Improve TLS security configuration in m_ssl_openssl.
authorPeter Powell <petpow@saberuk.com>
Thu, 30 Nov 2017 12:23:33 +0000 (12:23 +0000)
committerPeter Powell <petpow@saberuk.com>
Thu, 30 Nov 2017 13:42:14 +0000 (13:42 +0000)
- Always disable SSLv3. Unreal has already done this so clients
  will have to upgrade anyway.

- Disable TLSv1.0 by default. Various security standards (e.g.
  PCI DSS) are already planning on sunsetting this so we should
  too.

src/modules/extra/m_ssl_openssl.cpp

index ae5e213b7c119e66b2dd2a611ce38e0c87a3e476..1aab0d0866214d16a87d4c3f69b696cc0449b853 100644 (file)
@@ -130,7 +130,7 @@ namespace OpenSSL
                {
                        // Sane default options for OpenSSL see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
                        // and when choosing a cipher, use the server's preferences instead of the client preferences.
-                       long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
+                       long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_SINGLE_DH_USE;
                        // Only turn options on if they exist
 #ifdef SSL_OP_SINGLE_ECDH_USE
                        opts |= SSL_OP_SINGLE_ECDH_USE;
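Review bot: The comment above the changed line still describes `opts` only as "Sane default options", so a reader cannot tell that SSLv3 is now switched off here unconditionally rather than through the `sslv3` config key that the second hunk removes; extend it with `// SSLv3 is always disabled (no longer configurable) because of its known protocol weaknesses.` The growing single-line `|` chain would also diff more cleanly with one option per line. The enclosing function starts and ends outside the hunk.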
@@ -291,9 +291,8 @@ namespace OpenSSL
                        if (!tag->getBool("compression", false)) // Disable compression by default
                                setoptions |= SSL_OP_NO_COMPRESSION;
 #endif
-                       if (!tag->getBool("sslv3", false)) // Disable SSLv3 by default
-                               setoptions |= SSL_OP_NO_SSLv3;
-                       if (!tag->getBool("tlsv1", true))
+                       // Disable TLSv1.0 by default.
+                       if (!tag->getBool("tlsv1", false))
                                setoptions |= SSL_OP_NO_TLSv1;
 
                        if (!setoptions && !clearoptions)
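Review bot: Removing the `sslv3` handling means an existing config that sets `sslv3="yes"` is now silently ignored, and the flipped `tlsv1` default changes behaviour for configs that never set the key, with no diagnostic in either case. Consider logging once when the tag still carries the dead key, e.g. `if (!tag->getString("sslv3").empty()) /* log: sslv3 is no longer configurable */`, and noting the new `tlsv1` default in the module documentation. Also, if `clearoptions` on the last line is read from the config (it is only used here, so that is inferred), the SSL_OP_NO_SSLv3 now set in the context defaults could presumably still be cleared that way, which would undercut "always disable SSLv3" in the commit message — worth confirming. The enclosing function starts and ends outside the hunk.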