authorPeter Powell <petpow@saberuk.com>2017-11-30 12:23:33 +0000
committerPeter Powell <petpow@saberuk.com>2017-11-30 13:42:14 +0000
commit9201b69a13b81ca5cfa97a49ecdd035e463883f7 (patch)
tree689dad79f0b1d30fa47f8cc9086d4b491dbb4075 /src/modules/extra/m_ssl_openssl.cpp
parentc83ce753688bde7b6106acf2de44c3cf29b30a7e (diff)
Improve TLS security configuration in m_ssl_openssl.
- Always disable SSLv3. Unreal has already done this so clients will have to upgrade anyway.
- Disable TLSv1.0 by default. Various security standards (e.g. PCI DSS) are already planning on sunsetting this so we should too.
Diffstat (limited to 'src/modules/extra/m_ssl_openssl.cpp')
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp7
1 files changed, 3 insertions, 4 deletions
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index ae5e213b7..1aab0d086 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -130,7 +130,7 @@ namespace OpenSSL
{
// Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
// and when choosing a cipher, use the server's preferences instead of the client preferences.
- long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+ long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
// Only turn options on if they exist
#ifdef SSL_OP_SINGLE_ECDH_USE
opts |= SSL_OP_SINGLE_ECDH_USE;
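Review bot: The comment above the new `opts` line still describes these as "sane default options", but SSL_OP_NO_SSLv3 is now a hard, non-overridable setting, and the second hunk drops the `sslv3` config key that previously controlled it; a reader of this block cannot tell that an existing `sslv3="yes"` in a config file is now silently ignored. Suggest extending the comment: `// SSLv3 is always disabled and cannot be re-enabled from the config; the old "sslv3" key is no longer read.` It is also worth noting, presumably for a follow-up, that on OpenSSL 1.1.0 and later SSL_CTX_set_min_proto_version expresses a floor directly rather than opting out of versions one flag at a time, which avoids leaving an older version enabled by omission; whether the module's supported OpenSSL range permits that is not visible here. Whether the config loader should warn when the removed key is still present belongs to the second hunk, whose end lies outside this view.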
@@ -291,9 +291,8 @@ namespace OpenSSL
if (!tag->getBool("compression", false)) // Disable compression by default
setoptions |= SSL_OP_NO_COMPRESSION;
#endif
- if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default
- setoptions |= SSL_OP_NO_SSLv3;
- if (!tag->getBool("tlsv1", true))
+ // Disable TLSv1.0 by default.
+ if (!tag->getBool("tlsv1", false))
setoptions |= SSL_OP_NO_TLSv1;
if (!setoptions && !clearoptions)