diff -urN ./Pound-2.7c.orig/config.c ./Pound-2.7c/config.c
--- ./Pound-2.7c.orig/config.c 2014-04-21 13:16:08.000000000 +0200
+++ ./Pound-2.7c/config.c 2014-10-16 01:25:50.190376633 +0200
@@ -78,7 +78,7 @@
 static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
 static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
 static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, DisableSSLv2, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers;
+static regex_t ClientCert, AddHeader, DisableSSLv2, DisableSSLv3, DisableTLSv1, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers;
 static regex_t CAlist, VerifyList, CRLlist, NoHTTPS11, Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert;
 static regex_t Disabled, Threads, CNName, Anonymise;
@@ -928,6 +928,8 @@
 res->err503 = "The service is not available. Please try again later.";
 res->allow_client_reneg = 0;
 res->disable_ssl_v2 = 0;
+ res->disable_ssl_v3 = 0;
+ res->disable_tls_v1 = 0;
 res->log_level = log_level;
 if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
 conf_err("xHTTP bad default pattern - aborted");
@@ -1118,6 +1120,10 @@
 }
 } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) {
 res->disable_ssl_v2 = 1;
+ } else if(!regexec(&DisableSSLv3, lin, 4, matches, 0)) {
+ res->disable_ssl_v3 = 1;
+ } else if(!regexec(&DisableTLSv1, lin, 4, matches, 0)) {
+ res->disable_tls_v1 = 1;
 } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
 res->allow_client_reneg = atoi(lin + matches[1].rm_so);
 if (res->allow_client_reneg == 2) {
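Review bot: Both new listener flags are initialised to 0 on the `res->disable_ssl_v3 = 0;` and `res->disable_tls_v1 = 0;` lines, so every existing configuration keeps SSLv3 negotiable until an operator adds DisableSSLv3 to each ListenHTTPS block. The existing `res->disable_ssl_v2 = 0;` follows the same opt-in pattern, so the choice is consistent, but for a change whose purpose is retiring SSLv3 it deserves an explicit decision: either flip the default to `res->disable_ssl_v3 = 1;` and give the directive an argument so it can be re-enabled, or keep opt-in and make sure the man page and sample configuration name both new directives. The listener-initialisation function this belongs to starts and ends outside the hunk.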
@@ -1218,6 +1224,10 @@
 SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
 if (res->disable_ssl_v2 == 1)
 SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
+ if (res->disable_ssl_v3 == 1)
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
+ if (res->disable_tls_v1 == 1)
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_TLSv1);
 sprintf(lin, "%d-Pound-%ld", getpid(), random());
 SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
 SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);
@@ -1421,6 +1431,8 @@
 || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableSSLv3, "^[ \t]*DisableSSLv3[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableTLSv1, "^[ \t]*DisableTLSv1[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1583,6 +1595,8 @@
 regfree(&AddHeader);
 regfree(&SSLAllowClientRenegotiation);
 regfree(&DisableSSLv2);
+ regfree(&DisableSSLv3);
+ regfree(&DisableTLSv1);
 regfree(&SSLHonorCipherOrder);
 regfree(&Ciphers);
 regfree(&CAlist);
diff -urN ./Pound-2.7c.orig/pound.h ./Pound-2.7c/pound.h
--- ./Pound-2.7c.orig/pound.h 2014-04-21 13:16:08.000000000 +0200
+++ ./Pound-2.7c/pound.h 2014-10-16 01:24:52.581141100 +0200
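Review bot: The new `if (res->disable_tls_v1 == 1)` branch sets only SSL_OP_NO_TLSv1, so a listener configured with DisableTLSv1 but without DisableSSLv3 refuses TLS 1.0 while still accepting the older SSLv3 — a gap in the negotiable protocol set that no operator is likely to intend. Making the stronger directive imply the weaker ones keeps the set monotonic: `SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);` in the DisableTLSv1 branch, and `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` in the DisableSSLv3 branch; an alternative is a conf_err when the combination is inconsistent. These options are applied to the listener context `pc->ctx` only; whether TLS contexts for HTTPS backends elsewhere in the file receive the same treatment cannot be seen from this hunk. The enclosing function begins and ends outside the hunk.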
@@ -409,6 +409,8 @@
 int log_level; /* log level for this listener */
 int allow_client_reneg; /* Allow Client SSL Renegotiation */
 int disable_ssl_v2; /* Disable SSL version 2 */
+ int disable_ssl_v3; /* Disable SSL version 3 */
+ int disable_tls_v1; /* Disable TLSv1 */
 SERVICE *services;
 struct _listener *next;
 } LISTENER;
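Review bot: The field comment `/* Disable TLSv1 */` reads as if it covered the whole TLS family, whereas the option it drives in config.c, SSL_OP_NO_TLSv1, removes only TLS 1.0 from the listener; suggest `/* Disable TLS version 1.0 only (later TLS versions unaffected) */`. The sibling comment `/* Disable SSL version 3 */` is precise as written. The LISTENER struct definition begins before this hunk.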