16 files changed, 6 insertions, 486 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 69f3d45734..80a4c076bf 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1220,14 +1220,7 @@ start:
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences are not as expected (and
-                        * because this is not really needed for clients except for detecting
-       * protocol violations): */
-                        s->state = SSL_ST_BEFORE |
-                            (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
                        s->renegotiate = 1;
                        s->new_session = 1;
                }
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 8010d72fa7..c63ede8680 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -324,12 +324,7 @@ ssl23_get_client_hello(SSL *s)
                         * so we simply assume TLS 1.0 to avoid protocol version downgrade
                         * attacks. */
                        if (p[3] == 0 && p[4] < 6) {
-#if 0
-                                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL);
-                                goto err;
-#else
                                v[1] = TLS1_VERSION_MINOR;
-#endif
                        }
                        /* if major version number > 3 set minor to a value
                         * which will use the highest version 3 we support.
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index abae12a8d1..8aef4b4f3d 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -920,15 +920,9 @@ ssl3_get_server_hello(SSL *s)
        if (s->session->cipher)
                s->session->cipher_id = s->session->cipher->id;
        if (s->hit && (s->session->cipher_id != c->id)) {
-/* Workaround is now obsolete */
+                al = SSL_AD_ILLEGAL_PARAMETER;
-#if 0
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+                goto f_err;
-#endif
-                {
-                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                        goto f_err;
-                }
        }
        s->s3->tmp.new_cipher = c;
        /* Don't digest cached records if TLS v1.2: we may need them for
@@ -1763,14 +1757,6 @@ ssl3_get_certificate_request(SSL *s)
        /* get the CA RDNs */
        n2s(p, llen);
-#if 0
-        {
-                FILE *out;
-                out = fopen("/tmp/vsign.der", "w");
-                fwrite(p, 1, llen, out);
-                fclose(out);
-        }
-#endif
        if ((unsigned long)(p - d + llen) != n) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 288d885d9e..7833779f6b 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -605,58 +605,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
                168,
                168,
        },
-/* Fortezza ciphersuite from SSL 3.0 spec */
-#if 0
-/* Cipher 1C */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_NULL_SHA,
-                SSL3_CK_FZA_DMS_NULL_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_eNULL,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_STRONG_NONE,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                0,
-                0,
-        },
-/* Cipher 1D */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_FZA_SHA,
-                SSL3_CK_FZA_DMS_FZA_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_eFZA,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_STRONG_NONE,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                0,
-                0,
-        },
-/* Cipher 1E */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_RC4_SHA,
-                SSL3_CK_FZA_DMS_RC4_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_MEDIUM,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                128,
-                128,
-        },
-#endif
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers*/
 /* Cipher 1E */
@@ -1268,123 +1216,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif /* OPENSSL_NO_CAMELLIA */
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-        /* New TLS Export CipherSuites from expired ID */
-#if 0
-        /* Cipher 60 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC4,
-                SSL_MD5,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 61 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC2,
-                SSL_MD5,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-#endif
-        /* Cipher 62 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_DES,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                56,
-        },
-        /* Cipher 63 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-                TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_DES,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                56,
-        },
-        /* Cipher 64 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 65 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-                TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 66 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-                TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_NOT_EXP|SSL_MEDIUM,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                128,
-                128,
-        },
-#endif
        /* TLS v1.2 ciphersuites */
        /* Cipher 67 */
        {
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index d6c8756a1a..e901268a34 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -313,9 +313,6 @@ again:
                ssl_minor= *(p++);
                version = (ssl_major << 8)|ssl_minor;
                n2s(p, rr->length);
-#if 0
-                fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
                /* Lets check version */
                if (!s->first_packet) {
@@ -495,10 +492,6 @@ again:
        if (rr->length == 0)
                goto again;
-#if 0
-        fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
        return (1);
 f_err:
@@ -1214,14 +1207,7 @@ start:
        if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences are not as expected (and
-                        * because this is not really needed for clients except for detecting
-       * protocol violations): */
-                        s->state = SSL_ST_BEFORE |
-                            (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
                        s->renegotiate = 1;
                        s->new_session = 1;
                }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 19e0495fe6..79b89d7e95 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1129,24 +1129,6 @@ ssl3_get_client_hello(SSL *s)
                                break;
                        }
                }
-/*
- * Disabled because it can be used in a ciphersuite downgrade
- * attack: CVE-2010-4180.
