From bfd656df1715b88256658767cc908c260367df77 Mon Sep 17 00:00:00 2001 From: Benjamin Pollack <benjamin@bitquabit.com> Date: Tue, 1 Mar 2016 19:42:08 -0500 Subject: [PATCH] Dump everything before TLSv1 All versions of SSL are deprecated and have major security issues. Just kill the whole thing. If you want to deliberately expose yourself to POODLE, you can do it on your own time. --- .../io/sockets/secure/openssl/openssl.factor | 3 --- basis/io/sockets/secure/secure-docs.factor | 21 ++----------------- basis/io/sockets/secure/secure.factor | 4 ++-- basis/openssl/libssl/libssl-tests.factor | 2 +- 4 files changed, 5 insertions(+), 25 deletions(-) diff --git a/basis/io/sockets/secure/openssl/openssl.factor b/basis/io/sockets/secure/openssl/openssl.factor index fc64c02448..e2f169997a 100644 --- a/basis/io/sockets/secure/openssl/openssl.factor +++ b/basis/io/sockets/secure/openssl/openssl.factor @@ -13,9 +13,6 @@ IN: io.sockets.secure.openssl GENERIC: ssl-method ( symbol -- method ) -M: SSLv2 ssl-method drop SSLv2_client_method ; -M: SSLv23 ssl-method drop SSLv23_method ; -M: SSLv3 ssl-method drop SSLv3_method ; M: TLSv1 ssl-method drop TLSv1_method ; TUPLE: openssl-context < secure-context aliens sessions ; diff --git a/basis/io/sockets/secure/secure-docs.factor b/basis/io/sockets/secure/secure-docs.factor index dc9b3a6abd..fdf2503d56 100644 --- a/basis/io/sockets/secure/secure-docs.factor +++ b/basis/io/sockets/secure/secure-docs.factor 
@@ -4,20 +4,6 @@ IN: io.sockets.secure HELP: secure-socket-timeout { $var-description "Timeout for operations not associated with a constructed port instance, such as SSL handshake and shutdown. Represented as a " { $link duration } "." } ; -HELP: SSLv2 -{ $description "Possible value for the " { $snippet "method" } " slot of a " { $link secure-config } "." -$nl -"Note that the SSLv2 protocol is vulnerable to truncation attacks and its use is discouraged (" { $url "http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html" } ")." } ; - -HELP: SSLv3 -{ $description "Possible value for the " { $snippet "method" } " slot of a " { $link secure-config } "." -$nl -"SSLv3 is widely used, however it is being supersceded by TLSv1." } ; - -HELP: SSLv23 -{ $description "Possible value for the " { $snippet "method" } " slot of a " { $link secure-config } "." -$nl -"This value indicates that either SSLv2 or SSLv3 is acceptable." } ; HELP: TLSv1 { $description "Possible value for the " { $snippet "method" } " slot of a " { $link secure-config } "." @@ -27,12 +13,9 @@ $nl ARTICLE: "ssl-methods" "SSL/TLS methods" "The " { $snippet "method" } " slot of a " { $link secure-config } " can be set to one of the following values:" { $subsections - SSLv2 - SSLv23 - SSLv3 TLSv1 } -"The default value is " { $link SSLv23 } "." ; +"The default value is " { $link TLSv1 } "." ; HELP: secure-config { $class-description "Instances represent secure socket configurations." } ; 
@@ -121,7 +104,7 @@ $nl { $subsections accept-secure-handshake } ; HELP: premature-close -{ $error-description "Thrown if an SSL connection is closed without the proper " { $snippet "close_notify" } " sequence. This error is never reported for " { $link SSLv2 } " connections because there is no distinction between expected and unexpected connection closure in that case." } ; +{ $error-description "Thrown if an SSL connection is closed without the proper " { $snippet "close_notify" } " sequence." } ; HELP: certificate-verify-error { $error-description "Thrown if certificate verification failed. The " { $snippet "result" } " slot contains an object identifying the low-level error that occurred." } ; diff --git a/basis/io/sockets/secure/secure.factor b/basis/io/sockets/secure/secure.factor index 9e6f55569e..8f4678fd6c 100644 --- a/basis/io/sockets/secure/secure.factor +++ b/basis/io/sockets/secure/secure.factor @@ -17,7 +17,7 @@ HOOK: ssl-certificate-verification-supported? secure-socket-backend ( -- ? ) M: object ssl-supported? f ; M: object ssl-certificate-verification-supported? f ; -SINGLETONS: SSLv2 SSLv23 SSLv3 TLSv1 ; +SINGLETONS: TLSv1 ; TUPLE: secure-config method @@ -30,7 +30,7 @@ ephemeral-key-bits ; : <secure-config> ( -- config ) secure-config new - SSLv23 >>method + TLSv1 >>method 1024 >>ephemeral-key-bits ssl-certificate-verification-supported? >>verify ; diff --git a/basis/openssl/libssl/libssl-tests.factor b/basis/openssl/libssl/libssl-tests.factor index 5becb771c1..3dbdb8d122 100644 --- a/basis/openssl/libssl/libssl-tests.factor +++ b/basis/openssl/libssl/libssl-tests.factor @@ -23,7 +23,7 @@ IN: openssl.libssl.tests swap SSL_CTRL_OPTIONS 0 f SSL_CTX_ctrl bitand 0 > ; : new-ctx ( -- ctx ) - SSLv23_client_method SSL_CTX_new ; + TLSv1_client_method SSL_CTX_new ; : new-ssl ( -- ssl ) new-ctx SSL_new ;
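Review bot: The new default `TLSv1 >>method` in `<secure-config>` pins every connection to TLS 1.0 rather than setting a floor. The only remaining `ssl-method` mapping in openssl.factor sends `TLSv1` to `TLSv1_method`, which in OpenSSL is a fixed-version method. The removed `SSLv23_method` was, despite its name, the version-negotiating method, so after this change a peer can no longer negotiate TLS 1.1 or 1.2. To drop SSLv2 and SSLv3 without capping the version, keep the negotiating method behind a version-neutral symbol and set the OpenSSL options `SSL_OP_NO_SSLv2` and `SSL_OP_NO_SSLv3` on the context when it is created, assuming the Factor libssl bindings expose them. The same applies to `TLSv1_client_method SSL_CTX_new` in `new-ctx` in libssl-tests.factor, which now exercises only a TLS 1.0 context.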