summaryrefslogtreecommitdiff
path: root/src/modules
diff options
context:
space:
mode:
authorPeter Powell <petpow@saberuk.com>2017-11-30 12:23:33 +0000
committerPeter Powell <petpow@saberuk.com>2017-11-30 13:42:14 +0000
commit9201b69a13b81ca5cfa97a49ecdd035e463883f7 (patch)
tree689dad79f0b1d30fa47f8cc9086d4b491dbb4075 /src/modules
parentc83ce753688bde7b6106acf2de44c3cf29b30a7e (diff)
Improve TLS security configuration in m_ssl_openssl.
- Always disable SSLv3. Unreal has already done this so clients will have to upgrade anyway. - Disable TLSv1.0 by default. Various security standards (e.g. PCI DSS) are already planning on sunsetting this so we should too.
Diffstat (limited to 'src/modules')
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp7
1 files changed, 3 insertions, 4 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index ae5e213b7..1aab0d086 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -130,7 +130,7 @@ namespace OpenSSL
{
// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
// and when choosing a cipher, use the server's preferences instead of the client preferences.
- long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
// Only turn options on if they exist
#ifdef SSL_OP_SINGLE_ECDH_USE
opts |= SSL_OP_SINGLE_ECDH_USE;
@@ -291,9 +291,8 @@ namespace OpenSSL
if (!tag->getBool("compression", false)) // Disable compression by default
setoptions |= SSL_OP_NO_COMPRESSION;
#endif
- if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default
- setoptions |= SSL_OP_NO_SSLv3;
- if (!tag->getBool("tlsv1", true))
+ // Disable TLSv1.0 by default.
+ if (!tag->getBool("tlsv1", false))
setoptions |= SSL_OP_NO_TLSv1;
if (!setoptions && !clearoptions)