From 60724172a442e8569a042e31a38d7936f70cbe63 Mon Sep 17 00:00:00 2001
From: Markus Makela
Date: Tue, 8 Mar 2016 15:22:35 +0200
Subject: [PATCH] Removed support for SSLv3
SSLv3 can't be considered safe anymore so removing the support for it improves MaxScale's security as a whole.
---
 Documentation/Getting-Started/Configuration-Guide.md | 3 ++-
 server/core/listener.c | 9 +--------
 server/include/gw_ssl.h | 1 -
 3 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index 04ad8ab48..bb6b88f1b 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -629,12 +629,13 @@ A string giving a file path that identifies an existing readable file. The file
 #### `ssl_version`
 This parameter controls the level of encryption used. Accepted values are:
- * SSLv3
 * TLSv10
 * TLSv11
 * TLSv12
 * MAX
+`MAX` is the maximum available TLS version which at the time of writing is TLSv1.2.
+
 #### `ssl_cert_verification_depth`
 The maximum length of the certificate authority chain that will be accepted. Legal values are positive integers. Note that if the client is to submit an SSL certificate, the `ssl_cert_verification_depth` parameter must not be 0. If no value is specified, the default is 9.
diff --git a/server/core/listener.c b/server/core/listener.c
index e0ce4b792..3419cecf4 100644
--- a/server/core/listener.c
+++ b/server/core/listener.c
@@ -80,11 +80,7 @@ listener_alloc(char *protocol, char *address, unsigned short port, char *authent
 int listener_set_ssl_version(SSL_LISTENER *ssl_listener, char* version)
 {
- if (strcasecmp(version,"SSLV3") == 0)
- {
- ssl_listener->ssl_method_type = SERVICE_SSLV3;
- }
- else if (strcasecmp(version,"TLSV10") == 0)
+ if (strcasecmp(version,"TLSV10") == 0)
 {
 ssl_listener->ssl_method_type = SERVICE_TLS10;
 }
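Review bot: The rejection of `SSLV3` now happens implicitly in whatever branch follows the remaining `else if` chain, which lies outside this hunk, so an operator who still has `ssl_version=SSLV3` in an existing configuration gets only that generic fallthrough behaviour, and nothing in the new code records that the value was deliberately withdrawn. A comment above the first `if` would make the intent visible to the next maintainer, e.g. `/* SSLv3 is deliberately not accepted: configurations still naming SSLV3 fall through to the error path below. */` (assuming the tail of the function reports an error — confirm). It is also worth noting in a comment that `TLSV10` pins exactly TLS 1.0, since listener_init_SSL selects the fixed-version `TLSv1_server_method()` for it in the next hunk rather than a minimum version, so `MAX` remains the preferable setting. The body of listener_set_ssl_version continues past the end of the hunk.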
@@ -147,9 +143,6 @@ listener_init_SSL(SSL_LISTENER *ssl_listener)
 {
 switch(ssl_listener->ssl_method_type)
 {
- case SERVICE_SSLV3:
- ssl_listener->method = (SSL_METHOD*)SSLv3_server_method();
- break;
 case SERVICE_TLS10:
 ssl_listener->method = (SSL_METHOD*)TLSv1_server_method();
 break;
diff --git a/server/include/gw_ssl.h b/server/include/gw_ssl.h
index 60cedbd53..29deadef4 100644
--- a/server/include/gw_ssl.h
+++ b/server/include/gw_ssl.h
@@ -42,7 +42,6 @@ struct dcb;
 enum
 {
- SERVICE_SSLV3,
 SERVICE_TLS10,
 #ifdef OPENSSL_1_0
 SERVICE_TLS11,
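Review bot: With `SERVICE_SSLV3` removed from the enum in gw_ssl.h (the last hunk), `SERVICE_TLS10` becomes the first enumerator and therefore takes the value 0, so any `SSL_LISTENER` that is zero-initialized and never passed through listener_set_ssl_version will now land on the `case SERVICE_TLS10:` branch here and be pinned to TLS 1.0, where before this commit the same zero value selected SSLv3 — whether such a listener can reach this switch is not visible from the hunk, so confirm against listener_alloc. If it can, an explicit sentinel as the first enumerator (a placeholder name such as `SERVICE_SSL_UNSET`) that the switch's default branch rejects would make the unset state fail loudly instead of silently choosing a protocol version. The switch's default branch, if it has one, lies outside the hunk.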