commit 91d199b66a70fa43e652b6e5f0816d250d6f0bdc Author: David Fifield david@bamsoftware.com Date: Wed Oct 22 16:39:09 2014 -0700
Set TLSv1.0 as the minimum TLS version in meek-server.
As a mitigation for POODLE. This was spotted by Jesse Victors. --- meek-server/meek-server.go | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index 81a1757..669f329 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -248,6 +248,11 @@ func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename stri
 return nil, err
 }
+ // Additionally disable SSLv3 because of the POODLE attack.
+ // http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploitin...
+ // https://code.google.com/p/go/source/detail?r=ad9e191a51946e43f1abac8b6a2fefb...
+ config.MinVersion = tls.VersionTLS10
+ tlsListener := tls.NewListener(conn, config)
return tlsListener, nil
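Review bot: The added comment above `config.MinVersion = tls.VersionTLS10` says what is disabled but not what the floor costs, namely that any peer unable to negotiate TLS 1.0 or higher now fails the handshake at `tls.NewListener(conn, config)`; I would state that trade-off next to the assignment, e.g. `// Additionally disable SSLv3 because of the POODLE attack; clients limited to SSLv3 will fail the handshake.` It is also worth recording that TLS 1.0 is a floor chosen for this mitigation rather than a target, so that raising it later is a deliberate one-line change at this site instead of something to rediscover; a short sentence in the same comment is enough. The assignment is correctly placed after the certificate error check and before the listener is wrapped, so the floor applies to every accepted connection. listenTLS begins before the hunk, and its closing brace is not among the lines shown.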