configure: disable ssl2/ssl3 by default

configure

@@ -112,10 +112,15 @@ parser.add_option("--systemtap-includes",
     dest="systemtap_includes",
     help=optparse.SUPPRESS_HELP)
 
-parser.add_option("--no-ssl2",
+parser.add_option("--ssl2",
     action="store_true",
-    dest="no_ssl2",
-    help="Disable OpenSSL v2")
+    dest="ssl2",
+    help="Enable SSL v2")
+
+parser.add_option("--ssl3",
+    action="store_true",
+    dest="ssl3",
+    help="Enable SSL v3")
 
 parser.add_option("--shared-zlib",
     action="store_true",
@@ -620,9 +625,12 @@ def configure_openssl(o):
   if options.without_ssl:
     return
 
-  if options.no_ssl2:
+  if not options.ssl2:
     o['defines'] += ['OPENSSL_NO_SSL2=1']
 
+  if not options.ssl3:
+    o['defines'] += ['OPENSSL_NO_SSL3=1']
+
   if options.shared_openssl:
     (libs, cflags) = pkg_config('openssl') or ('-lssl -lcrypto', '')
 

doc/api/tls.markdown

@@ -38,6 +38,14 @@ To create .pfx or .p12, do this:
   - `certfile`: all CA certs concatenated in one file like
     `cat ca1-cert.pem ca2-cert.pem > ca-cert.pem`
 
+## Protocol support
+
+Node.js is compiled without SSL2/SSL3 protocol support by default. These
+protocols are insecure and could be easily compromised as was shown by
+[CVE-2014-3566][]. However, in some situations, it may cause
+problems with legacy clients/servers (such as Internet Explorer 6). If you do
+really wish to use them, please rebuild node.js with `./configure --with-ssl3`.
+
 
 ## Client-initiated renegotiation attack mitigation
 
@@ -569,3 +577,4 @@ The numeric representation of the remote port. For example, `443`.
 [Stream]: stream.html#stream_stream
 [SSL_METHODS]: http://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS
 [tls.Server]: #tls_class_tls_server
+[CVE-2014-3566]: https://access.redhat.com/articles/1232123