Disable SSL 2 and 3
parent
de61f9ce5b
commit
e86dc2fbcd
@ -3895,6 +3895,9 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
SSL_CTX_set_mode (ssl_ctx,
SSL_CTX_set_mode (ssl_ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
// Disable deprecated protocols (see RFC 7568)
SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
const char *ca_file = get_config_string (s->config, "ssl_ca_file");
const char *ca_file = get_config_string (s->config, "ssl_ca_file");
const char *ca_path = get_config_string (s->config, "ssl_ca_path");
const char *ca_path = get_config_string (s->config, "ssl_ca_path");
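--- a/kike.c
+++ b/kike.c
@@ -3507,6 +3507,9 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 SSL_CTX_set_mode (ctx->ssl_ctx,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
 
+// Disable deprecated protocols (see RFC 7568)
+SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 // XXX: perhaps we should read the files ourselves for better messages
 const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers");
 if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))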
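Review bot: Disabling only SSLv2 and SSLv3 still leaves TLS 1.0 and 1.1 negotiable, and both have since been deprecated as well (RFC 8996), so the new `SSL_CTX_set_options` line after `SSL_CTX_set_mode` would be stronger as `SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);`, or, where the OpenSSL in use is 1.1.0 or newer, as `SSL_CTX_set_min_proto_version (ctx->ssl_ctx, TLS1_2_VERSION);`. The identical line is added in the transport_tls_init_ctx hunk and in the bot-side irc_initialize_ssl_ctx hunk, so whichever floor is chosen should be applied to all three. If the floor is deliberately left at TLS 1.0 for compatibility, the comment should say so, e.g. `// Disable deprecated protocols (see RFC 7568); TLS 1.0+ remains enabled`. The enclosing function begins and continues outside this hunk.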
@ -316,7 +316,8 @@ irc_get_boolean_from_config
static bool
static bool
irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
{
{
// XXX: maybe we should call SSL_CTX_set_options() for some workarounds
// Disable deprecated protocols (see RFC 7568)
SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
bool verify;
bool verify;
if (!irc_get_boolean_from_config (ctx, "ssl_verify", &verify, e))
if (!irc_get_boolean_from_config (ctx, "ssl_verify", &verify, e))
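Review bot: The new `SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` is the first statement of this irc_initialize_ssl_ctx, and nothing in the hunk shows `ctx->ssl_ctx` being created before it; if the context is allocated by the caller before this function runs, as the replaced XXX comment implies, this is fine, but if allocation happens later in the body (outside the hunk) the options are applied to an unset context. In the transport_tls_init_ctx and kike.c hunks the same call follows `SSL_CTX_set_mode`, where the context is clearly live, so placing it at the matching point here would make the three initializers consistent. The function body continues past the end of the hunk.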