$OpenBSD: patch-src_lib_ecore_con_ecore_con_ssl_c,v 1.1 2015/07/18 21:32:20 sthen Exp $
--- src/lib/ecore_con/ecore_con_ssl.c.orig	Sat Jul 18 15:12:36 2015
+++ src/lib/ecore_con/ecore_con_ssl.c	Sat Jul 18 15:31:39 2015
@@ -1556,8 +1556,14 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server
    if (ssl_type & ECORE_CON_USE_SSL2)
      return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
 
+#ifdef OPENSSL_NO_SSL3
+   if (ssl_type & ECORE_CON_USE_SSL3)
+     return ECORE_CON_SSL_ERROR_NOT_SUPPORTED;
+#endif
+
    switch (ssl_type)
      {
+#ifndef OPENSSL_NO_SSL3
       case ECORE_CON_USE_SSL3:
       case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
         if (!svr->created)
@@ -1565,9 +1571,15 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server
         else
           SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(SSLv3_server_method())));
         break;
+#endif
 
       case ECORE_CON_USE_TLS:
       case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
+	/*
+	 * XXX TLSv1_method restricts to TLSv1.0 only (disabling 1.1+).
+	 * SSLv23_method allows 1.1+ also, but requires options to be set
+	 * in order to disable SSLv2/3.
+	 */
         if (!svr->created)
           SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = SSL_CTX_new(TLSv1_client_method())));
         else
