From 311034b69bd6b7ae027d41317e33881f8826efb4 Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Fri, 7 Nov 2014 02:21:29 +0100
Subject: [PATCH] force at least TLSv1.0 in curves tolerance test

because to advertise curves to server we need extensions and
extensions are only available in TLSv1.0 or later, we need to force
OpenSSL not to send SSLv2 compatible hello if it thinks it's ok to
do (when there are SSLv2 ciphers present in cipherstring it will try to)
---
 cipherscan | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cipherscan b/cipherscan
index 905baf5..9da6d9b 100755
--- a/cipherscan
+++ b/cipherscan
@@ -745,6 +745,9 @@ test_ecc_curves() {
         sslcommand+=" -CAfile $CACERTS"
     fi
     sslcommand+=" -status $SCLIENTARGS -connect $TARGET -cipher $ecc_ciphers"
+    # force the TLS to send a TLS1.0 client hello at least, as with SSLv2
+    # ciphers present it will try to send a SSLv2 compatible client hello
+    sslcommand+=" -no_ssl2 -no_ssl3"
 
     #
     # here we use the same logic as with detecting cipher suites: first