From 2a0ad3abadc99c32f111a2f2aaa9131c0acf27cb Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Wed, 15 Oct 2014 21:02:39 +0000
Subject: Fuck it. No SSLv3; not now, not ever. The API of the future will only
 support the protocols of the future.

(Perhaps a bit late in burning this bridge entirely, but there's no time
like the present, esp. with other players now leaning against back compat.)
---
 src/lib/libressl/ressl.c      | 6 ++----
 src/lib/libressl/ressl.h      | 3 +--
 src/lib/libressl/ressl_init.3 | 3 +--
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index b500c83063..06c7d54cc2 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.17 2014/10/15 14:11:47 jsing Exp $ */
+/* $OpenBSD: ressl.c,v 1.18 2014/10/15 21:02:39 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -172,14 +172,12 @@ int
 ressl_configure_ssl(struct ressl *ctx)
 {
 	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 
-	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
 	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
 
-	if ((ctx->config->protocols & RESSL_PROTOCOL_SSLv3) == 0)
-		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
 	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0)
 		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
 	if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0)
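Review bot: With the SSLv3 bit gone, the visible part of `ressl_configure_ssl` still never checks that at least one TLS bit is set in `ctx->config->protocols`. A caller built against the old header that passes only bit 0 (the former `RESSL_PROTOCOL_SSLv3`) therefore ends up with every version disabled, and presumably learns of it only when the handshake fails. That fails closed, which is the safe direction, but an early guard such as `if ((ctx->config->protocols & (RESSL_PROTOCOL_TLSv1_0 | RESSL_PROTOCOL_TLSv1_1 | RESSL_PROTOCOL_TLSv1_2)) == 0)` followed by the function's usual error return would surface the misconfiguration at configure time. The two unconditional calls could also be merged into `SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` with a comment like `/* SSLv2 and SSLv3 are never negotiable, regardless of config->protocols. */`. The function body continues past the end of the hunk, so such a check may already exist further down.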
diff --git a/src/lib/libressl/ressl.h b/src/lib/libressl/ressl.h
index 8fa2788077..4ca2507f5a 100644
--- a/src/lib/libressl/ressl.h
+++ b/src/lib/libressl/ressl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.h,v 1.20 2014/10/14 22:05:28 tedu Exp $ */
+/* $OpenBSD: ressl.h,v 1.21 2014/10/15 21:02:39 tedu Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -20,7 +20,6 @@
 
 #define RESSL_API	20141008
 
-#define RESSL_PROTOCOL_SSLv3	(1 << 0)
 #define RESSL_PROTOCOL_TLSv1_0	(1 << 1)
 #define RESSL_PROTOCOL_TLSv1_1	(1 << 2)
 #define RESSL_PROTOCOL_TLSv1_2	(1 << 3)
diff --git a/src/lib/libressl/ressl_init.3 b/src/lib/libressl/ressl_init.3
index 90a35fba7d..1ba6b460b5 100644
--- a/src/lib/libressl/ressl_init.3
+++ b/src/lib/libressl/ressl_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ressl_init.3,v 1.7 2014/10/15 19:57:43 jmc Exp $
+.\" $OpenBSD: ressl_init.3,v 1.8 2014/10/15 21:02:39 tedu Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -217,7 +217,6 @@ sets which versions of the protocol may be used.
 Possible values are the bitwise OR of:
 .Pp
 .Bl -tag -width "RESSL_PROTOCOL_TLSv1_2" -offset indent -compact
-.It Dv RESSL_PROTOCOL_SSLv3
 .It Dv RESSL_PROTOCOL_TLSv1_0
 .It Dv RESSL_PROTOCOL_TLSv1_1
 .It Dv RESSL_PROTOCOL_TLSv1_2
-- 
cgit v1.2.3-55-g6feb