Description of problem:
SSLv2 is a protocol known to be insecure for close to 20 years now. Recent OpenSSL vulnerability (CVE-2015-3197) shows that just keeping this code around is a liability. Moreover, upstream plans to remove it soon too: MZBZ#1228555.
Thus support for SSLv2 should be disabled without a way to override.
Created attachment 1132852 [details]
disable ssl2 suppport - libssl part
Created attachment 1132853 [details]
disable ssl2 support - test scripts part
Created attachment 1132855 [details]
Add "-c v " to tstclnt invocation for ocsp stapling tests and some SNI tests.
Created attachment 1132859 [details]
ensure in ssl stress tool invocation lower protocol in range is ssl3
don't rely on default for minimum wnich is currently ssl2
Created attachment 1132860 [details]
For ssl authentication tests ensure ssl3 is the minimum and not ssl2
Created attachment 1132861 [details]
nss.spec file changes - in patch format
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.