From 4d132fdc372189fa2be2978dc75a3654032aaec6 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 11 Apr 2018 17:47:36 +0000
Subject: Nuke SSL_OP_TLS_ROLLBACK_BUG - this is a workaround for buggy clients from around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also helps to clean up the RSA key exchange code. ok "kill it with fire" beck@ tb@
---
 src/lib/libssl/ssl.h | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'src/lib/libssl/ssl.h')
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 78a6787d43..143dd8a003 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.154 2018/03/20 15:28:12 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.155 2018/04/11 17:47:36 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -507,11 +507,6 @@ struct ssl_session_st {
 /* Set on servers to choose the cipher according to the server's
 * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
-/* If set, a server will allow a client to issue a SSLv3.0 version number
- * as latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks. */
-#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
 #define SSL_OP_NO_TLSv1 0x04000000L
 #define SSL_OP_NO_TLSv1_2 0x08000000L
@@ -545,6 +540,7 @@ struct ssl_session_st {
 #define SSL_OP_TLSEXT_PADDING 0x0
 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0
 #define SSL_OP_TLS_D5_BUG 0x0
+#define SSL_OP_TLS_ROLLBACK_BUG 0x0
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
 * when just a single record has been written): */
-- cgit v1.2.3-55-g6feb
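Review bot: The third hunk re-adds `SSL_OP_TLS_ROLLBACK_BUG` as `0x0` with no comment, and the second hunk frees bit `0x00800000L` without marking it as retired. Binaries built against the previous header will presumably keep passing `0x00800000L` when they set options, so if that bit is later assigned to a new option they would switch it on unintentionally. A placeholder where the define was removed would prevent this, for example `/* 0x00800000L was SSL_OP_TLS_ROLLBACK_BUG; leave unassigned. */`. The list of zero-valued defines starts above the hunk, so a group comment may already say these are accepted no-ops; if not, a short comment on the new line should say the flag is ignored, and (judging from the commit message) that the premaster-secret version check can no longer be relaxed.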