diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
+++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ ss->opt.enableSSL2 = on;
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (on) {
ss->opt.v2CompatibleHello = on;
}
+#endif
ss->preferredCipher = NULL;
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ break;
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
}
break;
}
+#endif
ss->opt.v2CompatibleHello = on;
if (!on) {
ss->opt.enableSSL2 = on;
@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
if (ssl_IsRemovedCipherSuite(which)) {
rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+#else
rv = ssl2_SetPolicy(which, policy);
+#endif
} else {
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
}