Remove support for DTLS_BAD_VER. We do not support non-standard and

incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@

20 files changed, 46 insertions, 98 deletions

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index b479c61322..567a074535 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.34 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: d1_both.c,v 1.35 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -346,8 +346,7 @@ dtls1_do_write(SSL *s, int type)
                                 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
                                 int xlen;
 
-                                if (frag_off == 0 &&
-                                    s->version != DTLS1_BAD_VER) {
+                                if (frag_off == 0) {
                                         /*
                                          * Reconstruct message header is if it
                                          * is being sent in single fragment
@@ -441,10 +440,9 @@ again:
         s2n (msg_hdr->seq, p);
         l2n3(0, p);
         l2n3(msg_len, p);
-        if (s->version != DTLS1_BAD_VER) {
-                p -= DTLS1_HM_HEADER_LENGTH;
-                msg_len += DTLS1_HM_HEADER_LENGTH;
-        }
+
+        p -= DTLS1_HM_HEADER_LENGTH;
+        msg_len += DTLS1_HM_HEADER_LENGTH;
 
         ssl3_finish_mac(s, p, msg_len);
         if (s->msg_callback)
@@ -971,12 +969,6 @@ dtls1_send_change_cipher_spec(SSL *s, int a, int b)
                 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
                 s->init_num = DTLS1_CCS_HEADER_LENGTH;
 
-                if (s->version == DTLS1_BAD_VER) {
-                        s->d1->next_handshake_write_seq++;
-                        s2n(s->d1->handshake_write_seq, p);
-                        s->init_num += 2;
-                }
-
                 s->init_off = 0;
 
                 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 2b736b9243..5a755c3bbe 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.49 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.50 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -171,7 +171,7 @@ DTLSv1_client_method(void)
 static const SSL_METHOD *
 dtls1_get_client_method(int ver)
 {
-        if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
+        if (ver == DTLS1_VERSION)
                 return (DTLSv1_client_method());
         return (NULL);
 }
@@ -214,8 +214,7 @@ dtls1_connect(SSL *s)
                         if (cb != NULL)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
-                            (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) {
+                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {
                                 SSLerr(SSL_F_DTLS1_CONNECT,
                                     ERR_R_INTERNAL_ERROR);
                                 ret = -1;
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index e7eca4a8cd..708f3d7206 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.30 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.31 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -246,10 +246,8 @@ dtls1_clear(SSL *s)
         }
 
         ssl3_clear(s);
-        if (s->options & SSL_OP_CISCO_ANYCONNECT)
-                s->version = DTLS1_BAD_VER;
-        else
-                s->version = DTLS1_VERSION;
+
+        s->version = DTLS1_VERSION;
 }
 
 long
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index c3574b43bd..ca716a2222 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.46 2015/07/19 01:07:40 doug Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.47 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -971,9 +971,6 @@ start:
 
                 dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-                if (s->version == DTLS1_BAD_VER)
-                        ccs_hdr_len = 3;
-
                 /* 'Change Cipher Spec' is just a single byte, so we know
                  * exactly what the record payload has to look like */
                 /* XDTLS: check that epoch is consistent */
@@ -1006,10 +1003,6 @@ start:
                 /* do this whenever CCS is processed */
                 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
 
-                if (s->version == DTLS1_BAD_VER)
-                        s->d1->handshake_read_seq++;
-
-
                 goto start;
         }
 
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 698292f33f..e41c119b9c 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.56 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -335,11 +335,9 @@ dtls1_accept(SSL *s)
                         s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
 
                         /* HelloVerifyRequest resets Finished MAC */
-                        if (s->version != DTLS1_BAD_VER) {
-                                if (!ssl3_init_finished_mac(s)) {
-                                        ret = -1;
-                                        goto end;
-                                }
+                        if (!ssl3_init_finished_mac(s)) {
+                                ret = -1;
+                                goto end;
                         }
                         break;
 
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 1d65dc5821..5aed28e99a 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.17 2015/02/09 10:53:28 jsing Exp $ */
+/* $OpenBSD: dtls1.h,v 1.18 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -73,7 +73,6 @@ extern "C" {
 #endif
 
 #define DTLS1_VERSION                   0xFEFF
-#define DTLS1_BAD_VER                   0x0100
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     256
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index b2c4f8e0d2..4bbc160d58 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.116 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.117 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1650,7 +1650,7 @@ ssl3_get_client_key_exchange(SSL *s)
                 rsa = pkey->pkey.rsa;
 
