmanager, net.http: Disable SSLv3 by default 0.9.6
authorMatthew Wild <mwild1@gmail.com>
Tue, 14 Oct 2014 18:55:08 +0100
changeset 6499 e4b998ffc922
parent 6475 acae6289e0a6
child 6500 19213331e7f7
certmanager, net.http: Disable SSLv3 by default
core/certmanager.lua file | annotate | diff | comparison | revisions
net/http.lua file | annotate | diff | comparison | revisions 
--- a/core/certmanager.lua	Tue Oct 14 10:58:11 2014 +0100
+++ b/core/certmanager.lua	Tue Oct 14 18:55:08 2014 +0100
@@ -33,7 +33,7 @@
 local default_ssl_config = configmanager.get("*", "ssl");
 local default_capath = "/etc/ssl/certs";
 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
--- a/net/http.lua	Tue Oct 14 10:58:11 2014 +0100
+++ b/net/http.lua	Tue Oct 14 18:55:08 2014 +0100
@@ -175,7 +175,7 @@
 	
 	local sslctx = false;
 	if using_https then
-		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } };
+		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
 	end
 
 	req.handler, req.conn = assert(server.wrapclient(conn, host, port_number, listener, "*a", sslctx));
prosody