Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/opensslfeatures.h2
-rw-r--r--lib/libssl/s23_clnt.c18
-rw-r--r--lib/libssl/s23_srvr.c25
-rw-r--r--lib/libssl/s3_clnt.c16
-rw-r--r--lib/libssl/s3_lib.c4
-rw-r--r--lib/libssl/s3_srvr.c16
-rw-r--r--lib/libssl/ssl.h6
-rw-r--r--lib/libssl/ssl_lib.c7
-rw-r--r--lib/libssl/ssl_sess.c3
9 files changed, 17 insertions, 80 deletions
diff --git a/lib/libcrypto/opensslfeatures.h b/lib/libcrypto/opensslfeatures.h
index 45848c5a357..6b6784754dd 100644
--- a/lib/libcrypto/opensslfeatures.h
+++ b/lib/libcrypto/opensslfeatures.h
@@ -15,6 +15,8 @@
# define OPENSSL_NO_SEED
# define OPENSSL_NO_SRP
# define OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL3
+# define OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_STORE
# define OPENSSL_NO_BUF_FREELISTS
# define OPENSSL_NO_HEARTBEATS
diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c
index 458eb37d5f2..a99a7691bd4 100644
--- a/lib/libssl/s23_clnt.c
+++ b/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.40 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.41 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -196,8 +196,6 @@ SSLv23_client_method(void)
static const SSL_METHOD *
ssl23_get_client_method(int ver)
{
- if (ver == SSL3_VERSION)
- return (SSLv3_client_method());
if (ver == TLS1_VERSION)
return (TLSv1_client_method());
if (ver == TLS1_1_VERSION)
@@ -331,7 +329,7 @@ ssl23_client_hello(SSL *s)
* TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
* answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
*/
- mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3;
+ mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1;
version = TLS1_2_VERSION;
if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
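Review bot: The explanatory comment just above the changed mask still gives the all-disabled answer as `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`, while the new mask only carries `SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1`, so the comment no longer describes the code it sits on; that comment begins before this hunk. Suggest dropping the SSLv3/SSLv2 flags from the example so it reads `the answer is SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1`. The same stale wording survives in `/* we have sslv3 or tls1 (server hello or alert) */` in the ssl23_get_server_hello hunk further down this file, and in the `/* SSLv3 or TLSv1.* */` comments on the three SSLv23_* prototypes in the ssl.h hunk; with SSLv3 gone those should say TLSv1.* only.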
@@ -340,9 +338,6 @@ ssl23_client_hello(SSL *s)
if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
mask &= ~SSL_OP_NO_TLSv1;
- if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
- version = SSL3_VERSION;
- mask &= ~SSL_OP_NO_SSLv3;
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
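Review bot: With the SSL3 fallback removed, `mask &= ~SSL_OP_NO_TLSv1;` on the line before `buf = ...` looks like a dead store: it only fed the deleted comparison, and nothing in the hunk reads mask afterwards (ssl23_client_hello continues past the hunk, so confirm there is no later use before deleting it). A second consequence is that version can now only end as TLS1_2_VERSION, TLS1_1_VERSION or TLS1_VERSION, because when all three NO_TLSv1* options are set the first `(options & mask) != mask` test is false and version stays TLS1_2_VERSION; the SSL_R_NO_PROTOCOLS_AVAILABLE branch in the next hunk is therefore unreachable and a client that disabled every TLS version still sends a TLS 1.2 hello. Unless an earlier part of the function already rejects that case, an explicit up-front check such as `if ((options & (SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1)) == (SSL_OP_NO_TLSv1_2|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1))` returning that error would make the options honoured.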
@@ -357,9 +352,6 @@ ssl23_client_hello(SSL *s)
} else if (version == TLS1_VERSION) {
version_major = TLS1_VERSION_MAJOR;
version_minor = TLS1_VERSION_MINOR;
- } else if (version == SSL3_VERSION) {
- version_major = SSL3_VERSION_MAJOR;
- version_minor = SSL3_VERSION_MINOR;
} else {
SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
return (-1);
@@ -494,11 +486,7 @@ ssl23_get_server_hello(SSL *s)
(p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
/* we have sslv3 or tls1 (server hello or alert) */
- if ((p[2] == SSL3_VERSION_MINOR) &&
- !(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- s->method = SSLv3_client_method();
- } else if ((p[2] == TLS1_VERSION_MINOR) &&
+ if ((p[2] == TLS1_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_TLSv1)) {
s->version = TLS1_VERSION;
s->method = TLSv1_client_method();
diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c
index b5241246811..7b2107680e7 100644
--- a/lib/libssl/s23_srvr.c
+++ b/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.41 2015/07/19 07:30:06 doug Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.42 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -194,8 +194,6 @@ SSLv23_server_method(void)
static const SSL_METHOD *
ssl23_get_server_method(int ver)
{
- if (ver == SSL3_VERSION)
- return (SSLv3_server_method());
if (ver == TLS1_VERSION)
return (TLSv1_server_method());
if (ver == TLS1_1_VERSION)
@@ -357,16 +355,12 @@ ssl23_get_client_hello(SSL *s)
/* type=2; */ /* done later to survive restarts */
s->state = SSL23_ST_SR_CLNT_HELLO_B;
} else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- /* type=2; */
- s->state = SSL23_ST_SR_CLNT_HELLO_B;
+ type = 1;
} else if (!(s->options & SSL_OP_NO_SSLv2)) {
type = 1;
}
} else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- /* type=2; */
- s->state = SSL23_ST_SR_CLNT_HELLO_B;
+ type = 1;
} else if (!(s->options & SSL_OP_NO_SSLv2))
type = 1;
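Review bot: Both added `type = 1;` branches are now identical to the `SSL_OP_NO_SSLv2` branches immediately after them, so in each chain an SSLv2-format hello advertising an SSL 3.x version takes the type-1 (SSLv2 hello) path whenever either SSL_OP_NO_SSLv3 or SSL_OP_NO_SSLv2 is unset, and the SSL_OP_NO_SSLv3 test no longer selects a distinct outcome. Presumably the type == 1 handling later in ssl23_get_client_hello (outside the hunk) rejects the connection now that SSLv2 is compiled out, but that intent is invisible here. At minimum a comment on each added branch, `/* SSLv3 no longer supported; fall into the SSLv2 rejection path */`, would record why a NO_SSLv3 check leads to an SSLv2 type; folding the two conditions into a single `else if` would also remove the duplication.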
@@ -415,16 +409,9 @@ ssl23_get_client_hello(SSL *s)
} else if (!(s->options & SSL_OP_NO_TLSv1)) {
s->version = TLS1_VERSION;
type = 3;
- } else if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- type = 3;
}
} else {
- /* client requests SSL 3.0 */
- if (!(s->options & SSL_OP_NO_SSLv3)) {
- s->version = SSL3_VERSION;
- type = 3;
- } else if (!(s->options & SSL_OP_NO_TLSv1)) {
+ if (!(s->options & SSL_OP_NO_TLSv1)) {
/* we won't be able to use TLS of course,
* but this will send an appropriate alert */
s->version = TLS1_VERSION;
@@ -587,10 +574,8 @@ ssl23_get_client_hello(SSL *s)
s->method = TLSv1_2_server_method();
else if (s->version == TLS1_1_VERSION)
s->method = TLSv1_1_server_method();
- else if (s->version == TLS1_VERSION)
- s->method = TLSv1_server_method();
else
- s->method = SSLv3_server_method();
+ s->method = TLSv1_server_method();
s->handshake_func = s->method->ssl_accept;
}
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index b739711732b..30f679eac35 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.122 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -170,12 +170,6 @@
#include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_client_method,
- "SSLv3_client_method() enables the use of insecure protocols");
-#endif
-
static const SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
@@ -211,17 +205,9 @@ const SSL_METHOD SSLv3_client_method_data = {
.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
};
-const SSL_METHOD *
-SSLv3_client_method(void)
-{
- return &SSLv3_client_method_data;
-}
-
static const SSL_METHOD *
ssl3_get_client_method(int ver)
{
- if (ver == SSL3_VERSION)
- return (SSLv3_client_method());
return (NULL);
}
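Review bot: ssl3_get_client_method now ignores its `ver` argument and unconditionally returns NULL, which reads as an oversight without a comment; suggest `/* SSLv3 has been removed: no SSL_METHOD is selectable for any version here */` above the `return (NULL);`. The SSLv3_client_method_data table whose tail is visible at the top of the hunk (its definition starts outside it) keeps external linkage even though its only public accessor, SSLv3_client_method(), is deleted in this hunk; if nothing outside this file references the table, marking it `static` would stop it from remaining an exported symbol. The same two points apply to ssl3_get_server_method and SSLv3_server_method_data in the s3_srvr.c hunk below.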
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index c8bdac0214b..42396a21e9d 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.99 2015/07/19 06:23:51 doug Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.100 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2112,7 +2112,7 @@ ssl3_clear(SSL *s)
s->s3->total_renegotiations = 0;
s->s3->num_renegotiations = 0;
s->s3->in_read_app_data = 0;
- s->version = SSL3_VERSION;
+ s->version = TLS1_VERSION;
free(s->next_proto_negotiated);
s->next_proto_negotiated = NULL;
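Review bot: `s->version = TLS1_VERSION;` in ssl3_clear silently changes what SSL_version() reports on a fresh or cleared object from SSLv3 to TLSv1, and the constant carries no explanation of why this particular value is the reset; a why-comment such as `/* lowest protocol version still supported now that SSLv3 is gone */` would make the choice deliberate rather than arbitrary. ssl3_clear starts outside the hunk, so I cannot tell whether the method's own version would be a better reset value; worth confirming the SSLv23 methods are happy with this default.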
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 7d2ec4d1328..5574884b896 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.113 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -166,12 +166,6 @@
#include "bytestring.h"
-#ifdef __OpenBSD__
-#include <sys/cdefs.h>
-__warn_references(SSLv3_server_method,
- "SSLv3_server_method() enables the use of insecure protocols");
-#endif
-
static const SSL_METHOD *ssl3_get_server_method(int ver);
const SSL_METHOD SSLv3_server_method_data = {
@@ -206,17 +200,9 @@ const SSL_METHOD SSLv3_server_method_data = {
.ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
};
-const SSL_METHOD *
-SSLv3_server_method(void)
-{
- return &SSLv3_server_method_data;
-}
-
static const SSL_METHOD *
ssl3_get_server_method(int ver)
{
- if (ver == SSL3_VERSION)
- return (SSLv3_server_method());
return (NULL);
}
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 0cd220778b9..e7873f5ed49 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.92 2015/07/19 06:31:32 doug Exp $ */
+/* $OpenBSD: ssl.h,v 1.93 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1676,10 +1676,6 @@ const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
-const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
-const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
-
const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */
const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */
const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */
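Review bot: Dropping the SSLv3_method, SSLv3_server_method and SSLv3_client_method prototypes from the public header is an API/ABI break for any consumer still calling them, which appears intentional, but only the client and server definitions are deleted in this diff (s3_clnt.c and s3_srvr.c); the file defining SSLv3_method() itself is not in the diffstat. If that definition still exists it now compiles without a prototype and stays an exported symbol with no declaration, so either remove it in the same change or document why it is retained. The OPENSSL_NO_SSL3 / OPENSSL_NO_SSL3_METHOD defines added to opensslfeatures.h should let downstream code detect the removal at compile time, so a note in the header pointing to them would help consumers migrate.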
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 629ad035542..a93c16de65a 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.105 2015/07/19 20:32:18 doug Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.106 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2549,8 +2549,6 @@ ssl_version_string(int ver)
return (SSL_TXT_DTLS1_BAD);
case DTLS1_VERSION:
return (SSL_TXT_DTLS1);
- case SSL3_VERSION:
- return (SSL_TXT_SSLV3);
case TLS1_VERSION:
return (SSL_TXT_TLSV1);
case TLS1_1_VERSION:
@@ -2591,9 +2589,6 @@ ssl_max_server_version(SSL *s)
if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
max_version >= TLS1_VERSION)
return (TLS1_VERSION);
- if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
- max_version >= SSL3_VERSION)
- return (SSL3_VERSION);
return (0);
}
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index ef5b9be56d1..a688b9ef410 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.45 2015/07/21 03:34:38 doug Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.46 2015/08/27 06:21:15 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -300,7 +300,6 @@ ssl_get_new_session(SSL *s, int session)
if (session) {
switch (s->version) {
- case SSL3_VERSION:
case TLS1_VERSION:
case TLS1_1_VERSION:
case TLS1_2_VERSION: