openssl backend: repair use of TLSv1+ protocols

The use of TLSv1_client_method() means that the protocol used will be
limited to TLSv1.0.  This is not desirable for --secure-protocol values
of "auto" (default) and "pfs".  Fix by using SSLv23_client_method() and
disabling SSLv[23].

Issue reported by Mikolaj Kucharski.

src/ChangeLog

@@ -1,3 +1,8 @@
+2014-12-03  Jérémie Courrèges-Anglas  <jca@wxcvbn.org> (tiny change)
+
+	* openssl.c (ssl_init): Allow pfs to be used with protocols other than
+	TLSv1.
+
 2014-12-01  Tim Ruehsen <tim.ruehsen@gmx.de>
 
 	* connect.c, iri.c, url.c, warc.c: Fix issues reported

src/openssl.c

@@ -203,6 +203,8 @@ ssl_init (void)
   SSLeay_add_all_algorithms ();
   SSLeay_add_ssl_algorithms ();
 
+  long ssl_options = 0;
+
   switch (opt.secure_protocol)
     {
 #ifndef OPENSSL_NO_SSL2
@@ -219,6 +221,9 @@ ssl_init (void)
 
     case secure_protocol_auto:
     case secure_protocol_pfs:
+      meth = SSLv23_client_method ();
+      ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+      break;
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
@@ -253,6 +258,9 @@ ssl_init (void)
   if (!ssl_ctx)
     goto error;
 
+  if (ssl_options)
+    SSL_CTX_set_options (ssl_ctx, ssl_options);
+
   /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html
    * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more)
    */