-rw-r--r--data/modules.example.conf8
-rw-r--r--modules/extra/m_ssl_openssl.cpp14
2 files changed, 22 insertions, 0 deletions
diff --git a/data/modules.example.conf b/data/modules.example.conf
index be4725816..355572ae0 100644
--- a/data/modules.example.conf
+++ b/data/modules.example.conf
@@ -620,6 +620,14 @@ module { name = "help" }
*/
cert = "data/anope.crt"
key = "data/anope.key"
+
+ /*
+ * As of 2014 SSL 3.0 is considered insecure, but it might be enabled
+ * on some systems by default for compatibility reasons.
+ * You can use the following option to enable or disable it explicitly.
+ * Leaving this option not set defaults to the default system behavior.
+ */
+ #sslv3 = no
}
/*
diff --git a/modules/extra/m_ssl_openssl.cpp b/modules/extra/m_ssl_openssl.cpp
index 67ab6164c..c26c63655 100644
--- a/modules/extra/m_ssl_openssl.cpp
+++ b/modules/extra/m_ssl_openssl.cpp
@@ -162,6 +162,20 @@ class SSLModule : public Module
Log() << "Unable to open private key " << this->keyfile;
}
+ // Allow disabling SSLv3
+ if (!config->Get<Anope::string>("sslv3").empty())
+ {
+ if (config->Get<bool>("sslv3"))
+ {
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ else
+ {
+ SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
+ }
+ }
}
void OnPreServerConnect() anope_override
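Review bot: When `sslv3` is not set the new block does nothing, so SSLv3 stays at whatever the linked OpenSSL and distro defaults allow, which the accompanying modules.example.conf comment itself says may be enabled; for a protocol the commit describes as insecure, the safer default is to set `SSL_OP_NO_SSLv3` on both contexts unless the option explicitly says yes. That also removes the outer `.empty()` guard around the inner `Get<bool>`, so the key is read once per branch rather than twice. If the default is changed, the example-config comment should say "defaults to disabled" instead of "defaults to the default system behavior". The enclosing method (presumably the reload handler, given the `config->Get` calls) starts and ends outside the hunk.
```cpp
	// Disable SSLv3 unless the config explicitly enables it
	if (!config->Get<Anope::string>("sslv3").empty() && config->Get<bool>("sslv3"))
	{
		SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
		SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
	}
	else
	{
		SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
		SSL_CTX_set_options(server_ctx, SSL_OP_NO_SSLv3);
	}
```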