From 3a013e94bbf93a83a37a73424afbc9916c9a2868 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Thu, 15 Jun 2017 12:45:28 +0200
Subject: [PATCH] BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib
 have no SSLv3

Commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and
factored for min/max tlsxx" dropped this case. OPENSSL_NO_SSL3 is defined when
the ssl lib has no SSLv3 support; setting SSL_OP_NO_SSLv3 to 0 makes sure that
haproxy is aware of this.
---
 src/ssl_sock.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c3778b7..8940f09 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1808,6 +1808,10 @@ ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_con
 #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
+#ifdef OPENSSL_NO_SSL3                                  /* SSLv3 support removed */
+#undef  SSL_OP_NO_SSLv3
+#define SSL_OP_NO_SSLv3 0
+#endif
 #ifndef SSL_OP_NO_TLSv1_1                               /* needs OpenSSL >= 1.0.1 */
 #define SSL_OP_NO_TLSv1_1 0
 #endif
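Review bot: A library that defines `OPENSSL_NO_SSL3_METHOD` without `OPENSSL_NO_SSL3` is no longer handled, because this block zeroes `SSL_OP_NO_SSLv3` only under `OPENSSL_NO_SSL3` while the second hunk removes the `!defined(OPENSSL_NO_SSL3_METHOD)` test from `ctx_set_SSLv3_func`. If the two macros can be set independently in a supported OpenSSL build (worth confirming), the calls to `SSLv3_server_method()` and `SSLv3_client_method()` would then compile against headers that do not declare them. Widening the guard to `#if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)` keeps a single point of truth and covers both cases. The comment could also say that 0 is the file's marker for "protocol version not available", since later `#if SSL_OP_NO_SSLv3` checks depend on it.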
@@ -1835,7 +1839,7 @@ typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
 
 static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
 {
-#if SSL_OP_NO_SSLv3 && !defined(OPENSSL_NO_SSL3_METHOD)
+#if SSL_OP_NO_SSLv3
 	c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
 		: SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
 #endif
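Review bot: The guarded statement in `ctx_set_SSLv3_func` is a bare conditional expression whose result is thrown away, so a failing `SSL_CTX_set_ssl_version()` leaves the context on its previous method with no indication. Selecting the method inside one call reads more plainly: `SSL_CTX_set_ssl_version(ctx, c == SET_SERVER ? SSLv3_server_method() : SSLv3_client_method());`. Since the function returns `void`, the failure cannot be propagated from here; a short comment saying the return value is ignored on purpose would at least make that explicit. The function's closing brace lies outside the hunk, so this assumes nothing follows the `#endif`.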
-- 
2.1.4

