mongoose should explicitly disable SSLv2, SSLv3

mongoose scores A- on the SSL Labs test, but only as long as SSLv3 is manually disabled. (Both SSLv2 and SSLv3 are no longer considered secure.) (Test run on CentOS 6 with stock OpenSSL.)

I use this code:

diff --git a/src/mongoose6.c b/src/mongoose6.c
index a9fd835..a6f3e07 100644
--- a/src/mongoose6.c
+++ b/src/mongoose6.c
@ const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
SSL_set_fd(nc->ssl, nc->sock);

  • SSL_CTX_set_options(nc->ssl_ctx, SSL_OP_NO_SSLv2);
  • SSL_CTX_set_options(nc->ssl_ctx, SSL_OP_NO_SSLv3);

  • #ifndef MG_DISABLE_PFS
    SSL_CTX_set_cipher_list(nc->ssl_ctx, mg_s_cipher_list);
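Review bot: The two added SSL_CTX_set_options calls sit after SSL_set_fd(nc->ssl, nc->sock), so nc->ssl already exists when they run. OpenSSL copies a context's options into an SSL object at SSL_new() time, and later changes to the context do not reach objects that were already created. If nc->ssl was created from nc->ssl_ctx, the SSLv2/SSLv3 restriction will not apply to it. Either move the calls to directly after the context is created, or also call SSL_set_options(nc->ssl, ...) on the existing object. The hunk also does not show that nc->ssl_ctx is non-NULL on every path that reaches these lines, which is worth confirming. As a style point, the two calls can be merged into one: SSL_CTX_set_options(nc->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);. Placing them before #ifndef MG_DISABLE_PFS is the right choice, since the protocol restriction should not depend on the PFS build flag.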



