Fuck it. No SSLv3; not now, not ever. The API of the future will only

support the protocols of the future. (Perhaps a bit late in burning this bridge entirely, but there's no time like the present, esp. with other players now leaning against back compat.)
author: tedu <> 2014-10-15 21:02:39 +0000
committer: tedu <> 2014-10-15 21:02:39 +0000
commit: 2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb (patch)
tree: a80225330726269957b46a792f2aa1c2f53cf33a
parent: d5b0286cbea65b7d5d2d3df897f0a0c680102b46 (diff)
download: openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.tar.gz
openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.tar.bz2
openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.zip
3 files changed, 4 insertions, 8 deletions
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index b500c83063..06c7d54cc2 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.17 2014/10/15 14:11:47 jsing Exp $ */
+/* $OpenBSD: ressl.c,v 1.18 2014/10/15 21:02:39 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -172,14 +172,12 @@ int
 ressl_configure_ssl(struct ressl *ctx)
 {
        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
-        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
-        if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
-                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
        if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 8fa2788077..4ca2507f5a 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.20 2014/10/14 22:05:28 tedu Exp $ */
+/* $OpenBSD: ressl.h,v 1.21 2014/10/15 21:02:39 tedu Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -20,7 +20,6 @@
 #define RESSL_API       20141008
-#define RESSL_PROTOCOL_SSLv3    (1 << 0)
 #define RESSL_PROTOCOL_TLSv1_0  (1 << 1)
 #define RESSL_PROTOCOL_TLSv1_1  (1 << 2)
 #define RESSL_PROTOCOL_TLSv1_2  (1 << 3)
diff --git a/src/lib/libressl/ressl_init.3 b/src/lib/libressl/ressl_init.3
index 90a35fba7d..1ba6b460b5 100644
--- a/src/lib/libressl/ressl_init.3
+++ b/src/lib/libressl/ressl_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ressl_init.3,v 1.7 2014/10/15 19:57:43 jmc Exp $
+.\" $OpenBSD: ressl_init.3,v 1.8 2014/10/15 21:02:39 tedu Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -217,7 +217,6 @@ sets which versions of the protocol may be used.
 Possible values are the bitwise OR of:
 .Pp
 .Bl -tag -width "RESSL_PROTOCOL_TLSv1_2" -offset indent -compact
-.It Dv RESSL_PROTOCOL_SSLv3
 .It Dv RESSL_PROTOCOL_TLSv1_0
 .It Dv RESSL_PROTOCOL_TLSv1_1
 .It Dv RESSL_PROTOCOL_TLSv1_2
author	tedu <>	2014-10-15 21:02:39 +0000
committer	tedu <>	2014-10-15 21:02:39 +0000
commit	2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb (patch)
tree	a80225330726269957b46a792f2aa1c2f53cf33a
parent	d5b0286cbea65b7d5d2d3df897f0a0c680102b46 (diff)
download	openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.tar.gz openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.tar.bz2 openbsd-2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb.zip