Disallow SSLv3 connections and session tickets.

shizmob · Nov 7, 2016 · 2fbddfb · 2fbddfb
1 parent 4d58aac
commit 2fbddfb
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/pydle/connection.py b/pydle/connection.py
@@ -120,9 +120,10 @@ def setup_tls(self):
             self.tls_context.load_cert_chain(self.tls_certificate_file, self.tls_certificate_keyfile, password=self.tls_certificate_password)
 
         # Set some relevant options:
-        # - No server should use SSLv2 any more, it's outdated and full of security holes.
+        # - No server should use SSLv2 or SSLv3 any more, they are outdated and full of security holes. (RFC6176, RFC7568)
         # - Disable compression in order to counter the CRIME attack. (https://en.wikipedia.org/wiki/CRIME_%28security_exploit%29)
-        for opt in [ 'NO_SSLv2', 'NO_COMPRESSION']:
+        # - Disable session resumption to maintain perfect forward secrecy. (https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/)
+        for opt in ['NO_SSLv2', 'NO_SSLv3', 'NO_COMPRESSION', 'NO_TICKET']:
             if hasattr(ssl, 'OP_' + opt):
                 self.tls_context.options |= getattr(ssl, 'OP_' + opt)