@@ 0,0 1,24 @@
+Subject: Disable SSLv2 and SSLv3.
+
+The only remaining methods are TLSv1.* (the code never distinguishes
+between TLSv1.0, TLSv1.1, and TLSv1.2).
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 320906c..ddcd4fc 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
+ #endif				/* defined(USE_SSL) &&
+ 				 * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2, 3");
+ #endif
+ 
+ global int is_redisplay init(FALSE);
+-- 
+2.6.4
+


@@ 0,0 1,24 @@
+Subject: Disable weak ciphers
+
+Disable RC4, "export ciphers", and all keys < 128 bits.
+
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
+---
+ url.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/url.c b/url.c
+index ed6062e..e86b1f3 100644
+--- a/url.c
++++ b/url.c
+@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
+ 	SSL_load_error_strings();
+ 	if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
+ 	    goto eend;
++	SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
+ 	option = SSL_OP_ALL;
+ 	if (ssl_forbid_method) {
+ 	    if (strchr(ssl_forbid_method, '2'))
+-- 
+2.6.4
+


@@ 0,0 1,24 @@
+Subject: Force ssl_verify_server on.
+
+By default, SSL/TLS certificates are not verified. This enables the
+verification.
+---
+ fm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fm.h b/fm.h
+index 8378939..320906c 100644
+--- a/fm.h
++++ b/fm.h
+@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+ 
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+-- 
+2.6.4
+