Hi,
So you have code like this for both client and server:
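/*
 * Select the OpenSSL client method for a worker from a protocol name.
 *
 * sslstr is compared case-insensitively against "SSL", "SSL2" (only when
 * OpenSSL was built with SSLv2 support), "SSL3", "TLS1", "TLS1.1" and
 * "TLS1.2" (OpenSSL 1.0.1 and later), and "DTLS1".  On a match the
 * worker's config->meth is set to the matching *_client_method() and 1 is
 * returned.  On no match, or when sslstr is NULL, config->meth is left
 * untouched and 0 is returned.
 *
 * Security note: only "SSL" (SSLv23_client_method) negotiates across
 * protocol versions; every other name pins exactly one version, and the
 * SSLv2/SSLv3 methods may be absent from the installed library (Debian
 * has disabled the SSLv3 method).  Callers are better served by "SSL" and
 * then excluding unwanted versions with SSL_CTX_set_options()
 * (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 ...).
 */
static int worker_set_client_method(worker_t * worker, const char *sslstr) {
    ssl_wconf_t *config = ssl_get_worker_config(worker);

    /* strcasecmp() on a NULL pointer is undefined behaviour; a missing
     * protocol name simply means "not SSL". */
    if (sslstr == NULL) {
        return 0;
    }

    if (strcasecmp(sslstr, "SSL") == 0) {
        /* Version-flexible method: negotiates the best mutually supported
         * version; restrict with SSL_OP_NO_* options, not by pinning. */
        config->meth = SSLv23_client_method();
    }
#ifndef OPENSSL_NO_SSL2
    else if (strcasecmp(sslstr, "SSL2") == 0) {
        /* Only compiled in when the OpenSSL build still ships SSLv2. */
        config->meth = SSLv2_client_method();
    }
#endif
    else if (strcasecmp(sslstr, "SSL3") == 0) {
        /* Pinned to SSLv3; may be unavailable (disabled in Debian's build). */
        config->meth = SSLv3_client_method();
    }
    else if (strcasecmp(sslstr, "TLS1") == 0) {
        config->meth = TLSv1_client_method();
    }
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
    /* TLS 1.1 / 1.2 methods first appeared in OpenSSL 1.0.1. */
    else if (strcasecmp(sslstr, "TLS1.1") == 0) {
        config->meth = TLSv1_1_client_method();
    }
    else if (strcasecmp(sslstr, "TLS1.2") == 0) {
        config->meth = TLSv1_2_client_method();
    }
#endif
    else if (strcasecmp(sslstr, "DTLS1") == 0) {
        config->meth = DTLSv1_client_method();
    }
    else {
        /* Unknown protocol name: leave config->meth as it was. */
        return 0;
    }

    return 1;
}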
The SSLv3 method has just been disabled in Debian.
I recommend you use the SSLv23_* and DTLS_* methods. They are the
only ones that support multiple versions of the protocol, so the peers
negotiate the best mutually supported version. It would also get you
DTLS 1.2 support.
If you want to be able to disable individual protocol versions, use
SSL_(CTX_)set_options with options such as SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3 rather than pinning a single-version method.
Kurt