vtls: refuse setting any SSL version

... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773

1 files changed, 5 insertions, 3 deletions

diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
index 8cfcdbe7f..2841c160b 100644
--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2019, 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -43,9 +43,9 @@ default TLS v1.0 since 7.39.0 (unless the TLS library has a stricter rule).
 .IP CURL_SSLVERSION_TLSv1
 TLS v1.0 or later
 .IP CURL_SSLVERSION_SSLv2
-SSL v2 (but not SSLv3)
+SSL v2 - refused
 .IP CURL_SSLVERSION_SSLv3
-SSL v3 (but not SSLv2)
+SSL v3 - refused
 .IP CURL_SSLVERSION_TLSv1_0
 TLS v1.0 or later (Added in 7.34.0)
 .IP CURL_SSLVERSION_TLSv1_1
@@ -102,6 +102,8 @@ if(curl) {
 }
 .fi
 .SH AVAILABILITY
+SSLv2 and SSLv3 are refused completely since curl 7.77.0
+
 SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may
 vary depending on which backend libcurl has been built to use.