Really disable SSLv2 and v3 again.
authorWerner Koch <wk@gnupg.org>
Mon, 30 Jan 2017 15:54:09 +0000 (16:54 +0100)
committerWerner Koch <wk@gnupg.org>
Mon, 30 Jan 2017 15:54:18 +0000 (16:54 +0100)
Fixes the last patch.

config.c

index 4df7997..e54b63c 100644 (file)
--- a/config.c
+++ b/config.c
@@ -943,6 +943,7 @@ parse_HTTPS(void)
     POUND_CTX           *pc;
 
     ssl_op_enable = SSL_OP_ALL;
+    ssl_op_enable |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 #ifdef  SSL_OP_NO_COMPRESSION
     ssl_op_enable |= SSL_OP_NO_COMPRESSION;
 #endif
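Review bot: The new line on L17 deserves a comment explaining why SSLv2/SSLv3 are now turned off unconditionally, since the reader of the `Disable` parser further down (the hunk at L21) will no longer find any SSLv2/SSLv3 handling there and may assume it was lost. A short note above the added line would make the contract explicit, e.g. `/* SSLv2 and SSLv3 are always disabled; "Disable" can only remove TLS versions on top of this baseline. */`. Unlike `SSL_OP_NO_COMPRESSION` on the next line, the two macros are used without an `#ifdef` guard; that is consistent with OpenSSL keeping them defined even after removing the protocols, but it is a visible asymmetry worth a word in the same comment. parse_HTTPS begins before this hunk.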
@@ -1154,18 +1155,16 @@ parse_HTTPS(void)
               ;
 #ifdef SSL_OP_NO_TLSv1
             else if(strcasecmp(lin + matches[1].rm_so, "TLSv1") == 0)
-                ssl_op_enable |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
+                ssl_op_enable |= SSL_OP_NO_TLSv1;
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
             else if(strcasecmp(lin + matches[1].rm_so, "TLSv1_1") == 0)
-                ssl_op_enable |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
+                ssl_op_enable |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
             else if(strcasecmp(lin + matches[1].rm_so, "TLSv1_2") == 0)
-                ssl_op_enable |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+                ssl_op_enable |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 #endif
-            else
-                ssl_op_enable |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
         } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
             res->allow_client_reneg = atoi(lin + matches[1].rm_so);
             if (res->allow_client_reneg == 2) {
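Review bot: With the trailing `else` branch removed (old L38-L39), a `Disable` value that matches none of the recognized names is now silently ignored, so a misspelling such as `TLSv1.2` instead of `TLSv1_2` leaves that protocol enabled without any warning. Before the change the fallback at least set the SSLv2/SSLv3 bits; now the chain ends at `#endif` and an unknown token does nothing. Since the point of the directive is to narrow what the listener accepts, a rejected configuration is safer than a silently ignored one: restore an `else` that reports the error, e.g. `else conf_err("Unknown protocol in Disable directive");` if that matches the configuration error helper used elsewhere in this file. Note that because each `else if` is inside its own `#ifdef`, the new `else` still attaches correctly to the leading `if` whose body is the lone `;` at L22; that leading `if` starts outside this hunk.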