From 10f63cd38e47dd220877ec30e16287fba65a4522 Mon Sep 17 00:00:00 2001
From: "brian m. carlson"
Date: Sat, 6 Dec 2014 18:52:25 +0000
Subject: [PATCH] crypto: disable SSLv3 if shared OpenSSL lacks it

Some distributions disable SSLv3 due to POODLE. In such a case, disable the specific SSLv3 methods and throw an exception, much like the code already does for SSLv2. The SSLv23* code is retained because this is OpenSSL's terminology for "no version in particular".
---
 src/node_crypto.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 06651280bfeb45..26f6a51655a215 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -326,11 +326,23 @@ void SecureContext::Init(const FunctionCallbackInfo& args) {
 return env->ThrowError("SSLv2 methods disabled");
 #endif
 } else if (strcmp(*sslmethod, "SSLv3_method") == 0) {
+#ifndef OPENSSL_NO_SSL3
 method = SSLv3_method();
+#else
+ return env->ThrowError("SSLv3 methods disabled");
+#endif
 } else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) {
+#ifndef OPENSSL_NO_SSL3
 method = SSLv3_server_method();
+#else
+ return env->ThrowError("SSLv3 methods disabled");
+#endif
 } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
+#ifndef OPENSSL_NO_SSL3
 method = SSLv3_client_method();
+#else
+ return env->ThrowError("SSLv3 methods disabled");
+#endif
 } else if (strcmp(*sslmethod, "SSLv23_method") == 0) {
 method = SSLv23_method();
 } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
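Review bot: The three `#ifndef OPENSSL_NO_SSL3` guards around `SSLv3_method()`, `SSLv3_server_method()` and `SSLv3_client_method()` only help when the OpenSSL headers signal the removal through that exact macro. Newer OpenSSL releases gate these declarations on `OPENSSL_NO_SSL3_METHOD`, so a library built without the methods but with `OPENSSL_NO_SSL3` unset would presumably still fail to build here; consider `#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)` in all three places. The guard is also a build-compatibility fix rather than a POODLE mitigation: where the shared library still ships SSLv3, the unchanged `SSLv23_*` branches can still negotiate it unless the context options exclude it. A comment at the first guard would make that explicit, e.g. `// Build guard only: SSLv23_* can still negotiate SSLv3 unless SSL_OP_NO_SSLv3 is set.` `SecureContext::Init` starts and ends outside the hunk.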