FS-10406: [mod_sofia] mod_sofia secure websocket connections SSLv3 and tls v1.0 is...
authorBrian West <brian@freeswitch.org>
Wed, 21 Jun 2017 13:51:50 +0000 (08:51 -0500)
committerBrian West <brian@freeswitch.org>
Wed, 21 Jun 2017 13:51:50 +0000 (08:51 -0500)
libs/sofia-sip/.update
libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c

index 8f426572b4f8da7f170b5baf7e79a6ad2a24718d..951671267f9f660ae1bb52d071de29ee251f6136 100644 (file)
@@ -1 +1 @@
-Mon Jun  5 17:43:45 CDT 2017
+Wed Jun 21 08:51:26 CDT 2017
index 6b525581f14676738e9a757ee120c0ab861c2e45..3ce3b4a005a0873b5c8d4bc4f4fd9fa153db10f3 100644 (file)
@@ -390,6 +390,15 @@ static int tport_ws_init_primary_secure(tport_primary_t *pri,
       goto done;
   }
 
+  /* Disable SSLv2 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2);
+  /* Disable SSLv3 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv3);
+  /* Disable TLSv1 */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_TLSv1);
+  /* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+  SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_COMPRESSION);
+  
   if (chain) {
          if ( !SSL_CTX_use_certificate_chain_file(wspri->ssl_ctx, chain) ) {
             tls_log_errors(3, "tport_ws_init_primary_secure", 0);
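Review bot: The added `SSL_OP_NO_COMPRESSION` line has no feature guard. That macro is only defined by OpenSSL 1.0.0 and later, so if this tree is still expected to build against older libraries, the line should sit inside `#ifdef SSL_OP_NO_COMPRESSION`. The four `SSL_CTX_set_options` calls can also be one call, since the option bits are additive: `SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION);`. The protocol floor is hard-coded with no transport parameter to override it, which deserves a comment such as `/* WSS accepts TLS 1.1 and newer only; SSLv2, SSLv3 and TLS 1.0 are refused */` so operators with older clients can find the cause of a failed handshake. The body of tport_ws_init_primary_secure starts and ends outside this hunk, so the method used to create `ssl_ctx` and any cipher-list setting are not visible here.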