authorGregory Maxwell <greg@xiph.org>2014-12-06 07:08:02 -0800
committerGregory Maxwell <greg@xiph.org>2014-12-06 07:08:02 -0800
commit683dc4009b2b01699e672f8150c28e2ebe0aae19 (patch)
treef1b9abb7c19d5798bbe04705908b74b4af2e6de0
parent4383319e4e0cb96818d2be734f7280181daac9fa (diff)
Disable SSLv3 (in favor of TLS) for the RPC client and server.
TLS is subject to downgrade attacks when SSLv3 is available, and SSLv3 itself has vulnerabilities. The widely adopted solution is to disable SSLv3. On the web this breaks only a tiny number of very old clients. While Bitcoin RPC shouldn't be exposed to the open Internet, it also shouldn't be exposed to really old SSL implementations, so disabling SSLv3 shouldn't be a major issue for us. There is more information on the downgrade attacks and on disabling SSLv3 at https://disablessl3.com/.
-rw-r--r--src/bitcoin-cli.cpp2
-rw-r--r--src/rpcserver.cpp2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/bitcoin-cli.cpp b/src/bitcoin-cli.cpp
index 1b638e99e9..ea349b197e 100644
--- a/src/bitcoin-cli.cpp
+++ b/src/bitcoin-cli.cpp
@@ -110,7 +110,7 @@ Object CallRPC(const string& strMethod, const Array& params)
bool fUseSSL = GetBoolArg("-rpcssl", false);
asio::io_service io_service;
ssl::context context(io_service, ssl::context::sslv23);
- context.set_options(ssl::context::no_sslv2);
+ context.set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3);
asio::ssl::stream<asio::ip::tcp::socket> sslStream(io_service, context);
SSLIOStreamDevice<asio::ip::tcp> d(sslStream, fUseSSL);
iostreams::stream< SSLIOStreamDevice<asio::ip::tcp> > stream(d);
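Review bot: The added `set_options` call carries no comment explaining why the context is built with `ssl::context::sslv23` and then has SSLv2 and SSLv3 masked off, rather than being constructed with a TLS-only method; a future reader may "simplify" it back or drop one of the flags. I would add above the call: `// sslv23 negotiates the highest version both sides support; exclude SSLv2/SSLv3 so only TLS is used (SSLv3 enables downgrade attacks, see https://disablessl3.com/).` The same comment applies to the mirrored server-side change in src/rpcserver.cpp (the `rpc_ssl_context->set_options` line). Note that with these two exclusions every TLS version the linked OpenSSL offers, including TLS 1.0, remains negotiable, which matches the commit description but is worth stating explicitly so later reviewers know it was deliberate. `CallRPC` begins before this hunk and continues after it.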
diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp
index 90695611f2..252b0866a2 100644
--- a/src/rpcserver.cpp
+++ b/src/rpcserver.cpp
@@ -597,7 +597,7 @@ void StartRPCThreads()
if (fUseSSL)
{
- rpc_ssl_context->set_options(ssl::context::no_sslv2);
+ rpc_ssl_context->set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3);
filesystem::path pathCertFile(GetArg("-rpcsslcertificatechainfile", "server.cert"));
if (!pathCertFile.is_complete()) pathCertFile = filesystem::path(GetDataDir()) / pathCertFile;