Diffstat (limited to 'dpi/https.c')
-rw-r--r--dpi/https.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/dpi/https.c b/dpi/https.c
index e6d2b0e9..da75b9e8 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -156,9 +156,12 @@ static void yes_ssl_support(void)
}
}
- /* Do not use the SSLv2 protocol. */
+ /* SSL2 has been known to be insecure forever, disabling SSL3 is in response
+ * to POODLE, and disabling compression is in response to CRIME.
+ */
if (exit_error == 0){
- SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ssl_context,
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
}
/*Set directory to load certificates from*/
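Review bot: `SSL_OP_NO_COMPRESSION` on the added options line is, as far as I recall, only defined from OpenSSL 1.0.0 on, so this file stops compiling against older libssl where the other two flags still exist; a small compatibility guard near the includes, `#ifndef SSL_OP_NO_COMPRESSION` / `#define SSL_OP_NO_COMPRESSION 0` / `#endif`, keeps the options expression as written and degrades to "no compression control" rather than a build break. The options call itself needs no result check (it returns the new option bitmask), but the same function's second hunk switches to `SSL_CTX_set_cipher_list`, which returns 0 when no cipher in the string can be selected, and that result is still discarded; a 0 there should set `exit_error` like the other setup failures do. The TLS floor after this change is still TLS 1.0, which is worth a one-line comment so the next reader knows that was a deliberate compatibility choice rather than an oversight. yes_ssl_support continues outside this hunk.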
@@ -188,10 +191,11 @@ static void yes_ssl_support(void)
}
if (exit_error == 0){
- /* Need to do the following if we want to deal with all
- * possible ciphers
+ /* Don't want: eNULL, which has no encryption; aNULL, which has no
+ * authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
+ * EXPORT40, which uses 40-bit encryption.
*/
- SSL_set_cipher_list(ssl_connection, "ALL");
+ SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40");
/* Need to do this if we want to have the option of dealing
* with self-signed certs