20 files changed, 36 insertions, 178 deletions
diff --git a/src/lib/libcrypto/opensslfeatures.h b/src/lib/libcrypto/opensslfeatures.h
index 45848c5a35..6b6784754d 100644
--- a/src/lib/libcrypto/opensslfeatures.h
+++ b/src/lib/libcrypto/opensslfeatures.h
@@ -15,6 +15,8 @@
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP
 # define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
 # define OPENSSL_NO_STORE
 # define OPENSSL_NO_BUF_FREELISTS
 # define OPENSSL_NO_HEARTBEATS
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 458eb37d5f..a99a7691bd 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
 static const SSL_METHOD *
 ssl23_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_client_method());
        if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
         */
-        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
        version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
        mask &= ~SSL_OP_NO_TLSv1;
-        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
-                version = SSL3_VERSION;
-        mask &= ~SSL_OP_NO_SSLv3;
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
                } else if (version == TLS1_VERSION) {
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
-                } else if (version == SSL3_VERSION) {
-                        version_major = SSL3_VERSION_MAJOR;
-                        version_minor = SSL3_VERSION_MINOR;
                } else {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
            (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
                /* we have sslv3 or tls1 (server hello or alert) */
-                if ((p[2] == SSL3_VERSION_MINOR) &&
+                if ((p[2] == TLS1_VERSION_MINOR) &&
-                    !(s->options & SSL_OP_NO_SSLv3)) {
-                        s->version = SSL3_VERSION;
-                        s->method = SSLv3_client_method();
-                } else if ((p[2] == TLS1_VERSION_MINOR) &&
                    !(s->options & SSL_OP_NO_TLSv1)) {
                        s->version = TLS1_VERSION;
                        s->method = TLSv1_client_method();
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_server_method());
        if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                                s->version = SSL3_VERSION;
+                                                type = 1;
-                                                /* type=2; */
-                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
                                                type = 1;
                                        }
                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
+                                        type = 1;
-                                        /* type=2; */
-                                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                } else if (!(s->options & SSL_OP_NO_SSLv2))
                                        type = 1;
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
                                }
                        } else {
-                                /* client requests SSL 3.0 */
+                                if (!(s->options & SSL_OP_NO_TLSv1)) {
-                                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
                else
-                        s->method = SSLv3_server_method();
+                        s->method = TLSv1_server_method();
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b739711732..30f679eac3 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,12 +170,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
-    "SSLv3_client_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_client_method(void)
-{
-        return &SSLv3_client_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index c8bdac0214..42396a21e9 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
        s->s3->total_renegotiations = 0;
        s->s3->num_renegotiations = 0;
        s->s3->in_read_app_data = 0;
-        s->version = SSL3_VERSION;
+        s->version = TLS1_VERSION;
        free(s->next_proto_negotiated);
        s->next_proto_negotiated = NULL;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 7d2ec4d132..5574884b89 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -166,12 +166,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
-    "SSLv3_server_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_server_method(void)
-{
-        return &SSLv3_server_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/crypto/opensslfeatures.h b/src/lib/libssl/src/crypto/opensslfeatures.h
index 45848c5a35..6b6784754d 100644
--- a/src/lib/libssl/src/crypto/opensslfeatures.h
+++ b/src/lib/libssl/src/crypto/opensslfeatures.h
@@ -15,6 +15,8 @@
 # define OPENSSL_NO_SEED
 # define OPENSSL_NO_SRP
 # define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
 # define OPENSSL_NO_STORE
 # define OPENSSL_NO_BUF_FREELISTS
 # define OPENSSL_NO_HEARTBEATS
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 458eb37d5f..a99a7691bd 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
 static const SSL_METHOD *
 ssl23_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_client_method());
        if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
         */
-        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+        mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
        version = TLS1_2_VERSION;
        if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
                version = TLS1_VERSION;
        mask &= ~SSL_OP_NO_TLSv1;
-        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
-                version = SSL3_VERSION;
-        mask &= ~SSL_OP_NO_SSLv3;
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
                } else if (version == TLS1_VERSION) {
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
-                } else if (version == SSL3_VERSION) {
-                        version_major = SSL3_VERSION_MAJOR;
-                        version_minor = SSL3_VERSION_MINOR;
                } else {
                        SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
                        return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
            (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
                /* we have sslv3 or tls1 (server hello or alert) */
-                if ((p[2] == SSL3_VERSION_MINOR) &&
+                if ((p[2] == TLS1_VERSION_MINOR) &&
-                    !(s->options & SSL_OP_NO_SSLv3)) {
-                        s->version = SSL3_VERSION;
-                        s->method = SSLv3_client_method();
-                } else if ((p[2] == TLS1_VERSION_MINOR) &&
                    !(s->options & SSL_OP_NO_TLSv1)) {
                        s->version = TLS1_VERSION;
                        s->method = TLSv1_client_method();
diff --git a/src/lib/libssl/src/ssl/s23_meth.c b/src/lib/libssl/src/ssl/s23_meth.c
index 04152eda41..acc8315b91 100644
--- a/src/lib/libssl/src/ssl/s23_meth.c
+++ b/src/lib/libssl/src/ssl/s23_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_meth.c,v 1.19 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_meth.c,v 1.20 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -106,8 +106,6 @@ SSLv23_method(void)
