
@olov
Created October 15, 2014 08:55
listenandservetls_nossl30.go
// You don't want to serve HTTPS with SSL3.0 support any longer, see:
// http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

// This code supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2
// Chances are you currently do this but want to stop due to POODLE
func serveWithSSL3(addr string, handler http.Handler) error {
	return http.ListenAndServeTLS(addr, "crtfile", "keyfile", handler)
}

// This code instead supports TLS1.0, TLS1.1 and TLS1.2
// But note that it may cause you compatibility problems
// (In particular, TLS_FALLBACK_SCSV is not handled)
func serveWithoutSSL3(addr string, handler http.Handler) error {
	config := &tls.Config{MinVersion: tls.VersionTLS10}
	server := &http.Server{Addr: addr, Handler: handler, TLSConfig: config}
	return server.ListenAndServeTLS("crtfile", "keyfile")
}

func main() {
	// ":443" and http.DefaultServeMux are placeholders for your own addr and handler
	log.Fatal(serveWithoutSSL3(":443", http.DefaultServeMux))
}

olov commented Oct 15, 2014

verify using openssl: openssl s_client -ssl3 -host HOSTNAME -port 443

this should say SSL3_GET_RECORD:wrong version number (among other things)

compare to openssl s_client -tls1
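
A Go counterpart to the openssl check above, added here as an example and not part of the original gist: it starts a throwaway local server with a given MinVersion and reports which protocol versions a pinned client can negotiate. The name probeVersions and the use of httptest are assumptions of this example; crypto/tls in current Go releases no longer implements SSL 3.0, so the -ssl3 probe itself still has to be done with openssl.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probeVersions (hypothetical helper) starts a local HTTPS server whose
// tls.Config has the given MinVersion, attempts one handshake per protocol
// version, and returns the names of the versions the server accepted.
func probeVersions(minVersion uint16) []string {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.StartTLS() // httptest supplies its built-in self-signed test certificate
	defer srv.Close()

	candidates := []struct {
		name string
		id   uint16
	}{
		{"TLS1.0", tls.VersionTLS10}, {"TLS1.1", tls.VersionTLS11},
		{"TLS1.2", tls.VersionTLS12}, {"TLS1.3", tls.VersionTLS13},
	}
	accepted := []string{}
	for _, c := range candidates {
		// Pin the client to exactly one version so each result is unambiguous.
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
			MinVersion:         c.id,
			MaxVersion:         c.id,
			InsecureSkipVerify: true, // test certificate only; not for real clients
		})
		if err != nil {
			continue // handshake refused: the server does not accept this version
		}
		accepted = append(accepted, c.name)
		conn.Close()
	}
	return accepted
}

func main() {
	fmt.Println("MinVersion TLS1.0:", probeVersions(tls.VersionTLS10))
	fmt.Println("MinVersion TLS1.2:", probeVersions(tls.VersionTLS12))
}
```

Refused handshakes are also logged by the test server on stderr, which is the server-side view of the same rejection that openssl reports.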
