author | des <des@FreeBSD.org> | 2015-01-12 10:02:23 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2015-01-12 10:02:23 +0000 |
commit | 0d480bf6b4f2c062375a93961d373a02dd43ac47 (patch) | |
tree | 2f3c7d2747de135f7432b5da7a4d25b18525dde4 /lib/libfetch/common.c | |
parent | 174dee17606754c607963d982e3a099e42ce1081 (diff) | |
MFH (r273114, r273124): disable SSLv3 by default.
Diffstat (limited to 'lib/libfetch/common.c')
-rw-r--r-- | lib/libfetch/common.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index a6fc47c..eabea2b 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -675,10 +675,14 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET;
 if (getenv("SSL_ALLOW_SSL2") == NULL)
 ssl_ctx_options |= SSL_OP_NO_SSLv2;
- if (getenv("SSL_NO_SSL3") != NULL)
+ if (getenv("SSL_ALLOW_SSL3") == NULL)
 ssl_ctx_options |= SSL_OP_NO_SSLv3;
 if (getenv("SSL_NO_TLS1") != NULL)
 ssl_ctx_options |= SSL_OP_NO_TLSv1;
+ if (getenv("SSL_NO_TLS1_1") != NULL)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+ if (getenv("SSL_NO_TLS1_2") != NULL)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
 if (verbose)
 fetch_info("SSL options: %lx", ssl_ctx_options);
 SSL_CTX_set_options(ctx, ssl_ctx_options);
@@ -873,8 +877,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose)
 }
 if (verbose) {
- fetch_info("SSL connection established using %s",
- SSL_get_cipher(conn->ssl));
+ fetch_info("%s connection established using %s",
+ SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl));
 name = X509_get_subject_name(conn->ssl_cert);
 str = X509_NAME_oneline(name, 0, 0);
 fetch_info("Certificate subject: %s", str); |
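Review bot: In the first hunk (fetch_ssl_setup_transport_layer), the new `getenv("SSL_ALLOW_SSL3") == NULL` test checks only whether the variable exists, so `SSL_ALLOW_SSL3=0` or an empty value still re-enables SSLv3, the protocol this commit turns off by default. A comment above the block would make that explicit, for example `/* Presence alone counts: any value, even "0" or "", allows the protocol. */`, and the same wording applies to the existing SSL_ALLOW_SSL2 test. With SSLv2 and SSLv3 now off by default, setting SSL_NO_TLS1, SSL_NO_TLS1_1 and SSL_NO_TLS1_2 together appears to leave no protocol enabled, and nothing visible here reports that before the handshake fails. The function starts and ends outside the hunk, and the diffstat is limited to common.c, so whether the new variables are documented elsewhere cannot be told from this page.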
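Review bot: In the second hunk (fetch_ssl), the negotiated protocol from `SSL_get_version(conn->ssl)` is reported only inside `if (verbose)`, so a session that negotiated SSLv2 or SSLv3 because the caller opted in through SSL_ALLOW_SSL2 or SSL_ALLOW_SSL3 is silent in a normal run. Consider a comment on this line such as `/* protocol version is logged only when verbose; legacy protocols are not flagged otherwise */`, or an unconditional warning when the negotiated version is below TLSv1. fetch_ssl's body continues outside the hunk, so an existing warning elsewhere cannot be ruled out.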