Commit 87d9cafa authored by Matt Caswell's avatar Matt Caswell

Remove some SSLv2 references

There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
parent b7fa1f98
+6 −6
@@ -371,16 +371,16 @@ argument.
The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:

 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
 SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
 SSL_CONF_cmd(ctx, userparam, uservalue);

it will disable SSLv2 support by default but the user can override it. If 
it will disable SSLv3 support by default but the user can override it. If
however the call sequence is:

 SSL_CONF_cmd(ctx, userparam, uservalue);
 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
 SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");

SSLv2 is B<always> disabled and attempt to override this by the user are
SSLv3 is B<always> disabled and attempt to override this by the user are
ignored.

By checking the return code of SSL_CTX_cmd() it is possible to query if a
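Review bot: the replacement line "SSLv3 is B<always> disabled and attempt to override this by the user are ignored." carries over a number-agreement error from the line it replaces; since the line is being rewritten anyway, make it "attempts to override this by the user are ignored". The trailing context line "By checking the return code of SSL_CTX_cmd()" also looks like a typo for SSL_CONF_cmd(), the function every example in this hunk calls, and is worth fixing in the same pass or a follow-up.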
@@ -416,9 +416,9 @@ Set supported signature algorithms:

 SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");

Enable all protocols except SSLv3 and SSLv2:
Enable all protocols except SSLv3:

 SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
 SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");

Only enable TLSv1.2:

+2 −11
@@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op.

When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSLv3/TLSv1 server will choose following its
own preferences. Because of the different protocol, for SSLv2 the server
will send its list of preferences to the client and the client chooses.
preferences. When set, the SSL/TLS server will choose following its
own preferences.

=item SSL_OP_PKCS1_CHECK_1

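Review bot: style point on the rewritten sentence "the SSL/TLS server will choose following its own preferences": "choose according to its own preferences" reads more naturally, and the unchanged first sentence of the same paragraph says "the clients preferences" (missing apostrophe, "client's"); both could be tidied while this paragraph is being edited.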
@@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses.
...



=item SSL_OP_NO_SSLv2

Do not use the SSLv2 protocol.

=item SSL_OP_NO_SSLv3

Do not use the SSLv3 protocol.
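Review bot: dropping the =item SSL_OP_NO_SSLv2 entry outright leaves readers who grep the man page for that flag with nothing. If the macro is retained as a no-op for source compatibility, which is the approach this commit takes for ssl2.h ("Unused. Present for backwards compatibility only."), consider keeping a one-line entry saying so; the hunk header context "This option is no longer implemented and is treated as no op." shows the page already uses that pattern for other retired options.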
@@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as
described in RFC5746. This counters the prefix attack described in
CVE-2009-3555 and elsewhere.

The deprecated and highly broken SSLv2 protocol does not support
renegotiation at all: its use is B<strongly> discouraged.

This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure
renegotiation is referred to as I<patched>. A server not supporting secure
+0 −5
@@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN).

SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
only be detected, whether the underlying connection was closed. It cannot
be checked, whether the closure was initiated by the peer or by something
else.

=item E<lt>0

The read operation was not successful, because either an error occurred
+0 −4
@@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred or the connection was shut down cleanly
(SSL_ERROR_ZERO_RETURN).

SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
only be detected, whether the underlying connection was closed. It cannot
be checked, why the closure happened.

=item E<lt>0

The write operation was not successful, because either an error occurred
+2 −4
@@ -93,9 +93,7 @@ inside this header file.

=item B<ssl2.h>

That's the sub header file dealing with the SSLv2 protocol only.
I<Usually you don't have to include it explicitly because
it's already included by ssl.h>.
Unused. Present for backwards compatibility only.

=item B<ssl3.h>

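Review bot: the new ssl2.h description "Unused. Present for backwards compatibility only." is ambiguous about what the compatibility guarantee is. Suggest stating it explicitly, for example "No longer used; kept only so that existing code which includes it explicitly continues to compile.", so that readers know including the header is still safe rather than deprecated.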
@@ -175,7 +173,7 @@ definitions in the header files.

=item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);

Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
in the specification the first time).
