Merge pull request #295 from DavidZey/poodle_fix

POODLE fix for JIRA HUDEV-95
theVolary · Oct 17, 2014 · dde39d3 · dde39d3
2 parents 5e7efc2 + c9634d8
commit dde39d3
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/lib/server.js b/lib/server.js
@@ -16,7 +16,8 @@ var tls             = require("tls"),
     restProxy       = require("./restProxy"),
     connectRouter   = require("./router_connect"),
     console         = require("console"),
-    ResourcePackager = require("./resource-packager");
+    ResourcePackager = require("./resource-packager"),
+    constants       = require('constants');
 
 exports.init = function(options, cb) {
 
@@ -301,9 +302,24 @@ exports.init = function(options, cb) {
                   }
 
                   tlsOptions = {
+                    // This is the default secureProtocol used by Node.js, but it might be
+                    // sane to specify this by default as it's required if you want to
+                    // remove supported protocols from the list. This protocol supports:
+                    //
+                    // - SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+                    //
+                    secureProtocol: 'SSLv23_method',
                     key: fs.readFileSync(options.ssl.key),
                     cert: fs.readFileSync(options.ssl.cert)
                   };
+
+                  // disable SSLv3 by default to prevent POODLE exploit
+                  if (!options.ssl.allowSSLv3) {
+                    // Supply `SSL_OP_NO_SSLv3` constant as secureOption to disable SSLv3
+                    // from the list of supported protocols that SSLv23_method supports.
+                    tlsOptions.secureOptions = constants.SSL_OP_NO_SSLv3;
+                  }
+
                   if (options.ssl.ca) {
                     tlsOptions.ca = [];
                     _.each(options.ssl.ca, function(ca) {