                 /* TLS and [incidentally] DTLS{0xFEFF} */
-                if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
+                if (s->version > SSL3_VERSION) {
                         if (2 > n)
                                 goto truncated;
                         n2s(p, i);
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index b479c61322..567a074535 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.34 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: d1_both.c,v 1.35 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -346,8 +346,7 @@ dtls1_do_write(SSL *s, int type)
                                 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
                                 int xlen;
 
-                                if (frag_off == 0 &&
-                                    s->version != DTLS1_BAD_VER) {
+                                if (frag_off == 0) {
                                         /*
                                          * Reconstruct message header is if it
                                          * is being sent in single fragment
@@ -441,10 +440,9 @@ again:
         s2n (msg_hdr->seq, p);
         l2n3(0, p);
         l2n3(msg_len, p);
-        if (s->version != DTLS1_BAD_VER) {
-                p -= DTLS1_HM_HEADER_LENGTH;
-                msg_len += DTLS1_HM_HEADER_LENGTH;
-        }
+
+        p -= DTLS1_HM_HEADER_LENGTH;
+        msg_len += DTLS1_HM_HEADER_LENGTH;
 
         ssl3_finish_mac(s, p, msg_len);
         if (s->msg_callback)
@@ -971,12 +969,6 @@ dtls1_send_change_cipher_spec(SSL *s, int a, int b)
                 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
                 s->init_num = DTLS1_CCS_HEADER_LENGTH;
 
-                if (s->version == DTLS1_BAD_VER) {
-                        s->d1->next_handshake_write_seq++;
-                        s2n(s->d1->handshake_write_seq, p);
-                        s->init_num += 2;
-                }
-
                 s->init_off = 0;
 
                 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 2b736b9243..5a755c3bbe 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.49 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.50 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -171,7 +171,7 @@ DTLSv1_client_method(void)
 static const SSL_METHOD *
 dtls1_get_client_method(int ver)
 {
-        if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
+        if (ver == DTLS1_VERSION)
                 return (DTLSv1_client_method());
         return (NULL);
 }
@@ -214,8 +214,7 @@ dtls1_connect(SSL *s)
                         if (cb != NULL)
                                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
-                            (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) {
+                        if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) {
                                 SSLerr(SSL_F_DTLS1_CONNECT,
                                     ERR_R_INTERNAL_ERROR);
                                 ret = -1;
diff --git a/src/lib/libssl/src/ssl/d1_lib.c b/src/lib/libssl/src/ssl/d1_lib.c
index e7eca4a8cd..708f3d7206 100644
--- a/src/lib/libssl/src/ssl/d1_lib.c
+++ b/src/lib/libssl/src/ssl/d1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.30 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.31 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -246,10 +246,8 @@ dtls1_clear(SSL *s)
         }
 
         ssl3_clear(s);
-        if (s->options & SSL_OP_CISCO_ANYCONNECT)
-                s->version = DTLS1_BAD_VER;
-        else
-                s->version = DTLS1_VERSION;
+
+        s->version = DTLS1_VERSION;
 }
 
 long
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index c3574b43bd..ca716a2222 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.46 2015/07/19 01:07:40 doug Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.47 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -971,9 +971,6 @@ start:
 
                 dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-                if (s->version == DTLS1_BAD_VER)
-                        ccs_hdr_len = 3;
-
                 /* 'Change Cipher Spec' is just a single byte, so we know
                  * exactly what the record payload has to look like */
                 /* XDTLS: check that epoch is consistent */
@@ -1006,10 +1003,6 @@ start:
                 /* do this whenever CCS is processed */
                 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
 
-                if (s->version == DTLS1_BAD_VER)
-                        s->d1->handshake_read_seq++;
-
-
                 goto start;
         }
 
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index 698292f33f..e41c119b9c 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.56 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -335,11 +335,9 @@ dtls1_accept(SSL *s)
                         s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
 
                         /* HelloVerifyRequest resets Finished MAC */
-                        if (s->version != DTLS1_BAD_VER) {
-                                if (!ssl3_init_finished_mac(s)) {
-                                        ret = -1;
-                                        goto end;
-                                }
+                        if (!ssl3_init_finished_mac(s)) {
+                                ret = -1;
+                                goto end;
                         }
                         break;
 
diff --git a/src/lib/libssl/src/ssl/dtls1.h b/src/lib/libssl/src/ssl/dtls1.h
index 1d65dc5821..5aed28e99a 100644
--- a/src/lib/libssl/src/ssl/dtls1.h
+++ b/src/lib/libssl/src/ssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.17 2015/02/09 10:53:28 jsing Exp $ */
+/* $OpenBSD: dtls1.h,v 1.18 2015/09/10 17:57:50 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -73,7 +73,6 @@ extern "C" {
 #endif
 
