authorBen Noordhuis <info@bnoordhuis.nl>2015-01-13 00:45:31 +0100
committerBen Noordhuis <info@bnoordhuis.nl>2015-01-13 01:59:30 +0100
commit5165d71048a0cc20c319fcd62ac4c50465ff0414 (patch)
treece05b41dab1258a2f83c7427d5125560d14029fa /src/node_crypto_clienthello.cc
parent635337f953aac7ae26d1c19630e7f940dbfc3120 (diff)
build,src: remove sslv3 support
SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Diffstat (limited to 'src/node_crypto_clienthello.cc')
-rw-r--r--src/node_crypto_clienthello.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/node_crypto_clienthello.cc b/src/node_crypto_clienthello.cc
index 34507858c9..8fbc3161f8 100644
--- a/src/node_crypto_clienthello.cc
+++ b/src/node_crypto_clienthello.cc
@@ -61,13 +61,15 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
// Check hello protocol version. Protocol tuples that we know about:
//
- // (3,0) SSL v3.0
// (3,1) TLS v1.0
// (3,2) TLS v1.1
// (3,3) TLS v1.2
//
- if (data[body_offset_ + 4] != 0x03 || data[body_offset_ + 5] > 0x03)
+ if (data[body_offset_ + 4] != 0x03 ||
+ data[body_offset_ + 5] < 0x01 ||
+ data[body_offset_ + 5] > 0x03) {
goto fail;
+ }
if (data[body_offset_] == kClientHello) {
if (state_ == kTLSHeader) {
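Review bot: The widened version test in ParseHeader reads `data[body_offset_ + 4]` and `data[body_offset_ + 5]`, and no line in this hunk shows that `avail` reaches those offsets. The function begins above the hunk, so a length guard may already exist there; if it only compares the declared frame length with `avail`, a record that declares fewer than six body bytes could still reach these reads. That is worth confirming, and if it is not covered, `if (avail < body_offset_ + 6) goto fail;` just before the check would close it. A short comment such as `// (3,0) SSL v3.0 is rejected on purpose` would also keep the new lower bound from being read as a mistake later.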