authorPaul Aurich <paul@darkrain42.org>2009-12-04 09:48:08 -0800
committerPaul Aurich <paul@darkrain42.org>2009-12-04 09:48:08 -0800
commita5dcc1d8c6f4a0d38b0ddc84033c1dabf9127fba (patch)
treea16f32783467fe55aa10f7789166b29bdc8c03fd
parentc82b309e7884e380d28b4326395c3bc52b7b3d8d (diff)
downloadprosody-a5dcc1d8c6f4a0d38b0ddc84033c1dabf9127fba.tar.gz
prosody-a5dcc1d8c6f4a0d38b0ddc84033c1dabf9127fba.zip
Disable SSLv2 by default; it's known to be insecure.
-rw-r--r--core/hostmanager.lua4
-rw-r--r--net/httpserver.lua1
-rwxr-xr-xprosody2
3 files changed, 4 insertions, 3 deletions
diff --git a/core/hostmanager.lua b/core/hostmanager.lua
index f89eaeba..713788dd 100644
--- a/core/hostmanager.lua
+++ b/core/hostmanager.lua
@@ -20,8 +20,8 @@ end
local incoming_s2s = _G.prosody.incoming_s2s;
-- These are the defaults if not overridden in the config
-local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
-local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
+local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
local log = require "util.logger".init("hostmanager");
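Review bot: Both new default tables still carry `verify = "none"`, so the client and server s2s contexts accept any peer certificate even though SSLv2 is now refused; a comment on the line above them, `-- verify="none" disables peer certificate validation; options only restricts protocol versions`, would make the residual exposure explicit to whoever next edits these defaults. The same literal table is repeated in `prosody` (init_global_state) and the equivalent assignment sits in `net/httpserver.lua`, so any further hardening of `options` has to be applied in three places. LuaSec's `options` field also accepts a list of strings (confirm for the LuaSec version Prosody targets), so a single shared default table exported from one module would keep the three copies in step.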
diff --git a/net/httpserver.lua b/net/httpserver.lua
index 7366351e..beaa3d64 100644
--- a/net/httpserver.lua
+++ b/net/httpserver.lua
@@ -282,6 +282,7 @@ function new_from_config(ports, handle_request, default_options)
if ssl then
ssl.mode = "server";
ssl.protocol = "sslv23";
+ ssl.options = "no_sslv2";
end
new{ port = port, interface = interface,
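Review bot: The added `ssl.options = "no_sslv2";` assigns unconditionally, like the `mode` and `protocol` lines above it, so any `options` a deployment put in the port's ssl config (for example further protocol restrictions) are discarded silently. If the aim is a floor rather than a fixed value, merge the configured value with `no_sslv2` instead of replacing it; the shape below assumes LuaSec accepts either a string or a list of strings for `options`, which should be confirmed for the targeted LuaSec version. `new_from_config` begins outside the hunk.
```lua
if ssl then
	ssl.mode = "server";
	ssl.protocol = "sslv23";
	-- keep operator-supplied options, but always refuse SSLv2
	if type(ssl.options) == "table" then
		ssl.options[#ssl.options + 1] = "no_sslv2";
	elseif type(ssl.options) == "string" then
		ssl.options = { ssl.options, "no_sslv2" };
	else
		ssl.options = "no_sslv2";
	end
end
-- … unchanged: new{ port = port, interface = interface, … } …
```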
diff --git a/prosody b/prosody
index 7f69e085..1805e5b2 100755
--- a/prosody
+++ b/prosody
@@ -177,7 +177,7 @@ function init_global_state()
-- Load SSL settings from config, and create a ctx table
local global_ssl_ctx = rawget(_G, "ssl") and config.get("*", "core", "ssl");
if global_ssl_ctx then
- local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none"; };
+ local default_ssl_ctx = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; };
setmetatable(global_ssl_ctx, { __index = default_ssl_ctx });
end
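Review bot: Because the defaults are attached through `__index` on the following line, the new `options = "no_sslv2"` is consulted only when the configured `ssl` table has no `options` key at all; a deployment that sets `options` for any other reason silently re-enables SSLv2 for everything that inherits this global context. Either state that next to the table, `-- a configured options value replaces this default rather than extending it`, or merge `no_sslv2` into a configured value before the `setmetatable` call. `init_global_state` begins outside the hunk.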