enables SSL deciphering on connections instantiated from this listener. A
certificate is necessary (see "crt" above). All contents in the buffers will
appear in clear text, so that ACLs and HTTP processing will only have access
- to deciphered contents.
+ to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
+ to enable it.
ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
This option enforces use of <version> or lower on SSL connections instantiated
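Review bot: the added sentence should read "by default" rather than "per default" (same wording issue in the code comment of the second hunk), and it documents only one of the two ways to get SSLv3 back. The code change below leaves the minimum untouched when "ssl-max-ver SSLv3" is configured (`if (!min && (!max || max >= CONF_TLSV10))`), so "ssl-max-ver SSLv3" also re-enables it; suggest "SSLv3 is disabled by default; use "ssl-min-ver SSLv3" (or "ssl-max-ver SSLv3") to enable it." It would also be worth stating here that this default only applies when no "ssl-min-ver" is set, which is what the condition above implements.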
else
flags = conf_ssl_methods->flags;
+ min = conf_ssl_methods->min;
+ max = conf_ssl_methods->max;
+ /* start with TLSv10 to remove SSLv3 per default */
+ if (!min && (!max || max >= CONF_TLSV10))
+ min = CONF_TLSV10;
/* Real min and max should be determinate with configuration and openssl's capabilities */
- if (conf_ssl_methods->min)
- flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
- if (conf_ssl_methods->max)
- flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
-
+ if (min)
+ flags |= (methodVersions[min].flag - 1);
+ if (max)
+ flags |= ~((methodVersions[max].flag << 1) - 1);
/* find min, max and holes */
min = max = CONF_TLSV_NONE;
hole = 0;
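Review bot: `min` and `max` are now initialised only inside this `else` branch, yet the new `if (min)` / `if (max)` checks read the locals instead of `conf_ssl_methods->min` / `->max`; please confirm the preceding branch of the `if` also sets both, otherwise the checks operate on uninitialised values. Two smaller points: the same two locals are reused a few lines later (`min = max = CONF_TLSV_NONE;` for the "find min, max and holes" pass), so giving the configured bounds their own names would make the default logic easier to follow; and the comment should say "by default" instead of "per default". The guard `(!max || max >= CONF_TLSV10)` is the right one: forcing `min = CONF_TLSV10` when the user has set `ssl-max-ver SSLv3` would produce an empty version range, so leaving `min` at 0 in that case is correct.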