From 5b83a1219de706d241a4d0b6ebd0441052ee6e94 Mon Sep 17 00:00:00 2001
From: David Champion
Date: Tue, 4 Nov 2014 23:40:10 -0600
Subject: [PATCH] Disable SSLv3 by default.

Since Oct. 14 2014 SSLv3 is no longer considered safe. See POODLE: https://en.wikipedia.org/wiki/Transport_Layer_Security#POODLE_attack
---
 init.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/init.h b/init.h
index 8265551e..f1f46c3d 100644
--- a/init.h
+++ b/init.h
@@ -2990,14 +2990,16 @@ struct option_t MuttVars[] = {
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv2 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 # endif /* defined USE_SSL_OPENSSL */
- { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
+ { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 0 },
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv3 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
 /*
-- 
2.40.0
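Review bot: Flipping the `ssl_use_sslv3` default to 0 only protects users who never set the option; a muttrc that explicitly enables it keeps SSLv3 on, and the text added on the `+ ** SSL authentication process.` lines says the protocol is "no longer recommended" without telling such users what enabling it costs. I would extend the ssl_use_sslv3 comment with `** Enabling it re-exposes connections to the POODLE downgrade attack; it is off by default for that reason.` so the generated manual carries the reason with the option. The identical sentence was also added to the ssl_use_sslv2 entry, but that option's default-value line sits above the hunk, so whether SSLv2 is likewise disabled by default cannot be confirmed from here. Whether the SSL setup code refuses to fall back to SSLv3 after a failed TLS handshake, which is what a downgrade attack relies on, is also outside this hunk; the enclosing `MuttVars[]` array starts and ends outside it.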