Commit 885838a0 authored by Josh Cooper

(PUP-3467) Reject SSLv3 when initiating SSL connections

Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc., it could downgrade to SSLv3.

This commit ensures puppet will not downgrade to SSLv3 by setting the
`OpenSSL::SSL::OP_NO_SSLv3` bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".

[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
parent 67b89bdd
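
As an added illustration (not Puppet's code from this commit), the Ruby below sets the `OpenSSL::SSL::OP_NO_SSLv3` bit on a client context and confirms that the enabled ciphersuite list is unchanged, since the bit acts on the protocol version and not on ciphers. The helper names `reject_sslv3!` and `audit_context` are hypothetical.

```ruby
require 'openssl'

# Hypothetical helper: OR the "no SSLv3" bit into whatever options the
# context already carries, so existing flags are preserved.
def reject_sslv3!(ctx)
  ctx.options = (ctx.options || 0) | OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

# Group enabled ciphersuites by the protocol label OpenSSL reports for them.
# SSLContext#ciphers yields [name, version_label, bits, alg_bits] entries.
def ciphers_by_label(ctx)
  counts = Hash.new(0)
  ctx.ciphers.each { |_name, label, _bits, _alg_bits| counts[label] += 1 }
  counts
end

# Hypothetical helper: apply the option to a fresh context and report what
# changed (the protocol bit) and what did not (the cipher list).
def audit_context
  ctx = OpenSSL::SSL::SSLContext.new
  before = ctx.ciphers.map(&:first)
  reject_sslv3!(ctx)
  after = ctx.ciphers.map(&:first)
  {
    sslv3_protocol_disabled: (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0,
    ciphers_unchanged: before == after,
    cipher_count: after.size,
    by_label: ciphers_by_label(ctx)
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_context
  puts "SSLv3 protocol disabled: #{report[:sslv3_protocol_disabled]}"
  puts "Cipher list unchanged:   #{report[:ciphers_unchanged]}"
  # Labels depend on the local OpenSSL build; some builds still tag
  # TLSv1.0-era suites as "SSLv3", as the commit message notes.
  report[:by_label].each { |label, n| puts format('  %-10s %d', label, n) }
end
```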