Copyright © https://mongoose-os.com

Mongoose OS Forum


mongoose should explicitly disable SSLv2, SSLv3

mongoose scores A- on the SSL Labs test, but only as long as SSLv3 is manually disabled. (Both SSLv2 and SSLv3 are no longer considered secure.) (Test run on CentOS 6 with stock OpenSSL.)

I use this code:

diff --git a/src/mongoose6.c b/src/mongoose6.c
index a9fd835..a6f3e07 100644
--- a/src/mongoose6.c
+++ b/src/mongoose6.c
@ const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
SSL_set_fd(nc->ssl, nc->sock);
}

  • SSL_CTX_set_options(nc->ssl_ctx, SSL_OP_NO_SSLv2);
  • SSL_CTX_set_options(nc->ssl_ctx, SSL_OP_NO_SSLv3);

  • #ifndef MG_DISABLE_PFS
    SSL_CTX_set_cipher_list(nc->ssl_ctx, mg_s_cipher_list);
    #endif
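Review bot: the two `SSL_CTX_set_options` calls are placed after `SSL_set_fd(nc->ssl, nc->sock)`, i.e. after the connection's `SSL` object has already been created from `nc->ssl_ctx`; OpenSSL copies the context's options into the `SSL` object at `SSL_new()` time, so a connection that already exists at this point keeps the default protocol set and only `SSL` objects created from the context later pick up the SSLv2/SSLv3 exclusion. Move the calls to before the `SSL` object is created, or additionally apply them to the existing connection with `SSL_set_options(nc->ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)`; the two flags can also be OR-ed into a single `SSL_CTX_set_options` call. It would also help to note in the commit message that the cipher list set by the `MG_DISABLE_PFS` block below is unaffected by this change, since the post's SSL Labs result depends on both the protocol set and the cipher list.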

K.O.

Comments

  • Sergey, Dublin, Ireland

    @rojer does it make sense to do it?

  • Hello! Year 2016 to mongoose developers! Known insecure protocols turned off yet? SSLv2, SSLv3, RC4? Anybody home? Run mongoose against the SSL Labs HTTPS scanner twice daily, yes?

  • Sergey, Dublin, Ireland

    @alex please integrate the proposed patch.
