From 2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Wed, 15 Oct 2014 21:02:39 +0000
Subject: Fuck it. No SSLv3; not now, not ever. The API of the future will only support the protocols of the future. (Perhaps a bit late in burning this bridge entirely, but there's no time like the present, esp. with other players now leaning against back compat.)
---
 src/lib/libressl/ressl.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'src/lib/libressl/ressl.c')
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index b500c83063..06c7d54cc2 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.17 2014/10/15 14:11:47 jsing Exp $ */
+/* $OpenBSD: ressl.c,v 1.18 2014/10/15 21:02:39 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -172,14 +172,12 @@ int
 ressl_configure_ssl(struct ressl *ctx)
 {
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
- SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
- if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
- SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
-- 
cgit v1.2.3-55-g6feb
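Review bot: With the `RESSL_PROTOCOL_SSLv3` test removed from ressl_configure_ssl(), a caller that still sets that bit in `config->protocols` is now silently ignored. A mask that requests only SSLv3 leaves TLS 1.0 and 1.1 (and presumably 1.2, handled below the hunk) disabled as well, so the context ends up with no usable protocol version and the problem would likely surface only as an opaque handshake failure. It would be safer to fail closed at configuration time by rejecting a mask with none of the TLS bits set before the `SSL_CTX_clear_options()` calls, and to retire or document the SSLv3 flag where it is declared (not visible here). A comment above the two unconditional calls would record the intent for later readers: `/* SSLv2 and SSLv3 are never enabled, whatever config->protocols says. */`. The function body continues past the end of the hunk, so its return path and the remaining protocol handling could not be checked.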