drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX)

[apache] / modules / ssl / ssl_engine_io.c

diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 45e2ca42a44c091d533295b78bd753649707448c..a1d9f6a33b7016ea3311c3b44ba9f226f50456b9 100644 (file)
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1050,13 +1050,12 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 #ifndef OPENSSL_NO_TLSEXT
         /*
          * Enable SNI for backend requests. Make sure we don't do it for
-         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+         * pure SSLv3 connections, and also prevent IP addresses
          * from being included in the SNI extension. (OpenSSL would simply
          * pass them on, but RFC 6066 is quite clear on this: "Literal
          * IPv4 and IPv6 addresses are not permitted".)
          */
         if (hostname_note &&
-            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
             apr_ipsubnet_create(&ip, hostname_note, NULL,
                                 c->pool) != APR_SUCCESS) {