From 5165d71048a0cc20c319fcd62ac4c50465ff0414 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Tue, 13 Jan 2015 00:45:31 +0100
Subject: build,src: remove sslv3 support

SSLv3 is susceptible to downgrade attacks.  Provide secure defaults,
disable v3 protocol support entirely.

PR-URL: https://github.com/iojs/io.js/pull/315
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
---
 src/node_crypto_clienthello.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/node_crypto_clienthello.cc')

diff --git a/src/node_crypto_clienthello.cc b/src/node_crypto_clienthello.cc
index 34507858c9..8fbc3161f8 100644
--- a/src/node_crypto_clienthello.cc
+++ b/src/node_crypto_clienthello.cc
@@ -61,13 +61,15 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
 
   // Check hello protocol version.  Protocol tuples that we know about:
   //
-  // (3,0) SSL v3.0
   // (3,1) TLS v1.0
   // (3,2) TLS v1.1
   // (3,3) TLS v1.2
   //
-  if (data[body_offset_ + 4] != 0x03 || data[body_offset_ + 5] > 0x03)
+  if (data[body_offset_ + 4] != 0x03 ||
+      data[body_offset_ + 5] < 0x01 ||
+      data[body_offset_ + 5] > 0x03) {
     goto fail;
+  }
 
   if (data[body_offset_] == kClientHello) {
     if (state_ == kTLSHeader) {
-- 
cgit v1.2.3