[PATCH] SSL: don't enable SSLv3 by default
Piotr Sikora
piotr at cloudflare.com
Thu Oct 30 04:17:04 UTC 2014
# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1414642398 25200
# Wed Oct 29 21:13:18 2014 -0700
# Node ID bf17486e5d30574b870926b76c1d6f421e4def75
# Parent 87ada3ba1392fadaf4d9193b5d345c248be32f77
SSL: don't enable SSLv3 by default.
Prodded by Jagannath Das.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c Wed Oct 29 21:13:18 2014 -0700
@@ -2815,9 +2815,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_session_reuse, 1);
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
- |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
- |NGX_SSL_TLSv1_2));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Oct 29 21:13:18 2014 -0700
@@ -561,7 +561,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
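Review bot: A server block whose `ssl_protocols` directive already lists SSLv3 keeps accepting it after this commit, because only the fallback mask passed to `ngx_conf_merge_bitmask_value` changes here. The same holds for the ngx_mail_ssl_module.c hunk. A comment above the call, for example `/* SSLv3 is off by default; it is enabled only when ssl_protocols names it explicitly */`, would make that scope clear to anyone auditing the defaults. The release notes should probably say the same, since deployments that rely on the default will stop negotiating SSLv3 after upgrading, while explicitly configured ones stay as they were and need a separate config review. ngx_http_ssl_merge_srv_conf starts and ends outside the hunk.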
diff -r 87ada3ba1392 -r bf17486e5d30 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Mon Oct 27 14:25:56 2014 -0700
+++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Oct 29 21:13:18 2014 -0700
@@ -1598,9 +1598,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_session_reuse, 1);
ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
- |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
- |NGX_SSL_TLSv1_2));
+ (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
+ |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
diff -r 87ada3ba1392 -r bf17486e5d30 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Oct 27 14:25:56 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c Wed Oct 29 21:13:18 2014 -0700
@@ -235,7 +235,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
prev->prefer_server_ciphers, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
- (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1
+ (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");