Disable support for SSL 3 protocol in 2.1.x #124

wants to merge 1 commit into from

8 participants


Not sure if this'll work, but I believe it will disable negotiation for both the SSL 2 and SSL 3 protocols, leaving it to be TLS 1, 1.1, 1.2, or future versions yet to be written.

I believe it doesn't change the version requirements for OpenSSL, but obviously the higher the version the more available secure protocols (e.g. TLS 1.2 is available in OpenSSL 1.0.1 and later)


@f3ndot f3ndot Add SSL_OP_NO_SSLv3 to OpenSSL context options;
SSLv3 is on the way out. It is considered less secure than TLS and should not be offered as an available protocol for XMPP.

Already done here processone/tls@5d3cad3


@amurdaca I'm slightly confused then. What does tls_drv.c do if the TLS for ejabberd is handled in a separate project/repo?


The project amurdaca refers to is used by ejabberd master, it has nothing to do with ejabberd 2.x


Ah. Are we no longer considering PRs for 2.x?

ProcessOne - XMPP, Erlang, jabber member

I reverted 5d3cad37a80c6d730e2e5e3b6091cbb69ce199ec because it breaks backward compatibility with Tkabber and Miranda. Also people reported some s2s problems.

Too early for this commit. Let's wait a couple of years.


Tkabber and Miranda must update the code, please do not revert this change for security (apply this patch).


I really encourage the ejabberd project to take a stance by disabling SSL 3.0. The entire internet community will benefit from this security wise. We shouldn't worry about breaking compatibility with clients. We should rather encourage developers of those respected clients to update their code and preferring TLS1.2 with PFS ciphers.

Please apply this patch

@zinid Could you elaborate a bit more on the s2s problems? I would be interested to know.

ProcessOne - XMPP, Erlang, jabber member

We shouldn't worry about breaking compatibility with clients

ejabberd will introduce option to disable SSLv3. At least @alexeyshch was going to do that. I don't know about 2.1.x though.

Regarding s2s: I can't clarify because I didn't ask for details. Problems with Tkabber were enough for me.


Note for Tkabber: http://tkabber.jabber.ru/tkabber-1.0 (01/01/2014)
And Miranda NG: http://miranda-ng.org/


Miranda NG depends only on the underlying Windows Security Services. Even under XP it guarantees SSL3 & TLS 1.0 support, so SSL3 might be disabled easily


It is a confirmation that Tkabber and Miranda NG are not infected by the problem.
You can disable all old SSL versions and have TLS 1.0 and more enabled.

ProcessOne - XMPP, Erlang, jabber member

@Neustradamus Are you talking about recent versions? Recent versions are not affected of course. For example, Tkabber has been fixed just recently because of my bug report.
But there are still some versions in use which are affected.


People update the client, so it is not a problem.

@kvakvs kvakvs pushed a commit that referenced this pull request Mar 5, 2014
@ppikula ppikula remove unused is_list guards issue #124 0715bc3

For security of old 2.1.x servers, it is needed to remove SSLv3 support like I have said several months ago.

-> Poodle


Prosody 0.9.6 now has SSLv3 disabled by default. Since it's nearly been a year, can we revisit the possibility disabling SSLv3 for 2.1.x?


POODLE attack requires very specific conditions that are only present in web browsers. In particular:

  • ability to sent arbitrary packets from attacked browser
  • browser itself retrying SSL/TLS connections with lower SSL/TLS version

Those conditions do not apply to ejabberd or any other XMPP server:

  • you cannot easily send arbitrary packets from attacked XMPP client
  • XMPP clients do not make downgraded connections

SSL/TLS has perfectly valid version negiotiation mechanism. Even if the XMPP server does support SSL 3.0 it does not make anyone vulnerable.
Before jumping to conclusions I strongly suggest that you read and understand how the attack works: https://www.openssl.org/~bodo/ssl-poodle.pdf

Oh, and I am in general in favor of disabling SSL 3.0, I just don't like the general attitude "OMG, POODLE, we must disable" without understanding what and why.

ProcessOne - XMPP, Erlang, jabber member

closing as it's not needed and 2.1 not maintained

@cromain cromain closed this Mar 27, 2015
@f3ndot f3ndot deleted the f3ndot:disable-sslv3-protocol branch Mar 31, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment