components/libneon/patches/004-ne_openssl.c.patch
author Stefan Teleman <stefan.teleman@oracle.com>
Wed, 13 May 2015 18:56:30 -0700
changeset 4289 a8f2d3273985
parent 4070 de7938d475ad
permissions -rw-r--r--
21085454 libneon should allow TLSv1.0 TLSv1.1 and TLSv1.2

# Disable SSLv2 and SSLv3.
# Internal patch. Not a chance it will be accepted upstream.
--- src/ne_openssl.c	2015-05-13 12:22:57.460825869 -0700
+++ src/ne_openssl.c	2015-05-13 12:31:36.644453270 -0700
@@ -565,7 +565,7 @@
         /* set client cert callback. */
         SSL_CTX_set_client_cert_cb(ctx->ctx, provide_client_cert);
         /* enable workarounds for buggy SSL server implementations */
-        SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL);
+        SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
         SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, verify_callback);
     } else if (mode == NE_SSL_CTX_SERVER) {
         ctx->ctx = SSL_CTX_new(SSLv23_server_method());
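Review bot: The new options line drops SSL_OP_ALL, so the client context no longer enables the bug workarounds that the comment on the preceding line still says it enables. Either keep them, `SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);`, or reword the comment to `/* refuse SSLv2/SSLv3; the SSL_OP_ALL workarounds are intentionally off */`. Removing SSL_OP_ALL is a behaviour change that the commit message (a TLS version policy) does not mention, so it should be deliberate and stated. The enclosing function starts before this hunk.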
@@ -573,7 +573,8 @@
 #ifdef SSL_OP_NO_TICKET
         /* disable ticket support since it inhibits testing of session
          * caching. */
-        SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET);
+        SSL_CTX_set_options(ctx->ctx,
+                            SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 #endif
     } else {
 #ifdef OPENSSL_NO_SSL2
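Review bot: For the server context the SSLv2/SSLv3 disable is now nested inside `#ifdef SSL_OP_NO_TICKET`, so on a build where that macro is not defined the server context keeps SSLv3 (and SSLv2, if compiled in) negotiable, contrary to the patch's stated intent. Set the protocol options unconditionally before the `#ifdef`, `SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);`, and leave the guarded call as the original `SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET);`. The comment in this hunk still only explains the ticket flag; a short `/* SSLv2/SSLv3 are refused regardless of what the peer offers. */` above the unconditional call would document the policy. The enclosing function starts before this hunk.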
@@ -581,6 +582,7 @@
         return NULL;
 #else
         ctx->ctx = SSL_CTX_new(SSLv2_server_method());
+        SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
         SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT);
 #endif
     }
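Review bot: The added line sets SSL_OP_NO_SSLv2 on a context created with `SSLv2_server_method()`, which only speaks SSLv2, so the context returned from this branch can no longer complete any handshake and nothing tells the caller. Since the intent is to refuse SSLv2 entirely, this branch should behave like the `OPENSSL_NO_SSL2` arm just above and `return NULL;` (mirroring whatever cleanup that path does, which is outside the hunk) instead of handing back a dead context. If the branch is kept as is, a comment such as `/* SSLv2-only method with SSLv2 disabled: every handshake will fail */` should make the consequence explicit. The enclosing function starts before this hunk.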
@@ -590,18 +592,8 @@
 void ne_ssl_context_set_flag(ne_ssl_context *ctx, int flag, int value)
 {
     long opts = SSL_CTX_get_options(ctx->ctx);
-
-    switch (flag) {
-    case NE_SSL_CTX_SSLv2:
-        if (value) { 
-            /* Enable SSLv2 support; clear the "no SSLv2" flag. */
-            opts &= ~SSL_OP_NO_SSLv2;
-        } else {
-            /* Disable it: set the flag. */
             opts |= SSL_OP_NO_SSLv2;
-        }
-        break;
-    }
+    opts |= SSL_OP_NO_SSLv3;
 
     SSL_CTX_set_options(ctx->ctx, opts);
 }
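Review bot: ne_ssl_context_set_flag now ignores both `flag` and `value`: a caller passing NE_SSL_CTX_SSLv2 with a non-zero value expects SSLv2 to be enabled and silently gets SSLv3 disabled instead, and the unused parameters will warn under -Wunused-parameter. Make the ignored arguments explicit with `(void)flag; (void)value;` and state the policy in a comment above the function, e.g. `/* SSLv2 and SSLv3 are disabled unconditionally; flag and value are kept only for API compatibility and have no effect. */`. Setting the options here is also largely redundant with the context setup in the earlier hunks, which already ORs them in on most paths, so a one-line comment saying this call is a safety net for contexts that reached here without them would help the next reader.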