improved Mojo::IOLoop::Server to prioritize RC4 cipher, which mitigat…

…es the BEAST attack
mojolicious · Jun 24, 2012 · 970dfe7 · 970dfe7
1 parent a99e5e8
commit 970dfe7
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/Changes b/Changes
@@ -17,6 +17,8 @@
   - Added accept_interval attribute to Mojo::IOLoop.
   - Added support for new HTTP status code.
   - Modernized ".perltidyrc".
+  - Improved Mojo::IOLoop::Server to prioritize RC4 cipher, which mitigates
+    the BEAST attack.
   - Improved not found page to highlight custom route names.
   - Improved to method in Mojolicious::Routes::Route to give easier access to
     default parameters.

diff --git a/lib/Mojo/IOLoop/Server.pm b/lib/Mojo/IOLoop/Server.pm
@@ -88,11 +88,14 @@ sub listen {
   return unless $args->{tls};
   croak "IO::Socket::SSL 1.75 required for TLS support" unless TLS;
 
-  # Options
+  # Options (Prioritize RC4 to mitigate BEAST attack)
   my $options = $self->{tls} = {
     SSL_cert_file => $args->{tls_cert} || $CERT,
-    SSL_key_file  => $args->{tls_key}  || $KEY,
-    SSL_startHandshake => 0
+    SSL_cipher_list =>
+      '!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!LOW:RC4-SHA:RC4-MD5:ALL',
+    SSL_honor_cipher_order => 1,
+    SSL_key_file           => $args->{tls_key} || $KEY,
+    SSL_startHandshake     => 0
   };
   %$options = (
     %$options,