Disable SSLv3 and 3DES ciphers
diff --git a/ejabberd-no_sslv3_or_3des.patch b/ejabberd-no_sslv3_or_3des.patch
new file mode 100644 (file)
index 0000000..4ee7a00
--- /dev/null
@@ -0,0 +1,26 @@
+diff -dur ejabberd-13.10.orig/deps/p1_tls/c_src/p1_tls_drv.c ejabberd-13.10/deps/p1_tls/c_src/p1_tls_drv.c
+--- ejabberd-13.10.orig/deps/p1_tls/c_src/p1_tls_drv.c 2013-07-17 13:50:12.000000000 +0200
++++ ejabberd-13.10/deps/p1_tls/c_src/p1_tls_drv.c      2013-11-16 15:29:02.705022418 +0100
+@@ -44,7 +44,7 @@
+ #define SSL_OP_NO_TICKET 0
+ #endif
+-#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
++#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!3DES"
+ /*
+  * R15B changed several driver callbacks to use ErlDrvSizeT and
+@@ -490,11 +490,11 @@
+        SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
+        if (command == SET_CERTIFICATE_FILE_ACCEPT) {
+-          SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET|SSL_OP_ALL);
++          SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET|SSL_OP_ALL);
+           SSL_set_accept_state(d->ssl);
+        } else {
+-          SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
++          SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
+           SSL_set_connect_state(d->ssl);
+        }
+        break;
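Review bot: The new `CIPHERS` definition drops 3DES but still admits RC4 suites wherever the linked OpenSSL's `DEFAULT` list contains them, since RC4 is not part of the `LOW` class; consider `#define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!3DES:!RC4"`. In the second inner hunk the accept branch keeps `SSL_OP_ALL`, which in OpenSSL 1.0.x-era headers includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` and therefore switches off the CBC empty-fragment countermeasure for the TLS 1.0 connections that remain once SSLv3 is gone; following the call with `SSL_clear_options(d->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);` is worth checking against the OpenSSL version this package builds with. The function containing the second hunk begins and ends outside the visible lines, so whether options are also set on the `SSL_CTX` elsewhere cannot be confirmed from here.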