 #define DTLS1_VERSION                   0xFEFF
-#define DTLS1_BAD_VER                   0x0100
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     256
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index b2c4f8e0d2..4bbc160d58 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.116 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.117 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1650,7 +1650,7 @@ ssl3_get_client_key_exchange(SSL *s)
                 rsa = pkey->pkey.rsa;
 
                 /* TLS and [incidentally] DTLS{0xFEFF} */
-                if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
+                if (s->version > SSL3_VERSION) {
                         if (2 > n)
                                 goto truncated;
                         n2s(p, i);
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index e7873f5ed4..7c815df8e1 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.94 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -302,7 +302,6 @@ extern "C" {
 #define SSL_TXT_STREEBOG512             "STREEBOG512"
 
 #define SSL_TXT_DTLS1           "DTLSv1"
-#define SSL_TXT_DTLS1_BAD       "DTLSv1-bad"
 #define SSL_TXT_SSLV2           "SSLv2"
 #define SSL_TXT_SSLV3           "SSLv3"
 #define SSL_TXT_TLSV1           "TLSv1"
@@ -535,8 +534,6 @@ struct ssl_session_st {
 #define SSL_OP_COOKIE_EXCHANGE                          0x00002000L
 /* Don't use RFC4507 ticket extension */
 #define SSL_OP_NO_TICKET                                0x00004000L
-/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client)  */
-#define SSL_OP_CISCO_ANYCONNECT                         0x00008000L
 
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
@@ -590,6 +587,7 @@ struct ssl_session_st {
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 #define SSL_OP_TLS_D5_BUG                               0x0
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
+#define SSL_OP_CISCO_ANYCONNECT                         0x0
 
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written): */
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 8df885e9f7..7ace9fe688 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.107 2015/09/09 19:42:39 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.108 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2545,8 +2545,6 @@ const char *
 ssl_version_string(int ver)
 {
         switch (ver) {
-        case DTLS1_BAD_VER:
-                return (SSL_TXT_DTLS1_BAD);
         case DTLS1_VERSION:
                 return (SSL_TXT_DTLS1);
         case TLS1_VERSION:
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index 5d18c8a0b4..7052e8aa56 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.47 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.48 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -303,7 +303,6 @@ ssl_get_new_session(SSL *s, int session)
                 case TLS1_VERSION:
                 case TLS1_1_VERSION:
                 case TLS1_2_VERSION:
-                case DTLS1_BAD_VER:
                 case DTLS1_VERSION:
                         ss->ssl_version = s->version;
                         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e7873f5ed4..7c815df8e1 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.94 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -302,7 +302,6 @@ extern "C" {
 #define SSL_TXT_STREEBOG512             "STREEBOG512"
 
 #define SSL_TXT_DTLS1           "DTLSv1"
-#define SSL_TXT_DTLS1_BAD       "DTLSv1-bad"
 #define SSL_TXT_SSLV2           "SSLv2"
 #define SSL_TXT_SSLV3           "SSLv3"
 #define SSL_TXT_TLSV1           "TLSv1"
@@ -535,8 +534,6 @@ struct ssl_session_st {
 #define SSL_OP_COOKIE_EXCHANGE                          0x00002000L
 /* Don't use RFC4507 ticket extension */
 #define SSL_OP_NO_TICKET                                0x00004000L
-/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client)  */
-#define SSL_OP_CISCO_ANYCONNECT                         0x00008000L
 
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
@@ -590,6 +587,7 @@ struct ssl_session_st {
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 #define SSL_OP_TLS_D5_BUG                               0x0
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
+#define SSL_OP_CISCO_ANYCONNECT                         0x0
 
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written): */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 8df885e9f7..7ace9fe688 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.107 2015/09/09 19:42:39 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.108 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2545,8 +2545,6 @@ const char *
 ssl_version_string(int ver)
 {
         switch (ver) {
-        case DTLS1_BAD_VER:
-                return (SSL_TXT_DTLS1_BAD);
         case DTLS1_VERSION:
                 return (SSL_TXT_DTLS1);
         case TLS1_VERSION:
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 5d18c8a0b4..7052e8aa56 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.47 2015/09/10 15:56:26 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.48 2015/09/10 17:57:50 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -303,7 +303,6 @@ ssl_get_new_session(SSL *s, int session)
                 case TLS1_VERSION:
                 case TLS1_1_VERSION:
                 case TLS1_2_VERSION:
-                case DTLS1_BAD_VER:
                 case DTLS1_VERSION:
                         ss->ssl_version = s->version;
                         ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;