|
1 Remove SSLv3 from SSL default due to the POODLE attack. |
|
2 |
|
3 Based on the following curl changeset: |
|
4 |
|
5 commit ec783dc142129d3860e542b443caaa78a6172d56 |
|
6 Author: Jay Satiro <[email protected]> |
|
7 Date: Fri Oct 24 13:41:56 2014 +0200 |
|
8 |
|
9 - Remove SSLv3 from the SSL default effectively making the default TLS 1.x. |
|
10 - Update curl_easy_setopt doc. |
|
11 |
|
12 --- ./docs/libcurl/curl_easy_setopt.3.orig 2014-11-11 12:03:20.659217117 -0800 |
|
13 +++ ./docs/libcurl/curl_easy_setopt.3 2014-11-11 12:06:57.274210401 -0800 |
|
14 @@ -1819,8 +1819,7 @@ |
|
15 .RS |
|
16 .IP CURL_SSLVERSION_DEFAULT |
|
17 The default action. This will attempt to figure out the remote SSL protocol |
|
18 -version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled |
|
19 -by default with 7.18.1). |
|
20 +version. SSLv2 and SSLv3 are disabled by default. |
|
21 .IP CURL_SSLVERSION_TLSv1 |
|
22 Force TLSv1 |
|
23 .IP CURL_SSLVERSION_SSLv2 |
|
24 --- ./lib/nss.c.orig 2014-11-11 12:08:37.152918397 -0800 |
|
25 +++ ./lib/nss.c 2014-11-11 12:11:02.819141917 -0800 |
|
26 @@ -1177,12 +1177,6 @@ |
|
27 switch (data->set.ssl.version) { |
|
28 default: |
|
29 case CURL_SSLVERSION_DEFAULT: |
|
30 - ssl3 = PR_TRUE; |
|
31 - if (data->state.ssl_connect_retry) |
|
32 - infof(data, "TLS disabled due to previous handshake failure\n"); |
|
33 - else |
|
34 - tlsv1 = PR_TRUE; |
|
35 - break; |
|
36 case CURL_SSLVERSION_TLSv1: |
|
37 tlsv1 = PR_TRUE; |
|
38 break; |
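Review bot: `data->state.ssl_connect_retry` is no longer read anywhere in this switch once the default-case body is gone, so whatever sets it on a failed handshake (outside this hunk, if that code is still present) will trigger a reconnect that negotiates with exactly the same TLS-only settings and fails the same way. That setter and the retry plumbing should be removed in the same change, or the flag documented as unused for the NSS backend. The now-empty label also deserves an explicit marker, `case CURL_SSLVERSION_DEFAULT: /* fall through: default is TLS only */`, so the fall-through into `CURL_SSLVERSION_TLSv1` reads as intended rather than as a leftover. The enclosing function continues outside the hunk.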
|
39 --- ./lib/qssl.c.orig 2014-11-11 12:08:44.037832982 -0800 |
|
40 +++ ./lib/qssl.c 2014-11-11 12:12:10.802950719 -0800 |
|
41 @@ -192,9 +192,6 @@ |
|
42 |
|
43 default: |
|
44 case CURL_SSLVERSION_DEFAULT: |
|
45 - h->protocol = SSL_VERSION_CURRENT; /* TLSV1 compat. SSLV[23]. */ |
|
46 - break; |
|
47 - |
|
48 case CURL_SSLVERSION_TLSv1: |
|
49 h->protocol = TLS_VERSION_1; |
|
50 break; |
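Review bot: The default case now falls silently into `CURL_SSLVERSION_TLSv1`, and the removed comment (`TLSV1 compat. SSLV[23]`) was the only place explaining what the default negotiated; the empty label should carry `/* fall through: SSLv2/SSLv3 are no longer negotiated by default */`. This backend ends up with `h->protocol = TLS_VERSION_1`, which from the name looks like a single protocol version rather than the "TLS 1.x" the commit message describes; worth confirming against this API's header and, if it is TLS 1.0 only, saying so in the commit message. The enclosing switch continues outside the hunk.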
|
51 --- ./lib/ssluse.c.orig 2014-11-11 12:08:52.156569428 -0800 |
|
52 +++ ./lib/ssluse.c 2014-11-11 12:21:38.593664424 -0800 |
|
53 @@ -1448,10 +1448,6 @@ |
|
54 switch(data->set.ssl.version) { |
|
55 default: |
|
56 case CURL_SSLVERSION_DEFAULT: |
|
57 - /* we try to figure out version */ |
|
58 - req_method = SSLv23_client_method(); |
|
59 - use_sni(TRUE); |
|
60 - break; |
|
61 case CURL_SSLVERSION_TLSv1: |
|
62 req_method = TLSv1_client_method(); |
|
63 use_sni(TRUE); |
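Review bot: Falling the default case through into `req_method = TLSv1_client_method();` pins the default to TLS 1.0 only, because that OpenSSL method performs no version negotiation; the commit message promises "TLS 1.x", and the second hunk in this file adds `SSL_OP_NO_SSLv3` to the context options, which only has an effect when the default still uses a negotiating method. Keep the removed lines in the default case — `req_method = SSLv23_client_method();`, `use_sni(TRUE);`, `break;` — and let `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` do the restriction, so that an OpenSSL build with TLS 1.1/1.2 negotiates the highest version both sides support instead of losing those versions and their cipher suites. Whether TLS 1.1/1.2 are available depends on the linked OpenSSL, which is not visible here. The enclosing function continues outside the hunk.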
|
64 @@ -1531,9 +1527,9 @@ |
|
65 |
|
66 SSL_CTX_set_options(connssl->ctx, ctx_options); |
|
67 |
|
68 - /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ |
|
69 + /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */ |
|
70 if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |
|
71 - SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2); |
|
72 + SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
|
73 |
|
74 #if 0 |
|
75 /* |
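Review bot: The new `SSL_OP_NO_SSLv3` is applied through a second `SSL_CTX_set_options` call right after the one that applies `ctx_options`; folding it into `ctx_options` before that call (`if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) ctx_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;`) leaves a single place where the context options are set and is easier to audit. The comment `allow TLSv1` should state which versions actually remain: with the first hunk's `TLSv1_client_method()` in the default case it is TLS 1.0 only and these options are redundant, whereas with a negotiating method it means TLS 1.0 and up. The enclosing function continues outside the hunk.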