From ae14012eab8caeae1548a9246c63378cd052efe2 Mon Sep 17 00:00:00 2001
From: "T.C. Hollingsworth"
Date: Tue, 14 Oct 2014 23:00:40 -0700
Subject: [PATCH] use TLSv1 and disable SSLv3 to avoid POODLE attacks

---
 koji/ssl/SSLCommon.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py
index 1a3b3d6..b218a80 100644
--- a/koji/ssl/SSLCommon.py
+++ b/koji/ssl/SSLCommon.py
@@ -37,7 +37,7 @@ def CreateSSLContext(certs):
 if f and not os.access(f, os.R_OK):
 raise StandardError, "%s does not exist or is not readable" % f
- ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
+ ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
 ctx.use_certificate_file(key_and_cert)
 ctx.use_privatekey_file(key_and_cert)
 ctx.load_client_ca(ca_cert)
@@ -45,7 +45,7 @@ def CreateSSLContext(certs):
 verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
 ctx.set_verify(verify, our_verify)
 ctx.set_verify_depth(10)
- ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+ ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
 return ctx
-- 
1.9.3
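Review bot: The second hunk keeps `SSL.OP_NO_TLSv1` in the option mask while the first hunk switches the context to `SSL.TLSv1_METHOD`, so the context's only supported protocol version is also the one being disabled; on OpenSSL builds where the OP_NO_* flags are honoured for fixed-version methods this appears to reject every handshake, and elsewhere it is a contradictory no-op that the `# TLSv1 only` comment does not explain. Pinning to a TLS 1.0-only method also prevents peers from negotiating TLS 1.1/1.2, so the change trades SSLv3 for the next-oldest protocol rather than the best available one. A version-flexible context with the legacy versions masked off expresses the intent directly: `ctx = SSL.Context(SSL.SSLv23_METHOD)  # negotiate highest TLS both sides support` in the first hunk and `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)` in the second. CreateSSLContext begins before the first hunk, so the argument validation and the `certs` handling it relies on are not visible here.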