This patch will disable SSLv3 and SSLv2 by default but leaves
the protocols compiled into the library so that applications
can still use them when they need to (e.g. sslscan).
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-cryptodev.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-fix_parallel_build-1.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1e-weak-ciphers.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
cd $(DIR_APP) && find crypto/ -name Makefile -exec \
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
--- /dev/null
+diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c\r
+--- openssl-1.0.1h/ssl/ssl_lib.c.v2v3 2014-06-11 16:02:52.000000000 +0200\r
++++ openssl-1.0.1h/ssl/ssl_lib.c 2014-06-30 14:18:04.290248080 +0200\r
+@@ -1875,6 +1875,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m\r
+ */\r
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;\r
+ \r
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */\r
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;\r
++\r
+ return(ret);\r
+ err:\r
+ SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);\r
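Review bot: Every line of the new patch file carries a trailing carriage return (the `\r` visible at the end of each added line), so the file is committed with CRLF endings while the Makefile line feeds it to `patch -Np1` against an LF-only OpenSSL tree. Whether GNU patch silently strips the stray CRs depends on its version and on the context lines still matching, so the build may fail or apply with fuzz; the file should be normalised before committing, e.g. `sed -i 's/\r$//' openssl-disable-sslv2-sslv3.patch`, and a `.gitattributes` entry can keep it LF. The added comment would be more useful to the next maintainer if it also named the opt-in path the commit message relies on, e.g. `/* Disable SSLv2 and SSLv3 by default (affects SSLv23_method() only); applications that still need them must clear the flags with SSL_CTX_clear_options() */`. The inner ssl_lib.c hunk is complete here, but the new patch file may continue past this point, so only this hunk is reviewed.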