From d893d96f8faeaf709ee906eae80b3f24db2750be Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 3 Jun 2014 01:35:00 +0100
Subject: [PATCH] Subject: [PATCH] SSL: Disable support for SSLv2 and SSLv3.

---
 lib/ssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/ssl.c b/lib/ssl.c
index d6087b5..a546ae0 100644
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -114,6 +114,10 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 	/*
 	 * Firefox insists on SSLv23 not SSLv3
 	 * Konq disables SSLv2 by default now, SSLv23 works
+	 *
+	 * SSLv23_server_method() is the openssl method for "allow all TLS
+	 * versions", compared to e.g. TLSv1_2_server_method() which only allows
+	 * tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options()
 	 */
 	method = (SSL_METHOD *)SSLv23_server_method();
 
@@ -133,6 +137,8 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 		return 1;
 	}
 
+	/* Disable SSLv2 and SSLv3 */
+	SSL_CTX_set_options(context->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 #ifdef SSL_OP_NO_COMPRESSION
 	SSL_CTX_set_options(context->ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif
-- 
2.7.4
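Review bot: The new `SSL_CTX_set_options(context->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` in the second hunk is unguarded while the `SSL_OP_NO_COMPRESSION` call two lines below it is wrapped in `#ifdef`; if the project builds against a TLS library whose compatibility header lacks either macro, this line is a compile error, so either guard the flags the same way or record in the comment why both are assumed present. The comment should also state what remains enabled, since with SSLv23_server_method() the context still negotiates TLS 1.0 and TLS 1.1: `/* Disable SSLv2 and SSLv3; TLS 1.0 and later remain negotiable */`. If a client-side SSL_CTX is created elsewhere in this file, the same version policy presumably needs applying there too, which this patch does not show. On OpenSSL 1.1.0 and later, SSL_CTX_set_min_proto_version() expresses a minimum version more directly than per-version NO_ flags, should the project's supported libraries allow it. lws_context_init_server_ssl() begins before and ends after this hunk.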