| author | Alexander Barton <alex@barton.de> | 2014-10-16 13:42:24 +0200 |
|---|---|---|
| committer | Alexander Barton <alex@barton.de> | 2014-10-16 13:42:24 +0200 |
| commit | 100de3e4ccaab10524821d4262f6a8c3342224f8 (patch) | |
| tree | 6dfaed78f970de97d577a9f2e47792ab84a973eb | |
| parent | 7b58538074ad947ab493c45206cec61eae681f7c (diff) | |
Update "CipherList" to not enable SSLv3 by default
Idea, initial patch, and testing by Christoph Biedl <ngircd.anoy@manchmal.in-ulm.de>
| -rw-r--r-- | doc/sample-ngircd.conf.tmpl | 4 | ||||
| -rw-r--r-- | man/ngircd.conf.5.tmpl | 4 | ||||
| -rw-r--r-- | src/ngircd/conf.c | 4 |
3 files changed, 6 insertions, 6 deletions
diff --git a/doc/sample-ngircd.conf.tmpl b/doc/sample-ngircd.conf.tmpl
index 1d07822c..b5db1d9e 100644
--- a/doc/sample-ngircd.conf.tmpl
+++ b/doc/sample-ngircd.conf.tmpl
@@ -259,9 +259,9 @@
 # See 'man 1ssl ciphers' (OpenSSL) or 'man 3 gnutls_priority_init'
 # (GnuTLS) for details.
 # For OpenSSL:
- ;CipherList = HIGH:!aNULL:@STRENGTH
+ ;CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
 # For GnuTLS:
- ;CipherList = SECURE128
+ ;CipherList = SECURE128:-VERS-SSL3.0
 # Diffie-Hellman parameters
 ;DHFile = :ETCDIR:/ssl/dhparams.pem
diff --git a/man/ngircd.conf.5.tmpl b/man/ngircd.conf.5.tmpl
index 9b2ed082..0d57f902 100644
--- a/man/ngircd.conf.5.tmpl
+++ b/man/ngircd.conf.5.tmpl
@@ -1,7 +1,7 @@
 .\"
 .\" ngircd.conf(5) manual page template
 .\"
-.TH ngircd.conf 5 "Jan 2014" ngIRCd "ngIRCd Manual"
+.TH ngircd.conf 5 "Oct 2014" ngIRCd "ngIRCd Manual"
 .SH NAME
 ngircd.conf \- configuration file of ngIRCd
 .SH SYNOPSIS
@@ -375,7 +375,7 @@ SSL Certificate file of the private server key.
 .TP
 \fBCipherList\fR (string)
 Select cipher suites allowed for SSL/TLS connections. This defaults to
-"HIGH:!aNULL:@STRENGTH" (OpenSSL) or "SECURE128" (GnuTLS).
+"HIGH:!aNULL:@STRENGTH:!SSLv3" (OpenSSL) or "SECURE128:-VERS-SSL3.0" (GnuTLS).
 Please see 'man 1ssl ciphers' (OpenSSL) and 'man 3 gnutls_priority_init' (GnuTLS) for details.
 .TP
diff --git a/src/ngircd/conf.c b/src/ngircd/conf.c
index 6692ecbb..5f8c3929 100644
--- a/src/ngircd/conf.c
+++ b/src/ngircd/conf.c
@@ -88,10 +88,10 @@ static void Init_Server_Struct PARAMS(( CONF_SERVER *Server ));
 #endif
 #ifdef HAVE_LIBSSL
-#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH"
+#define DEFAULT_CIPHERS "HIGH:!aNULL:@STRENGTH:!SSLv3"
 #endif
 #ifdef HAVE_LIBGNUTLS
-#define DEFAULT_CIPHERS "SECURE128"
+#define DEFAULT_CIPHERS "SECURE128:-VERS-SSL3.0"
 #endif
 #ifdef SSL_SUPPORT |
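Review bot: In the OpenSSL branch of the src/ngircd/conf.c hunk, `!SSLv3` in `DEFAULT_CIPHERS` is a cipher-suite selector rather than a protocol switch: it removes every suite that was introduced with SSLv3, and TLS 1.0 and 1.1 negotiate those same suites, so with OpenSSL this default most likely leaves only TLS 1.2 suites and rejects TLS 1.0/1.1-only clients as well. The GnuTLS string behaves differently, since `-VERS-SSL3.0` removes only the protocol version. Because the protection lives solely in the default string, an operator who sets their own `CipherList` silently gets SSLv3 back. It would be more robust to disable the protocol where the OpenSSL context is created (outside this diff), e.g. `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);` on the context object. At minimum, add a comment above the define such as `/* "!SSLv3" drops all SSLv3-era suites, so TLS 1.0/1.1-only peers are refused too */` and mention the same in the man page text.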