From 591206ff82daa50ce8b4f6fdd8f53047331dd0e6 Mon Sep 17 00:00:00 2001
From: Fabrizio Furano
Date: Mon, 18 Apr 2016 15:43:07 +0200
Subject: [PATCH 1/2] XrdHttp: make the example config file cleaner
---
 src/XrdHttp/xrootd-http.cf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/XrdHttp/xrootd-http.cf b/src/XrdHttp/xrootd-http.cf
index 1baca955fcd..451dcb221b5 100644
--- a/src/XrdHttp/xrootd-http.cf
+++ b/src/XrdHttp/xrootd-http.cf
@@ -7,15 +7,15 @@
 if exec xrootd
- xrd.protocol XrdHttp /usr/local/lib/libXrdHttp.so
+ xrd.protocol XrdHttp /usr/local/lib/libXrdHttp-4.so
 fi
 http.cert /etc/grid-security/hostcert.pem
 http.key /etc/grid-security/hostkey.pem
 http.cadir /etc/grid-security/certificates
-http.secretkey CHANGEME
+#http.secretkey CHANGEME
 #http.gridmap /etc/grid-security/mapfile
-#http.secxtractor /usr/lib64/libXrdHttpVOMS.so
+#http.secxtractor /usr/lib64/libXrdHttpVOMS-4.so
 #http.selfhttps2http yes
 # As an example of preloading files, let's preload in memory
@@ -29,7 +29,7 @@ http.secretkey CHANGEME
 # Usual basic xrd stuff
 # all.role server
-all.manager pcitgt02.cern.ch:1213
+all.manager pcitsdcfab.cern.ch:1213
 all.export /
 oss.localroot /tmp/xrdroot
From c16531f297da5b315d1f307d5a935f3594ceff24 Mon Sep 17 00:00:00 2001
From: Fabrizio Furano
Date: Mon, 18 Apr 2016 15:55:45 +0200
Subject: [PATCH 2/2] XtdHttp: use the strongest SSL protocol available at compile time, based on OpenSSL defines
---
 src/XrdHttp/XrdHttpProtocol.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index 8ee80b8cbbe..54446747780 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -1321,7 +1321,21 @@ int XrdHttpProtocol::InitSecurity() {
 OpenSSL_add_all_digests();
 const SSL_METHOD *meth;
+
+#ifdef TLS1_2_VERSION
 meth = TLSv1_2_method();
+ eDest.Say(" Using TLS 1.2");
+#elif TLS1_1_VERSION
+ eDest.Say(" Using deprecated TLS version 1.1.")
+ meth = TLSv1_1_method();
+#elif TLS1_VERSION
+ eDest.Say(" Using deprecated TLS version 1.")
+ meth = TLSv1_method();
+#else
+ eDest.Say(" warning: TLS is not available, falling back to SSL23 (deprecated).")
+ meth = SSLv23_method();
+#endif
+
 sslctx = SSL_CTX_new((SSL_METHOD *)meth);
 //SSL_CTX_set_min_proto_version(sslctx, TLS1_2_VERSION);
 SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_SERVER);
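Review bot: The three `eDest.Say(...)` calls in the `#elif TLS1_1_VERSION`, `#elif TLS1_VERSION` and `#else` branches have no terminating semicolon, so InitSecurity() does not compile on any OpenSSL that lacks TLS1_2_VERSION; each needs the form `eDest.Say(" Using deprecated TLS version 1.1.");`. The defect is masked because every build with TLS 1.2 takes the first branch and the fallback branches are never compiled, which is exactly why they deserve a build against an old OpenSSL before merging. The version tests should also be written as `#elif defined(TLS1_1_VERSION)` and `#elif defined(TLS1_VERSION)`; as written they only work because an undefined name evaluates to 0 and the defined values happen to be non-zero. In the `#else` branch `SSLv23_method()` negotiates whatever the library still offers, which can include SSLv3, so that path should be followed by `SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the `SSL_CTX_new` call, or the commented-out `SSL_CTX_set_min_proto_version` line restored where that API exists. InitSecurity() continues past the end of the hunk.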