From 9201b69a13b81ca5cfa97a49ecdd035e463883f7 Mon Sep 17 00:00:00 2001
From: Peter Powell
Date: Thu, 30 Nov 2017 12:23:33 +0000
Subject: Improve TLS security configuration in m_ssl_openssl.

- Always disable SSLv3. Unreal has already done this so clients will have to upgrade anyway.
- Disable TLSv1.0 by default. Various security standards (e.g. PCI DSS) are already planning on sunsetting this so we should too.
---
 src/modules/extra/m_ssl_openssl.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index ae5e213b7..1aab0d086 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -130,7 +130,7 @@ namespace OpenSSL
 {
 // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
 // and when choosing a cipher, use the server's preferences instead of the client preferences.
- long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
 // Only turn options on if they exist
 #ifdef SSL_OP_SINGLE_ECDH_USE
 opts |= SSL_OP_SINGLE_ECDH_USE;
@@ -291,9 +291,8 @@ namespace OpenSSL
 if (!tag->getBool("compression", false)) // Disable compression by default
 setoptions |= SSL_OP_NO_COMPRESSION;
 #endif
- if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default
- setoptions |= SSL_OP_NO_SSLv3;
- if (!tag->getBool("tlsv1", true))
+ // Disable TLSv1.0 by default.
+ if (!tag->getBool("tlsv1", false))
 setoptions |= SSL_OP_NO_TLSv1;
 if (!setoptions && !clearoptions)
--
cgit v1.2.3
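Review bot: Adding `SSL_OP_NO_SSLv3` to the baseline `opts` only makes SSLv3 "always disabled" if nothing downstream can clear that bit again; the second hunk shows a per-tag `clearoptions` value, and if it is later passed to `SSL_CTX_clear_options` (not visible in this hunk) a configuration can still switch SSLv3 back on. If the intent is to make the protocol floor non-configurable, mask the bit out before applying the admin-supplied value, e.g. `clearoptions &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, and say so in the comment above `opts`. The enclosing function begins above this hunk, so whether such a mask already exists cannot be confirmed from here.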
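Review bot: Removing the `sslv3` lookup means a config that still sets that key is now silently ignored, and flipping the `tlsv1` default from `true` to `false` changes behaviour for every deployment that never set the key; neither is surfaced to the operator. A one-time log line when `tag->getBool("sslv3", false)` is true (stating the key is obsolete and SSLv3 is always off) and a mention of the new TLSv1.0 default in the module documentation would avoid surprise disconnects of older clients. As a point of style, the new comment sits on its own line while the neighbouring `compression` check uses a trailing comment; keeping the same form, `if (!tag->getBool("tlsv1", false)) // Disable TLSv1.0 by default`, reads more consistently. The enclosing function starts before and continues after this hunk.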