From d679aee471301f3321a223d0180fb26787be8e2f Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Wed, 15 Oct 2014 19:10:39 +0900 Subject: New patch 340_ssl-init.patch to disable SSLv3 [CVE-2014-3566] --- debian/patches/340_ssl-init.patch | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 debian/patches/340_ssl-init.patch (limited to 'debian/patches/340_ssl-init.patch') diff --git a/debian/patches/340_ssl-init.patch b/debian/patches/340_ssl-init.patch new file mode 100644 index 0000000..b47bbb6 --- /dev/null +++ b/debian/patches/340_ssl-init.patch @@ -0,0 +1,50 @@ +Subject: Force ssl_verify_server on, and disable SSLv2 and SSLv3 +Author: Ludwig Nussel , Tatsuya Kinoshita +Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4 + + Update README.SSL to follow default values + + Disable SSLv3 by default [CVE-2014-3566] + cf. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ + + Force ssl_verify_server on and disable SSLv2 support + Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4 + +diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL +index 4aedfde..670ed5f 100644 +--- a/doc-jp/README.SSL ++++ b/doc-jp/README.SSL +@@ -25,9 +25,9 @@ SSL + + ssl_forbid_method + 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1) +- (デフォルトは). ++ (デフォルトは2, 3). + ssl_verify_server ON/OFF +- SSLのサーバ認証を行う(デフォルトはOFF). ++ SSLのサーバ認証を行う(デフォルトはON). + ssl_cert_file ファイル名 + SSLのクライアント用PEM形式証明書ファイル(デフォルトは). + ssl_key_file ファイル名 +diff --git a/fm.h b/fm.h +index 8378939..ddcd4fc 100644 +--- a/fm.h ++++ b/fm.h +@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); + #endif + + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) +-global int ssl_verify_server init(FALSE); ++global int ssl_verify_server init(TRUE); + global char *ssl_cert_file init(NULL); + global char *ssl_key_file init(NULL); + global char *ssl_ca_path init(NULL); +@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE); + #endif /* defined(USE_SSL) && + * defined(USE_SSL_VERIFY) */ + #ifdef USE_SSL +-global char *ssl_forbid_method init(NULL); ++global char *ssl_forbid_method init("2, 3"); + #endif + + global int is_redisplay init(FALSE); -- cgit v1.2.3