Looking at the code it has:
static LSEC_SSL_METHOD* str2method(const char *method)
{
  if (!strcmp(method, "sslv23"))  return SSLv23_method();
  if (!strcmp(method, "sslv3"))   return SSLv3_method();
  if (!strcmp(method, "tlsv1"))   return TLSv1_method();
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
  if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
  if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
#endif
  return NULL;
}

And almost all the samples seem to be doing:
./samples/info/client.lua:   protocol = "sslv3",
./samples/info/client.lua:   options = {"all", "no_sslv2"},

A few use tlsv1 which isn't much better.

This is all completely wrong.

The only method supporting multiple versions is SSLv23_*.  All the
others are version specific and the no_sslv2 / SSL_OP_NO_SSLv2
doesn't have any effect on them.

I suggest you always use SSLv23_method().  Maybe you should get
rid of the protocol thing, or just don't let it have any effect.


Kurt
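
One way to act on the suggestion above, as an added example (not LuaSec's code and not part of the original message): every context keeps SSLv23_method() so negotiation still works, and the protocol string only selects which older versions get switched off. The function name, the "protocol means minimum version" semantics and the stand-in flag values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in bit flags so this compiles without OpenSSL (assumed values).
 * Real code uses SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, ...
 * from <openssl/ssl.h> in their place. */
#define NO_SSLV2   0x01UL
#define NO_SSLV3   0x02UL
#define NO_TLSV1   0x04UL
#define NO_TLSV1_1 0x08UL
#define NO_TLSV1_2 0x10UL

/* Protocol strings accepted by str2method(), oldest first, each paired
 * with the flag that disables that version. */
static const struct { const char *name; unsigned long off; } versions[] = {
  { "sslv3",   NO_SSLV3   },
  { "tlsv1",   NO_TLSV1   },
  { "tlsv1_1", NO_TLSV1_1 },
  { "tlsv1_2", NO_TLSV1_2 },
};

/* Hypothetical helper: treat `protocol` as the lowest acceptable version
 * and return the flags to disable everything older. The result is meant
 * for SSL_CTX_set_options() on a context from SSL_CTX_new(SSLv23_method()).
 * Returns 0 for an unknown name so the caller can reject the config;
 * every valid name yields at least NO_SSLV2, so 0 is unambiguous. */
unsigned long min_version_mask(const char *protocol)
{
  unsigned long mask = NO_SSLV2;   /* SSLv2 is never offered */
  size_t i;

  if (!strcmp(protocol, "sslv23")) return mask;
  for (i = 0; i < sizeof(versions) / sizeof(versions[0]); i++) {
    if (!strcmp(protocol, versions[i].name)) return mask;
    mask |= versions[i].off;       /* older than the minimum: disable */
  }
  return 0;
}

int main(void)
{
  const char *names[] = { "sslv23", "sslv3", "tlsv1", "tlsv1_2", "bogus" };
  size_t i;
  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    printf("%-8s -> 0x%02lx\n", names[i], min_version_mask(names[i]));
  return 0;
}
```

With this shape a peer that supports something newer than the configured string can still negotiate it, which a version-specific method would not allow.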
