1

Is there a way to prevent Thin from accepting requests using SSLv3?

I cannot find any resources on how to deal with Poodle for a Thin server running with SSL. I don't want to move thin behind nginx if I don't have to so any resources would be helpful. I took a look at the source code but couldn't find a way to monkey patch it, can't even find a reference to it.

Danesh
  • 145
  • 7

1 Answers1

2

Thin uses eventmachine, so the solution involves making eventmachine not use SSLv2 or v3.

This discussion has some insights on a generic patch https://github.com/eventmachine/eventmachine/issues/359

Another option is to build eventmachine with a patch to disable (https://github.com/eventmachine/eventmachine/wiki/Building-EventMachine) and then a patch of

--- a/ext/ssl.cpp
+++ b/ext/ssl.cpp
@@ -145,7 +145,7 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
        }

        bIsServer = is_server;
-       pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+       pCtx = SSL_CTX_new (is_server ? TLSv1_server_method() : TLSv1_client_method());
        if (!pCtx)
                throw std::runtime_error ("no SSL context");

I haven't been able to get it fully tested, but this command should fail:

openssl s_client -connect 127.0.0.1:3000 -ssl3
Tom Guevin
  • 36
  • 1