- */
-#if 0
-                if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
-                        /* Special case as client bug workaround: the previously used cipher may
-                         * not be in the current list, the client instead might be trying to
-                         * continue using a cipher that before wasn't chosen due to server
-                         * preferences.  We'll have to reject the connection if the cipher is not
-                         * enabled, though. */
-                        c = sk_SSL_CIPHER_value(ciphers, 0);
-                        if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
-                                s->session->cipher = c;
-                                j = 1;
-                        }
-                }
-#endif
                if (j == 0) {
                        /* we need to have the cipher in the cipher
                         * list if we are asked to reuse it */
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index 69f3d45734..80a4c076bf 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -1220,14 +1220,7 @@ start:
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences are not as expected (and
-                        * because this is not really needed for clients except for detecting
-       * protocol violations): */
-                        s->state = SSL_ST_BEFORE |
-                            (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
                        s->renegotiate = 1;
                        s->new_session = 1;
                }
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index 8010d72fa7..c63ede8680 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -324,12 +324,7 @@ ssl23_get_client_hello(SSL *s)
                         * so we simply assume TLS 1.0 to avoid protocol version downgrade
                         * attacks. */
                        if (p[3] == 0 && p[4] < 6) {
-#if 0
-                                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL);
-                                goto err;
-#else
                                v[1] = TLS1_VERSION_MINOR;
-#endif
                        }
                        /* if major version number > 3 set minor to a value
                         * which will use the highest version 3 we support.
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index abae12a8d1..8aef4b4f3d 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -920,15 +920,9 @@ ssl3_get_server_hello(SSL *s)
        if (s->session->cipher)
                s->session->cipher_id = s->session->cipher->id;
        if (s->hit && (s->session->cipher_id != c->id)) {
-/* Workaround is now obsolete */
+                al = SSL_AD_ILLEGAL_PARAMETER;
-#if 0
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
+                goto f_err;
-#endif
-                {
-                        al = SSL_AD_ILLEGAL_PARAMETER;
-                        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-                        goto f_err;
-                }
        }
        s->s3->tmp.new_cipher = c;
        /* Don't digest cached records if TLS v1.2: we may need them for
@@ -1763,14 +1757,6 @@ ssl3_get_certificate_request(SSL *s)
        /* get the CA RDNs */
        n2s(p, llen);
-#if 0
-        {
-                FILE *out;
-                out = fopen("/tmp/vsign.der", "w");
-                fwrite(p, 1, llen, out);
-                fclose(out);
-        }
-#endif
        if ((unsigned long)(p - d + llen) != n) {
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 288d885d9e..7833779f6b 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -605,58 +605,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
                168,
                168,
        },
-/* Fortezza ciphersuite from SSL 3.0 spec */
-#if 0
-/* Cipher 1C */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_NULL_SHA,
-                SSL3_CK_FZA_DMS_NULL_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_eNULL,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_STRONG_NONE,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                0,
-                0,
-        },
-/* Cipher 1D */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_FZA_SHA,
-                SSL3_CK_FZA_DMS_FZA_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_eFZA,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_STRONG_NONE,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                0,
-                0,
-        },
-/* Cipher 1E */
-        {
-                0,
-                SSL3_TXT_FZA_DMS_RC4_SHA,
-                SSL3_CK_FZA_DMS_RC4_SHA,
-                SSL_kFZA,
-                SSL_aFZA,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_SSLV3,
-                SSL_NOT_EXP|SSL_MEDIUM,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                128,
-                128,
-        },
-#endif
 #ifndef OPENSSL_NO_KRB5
 /* The Kerberos ciphers*/
 /* Cipher 1E */
@@ -1268,123 +1216,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif /* OPENSSL_NO_CAMELLIA */
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-        /* New TLS Export CipherSuites from expired ID */
-#if 0
-        /* Cipher 60 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC4,
-                SSL_MD5,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 61 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC2,
-                SSL_MD5,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-#endif
-        /* Cipher 62 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_DES,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                56,
-        },
-        /* Cipher 63 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-                TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_DES,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                56,
-        },
-        /* Cipher 64 */
-        {
-                1,
-                TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-                SSL_kRSA,
-                SSL_aRSA,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 65 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-                TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_EXPORT|SSL_EXP56,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                56,
-                128,
-        },
-        /* Cipher 66 */
-        {
-                1,
-                TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-                TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-                SSL_kEDH,
-                SSL_aDSS,
-                SSL_RC4,
-                SSL_SHA1,
-                SSL_TLSV1,
-                SSL_NOT_EXP|SSL_MEDIUM,
-                SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-                128,
-                128,
-        },
-#endif
        /* TLS v1.2 ciphersuites */
        /* Cipher 67 */
        {
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index d6c8756a1a..e901268a34 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -313,9 +313,6 @@ again:
                ssl_minor= *(p++);
                version = (ssl_major << 8)|ssl_minor;
                n2s(p, rr->length);
-#if 0
-                fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
                /* Lets check version */
                if (!s->first_packet) {
@@ -495,10 +492,6 @@ again:
        if (rr->length == 0)
                goto again;
-#if 0
-        fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
        return (1);
 f_err:
@@ -1214,14 +1207,7 @@ start:
        if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                    !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences are not as expected (and
-                        * because this is not really needed for clients except for detecting
-       * protocol violations): */
-                        s->state = SSL_ST_BEFORE |
-                            (s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
                        s->renegotiate = 1;
                        s->new_session = 1;
                }
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 19e0495fe6..79b89d7e95 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1129,24 +1129,6 @@ ssl3_get_client_hello(SSL *s)
                                break;
                        }
                }
-/*
- * Disabled because it can be used in a ciphersuite downgrade
- * attack: CVE-2010-4180.
