no support for SSL2 any longer. And ignore some funny flags on leaf

certs

src/pkg-tls.c

@@ -161,6 +161,26 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
         X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof buf);
         printf("depth %d: %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
     }
+    if (!preverify_ok) 
+    {
+	int err;
+	int depth;
+
+	/* ignore purpose flag on leaf certs */
+	err = X509_STORE_CTX_get_error(ctx);
+	depth = X509_STORE_CTX_get_error_depth(ctx);
+	if (err == X509_V_ERR_INVALID_PURPOSE && depth == 0) 
+	{
+	    SSL *ssl;
+	    ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+	    preverify_ok = 1;
+	    err = X509_V_OK;
+	    SSL_set_verify_result(ssl, X509_V_OK);
+	    X509_STORE_CTX_set_error(ctx, X509_V_OK);
+	}
+
+    }
     return MY_TRUE;
 } /* tls_verify_callback() */
 
@@ -444,7 +464,8 @@ tls_global_init (void)
     }
 
     /* Avoid small subgroup attacks */
-    SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
+    /* do not do SSLv2 */
+    SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
 
     /* OpenSSL successfully initialised */
     tls_available = MY_TRUE;