RejectedSoftware Forums


Disabling SSL3

Hi!

I recently moved our traffic to be 100% HTTPS, and found out that you can't disable SSL3 without forcing a specific version. Basically, if your version is not TLSVersion.any, it seems like it will force that version.

SSL3 is known to be vulnerable to a MITM attack, and lots of server software have disabled it by now. Is there a way to fix this with the current interface that I missed?

A quick and easy way would be to pass SSL_OP_NO_SSLv3 in addition to SSL_OP_NO_SSLv2 to OpenSSL, when the selected version is TLSVersion.any.

Re: Disabling SSL3

On 23.09.2015 at 15:29, Márcio Martins wrote:

> Hi!
>
> I recently moved our traffic to be 100% HTTPS, and found out that you can't disable SSL3 without forcing a specific version. Basically, if your version is not TLSVersion.any, it seems like it will force that version.
>
> SSL3 is known to be vulnerable to a MITM attack, and lots of server software have disabled it by now. Is there a way to fix this with the current interface that I missed?
>
> A quick and easy way would be to pass SSL_OP_NO_SSLv3 in addition to SSL_OP_NO_SSLv2 to OpenSSL, when the selected version is TLSVersion.any.

SSL_OP_NO_SSLv3 sounds good. I remember having looked into this before and I think there was something missing in the older 1.0.1 branch of OpenSSL, but I'm not sure if it was that option. I'll have a look.

Probably it also makes sense to switch that scheme to TLSVersion.tls10OrLater, .tls11OrLater etc. The current scheme is tailored too much to the awkward interface that OpenSSL provides.