Merge pull request #296 from DavidZey/poodle_fix

turn off sslv2 as well
theVolary · Oct 17, 2014 · 5037406 · 5037406
2 parents dde39d3 + e0ce153
commit 5037406
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/lib/server.js b/lib/server.js
@@ -313,11 +313,15 @@ exports.init = function(options, cb) {
                     cert: fs.readFileSync(options.ssl.cert)
                   };
 
-                  // disable SSLv3 by default to prevent POODLE exploit
-                  if (!options.ssl.allowSSLv3) {
-                    // Supply `SSL_OP_NO_SSLv3` constant as secureOption to disable SSLv3
+                  // disable SSLv2 and SSLv3 by default to prevent POODLE exploit
+                  // There is a bit of a debate on when this will appear in node core 
+                  // and whether it will be on or off by default. https://github.com/joyent/node/pull/8551
+                  // This current solution will work until the Node community decides.
+                  if (!options.ssl.allowSSLv23) {
+
+                    // Supply `SSL_OP_NO_SSLv3` and `SSL_OP_NO_SSLv2` constant as secureOption to disable SSLv2 and SSLv3
                     // from the list of supported protocols that SSLv23_method supports.
-                    tlsOptions.secureOptions = constants.SSL_OP_NO_SSLv3;
+                    tlsOptions.secureOptions = constants.SSL_OP_NO_SSLv3|constants.SSL_OP_NO_SSLv2;
                   }
 
                   if (options.ssl.ca) {