--- a/components/apache2/patches/no_ssl2_and_3.patch Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,48 +0,0 @@
-Patch origin: in-house
-Patch status: unclear; so far they disable it just in configuration file
-
-https://bz.apache.org/bugzilla/show_bug.cgi?id=57120
-
---- modules/ssl/ssl_private.h
-+++ modules/ssl/ssl_private.h
-@@ -244,9 +244,9 @@
- #define SSL_PROTOCOL_SSLV3 (1<<1)
- #define SSL_PROTOCOL_TLSV1 (1<<2)
- #ifdef OPENSSL_NO_SSL2
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #else
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #endif
- #ifdef HAVE_TLSV1_X
- #define SSL_PROTOCOL_TLSV1_1 (1<<3)
---- docs/manual/mod/mod_ssl.html.en
-+++ docs/manual/mod/mod_ssl.html.en
-@@ -1082,8 +1082,8 @@
- <p>
- This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
- the Netscape Corporation.
-- It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by
-- almost all popular browsers.</p></li>
-+ It is the successor to SSLv2 and the predecessor to TLSv1. Though its
-+ use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
-
- <li><code>TLSv1</code>
- <p>
-@@ -1103,13 +1103,11 @@
-
- <li><code>All</code>
- <p>
-- This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
-- - when using OpenSSL 1.0.1 and later -
-- ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
-+ This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
- </ul>
- <div class="example"><h3>Example</h3><p><code>
- # enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
--SSLProtocol All -SSLv2
-+SSLProtocol All +SSLv3
- </code></p></div>
-
- </div>