Change default ssl protocol to TLSv1 in the 1.9.x branch to address POODLE #12663
SSLv3 is vulnerable to man-in-the-middle attacks as discovered in POODLE. Servers and clients are encouraged to use TLSv1 instead.
PhantomJS already supports both protocols, but the vulnerable SSLv3 is currently the default.
Here's a patch to change the default to TLSv1 instead. I've also included a second to help prepare the 1.9.8 release, if that's of interest. If not, the basic update can be cherry-picked or copy/pasted as a diff easily enough.
The proposed ChangeLog entry provided explains the change a bit and tells people how to get the old behavior in case they want or need it.
referenced this pull request
Oct 20, 2014
I'm sharing that I saw a Phantom failure in the wild due to POODLE-related changes by other web servers.
Pushing out the new default
Here's a low-level check I used to test the difference:
Compare the results to see that the first succeeds and the second one