MEDIUM: ssl: disable SSLv3 per default for bind
For security, disable SSLv3 on bind line must be the default configuration.
SSLv3 can be enabled with "ssl-min-ver SSLv3".
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 19c1132..61376fc 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10678,7 +10678,8 @@
enables SSL deciphering on connections instantiated from this listener. A
certificate is necessary (see "crt" above). All contents in the buffers will
appear in clear text, so that ACLs and HTTP processing will only have access
- to deciphered contents.
+ to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
+ to enable it.
ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
This option enforces use of <version> or lower on SSL connections instantiated
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 776140f..885aff9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3544,12 +3544,16 @@
else
flags = conf_ssl_methods->flags;
+ min = conf_ssl_methods->min;
+ max = conf_ssl_methods->max;
+ /* start with TLSv10 to remove SSLv3 per default */
+ if (!min && (!max || max >= CONF_TLSV10))
+ min = CONF_TLSV10;
/* Real min and max should be determinate with configuration and openssl's capabilities */
- if (conf_ssl_methods->min)
- flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
- if (conf_ssl_methods->max)
- flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
-
+ if (min)
+ flags |= (methodVersions[min].flag - 1);
+ if (max)
+ flags |= ~((methodVersions[max].flag << 1) - 1);
/* find min, max and holes */
min = max = CONF_TLSV_NONE;
hole = 0;