[ejabberd] poodle and linux versions

Randy Bush randy at psg.com
Thu Oct 16 22:08:09 MSK 2014


Well, the approach (patch and rebuild rather than jumping to 14.07)
may be reasonable, but the suggested patch is wrong.  The file in
question is ejabberd/src/tls/tls_drv.c.  The suggested patch is:

> - #define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
> + #define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
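Review bot: `!SSLv3` on the `+` line is a cipher-suite selector in OpenSSL's cipher-list syntax, not a protocol switch. The `SSLv3` keyword matches every suite OpenSSL classifies as an SSL 3.0 suite, and those are the same suites TLS 1.0 and TLS 1.1 negotiate from, so this line removes them for every protocol version while leaving SSL 3.0 itself enabled in the context; an SSL 3.0 client would fail only as a side effect of "no shared cipher", and TLS 1.0/1.1 clients would fail the same way. Turning the protocol off belongs in `SSL_CTX_set_options` with `SSL_OP_NO_SSLv3`; if the cipher list is to be touched at all, keep the original `DEFAULT:!EXPORT:!LOW:!SSLv2` and tighten it for cipher reasons only.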

which changes the cipher list, not the protocol list.

I think the right patch, if we take this path, is:

-	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
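Review bot: the hunk is a single `SSL_CTX_set_options` call with no file header or `@@` context, so before applying it confirm that tls_drv.c creates only one `SSL_CTX`; if the driver also sets up a context for the outgoing (client) side, that call needs `SSL_OP_NO_SSLv3` as well or SSL 3.0 stays negotiable in that direction. After the rebuild, check the result from outside with `openssl s_client -ssl3 -connect host:port` (or `-starttls xmpp` against the c2s port): the SSL 3.0 handshake should be refused while a plain `openssl s_client` TLS connection still succeeds.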

Granted, one might //also// want to tweak the cipher list as long as
one has the cover off, but Poodle is about protocol, not cipher.

