There doesn't seem to be a way to disable SSL 3.0 protocol

Question

There doesn't seem to be a way to disable SSL 3.0 protocol

Opened this issue 9 years ago · 3 comments

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. Go to a test site for SSL certificate: https://www.digicert.com/help

2. Enter your URL for a shellinbox server with SSL support and then click to 
check the SSL cert.

What is the expected output? What do you see instead?

It should show a green checkmark for Protocol Support without any warnings. 

Instead it shows this:

SSL 3.0 is an outdated protocol version with known vulnerabilities

This is easy to disable in the apache config file, but I don't see a way in the 
manual page on how to disable the protocol using shellinabox as a web server.

What version of the product are you using? On what operating system?

shellinabox-2.14-27.git88822c1.fc19.x86_64 already installed and latest version 
(on Fedora 19)

Please provide any additional information below.

For more information on the vulnerability:

https://www.digicert.com/cert-inspector-vulnerabilities.htm#ssl_3_protocol_enabl
ed

Original issue reported on code.google.com by markhric...@gmail.com on 27 Nov 2014 at 7:33

Answer 1 · 2015-06-23T16:51:32.000Z

[deleted comment]

Answer 2 · 2015-06-23T16:51:32.000Z

Issue 215 has a patch that is supposed to disable SSL 3.0 but it fails to build 
after applying it (for me); I've attached the log output from make.

Original comment by p...@hughesbox.co.uk on 27 Nov 2014 at 2:02

Attachments:

output.txt

Answer 3 · 2015-06-23T16:51:32.000Z

A fix for this has been released by JGRennison on GitHub: 
https://github.com/JGRennison/shellinabox.

Original comment by p...@hughesbox.co.uk on 15 Dec 2014 at 8:46