[PATCH] SSL: don't enable SSLv3 by default

Piotr Sikora piotr at cloudflare.com
Thu Oct 30 04:17:04 UTC 2014


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1414642398 25200
#      Wed Oct 29 21:13:18 2014 -0700
# Node ID bf17486e5d30574b870926b76c1d6f421e4def75
# Parent  87ada3ba1392fadaf4d9193b5d345c248be32f77
SSL: don't enable SSLv3 by default.

Prodded by Jagannath Das.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c	Wed Oct 29 21:13:18 2014 -0700
@@ -2815,9 +2815,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
                               prev->upstream.ssl_session_reuse, 1);
 
     ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
-                                 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
-                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
-                                  |NGX_SSL_TLSv1_2));
+                                 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+                                  |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
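Review bot: The default protocol mask is written out as a literal in this call and again in the ngx_http_ssl_module.c, ngx_http_uwsgi_module.c and ngx_mail_ssl_module.c hunks, so dropping one protocol took four separate edits and a later change can leave one module behind with a weaker default. A single shared definition would keep the four call sites in step, for example (the name is only a suggestion) `#define NGX_SSL_DEFAULT_PROTOCOLS  (NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)`, used as `(NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS)` in each merge function. ngx_http_proxy_merge_loc_conf starts and ends outside the hunk, so whether a suitable definition already exists elsewhere cannot be seen from here.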
diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c	Wed Oct 29 21:13:18 2014 -0700
@@ -561,7 +561,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
                          prev->prefer_server_ciphers, 0);
 
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
-                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
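Review bot: Only the fallback value passed to ngx_conf_merge_bitmask_value() changes here, so a server block that already names SSLv3 in `ssl_protocols` keeps negotiating it after the upgrade, and nothing in the visible lines tells the operator. The same holds for the ngx_mail_ssl_module.c hunk and, for upstream connections, the proxy and uwsgi hunks. A short comment above the call would record the intent, e.g. `/* SSLv3 is not in the default set; it is used only when named explicitly in ssl_protocols */`, and the change note should ask administrators to check existing configurations for explicit SSLv3 entries. ngx_http_ssl_merge_srv_conf continues outside the hunk.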
diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c	Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_uwsgi_module.c	Wed Oct 29 21:13:18 2014 -0700
@@ -1598,9 +1598,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
                               prev->upstream.ssl_session_reuse, 1);
 
     ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
-                                 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
-                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
-                                  |NGX_SSL_TLSv1_2));
+                                 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+                                  |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
     ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
                              "DEFAULT");
diff -r 87ada3ba1392 -r bf17486e5d30 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Mon Oct 27 14:25:56 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c	Wed Oct 29 21:13:18 2014 -0700
@@ -235,7 +235,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
                          prev->prefer_server_ciphers, 0);
 
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
-                         (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                           |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");


