Disable SSLv3? #591
Comments
|
@renier are you using puma ssl in production? |
|
@evanphx I'm not, but using in internet-facing servers. I know you can put things behind a web server like nginx, but would rather just be able to configure this in puma for dev/test purposes. |
|
@evanphx I think I can work on this patch. Would you prefer for SSLv3 to be enabled or disabled by default in the puma server? |
|
@evanphx If you try to open an SSLv3 socket to test for the POODLE vulnerability: You will see that the connection hangs. It is not being terminated properly by the server. In mini_ssl.c#engine_read, I think you need to accept more SSL_get_error() values to send the EOF to. e = SSL_get_error(conn->ssl, bytes);
if(e == SSL_ERROR_ZERO_RETURN || e == SSL_ERROR_SYSCALL || e == SSL_ERROR_SSL) {
rb_eof_error();
}If I test this locally, the connection is closed as I would have expected when I try the test above. |
|
Hi, @evanphx. Pinging on the above. |
The C implementation has not supported SSLv3 at all since puma#591, and SSLv3 is disabled by default in java now (http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html) so we can drop support from JRuby.
Can we get a configuration option to disable SSLv3?
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
The text was updated successfully, but these errors were encountered: