
shellinabox - issue #270

There doesn't seem to be a way to disable SSL 3.0 protocol


Posted on Nov 27, 2014 by Grumpy Dog

What steps will reproduce the problem?

  1. Go to a test site for SSL certificate: https://www.digicert.com/help
  2. Enter your URL for a shellinabox server with SSL support and then click to check the SSL cert.

What is the expected output? What do you see instead?

It should show a green checkmark for Protocol Support without any warnings.

Instead it shows this:

SSL 3.0 is an outdated protocol version with known vulnerabilities

This is easy to disable in the Apache config file, but I don't see a way in the manual page to disable the protocol using shellinabox as a web server.

What version of the product are you using? On what operating system?

shellinabox-2.14-27.git88822c1.fc19.x86_64 already installed and latest version (on Fedora 19)

Please provide any additional information below.

For more information on the vulnerability:

https://www.digicert.com/cert-inspector-vulnerabilities.htm#ssl_3_protocol_enabled

Comment #1

Posted on Nov 27, 2014 by Happy Horse

Comment deleted

Comment #2

Posted on Nov 27, 2014 by Happy Horse

Issue 215 has a patch that is supposed to disable SSL 3.0 but it fails to build after applying it (for me); I've attached the log output from make.

Comment #3

Posted on Dec 15, 2014 by Happy Horse

A fix for this has been released by JGRennison on GitHub: https://github.com/JGRennison/shellinabox.

Status: New

Labels:
Type-Defect Priority-Medium