[tor-commits] [meek/master] Set TLSv1.0 as the minimum TLS version in meek-server.

dcf at torproject.org dcf at torproject.org
Thu Oct 23 00:01:07 UTC 2014


commit 91d199b66a70fa43e652b6e5f0816d250d6f0bdc
Author: David Fifield <david at bamsoftware.com>
Date:   Wed Oct 22 16:39:09 2014 -0700

    Set TLSv1.0 as the minimum TLS version in meek-server.
    
    As a mitigationn for POODLE. This was spotted by Jesse Victors.
---
 meek-server/meek-server.go |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index 81a1757..669f329 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -248,6 +248,11 @@ func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename stri
 		return nil, err
 	}
 
+	// Additionally disable SSLv3 because of the POODLE attack.
+	// http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
+	// https://code.google.com/p/go/source/detail?r=ad9e191a51946e43f1abac8b6a2fefbf2291eea7
+	config.MinVersion = tls.VersionTLS10
+
 	tlsListener := tls.NewListener(conn, config)
 
 	return tlsListener, nil



More information about the tor-commits mailing list