This repository has been archived by the owner. It is now read-only.

Change default ssl protocol to TLSv1 in the 1.9.x branch to address POODLE #12663

Closed
wants to merge 2 commits into
base: 1.9
from

4 participants
@markstos

markstos commented Oct 18, 2014

SSLv3 is vulnerable to man-in-middle attacks as discovered in POODLE. Servers and clients are encouraged to use TLSv1 instead.

PhantomJS already supports both protocols, but the vulnerable SSLv3 is currently the default.

Here's a patch to change the default to TLSv1 instead. I've also included a second to help prepare the 1.9.8 release, if that's of interest. If not, the basic update can be cherry-picked or copy/pasted as a diff easily enough.

The proposed ChangeLog entry provided explains the change a bit and tells people how to get the old behavior in case they want or need it.

@ariya

ariya Oct 19, 2014

Owner

@markstos Looks good, thanks for taking care of this!

@Vitallium Looks like we need your help to produce a security release 1.9.8 (Windows binary).


@Vitallium

Vitallium Oct 20, 2014

Collaborator

@ariya sure, no problem. Just let me know.


@markstos

markstos Oct 20, 2014

I'm sharing that I saw a Phantom failure in the wild due to POODLE-related changes by other web servers.

Phantom was attempting to load a JavaScript asset from a CloudFlare CDN, but CloudFlare explicitly disabled SSLv3 connections, presumably due to POODLE. This caused this request to fail, which had a cascading effect of causing other JavaScript on the failure to not load, such that "window.renderable" never got set, and Phantom declared that "Render failed".

Pushing out the new default --ssl-protocol=TLSv1 will fix Phantom scripts that end up loading SSL assets from CloudFlare or other CDNs that also improved their security by disabling SSLv3 connections.

Here's a low-level check I used to test the difference:

openssl s_client -tls1 -connect cdnjs.cloudflare.com:443
openssl s_client -ssl3 -connect cdnjs.cloudflare.com:443

Compare the results to see that the first succeeds and the second one
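A defender-side version of the two probes above, as an added example that is not part of this pull request: it runs `openssl s_client` with `-ssl3` and `-tls1`, parses the transcripts (the sample transcripts embedded here are constructed), and reports whether the endpoint refuses SSLv3 while still accepting TLSv1. The host name is the one from the comment; `probe`, `parse_s_client` and `assess` are names chosen for this example.

```python
"""POODLE check: an endpoint should refuse SSLv3 but still accept TLSv1.
Added example, not from the PhantomJS pull request; it automates the two
`openssl s_client` probes from the comment above and parses their output."""
import re
import subprocess
from collections import namedtuple

Probe = namedtuple("Probe", "status protocol cipher")  # status: ok | refused | unsupported

# Constructed sample transcripts, trimmed to the lines the parser inspects.
SAMPLE_TLS1_OK = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Protocol  : TLSv1
"""
SAMPLE_SSL3_REFUSED = """\
error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
"""
SAMPLE_SSL3_UNSUPPORTED = "s_client: Unknown option: -ssl3\n"  # local openssl built without SSLv3

def parse_s_client(output):
    """Classify one `openssl s_client` transcript (stdout and stderr combined)."""
    if re.search(r"[Uu]nknown option", output):
        return Probe("unsupported", None, None)
    m = re.search(r"^New, .*?, Cipher is (.+)$", output, re.M)
    cipher = m.group(1).strip() if m else "(NONE)"
    p = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    ok = cipher != "(NONE)" and "handshake failure" not in output
    return Probe("ok" if ok else "refused", p.group(1) if p else None, cipher if ok else None)

def probe(host, flag, port=443, timeout=10):
    """Run `openssl s_client <flag> -connect host:port` (flag is '-ssl3', '-tls1', ...).
    Empty stdin makes s_client close the connection right after the handshake."""
    proc = subprocess.run(["openssl", "s_client", flag, "-connect", f"{host}:{port}"],
                          input=b"", capture_output=True, timeout=timeout)
    return parse_s_client((proc.stdout + proc.stderr).decode(errors="replace"))

def assess(ssl3, tls1):
    if "unsupported" in (ssl3.status, tls1.status):
        return "inconclusive: local openssl cannot speak one of the probed protocols"
    if ssl3.status == "ok":
        return "sslv3 still accepted: POODLE exposure"
    if tls1.status != "ok":
        return "tlsv1 refused: clients defaulting to TLSv1 will fail"
    return "hardened: SSLv3 refused, TLSv1 accepted"

if __name__ == "__main__":  # live run against the host from the comment above (needs network)
    print(assess(probe("cdnjs.cloudflare.com", "-ssl3"), probe("cdnjs.cloudflare.com", "-tls1")))
```

An "inconclusive" verdict is expected on current OpenSSL builds, which no longer compile in SSLv3 (and often not TLS 1.0); the probe must then be run from a client that still speaks those protocols.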


@snkashis

snkashis commented Oct 21, 2014

+1

@ariya

ariya Oct 21, 2014

Owner

@Vitallium Thanks, we'll track 1.9.8 release in #12670.


@ariya

ariya Oct 21, 2014

Owner

This is merged to 1.9 branch. Thank you very much!


@ariya ariya closed this Oct 21, 2014
