There doesn't seem to be a way to disable SSL 3.0 protocol
GoogleCodeExporter opened this issue · 3 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
1. Go to a test site for SSL certificate: https://www.digicert.com/help
2. Enter your URL for a shellinabox server with SSL support and then click to check the SSL cert.
What is the expected output? What do you see instead?
It should show a green checkmark for Protocol Support without any warnings.
Instead it shows this:
SSL 3.0 is an outdated protocol version with known vulnerabilities
This is easy to disable in the apache config file, but I don't see a way in the manual page on how to disable the protocol using shellinabox as a web server.
What version of the product are you using? On what operating system?
shellinabox-2.14-27.git88822c1.fc19.x86_64 already installed and latest version (on Fedora 19)
Please provide any additional information below.
For more information on the vulnerability:
https://www.digicert.com/cert-inspector-vulnerabilities.htm#ssl_3_protocol_enabled
Original issue reported on code.google.com by markhric...@gmail.com
on 27 Nov 2014 at 7:33
GoogleCodeExporter commented
[deleted comment]
GoogleCodeExporter commented
Issue 215 has a patch that is supposed to disable SSL 3.0 but it fails to build after applying it (for me); I've attached the log output from make.
Original comment by p...@hughesbox.co.uk
on 27 Nov 2014 at 2:02
Attachments:
GoogleCodeExporter commented
A fix for this has been released by JGRennison on GitHub:
https://github.com/JGRennison/shellinabox.
Original comment by p...@hughesbox.co.uk
on 15 Dec 2014 at 8:46