FS-10406: [mod_sofia] mod_sofia secure websocket connections SSLv3 and tls v1.0 is still not disabled #resolve

2017-06-21 08:51:50 -05:00 · 2017-06-21 08:51:50 -05:00 · dcc0bf72ec
parent 752f46ece9
commit dcc0bf72ec
2 changed files with 10 additions and 1 deletions
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@ -1 +1 @@
-Mon Jun  5 17:43:45 CDT 2017
+Wed Jun 21 08:51:26 CDT 2017
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c
@ -390,6 +390,15 @@ static int tport_ws_init_primary_secure(tport_primary_t *pri,
      goto done;
  }

+  /* Disable SSLv2 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2);
+  /* Disable SSLv3 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv3);
+  /* Disable TLSv1 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_TLSv1);
+  /* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_COMPRESSION);
+  
  if (chain) {
 	  if ( !SSL_CTX_use_certificate_chain_file(wspri->ssl_ctx, chain) ) {
            tls_log_errors(3, "tport_ws_init_primary_secure", 0);