applied patch to disable SSLv2 by default; discussion:

http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976 Submitted by Kaspar Brand.
2008-02-19 23:10:07 +00:00
parent 0cae201044
commit f9a6062081
4 changed files with 13 additions and 7 deletions
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1324,6 +1324,10 @@ ossl_connect_step1(struct connectdata *conn,
  */
  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);

+  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
+  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
+    SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2);
+
 #if 0
  /*
   * Not sure it's needed to tell SSL_connect() that socket is