Disable SSLv3 to avoid POODLE vulnerability

Related: #3031 Motivation: The only way to protect ourselves from POODLE vulnerability in Java for now is to disable SSLv3. - http://en.wikipedia.org/wiki/POODLE - https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability Modifivation: Disable SSLv3 in SslContext implementations Result: Prevent POODLE vulnerability when a user used SslContext with the default configuration
2014-10-21 13:55:32 +09:00 · 2014-10-21 13:55:32 +09:00 · a1af35313c
commit a1af35313c
parent f3ef94d35e
2 changed files with 2 additions and 1 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@ -55,7 +55,7 @@ public abstract class JdkSslContext extends SslContext {
        List<String> protocols = new ArrayList<String>();
        addIfSupported(
                supportedProtocols, protocols,
-                "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");
+                "TLSv1.2", "TLSv1.1", "TLSv1");

        if (!protocols.isEmpty()) {
            PROTOCOLS = protocols.toArray(new String[protocols.size()]);
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
@ -170,6 +170,7 @@ public final class OpenSslServerContext extends SslContext {

                SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
                SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
+                SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
                SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
                SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
                SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);