From 0c46e400afa7fef669b2f3a9ea2ed76633e8652b Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Wed, 20 Mar 2013 20:31:52 +0000
Subject: net.http: Disable SSLv2 support for HTTPS connections

---
 net/http.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'net/http.lua')

diff --git a/net/http.lua b/net/http.lua
index 9ed837e2..a1e4e523 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -190,7 +190,7 @@ function request(u, ex, callback)
 	
 	local sslctx = false;
 	if using_https then
-		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23" };
+		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2" } };
 	end
 
 	req.handler, req.conn = server.wrapclient(conn, req.host, port, listener, "*a", sslctx);
-- 
cgit v1.2.3