- */
-#if 0
-                if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) {
-                        /* Special case as client bug workaround: the previously used cipher may
-                         * not be in the current list, the client instead might be trying to
-                         * continue using a cipher that before wasn't chosen due to server
-                         * preferences.  We'll have to reject the connection if the cipher is not
-                         * enabled, though. */
-                        c = sk_SSL_CIPHER_value(ciphers, 0);
-                        if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
-                                s->session->cipher = c;
-                                j = 1;
-                        }
-                }
-#endif
                if (j == 0) {
                        /* we need to have the cipher in the cipher
                         * list if we are asked to reuse it */
diff --git a/src/lib/libssl/src/ssl/ssl_algs.c b/src/lib/libssl/src/ssl/ssl_algs.c
index aaecb2da0f..3c7006ed91 100644
--- a/src/lib/libssl/src/ssl/ssl_algs.c
+++ b/src/lib/libssl/src/ssl/ssl_algs.c
@@ -118,11 +118,6 @@ SSL_library_init(void)
 #ifndef OPENSSL_NO_ECDSA
        EVP_add_digest(EVP_ecdsa());
 #endif
-        /* If you want support for phased out ciphers, add the following */
-#if 0
-        EVP_add_digest(EVP_sha());
-        EVP_add_digest(EVP_dss());
-#endif
 #ifndef OPENSSL_NO_COMP
        /* This will initialise the built-in compression algorithms.
           The value returned is a STACK_OF(SSL_COMP), but that can
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 37fff3a38f..dc36747833 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -197,18 +197,10 @@ SSL_clear(SSL *s)
        s->hit = 0;
        s->shutdown = 0;
-#if 0 /* Disabled since version 1.10 of this file (early return not
-       * needed because SSL_clear is not called when doing renegotiation) */
-        /* This is set if we are doing dynamic renegotiation so keep
-         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-        if (s->renegotiate)
-                return (1);
-#else
        if (s->renegotiate) {
                SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
                return 0;
        }
-#endif
        s->type = 0;
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index aaecb2da0f..3c7006ed91 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -118,11 +118,6 @@ SSL_library_init(void)
 #ifndef OPENSSL_NO_ECDSA
        EVP_add_digest(EVP_ecdsa());
 #endif
-        /* If you want support for phased out ciphers, add the following */
-#if 0
-        EVP_add_digest(EVP_sha());
-        EVP_add_digest(EVP_dss());
-#endif
 #ifndef OPENSSL_NO_COMP
        /* This will initialise the built-in compression algorithms.
           The value returned is a STACK_OF(SSL_COMP), but that can
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 37fff3a38f..dc36747833 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -197,18 +197,10 @@ SSL_clear(SSL *s)
        s->hit = 0;
        s->shutdown = 0;
-#if 0 /* Disabled since version 1.10 of this file (early return not
-       * needed because SSL_clear is not called when doing renegotiation) */
-        /* This is set if we are doing dynamic renegotiation so keep
-         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-        if (s->renegotiate)
-                return (1);
-#else
        if (s->renegotiate) {
                SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
                return 0;
        }
-#endif
        s->type = 0;