 static const SSL_METHOD *
 ssl23_get_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_method());
        if (ver == TLS1_1_VERSION)
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index b524124681..7b2107680e 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
 static const SSL_METHOD *
 ssl23_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        if (ver == TLS1_VERSION)
                return (TLSv1_server_method());
        if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                                s->version = SSL3_VERSION;
+                                                type = 1;
-                                                /* type=2; */
-                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
                                                type = 1;
                                        }
                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
+                                        type = 1;
-                                        /* type=2; */
-                                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
                                } else if (!(s->options & SSL_OP_NO_SSLv2))
                                        type = 1;
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
                                }
                        } else {
-                                /* client requests SSL 3.0 */
+                                if (!(s->options & SSL_OP_NO_TLSv1)) {
-                                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                                        s->version = SSL3_VERSION;
-                                        type = 3;
-                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else if (s->version == TLS1_VERSION)
-                        s->method = TLSv1_server_method();
                else
-                        s->method = SSLv3_server_method();
+                        s->method = TLSv1_server_method();
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index b739711732..30f679eac3 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -170,12 +170,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
-    "SSLv3_client_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_client_method(void)
-{
-        return &SSLv3_client_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_client_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_client_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index c8bdac0214..42396a21e9 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
        s->s3->total_renegotiations = 0;
        s->s3->num_renegotiations = 0;
        s->s3->in_read_app_data = 0;
-        s->version = SSL3_VERSION;
+        s->version = TLS1_VERSION;
        free(s->next_proto_negotiated);
        s->next_proto_negotiated = NULL;
diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c
index c5f043e944..43fcbd4ade 100644
--- a/src/lib/libssl/src/ssl/s3_meth.c
+++ b/src/lib/libssl/src/ssl/s3_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_meth.c,v 1.15 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,12 +62,6 @@
 #include "ssl_locl.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_method,
-    "SSLv3_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_method(int ver);
 const SSL_METHOD SSLv3_method_data = {
@@ -102,16 +96,8 @@ const SSL_METHOD SSLv3_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_method(void)
-{
-        return &SSLv3_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 7d2ec4d132..5574884b89 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -166,12 +166,6 @@
 #include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
-    "SSLv3_server_method() enables the use of insecure protocols");
-#endif
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
        .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
 };
-const SSL_METHOD *
-SSLv3_server_method(void)
-{
-        return &SSLv3_server_method_data;
-}
 static const SSL_METHOD *
 ssl3_get_server_method(int ver)
 {
-        if (ver == SSL3_VERSION)
-                return (SSLv3_server_method());
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 0cd220778b..e7873f5ed4 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv3_method(void);           /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void);    /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void);    /* SSLv3 */
 const SSL_METHOD *SSLv23_method(void);          /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_server_method(void);   /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_client_method(void);   /* SSLv3 or TLSv1.* */
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 629ad03554..a93c16de65 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
                return (SSL_TXT_DTLS1_BAD);
        case DTLS1_VERSION:
                return (SSL_TXT_DTLS1);
-        case SSL3_VERSION:
-                return (SSL_TXT_SSLV3);
        case TLS1_VERSION:
                return (SSL_TXT_TLSV1);
        case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
            max_version >= TLS1_VERSION)
                return (TLS1_VERSION);
-        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
-            max_version >= SSL3_VERSION)
-                return (SSL3_VERSION);
        return (0);
 }
diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c
index ef5b9be56d..a688b9ef41 100644
--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)
        if (session) {
                switch (s->version) {
-                case SSL3_VERSION:
                case TLS1_VERSION:
                case TLS1_1_VERSION:
                case TLS1_2_VERSION:
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 0cd220778b..e7873f5ed4 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv3_method(void);           /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void);    /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void);    /* SSLv3 */
 const SSL_METHOD *SSLv23_method(void);          /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_server_method(void);   /* SSLv3 or TLSv1.* */
 const SSL_METHOD *SSLv23_client_method(void);   /* SSLv3 or TLSv1.* */
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 629ad03554..a93c16de65 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
                return (SSL_TXT_DTLS1_BAD);
        case DTLS1_VERSION:
                return (SSL_TXT_DTLS1);
-        case SSL3_VERSION:
-                return (SSL_TXT_SSLV3);
        case TLS1_VERSION:
                return (SSL_TXT_TLSV1);
        case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
            max_version >= TLS1_VERSION)
                return (TLS1_VERSION);
-        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
-            max_version >= SSL3_VERSION)
-                return (SSL3_VERSION);
        return (0);
 }
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index ef5b9be56d..a688b9ef41 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)
        if (session) {
                switch (s->version) {
-                case SSL3_VERSION:
                case TLS1_VERSION:
                case TLS1_1_VERSION:
                case TLS1_2_VERSION: