
2014-10-22

2014-10-22 09:29:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Disable support for SSL 3.0 by default.

Requires recent Pike 7.8 or later.

Blocks the POODLE attack.

305: Inside #if constant(SSL.ServerConnection)
   "<p>Note: For full Suite B compliance a "    "suitable certificate must also be "    "used.</p>"))); -  + #endif /* SSL.ServerConnection */ + #if constant(SSL.Constants.PROTOCOL_TLS_MAX)    defvar("ssl_min_version", -  Variable.IntChoice(SSL.Constants.PROTOCOL_SSL_3_0, +  Variable.IntChoice(SSL.Constants.PROTOCOL_TLS_1_0,    ([    SSL.Constants.PROTOCOL_SSL_3_0:    "SSL 3.0",    SSL.Constants.PROTOCOL_TLS_1_0:    "TLS 1.0 (aka SSL 3.1)", -  + #if constant(SSL.Constants.PROTOCOL_TLS_1_2)    SSL.Constants.PROTOCOL_TLS_1_1:    "TLS 1.1",    SSL.Constants.PROTOCOL_TLS_1_2:    "TLS 1.2", -  + #endif    ]),    0,    LOCALE(0, "Minimum supported version of SSL/TLS"),    LOCALE(0, "<p>Reject clients that want to use a "    "version of SSL/TLS lower than the selected "    "version.</p>\n"))); - #endif /* SSL.ServerConnection */ + #endif /* SSL.Constants.PROTOCOL_TLS_MAX */   }
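Review bot: The new default of `SSL.Constants.PROTOCOL_TLS_1_0` is correct, but the `IntChoice` map still offers `SSL.Constants.PROTOCOL_SSL_3_0` under the bare label `"SSL 3.0"`, so an administrator can re-enable the protocol this commit disables without any hint that doing so reopens the weakness named in the commit message; consider `SSL.Constants.PROTOCOL_SSL_3_0: "SSL 3.0 (insecure; vulnerable to POODLE)",` or a sentence to that effect in the LOCALE help text. A second point is that the whole `ssl_min_version` defvar is now inside `#if constant(SSL.Constants.PROTOCOL_TLS_MAX)`, so on a Pike that lacks that constant the setting does not exist at all and no minimum is enforced through it; this seems to be what "Requires recent Pike 7.8 or later" intends, but whatever later reads `ssl_min_version` must tolerate the variable being absent, which is not visible here. The enclosing function starts outside the hunk.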