SERVER-15673 Disable SSLv3 ciphers (CVE-2014-3566 "POODLE")

(cherry picked from commit 035b5a90f56d653e930fcbe20c89f4dda7e48a30)
author: Dan Pasette <dan@10gen.com> 2014-10-27 22:45:56 -0400
committer: Dan Pasette <dan@mongodb.com> 2014-10-27 22:45:56 -0400
commit: 8b9242837510e6410ddcf4f19969da4c7b01b2f7 (patch)
tree: 7a273a299ecbb4d6660e6ebe1f9dbd02f1fc306a
parent: 6c0fccd4601b65c7c808608a60cbfb182f0b7215 (diff)
download: mongo-8b9242837510e6410ddcf4f19969da4c7b01b2f7.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index dd8b3a2fe6f..0efdd7ced60 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -140,7 +140,9 @@ namespace mongo {
                 _context);
    
         // Activate all bug workaround options, to support buggy client SSL's.
-        SSL_CTX_set_options(_context, SSL_OP_ALL);
+        // SSL_OP_NO_SSLv2 - Disable SSL v2 support
+        // SSL_OP_NO_SSLv3 - Disable SSL v3 support
+        SSL_CTX_set_options(*context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 
         // If renegotiation is needed, don't return from recv() or send() until it's successful.
         // Note: this is for blocking sockets only.
author	Dan Pasette <dan@10gen.com>	2014-10-27 22:45:56 -0400
committer	Dan Pasette <dan@mongodb.com>	2014-10-27 22:45:56 -0400
commit	8b9242837510e6410ddcf4f19969da4c7b01b2f7 (patch)
tree	7a273a299ecbb4d6660e6ebe1f9dbd02f1fc306a
parent	6c0fccd4601b65c7c808608a60cbfb182f0b7215 (diff)
download	mongo-8b9242837510e6410ddcf4f19969da4c7b01b2f7.tar.gz