[mod_openssl] issue warning for deprecated options

src/mod_openssl.c

@@ -1759,12 +1759,29 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
                 break;
               case 7: /* ssl.empty-fragments */
                 conf.ssl_empty_fragments = (0 != cpv->v.u);
+                log_error(srv->errh, __FILE__, __LINE__, "SSL: "
+                  "ssl.empty-fragments is deprecated and will soon be "
+                  "removed.  If needed, use: ssl.openssl.ssl-conf-cmd = "
+                  "(\"Options\" => \"EmptyFragments\")");
+                log_error(srv->errh, __FILE__, __LINE__, "SSL: "
+                  "ssl.empty-fragments is a "
+                  "counter-measure against a SSL 3.0/TLS 1.0 protocol "
+                  "vulnerability affecting CBC ciphers, which cannot be handled"
+                  " by some broken (Microsoft) SSL implementations.");
                 break;
               case 8: /* ssl.use-sslv2 */
                 conf.ssl_use_sslv2 = (0 != cpv->v.u);
+                log_error(srv->errh, __FILE__, __LINE__, "SSL: "
+                  "ssl.use-sslv2 is deprecated and will soon be removed.  "
+                  "Many modern TLS libraries no longer support SSLv2.");
                 break;
               case 9: /* ssl.use-sslv3 */
                 conf.ssl_use_sslv3 = (0 != cpv->v.u);
+                log_error(srv->errh, __FILE__, __LINE__, "SSL: "
+                  "ssl.use-sslv3 is deprecated and will soon be removed.  "
+                  "Many modern TLS libraries no longer support SSLv3.  "
+                  "If needed, use: "
+                  "ssl.openssl.ssl-conf-cmd = (\"MinProtocol\" => \"SSLv3\")");
                 break;
               default:/* should not happen */
                 break;