Disable SSLv3? #591
Comments
@renier are you using puma ssl in production?
@evanphx I'm not, but using in internet-facing servers. I know you can put things behind a web server like nginx, but would rather just be able to configure this in puma for dev/test purposes.
@evanphx I think I can work on this patch. Would you prefer for SSLv3 to be enabled or disabled by default in the puma server?
@evanphx If you try to open an SSLv3 socket to test for the POODLE vulnerability:

You will see that the connection hangs. It is not being terminated properly by the server. In mini_ssl.c#engine_read, I think you need to accept more SSL_get_error() values to send the EOF to.

```c
e = SSL_get_error(conn->ssl, bytes);
/* Treat a failed handshake or a broken transport like a clean shutdown,
   so the client side is closed instead of hanging. */
if(e == SSL_ERROR_ZERO_RETURN || e == SSL_ERROR_SYSCALL || e == SSL_ERROR_SSL) {
  rb_eof_error();
}
```

If I test this locally, the connection is closed as I would have expected when I try the test above.
Hi, @evanphx. Pinging on the above.
The C implementation has not supported SSLv3 at all since puma#591, and SSLv3 is disabled by default in java now (http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html) so we can drop support from JRuby.
Can we get a configuration option to disable SSLv3?
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html