diff options
author | Rob Crittenden <rcritten@redhat.com> | 2014-10-16 14:09:47 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2014-10-16 16:57:31 -0400 |
commit | 051f87219c90fd2880d432e1d3ca62c45e91209c (patch) | |
tree | 0c0fbcc2b07e287a1f10aafdb028abae00df35a1 | |
parent | 78c17097186a8cacfb237af67fdd87599a727e88 (diff) | |
download | mod_nss-051f87219c90fd2880d432e1d3ca62c45e91209c.tar.gz mod_nss-051f87219c90fd2880d432e1d3ca62c45e91209c.tar.xz mod_nss-051f87219c90fd2880d432e1d3ca62c45e91209c.zip |
Don't enable SSL 3 by default
This is in response to the POODLE CVE CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
-rw-r--r-- | docs/mod_nss.html | 4 | ||||
-rw-r--r-- | nss.conf.in | 2 | ||||
-rw-r--r-- | nss_engine_init.c | 4 |
3 files changed, 5 insertions, 5 deletions
diff --git a/docs/mod_nss.html b/docs/mod_nss.html index 4bd62c5..3d7c121 100644 --- a/docs/mod_nss.html +++ b/docs/mod_nss.html @@ -850,7 +850,7 @@ Note that this differs from mod_ssl in that you can't add or subtract protocols.<br> <br> If no NSSProtocol is specified, mod_nss will default to allowing the use of -the SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where SSLv3 will be set to +the TLSv1.0, TLSv1.1 and TLSv1.2 protocols, where TLSv1.0 will be set to be the minimum protocol allowed, and TLSv1.2 will be set to be the maximum protocol allowed. <br> @@ -1031,7 +1031,7 @@ syntax is identical to NSSProtocol.<br> </code><br> <big><big>NSSProxyCipherSuite</big></big><br> <br> -Specifies the SSL ciphers available for proxy connections. They syntax +Specifies the SSL ciphers available for proxy connections. The syntax is identical to NSSCipherSuite.<br> <br> <span style="font-weight: bold;">Example</span><br> diff --git a/nss.conf.in b/nss.conf.in index 37d8ee5..79f6511 100644 --- a/nss.conf.in +++ b/nss.conf.in @@ -118,7 +118,7 @@ NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa # Since all protocol ranges are completely inclusive, and no protocol in the # middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.1" # is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1". -NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2 +NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2 # SSL Certificate Nickname: # The nickname of the RSA server certificate you are going to use. diff --git a/nss_engine_init.c b/nss_engine_init.c index b5af76a..d74f002 100644 --- a/nss_engine_init.c +++ b/nss_engine_init.c @@ -646,9 +646,9 @@ static void nss_init_ctx_protocol(server_rec *s, } else { if (mctx->auth.protocols == NULL) { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, - "%s value not set; using: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2", + "%s value not set; using: TLSv1.0, TLSv1.1 and TLSv1.2", protocol_marker); - ssl3 = tls = tls1_1 = tls1_2 = 1; + tls = tls1_1 = tls1_2 = 1; } else { lprotocols = strdup(mctx->auth.protocols); ap_str_tolower(lprotocols); |