author | Johannes Hofmann <Johannes.Hofmann@gmx.de> | 2013-01-18 19:14:23 +0100 |
---|---|---|
committer | Johannes Hofmann <Johannes.Hofmann@gmx.de> | 2013-01-18 19:14:23 +0100 |
commit | ce55eab920f80e61b80115346b6faf97edb8ce79 (patch) | |
tree | 364be8f9788132d34aed3ed5b5fba8259e0abac3 | |
parent | ca42d0c0fa8267491cd5a1ade0421d48ee515060 (diff) |
https dpi: disable SSLv2
SSLv2 is considered insecure.
submitted by: p37sitdu@lavabit.com
-rw-r--r-- | dpi/https.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/dpi/https.c b/dpi/https.c
index 9aea31e5..e6d2b0e9 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -75,8 +75,9 @@
 #ifdef ENABLE_SSL
-#include <openssl/ssl.h>
+#include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/ssl.h>
 static int get_network_connection(char * url);
 static int handle_certificate_problem(SSL * ssl_connection);
@@ -155,6 +156,11 @@ static void yes_ssl_support(void)
 }
 }
+ /* Do not use the SSLv2 protocol. */
+ if (exit_error == 0){
+ SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2);
+ }
+
 /*Set directory to load certificates from*/
 /*FIXME - provide for sysconfdir variables and such*/
 if (exit_error == 0){
@@ -286,6 +292,7 @@ static void yes_ssl_support(void)
 /*Actually do SSL connection handshake*/
 if (SSL_connect(ssl_connection) != 1){
 MSG("SSL_connect failed\n");
+ ERR_print_errors_fp(stderr);
 exit_error = 1;
 }
 }
|
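Review bot: Only SSLv2 is switched off in the added `SSL_CTX_set_options` call, so a context created with a version-flexible method can still negotiate SSLv3, which is also deprecated as insecure (RFC 7568). I would extend the mask to `SSL_CTX_set_options(ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, or on OpenSSL 1.1.0 and later set a floor with `SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION);`. How `ssl_context` is created is not visible in this hunk, so confirm which protocol versions its method allows. yes_ssl_support starts and ends outside the hunk.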
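Review bot: The added `ERR_print_errors_fp(stderr)` dumps only the OpenSSL error queue, which can be empty when `SSL_connect` fails for a socket-level reason or a peer close, so the log may still say nothing more than "SSL_connect failed". Keeping the return value and logging `SSL_get_error(ssl_connection, ret)` through `MSG` would record the failure class in every case and keep the output on the same channel as the neighbouring message. Whether `SSL_load_error_strings()` is called earlier is not visible here; without it older OpenSSL versions print numeric codes only. The enclosing function continues outside the hunk.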