authorEdward Thomson <ethomson@edwardthomson.com>2014-10-23 08:27:13 -0700
committerEdward Thomson <ethomson@edwardthomson.com>2014-10-23 08:27:13 -0700
commitd676af43da6603f1b31fb6d2d3eb02793b260ad0 (patch)
tree5b6e6e3e6c505a210a82b5ec5258cddf5cf4d010
parent943fde7f8c1d270c2f0b73ff52f07b91e1983390 (diff)
parentf0f9737094080a3c23abc013347a66342d360ec5 (diff)
downloadlibgit2-d676af43da6603f1b31fb6d2d3eb02793b260ad0.tar.gz
Merge pull request #2625 from libgit2/cmn/ssl-tls
ssl: dump the SSL ciphers in favour of TLS
-rw-r--r--src/global.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/global.c b/src/global.c
index 4a0b680ef..514b96ccb 100644
--- a/src/global.c
+++ b/src/global.c
@@ -71,7 +71,20 @@ static void init_ssl(void)
#ifdef GIT_SSL
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
+ /*
+ * Load SSLv{2,3} and TLSv1 so that we can talk with servers
+ * which use the SSL hellos, which are often used for
+ * compatibility. We then disable SSL so we only allow OpenSSL
+ * to speak TLSv1 to perform the encryption itself.
+ */
git__ssl_ctx = SSL_CTX_new(SSLv23_method());
+ SSL_CTX_set_options(git__ssl_ctx,
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
+ /* Older OpenSSL and MacOS OpenSSL doesn't have this */
+# ifdef SSL_OP_NO_COMPRESSION
+ | SSL_OP_NO_COMPRESSION
+# endif
+ );
SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {
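Review bot: The comment added above the SSL_CTX_new call says the context will "only allow OpenSSL to speak TLSv1", but with SSLv23_method() plus SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 OpenSSL negotiates whichever TLS version both peers support (1.0, 1.1 or 1.2 depending on the library build), so the wording should be `to speak TLS` rather than `TLSv1` to avoid implying a TLS 1.0-only pin. The SSL_OP_NO_COMPRESSION branch would also benefit from a one-line why, e.g. `/* TLS-level compression can leak plaintext; disable it where the library supports the option */`, since the existing comment only explains the `# ifdef`. Separately, the new SSL_CTX_set_options call is now the first dereference of git__ssl_ctx after SSL_CTX_new, which returns NULL on failure; the later set_mode/set_verify calls already had this gap, but a NULL check before the new call is the natural place to bail out. init_ssl starts and ends outside the hunk.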