From 6150de5eb213505d6e70500977658b2e93725246 Mon Sep 17 00:00:00 2001
From: Trustin Lee
Date: Tue, 21 Oct 2014 13:55:32 +0900
Subject: [PATCH] Disable SSLv3 to avoid POODLE vulnerability

Related: #3031

Motivation:

The only way to protect ourselves from POODLE vulnerability in Java for now is to disable SSLv3.
- http://en.wikipedia.org/wiki/POODLE
- https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability

Modifivation:

Disable SSLv3 in SslContext implementations

Result:

Prevent POODLE vulnerability when a user used SslContext with the default configuration
---
 handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java | 2 +-
 .../main/java/io/netty/handler/ssl/OpenSslServerContext.java | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
index 15402a8c2f..0ccd30c58d 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@@ -55,7 +55,7 @@ public abstract class JdkSslContext extends SslContext {
 List protocols = new ArrayList();
 addIfSupported(
 supportedProtocols, protocols,
- "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");
+ "TLSv1.2", "TLSv1.1", "TLSv1");

 if (!protocols.isEmpty()) {
 PROTOCOLS = protocols.toArray(new String[protocols.size()]);
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
index a62c6d7b2d..7012f5c267 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
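Review bot: The shortened protocol list on the `+` line gives no hint that leaving out SSLv3 is deliberate, so a later contributor extending the list could "restore" it alongside a newer version; a comment such as `// SSLv3 intentionally omitted: vulnerable to POODLE (see #3031)` above the `addIfSupported(` call would pin the decision in the code itself. The `if (!protocols.isEmpty())` test is visible but its else arm lies outside the hunk; if that arm falls back to the engine's own enabled protocols, a runtime that supports none of TLSv1, TLSv1.1 or TLSv1.2 would presumably still end up with SSLv3 enabled, which is worth confirming and documenting next to the fallback. The enclosing static initializer starts and ends outside the hunk.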
@@ -170,6 +170,7 @@ public final class OpenSslServerContext extends SslContext {
 SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
 SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
+ SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
 SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
 SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
 SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);