Thin uses eventmachine, so the solution involves making eventmachine not use SSLv2 or v3.
This discussion has some insights on a generic patch:
https://github.com/eventmachine/eventmachine/issues/359
Another option is to build eventmachine with a patch to disable them
(https://github.com/eventmachine/eventmachine/wiki/Building-EventMachine),
using the following patch:
--- a/ext/ssl.cpp
+++ b/ext/ssl.cpp
@@ -145,7 +145,7 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
}
bIsServer = is_server;
- pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+ pCtx = SSL_CTX_new (is_server ? TLSv1_server_method() : TLSv1_client_method());
if (!pCtx)
throw std::runtime_error ("no SSL context");
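Review bot: On the changed SSL_CTX_new line, TLSv1_server_method() and TLSv1_client_method() pin the context to TLS 1.0 only, so besides dropping SSLv2 and SSLv3 the change also stops TLS 1.1 and 1.2 from being negotiated. Consider keeping SSLv23_server_method() / SSLv23_client_method() and, after the if (!pCtx) check, calling SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), which turns off the old protocols while leaving newer TLS versions available where the linked OpenSSL supports them.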
I haven't been able to get it fully tested, but this command should fail:
openssl s_client -connect 127.0.0.1:3000 -ssl3