Add a DISABLE_SSLV3 build option that disables SSLv3 at compile time
index 6df7507..cc8a4ed 100644 (file)
--- a/ck_ssl.c
+++ b/ck_ssl.c
@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
+#endif
                 last_ssl_mode = -1;
                 return(0);
             }
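Review bot: The `#ifndef DISABLE_SSLV3` opened on L10 is closed on L15 across a brace boundary, so in the DISABLE_SSLV3 build it removes the `}` that ends the first `if ( !ssl_ctx )` block together with the `if ( !ssl_ctx ) {` that opens the second, fusing the two statements. The result preprocesses correctly because the dropped `}` and `{` pair up, but it is fragile under the next edit and inconsistent with the second hunk of this commit, where only the fallback call itself is guarded. Guard the `SSL_CTX_new(SSLv3_client_method())` call and, separately, the `SSLv3_client_method failed` debug line, leaving both if-statements unconditional in every build; the `#endif` should also carry the `/* DISABLE_SSLV3 */` trailer used elsewhere in the commit. ssl_tn_init starts before and continues after this hunk.
```c
            if ( !ssl_ctx ) {
                debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
#ifndef DISABLE_SSLV3
                /* Last resort: an SSLv3-only context (built out by DISABLE_SSLV3) */
                ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
#endif /* DISABLE_SSLV3 */
            }
            if ( !ssl_ctx ) {
#ifndef DISABLE_SSLV3
                debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
#endif /* DISABLE_SSLV3 */
                last_ssl_mode = -1;
                return(0);
            }
```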
@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
                     debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
                 } else {
                     debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+#ifndef DISABLE_SSLV3
                     tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+#endif /* DISABLE_SSLV3 */
                     if ( !tls_ctx ) {
+#ifndef DISABLE_SSLV3
                         debug(F110,
-                              "ssl_tn_init","TLSv1_client_method failed",0);
+                              "ssl_tn_init","SSLv3_client_method failed",0);
+#endif /* DISABLE_SSLV3 */
                         debug(F110,
                               "ssl_tn_init","All SSL client methods failed",0);
                         last_ssl_mode = -1;
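Review bot: The fallback on L24 is still compiled in by default, and it silently replaces the version-negotiating SSLv23 context with one that can only speak SSLv3, reported nowhere but the debug trace on L22; nothing in the hunk tells a reader that DISABLE_SSLV3 is the switch that refuses this downgrade. A one-line comment above L24 would make the trade-off explicit: `/* Last resort: SSLv3-only context; build with DISABLE_SSLV3 to refuse this downgrade */`. The "All SSL client methods failed" message on L33 is also slightly misleading in the DISABLE_SSLV3 build, where only SSLv23_client_method was attempted, though that is cosmetic. The enclosing else-branch and ssl_tn_init continue beyond the hunk.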
@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
             /* This can fail because we do not have RSA available */
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
+#ifndef DISABLE_SSLV3
                 ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
             }
             if ( !ssl_ctx ) {
                 debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
+#endif
                 last_ssl_mode = -1;
                 return(0);
             }
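Review bot: The server-side `#ifndef DISABLE_SSLV3` on L39 has the same shape as the client-side one: it is closed on L44 after the second `if ( !ssl_ctx ) {`, so the DISABLE_SSLV3 build removes a `}` and a matching `{` and merges two if-statements. It preprocesses to valid code, but a conditional that straddles braces is easy to break and the plain `#endif` lacks the `/* DISABLE_SSLV3 */` trailer the commit uses in its other hunk. Close the `#ifndef` directly after the `ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());` line and open a second `#ifndef DISABLE_SSLV3` / `#endif /* DISABLE_SSLV3 */` pair around just the `SSLv3_server_method failed` debug call, so both if-statements and their braces stay unconditional. ssl_tn_init continues outside this hunk.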
@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
          * that cannot read poorly written specs :-)
          * for TLS be sure to prevent use of SSLv2
          */
-        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
+        SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
+#ifdef DISABLE_SSLV3
+                                    |SSL_OP_NO_SSLv3
+#endif
+            );
         SSL_CTX_set_options(tls_ctx,
-                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+                 SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+                 |SSL_OP_NO_SSLv3
+#endif
+            );
 
         SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
         SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
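Review bot: The `#ifdef DISABLE_SSLV3` blocks on L54-L56 and L61-L63 are the only place in this commit where SSLv3 is actually refused for a context created by SSLv23_client_method/SSLv23_server_method (the earlier hunks only remove the SSLv3-only constructors), yet the comment that introduces these calls on L49-L51 still says only "be sure to prevent use of SSLv2". Update it so the intent is visible without reading the conditional, e.g. `* for TLS be sure to prevent use of SSLv2, and of SSLv3 when built with DISABLE_SSLV3`. Separately, the `SSL_OP_ALL` mask kept on L53 for ssl_ctx is a bug-workaround set that, in the OpenSSL releases this code appears to target, includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and thus drops the CBC empty-fragment countermeasure; that predates this commit, but a protocol-hardening change is the natural place to at least leave a comment about it. ssl_tn_init continues outside this hunk.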
@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
      * for TLS be sure to prevent use of SSLv2
      */
     SSL_CTX_set_options(tls_http_ctx,
-            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
+            SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+#ifdef DISABLE_SSLV3
+            |SSL_OP_NO_SSLv3
+#endif
+        );
 
     SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);