commit 91d199b66a70fa43e652b6e5f0816d250d6f0bdc Author: David Fifield <david@bamsoftware.com> Date: Wed Oct 22 16:39:09 2014 -0700 Set TLSv1.0 as the minimum TLS version in meek-server. As a mitigationn for POODLE. This was spotted by Jesse Victors. --- meek-server/meek-server.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go index 81a1757..669f329 100644 --- a/meek-server/meek-server.go +++ b/meek-server/meek-server.go @@ -248,6 +248,11 @@ func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename stri return nil, err } + // Additionally disable SSLv3 because of the POODLE attack. + // http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploitin... + // https://code.google.com/p/go/source/detail?r=ad9e191a51946e43f1abac8b6a2fefb... + config.MinVersion = tls.VersionTLS10 + tlsListener := tls.NewListener(conn, config) return tlsListener, nil