authorJanusz Dziemidowicz <rraptorr@nails.eu.org>2012-07-18 21:57:28 +0200
committerJanusz Dziemidowicz <rraptorr@nails.eu.org>2012-07-18 21:57:28 +0200
commite06c1c49c14c3f56cf4ddae080514f7802669335 (patch)
tree2f473cc854f02d58237231ebb59f53d2b6beb2b8
parentReduce size of XML stream state (diff)
Disable SSL 2.0 in TLS driver
SSL 2.0 is not used anywhere and has known security problems. Disable it unconditionally in both server and client mode. This does _not_ disable support for the SSL 2.0-compatible ClientHello, which will still be accepted in server mode.
Diffstat (limited to '')
-rw-r--r--src/tls/tls_drv.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/tls/tls_drv.c b/src/tls/tls_drv.c
index 6dbdccbe..da11b50a 100644
--- a/src/tls/tls_drv.c
+++ b/src/tls/tls_drv.c
@@ -354,6 +354,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
res = SSL_CTX_check_private_key(ctx);
die_unless(res > 0, "SSL_CTX_check_private_key failed");
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
+
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_verify_paths(ctx);
#ifdef SSL_MODE_RELEASE_BUFFERS
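Review bot: The added `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);` carries a caveat that lives only in the commit message, not in the code: the server will still accept an SSLv2-compatible ClientHello, so anyone reading this line later may assume all SSLv2 handling is gone. I would put that next to the call, e.g. `/* SSLv2 is insecure: refuse it in both roles (the server still parses SSLv2-compatible ClientHellos, which is expected). Tickets are off because the session cache is disabled below. */`. While here, it is worth considering whether SSLv3 should be disabled as well (`SSL_OP_NO_SSLv3`), since it is the weakest protocol that remains negotiable after this change; that is a policy decision and may need to stay off for legacy clients, so it belongs in the same comment either way. Note that `SSL_CTX_set_options` ORs into the existing mask, so nothing set earlier in the function is cleared; tls_drv_control begins before and ends after this hunk.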
@@ -386,10 +388,8 @@ static ErlDrvSSizeT tls_drv_control(ErlDrvData handle,
SSL_set_bio(d->ssl, d->bio_read, d->bio_write);
if (command == SET_CERTIFICATE_FILE_ACCEPT) {
- SSL_set_options(d->ssl, SSL_OP_NO_TICKET);
SSL_set_accept_state(d->ssl);
} else {
- SSL_set_options(d->ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
SSL_set_connect_state(d->ssl);
}
break;