
shellinabox - issue #270
There doesn't seem to be a way to disable SSL 3.0 protocol
What steps will reproduce the problem?
1. Go to a test site for SSL certificate: https://www.digicert.com/help
2. Enter your URL for a shellinabox server with SSL support and then click to check the SSL cert.
What is the expected output? What do you see instead?
It should show a green checkmark for Protocol Support without any warnings.
Instead it shows this:
SSL 3.0 is an outdated protocol version with known vulnerabilities
This is easy to disable in the apache config file, but I don't see a way in the manual page on how to disable the protocol using shellinabox as a web server.
What version of the product are you using? On what operating system?
shellinabox-2.14-27.git88822c1.fc19.x86_64 already installed and latest version (on Fedora 19)
Please provide any additional information below.
For more information on the vulnerability:
https://www.digicert.com/cert-inspector-vulnerabilities.htm#ssl_3_protocol_enabled
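A local check for the condition reported above, as an added example that is not part of the original issue or of the shellinabox project: it sends a ClientHello offering only SSL 3.0 and classifies the server's first reply record. The function names, the cipher suite list and the result labels are assumptions of this example.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Cipher suites offered (constructed list of common SSLv3-era RSA suites).
SUITES = [0x000A, 0x002F, 0x0035, 0x0005, 0x0004]


def build_sslv3_client_hello(random_bytes=None):
    """Return a ClientHello record that offers SSL 3.0 as the only version."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + rnd + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first record of the server's reply."""
    if len(data) < 5:                         # closed or empty: nothing negotiated
        return "no-reply"
    rec_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + length]
    if rec_type == 0x15:                      # alert record: handshake refused
        return "rejected"
    if rec_type == 0x16 and len(body) >= 6 and body[0] == 0x02:
        # ServerHello: bytes 4..5 of the handshake message are server_version
        return "sslv3-accepted" if body[4:6] == SSL3 else "other-version"
    return "unknown"


def check_host(host, port=443, timeout=5.0):
    """Probe host:port (a server you operate; the default port is an assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"
```

A result of "rejected" or "no-reply" only shows that this particular hello was refused; a server that shares none of the offered cipher suites would refuse it even with SSL 3.0 enabled.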
Comment #1
Posted on Nov 27, 2014 by Happy Horse
Comment deleted
Comment #2
Posted on Nov 27, 2014 by Happy Horse
Issue 215 has a patch that is supposed to disable SSL 3.0 but it fails to build after applying it (for me); I've attached the log output from make.
- output.txt 13.46KB
Comment #3
Posted on Dec 15, 2014 by Happy Horse
A fix for this has been released by JGRennison on GitHub: https://github.com/JGRennison/shellinabox.
Status: New
Labels:
Type-Defect
Priority-Medium