From 1bee18fcf4fef8122d4b7f0872497e0a15bc8d53 Mon Sep 17 00:00:00 2001
From: Attila Molnar
Date: Wed, 11 Mar 2015 23:53:10 +0100
Subject: [PATCH] m_ssl_openssl: Allow disabling SSLv3 via the config

---
 data/modules.example.conf | 8 ++++++++
 modules/extra/m_ssl_openssl.cpp | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/data/modules.example.conf b/data/modules.example.conf
index be4725816..355572ae0 100644
--- a/data/modules.example.conf
+++ b/data/modules.example.conf
@@ -620,6 +620,14 @@ module { name = "help" }
  */
 cert = "data/anope.crt"
 key = "data/anope.key"
+
+ /*
+ * As of 2014 SSL 3.0 is considered insecure, but it might be enabled
+ * on some systems by default for compatibility reasons.
+ * You can use the following option to enable or disable it explicitly.
+ * Leaving this option not set defaults to the default system behavior.
+ */
+ #sslv3 = no
 }
 
 /*
diff --git a/modules/extra/m_ssl_openssl.cpp b/modules/extra/m_ssl_openssl.cpp
index 67ab6164c..c26c63655 100644
--- a/modules/extra/m_ssl_openssl.cpp
+++ b/modules/extra/m_ssl_openssl.cpp
@@ -162,6 +162,20 @@ class SSLModule : public Module
 Log() << "Unable to open private key " << this->keyfile;
 }
 
+ // Allow disabling SSLv3
+ if (!config->Get("sslv3").empty())
+ {
+ if (config->Get("sslv3"))
+ {
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ }
 }
 
 void OnPreServerConnect() anope_override
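Review bot: The default is the insecure side of this switch: when `sslv3` is unset the outer `if (!config->Get("sslv3").empty())` skips both branches, so on a system whose OpenSSL still enables SSL 3.0 both contexts keep accepting it even though the example-config comment added in the same commit calls it insecure. Unless there is a compatibility reason to keep the system default, make the unset case take the `SSL_CTX_set_options(..., SSL_OP_NO_SSLv3)` branch and only clear the option on an explicit true, e.g. `const bool enable_sslv3 = !config->Get("sslv3").empty() && config->Get("sslv3");` followed by `if (enable_sslv3)` clear / `else` set, and reword the config comment to say the option defaults to off. Reading the value once into a local also avoids the second `config->Get("sslv3")` call (what `Get` returns and how it parses a boolean is not visible in this hunk). Whether `SSL_OP_NO_SSLv2` is already set unconditionally on `client_ctx` and `server_ctx` is outside the hunk; if it is not, it should be, with no config switch. The enclosing function starts outside the hunk.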