Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There doesn't seem to be a way to disable SSL 3.0 protocol #270

Open
GoogleCodeExporter opened this issue Mar 16, 2015 · 3 comments
Open

Comments

@GoogleCodeExporter
Copy link

What steps will reproduce the problem?
1. Go to a test site for SSL certificate: https://www.digicert.com/help

2. Enter your URL for a shellinbox server with SSL support and then click to 
check the SSL cert.

What is the expected output? What do you see instead?

It should show a green checkmark for Protocol Support without any warnings. 

Instead it shows this:

SSL 3.0 is an outdated protocol version with known vulnerabilities

This is easy to disable in the apache config file, but I don't see a way in the 
manual page on how to disable the protocol using shellinabox as a web server.

What version of the product are you using? On what operating system?

shellinabox-2.14-27.git88822c1.fc19.x86_64 already installed and latest version 
(on Fedora 19)

Please provide any additional information below.

For more information on the vulnerability:

https://www.digicert.com/cert-inspector-vulnerabilities.htm#ssl_3_protocol_enabl
ed

Original issue reported on code.google.com by [email protected] on 27 Nov 2014 at 7:33

@GoogleCodeExporter
Copy link
Author

[deleted comment]

@GoogleCodeExporter
Copy link
Author

Issue 215 has a patch that is supposed to disable SSL 3.0 but it fails to build 
after applying it (for me); I've attached the log output from make.

Original comment by [email protected] on 27 Nov 2014 at 2:02

Attachments:

@GoogleCodeExporter
Copy link
Author

A fix for this has been released by JGRennison on GitHub: 
https://github.com/JGRennison/shellinabox.

Original comment by [email protected] on 15 Dec 2014 at 8:46

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant