(PUP-3467) Reject SSLv3 when initiating SSL connections
Previously, when puppet initiated SSL connections, e.g. puppet agent, puppet module, etc., it could downgrade to SSLv3. This commit ensures puppet will not downgrade to SSLv3 by setting the `OpenSSL::SSL::OP_NO_SSLv3` bit.

However, unlike SSLv2, we cannot remove SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".

[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
parent
67b89bdd
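The distinction the commit message draws, between disabling the SSLv3 protocol version and leaving the SSLv3-flagged ciphersuites in place, shown as an added example (not code from this commit or from Puppet). The helper names are hypothetical; only the Ruby `openssl` standard library is assumed.

```ruby
require 'openssl'

# Hypothetical helper (not Puppet's code): a client context that refuses the
# SSLv3 protocol version by setting the option bit named in the commit message.
# The cipher list is deliberately left untouched.
def no_sslv3_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = ctx.options.to_i | OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

# True when the SSLv3 protocol version is disabled on this context.
def sslv3_disabled?(ctx)
  (ctx.options.to_i & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

# Names of the enabled ciphersuites, in preference order.
def cipher_names(ctx)
  ctx.ciphers.map { |name, _version, _bits, _alg_bits| name }
end

# Ciphersuites whose version label mentions SSLv3. The label marks the protocol
# version that introduced the suite (its exact text varies by OpenSSL release);
# TLSv1 negotiates these same suites, so they cannot be dropped the way
# SSLv2-only suites can.
def sslv3_flagged_ciphers(ctx)
  ctx.ciphers.select { |_name, version, *| version.to_s.include?('SSLv3') }
             .map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  ctx = no_sslv3_context
  puts "OP_NO_SSLv3 set:       #{sslv3_disabled?(ctx)}"
  puts "ciphers enabled:       #{cipher_names(ctx).size}"
  puts "flagged SSLv3 (kept):  #{sslv3_flagged_ciphers(ctx).size}"
  same = cipher_names(ctx) == cipher_names(OpenSSL::SSL::SSLContext.new)
  puts "cipher list unchanged: #{same}"
end
```

The option bit governs which protocol versions the handshake will accept, while the cipher list is a separate setting, which is why the list is identical with and without the bit.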