Commit 4402bc95fa for openssl.org
commit 4402bc95faa16014ecff27096ca5fdaa5f47b487
Author: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Date: Mon Apr 13 16:58:04 2026 +0200
Removes some stale SSLv3 support around the code and updates documentation to reflect removal.
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Jun 30 11:04:18 2026
(Merged from https://github.com/openssl/openssl/pull/30824)
diff --git a/doc/designs/quic-design/quic-api-ssl-funcs.md b/doc/designs/quic-design/quic-api-ssl-funcs.md
index 6333bafab8..37229c26e6 100644
--- a/doc/designs/quic-design/quic-api-ssl-funcs.md
+++ b/doc/designs/quic-design/quic-api-ssl-funcs.md
@@ -108,9 +108,6 @@ Notes:
| `SSL_test_functions` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
| `SSL_select_next_proto` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
| **⇒ Methods** | | | | | |
-| `SSLv3_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `SSLv3_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
-| `SSLv3_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
| `TLS_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
| `TLS_client_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
| `TLS_server_method` | Global | 🟩U | 🟦U | 🟩NC | 🟢Done |
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index c7e1291c83..db8b6e55e1 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -269,12 +269,12 @@ Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
Cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
keys.
-=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
+=item B<TLSv1.2>, B<TLSv1.0>
-Lists cipher suites introduced in TLS v1.2, TLS v1.0 or SSL v3.0 respectively.
+Lists cipher suites introduced in TLS v1.2 or TLS v1.0 respectively.
Note: there are no cipher suites specific to TLS v1.1.
-Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
-then both TLSv1.0 and SSLv3.0 cipher suites are available.
+Since this is only the minimum version, if, for example, TLSv1.2 is negotiated
+then both TLSv1.2 and TLSv1.0 cipher suites are available.
Note: these cipher strings B<do not> change the negotiated version of SSL or
TLS, they only affect the list of available cipher suites.
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index 4a159a68b8..d0cee8adf1 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -46,13 +46,11 @@ B<cipher> is NULL, it returns "(NONE)".
SSL_CIPHER_standard_name() returns a pointer to the standard RFC name of
B<cipher>. If the B<cipher> is NULL, it returns "(NONE)". If the B<cipher>
-has no standard name, it returns B<NULL>. If B<cipher> was defined in both
-SSLv3 and TLS, it returns the TLS name.
+has no standard name, it returns B<NULL>.
OPENSSL_cipher_name() returns a pointer to the OpenSSL name of B<stdname>.
If the B<stdname> is NULL, or B<stdname> has no corresponding OpenSSL name,
-it returns "(NONE)". Where both exist, B<stdname> should be the TLS name rather
-than the SSLv3 name.
+it returns "(NONE)".
SSL_CIPHER_get_bits() returns the number of secret bits used for B<cipher>.
If B<cipher> is NULL, 0 is returned.
diff --git a/doc/man3/SSL_COMP_add_compression_method.pod b/doc/man3/SSL_COMP_add_compression_method.pod
index 4b32023959..56f708ca88 100644
--- a/doc/man3/SSL_COMP_add_compression_method.pod
+++ b/doc/man3/SSL_COMP_add_compression_method.pod
@@ -40,7 +40,7 @@ maintain the internal table of compression methods.
=head1 NOTES
-The TLS standard (or SSLv3) allows the integration of compression methods
+The TLS standard allows the integration of compression methods
into the communication. The TLS RFC does however not specify compression
methods or their corresponding identifiers, so there is currently no compatible
way to integrate compression with unknown peers. It is therefore currently not
@@ -48,7 +48,7 @@ recommended to integrate compression into applications. Applications for
non-public use may agree on certain compression methods. Using different
compression methods with the same identifier will lead to connection failure.
-An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1)
+An OpenSSL client speaking a protocol that allows compression (TLSv1)
will unconditionally send the list of all compression methods enabled with
SSL_COMP_add_compression_method() to the server during the handshake.
Unlike the mechanisms to set a cipher list, there is no method available to
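Review bot: in "a protocol that allows compression (TLSv1)", dropping SSLv3 leaves a parenthetical that now reads as TLS 1.0 only. If the intent is every version before TLSv1.3, say so explicitly, for example "(TLSv1.2 and below)", so readers do not assume TLSv1.1 and TLSv1.2 clients skip the compression list.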
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ed15a784fa..15f969eb61 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -246,7 +246,7 @@ See L<openssl-ciphers(1)> for more information.
=item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>
Sets the minimum and maximum supported protocol.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+Currently supported protocol values are B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None>
for no limit.
If either the lower or upper bound is not specified then only the other bound
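Review bot: in the B<-min_protocol>/B<-max_protocol> entry, B<SSLv3> disappears from the list of accepted values with no word on what SSL_CONF_cmd() does when an existing configuration still passes it. The B<-no_ssl3> entry later in this file gets an explicit no-op note; a matching sentence here stating whether the value is now rejected or ignored would help anyone migrating old configuration files.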
@@ -309,12 +309,15 @@ operations are permitted.
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
-setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+Disables protocol support for TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
+setting the corresponding options B<SSL_OP_NO_TLSv1>,
B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
respectively. These options are deprecated, use B<-min_protocol> and
B<-max_protocol> instead.
+Note that B<-no_ssl3> is a no-op since support for SSLv3 was removed in OpenSSL
+4.0.
+
=item B<-anti_replay>, B<-no_anti_replay>
Switches replay protection, on or off respectively. With replay protection on,
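Review bot: the =item line still lists five switches, but the rewritten sentence pairs them "respectively" with four protocols and four SSL_OP_NO_* options, so the mapping is off by one until the reader reaches the trailing note. Consider stating first that B<-no_ssl3> is accepted and ignored, then describing the remaining four switches, so "respectively" lines up again.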
@@ -493,7 +496,7 @@ This is a synonym for the "Groups" command.
This sets the minimum supported SSL, TLS or DTLS version.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+Currently supported protocol values are B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
@@ -505,7 +508,7 @@ The value B<None> applies to both types of contexts and disables the limits.
This sets the maximum supported SSL, TLS or DTLS version.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+Currently supported protocol values are B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
@@ -528,7 +531,7 @@ effect.
Only enabling some protocol versions does not disable the other protocol
versions.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+Currently supported protocol values are B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The special value B<ALL> refers to all supported versions.
@@ -560,7 +563,7 @@ B<Compression>: SSL/TLS compression support, disabled by default. Inverse
of B<SSL_OP_NO_COMPRESSION>.
B<EmptyFragments>: use empty fragments as a countermeasure against a
-SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
+TLS 1.0 protocol vulnerability affecting CBC ciphers. It
is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
@@ -728,16 +731,15 @@ argument.
The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
+ SSL_CONF_cmd(ctx, "Protocol", "-TLSv1");
SSL_CONF_cmd(ctx, userparam, uservalue);
-it will disable SSLv3 support by default but the user can override it. If
+it will disable TLSv1 support by default but the user can override it. If
however the call sequence is:
SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
-
-SSLv3 is B<always> disabled and attempt to override this by the user are
+ SSL_CONF_cmd(ctx, "Protocol", "-TLSv1");
+TLSv1 is B<always> disabled and attempt to override this by the user are
ignored.
By checking the return code of SSL_CONF_cmd() it is possible to query if a
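Review bot: the empty line between the second verbatim example and the paragraph starting "TLSv1 is B<always> disabled" was dropped (the old text had a blank line after the "-SSLv3" call, the new text has none, and the hunk shrinks from 16 to 15 lines). Without it POD keeps the sentence inside the verbatim paragraph, so B<always> is rendered literally; please restore the blank line. While on that sentence, "attempt to override this by the user are ignored" would read better as "attempts by the user to override this are ignored".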
@@ -792,22 +794,22 @@ Set supported signature algorithms:
There are various ways to select the supported protocols.
-This set the minimum protocol version to TLSv1, and so disables SSLv3.
+This sets the minimum protocol version to TLSv1.1, and so disables TLSv1.
This is the recommended way to disable protocols.
- SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
+ SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.1");
-The following also disables SSLv3:
+The following also disables TLSv1:
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
+ SSL_CONF_cmd(ctx, "Protocol", "-TLSv1");
The following will first enable all protocols, and then disable
-SSLv3.
+TLSv1.
If no protocol versions were disabled before this has the same effect as
-"-SSLv3", but if some versions were disables this will re-enable them before
-disabling SSLv3.
+"-TLSv1", but if some versions were disables this will re-enable them before
+disabling TLSv1.
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
+ SSL_CONF_cmd(ctx, "Protocol", "ALL,-TLSv1");
Only enable TLSv1.2:
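Review bot: the new line ""-TLSv1", but if some versions were disables this will re-enable them" carries over the old typo and should read "were disabled". Separately, the example described as "the recommended way to disable protocols" now sets MinProtocol to TLSv1.1, a version that RFC 8996 deprecates together with TLSv1.0; since the example is being rewritten anyway, consider using TLSv1.2 as the minimum and adjusting the surrounding sentences to match.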
diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod
index d9b61dcce9..c1bf21ac42 100644
--- a/doc/man3/SSL_CTX_set_min_proto_version.pod
+++ b/doc/man3/SSL_CTX_set_min_proto_version.pod
@@ -39,7 +39,7 @@ controlled by system configuration.
Getters return 0 in case B<ctx> or B<ssl> have been configured to
automatically use the lowest or highest version supported by the library.
-Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>,
+Currently supported versions are B<TLS1_VERSION>,
B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<TLS1_3_VERSION> for TLS and
B<DTLS1_VERSION>, B<DTLS1_2_VERSION> for DTLS.
diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod
index c1748bbd8a..7acc796a24 100644
--- a/doc/man3/SSL_CTX_set_msg_callback.pod
+++ b/doc/man3/SSL_CTX_set_msg_callback.pod
@@ -108,8 +108,8 @@ processed.
Due to automatic protocol version negotiation, I<version> is not
necessarily the protocol version used by the sender of the message: If
-a TLS 1.0 ClientHello message is received by an SSL 3.0-only server,
-I<version> will be B<SSL3_VERSION>.
+a TLS 1.1 ClientHello message is received by an TLS 1-only server,
+I<version> will be B<TLS1_VERSION>.
Pseudo content type values may be sent at various points during the processing
of data. The following pseudo content types are currently defined:
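Review bot: "received by an TLS 1-only server" should be "received by a TLS 1.0-only server". The article is wrong, and "TLS 1" is inconsistent with "TLS 1.1" earlier in the same sentence and with B<TLS1_VERSION> on the next line.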
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index ae6f11cd54..400e492f3a 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -71,7 +71,7 @@ CSP 3.x.
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol
+Disables a countermeasure against an TLS 1.0 protocol
vulnerability affecting CBC ciphers, which cannot be handled by some
broken SSL implementations. This option has no effect for connections
using other ciphers.
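Review bot: "against an TLS 1.0 protocol" should be "against a TLS 1.0 protocol"; the article is left over from "an SSL 3.0/TLS 1.0". The equivalent EmptyFragments text in SSL_CONF_cmd.pod was updated with the correct article, so the two pages should match.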
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index b490c74039..38bd87b5f0 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -78,7 +78,7 @@ DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any
cipher suites using CCM with a 64 bit authentication tag are prohibited. Note
that signatures using SHA1 and MD5 are also forbidden at this level as they
-have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and
+have less than 80 security bits. Additionally, TLS 1.0, TLS 1.1 and
DTLS 1.0 are all disabled at this level.
=item B<Level 2>
diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod
index 22433e5e37..d26b41fcfe 100644
--- a/doc/man3/SSL_CTX_set_split_send_fragment.pod
+++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod
@@ -38,7 +38,7 @@ able to process multiple simultaneous crypto operations. This
capability could be utilised to parallelise the processing of a single
connection. For example a single write can be split into multiple records and
each one encrypted independently and in parallel. Note: this would only work in
-TLS1.1+. There was no support in SSLv3, TLSv1.0 or DTLS (any version). This
+TLS1.1+. There was no support in TLSv1.0 or DTLS (any version). This
capability is known as "pipelining" within OpenSSL.
In order to benefit from the pipelining capability, you would need to have an
diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
index e4871590f7..4176bc467b 100644
--- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -29,8 +29,7 @@ see L<openssl_user_macros(7)>:
SSL_CTX_set_tlsext_ticket_key_evp_cb() sets a callback function I<cb> for handling
session tickets for the ssl context I<sslctx>. Session tickets, defined in
RFC5077 provide an enhanced session resumption capability where the server
-implementation is not required to maintain per session state. It only applies
-to TLS and there is no SSLv3 implementation.
+implementation is not required to maintain per session state.
The callback function I<cb> will be called for every client instigated TLS
session when session ticket extension is presented in the TLS hello
diff --git a/doc/man3/SSL_get_version.pod b/doc/man3/SSL_get_version.pod
index b7c2d8156b..2d9fd78cfc 100644
--- a/doc/man3/SSL_get_version.pod
+++ b/doc/man3/SSL_get_version.pod
@@ -100,10 +100,6 @@ of the following:
=over 4
-=item SSL3_VERSION
-
-The connection uses the SSLv3 protocol.
-
=item TLS1_VERSION
The connection uses the TLSv1.0 protocol.
diff --git a/include/internal/ssl3_cbc.h b/include/internal/ssl3_cbc.h
index 89a3efa25d..84c2ccb813 100644
--- a/include/internal/ssl3_cbc.h
+++ b/include/internal/ssl3_cbc.h
@@ -13,13 +13,6 @@
#include <openssl/evp.h>
/* tls_pad.c */
-int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
- size_t origreclen,
- unsigned char *recdata,
- unsigned char **mac,
- int *alloced,
- size_t block_size, size_t mac_size,
- OSSL_LIB_CTX *libctx);
int tls1_cbc_remove_padding_and_mac(size_t *reclen,
size_t origreclen,
@@ -40,6 +33,6 @@ __owur int ssl3_cbc_digest_record(const EVP_MD *md,
size_t data_size,
size_t data_plus_mac_plus_padding_size,
const unsigned char *mac_secret,
- size_t mac_secret_length, char is_sslv3);
+ size_t mac_secret_length);
#endif /* !defined(OSSL_INTERNAL_SSL3_CBC_H) */
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index fb044db957..7fc254d75e 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -346,7 +346,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
#define SSL_OP_ALLOW_NO_DHE_KEX SSL_OP_BIT(10)
/*
- * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * Disable TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
* the workaround is not needed. Unfortunately some broken SSL/TLS
* implementations cannot handle it at all, which is why we include it
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index b1041b5550..747a30f287 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -176,8 +176,7 @@ static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
return 0;
}
- if (ctx->base.tlsversion == SSL3_VERSION
- || ctx->base.tlsversion == TLS1_VERSION) {
+ if (ctx->base.tlsversion == TLS1_VERSION) {
if (!ossl_assert(ctx->base.removetlsfixed >= AES_BLOCK_SIZE)) {
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
return 0;
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index 36c3864c9a..a6320d2d81 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -276,15 +276,9 @@ int ossl_cipher_generic_block_update(void *vctx, unsigned char *out,
return 0;
}
padval = (unsigned char)(padnum - 1);
- if (ctx->tlsversion == SSL3_VERSION) {
- if (padnum > 1)
- memset(out + inl, 0, padnum - 1);
- *(out + inl + padnum - 1) = padval;
- } else {
- /* we need to add 'padnum' padding bytes of value padval */
- for (loop = inl; loop < inl + padnum; loop++)
- out[loop] = padval;
- }
+ /* we need to add 'padnum' padding bytes of value padval */
+ for (loop = inl; loop < inl + padnum; loop++)
+ out[loop] = padval;
inl += padnum;
}
diff --git a/providers/implementations/ciphers/ciphercommon_block.c b/providers/implementations/ciphers/ciphercommon_block.c
index 634bae4c1c..8ce491ddca 100644
--- a/providers/implementations/ciphers/ciphercommon_block.c
+++ b/providers/implementations/ciphers/ciphercommon_block.c
@@ -123,7 +123,7 @@ int ossl_cipher_unpadblock(unsigned char *buf, size_t *buflen, size_t blocksize)
* time.
*
* libctx: Our library context
- * tlsversion: The TLS version in use, e.g. SSL3_VERSION, TLS1_VERSION, etc
+ * tlsversion: The TLS version in use, e.g. TLS1_VERSION, etc
* buf: The decrypted TLS record data
* buflen: The length of the decrypted TLS record data. Updated with the new
* length after the padding is removed
@@ -147,11 +147,6 @@ int ossl_cipher_tlsunpadblock(OSSL_LIB_CTX *libctx, unsigned int tlsversion,
int ret;
switch (tlsversion) {
- case SSL3_VERSION:
- return ssl3_cbc_remove_padding_and_mac(buflen, *buflen, buf, mac,
- alloced, blocksize, macsize,
- libctx);
-
case TLS1_2_VERSION:
case DTLS1_2_VERSION:
case TLS1_1_VERSION:
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
index f3dcdf962b..201d311bfe 100644
--- a/providers/implementations/macs/hmac_prov.c
+++ b/providers/implementations/macs/hmac_prov.c
@@ -239,8 +239,7 @@ static int hmac_update(void *vmacctx, const unsigned char *data,
datalen,
macctx->tls_data_size,
macctx->key,
- macctx->keylen,
- 0);
+ macctx->keylen);
}
return HMAC_Update(macctx->ctx, data, datalen);
diff --git a/ssl/methods.c b/ssl/methods.c
index 37bd37f719..4c7d46efdb 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -13,7 +13,7 @@
#include "ssl_local.h"
/*-
- * TLS/SSLv3 methods
+ * TLS methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
@@ -42,7 +42,7 @@ IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
ossl_statem_accept, ossl_statem_connect, TLSv1_enc_data)
#endif
/*-
- * TLS/SSLv3 server methods
+ * TLS server methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_server_method,
@@ -71,7 +71,7 @@ IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
ssl_undefined_function, TLSv1_enc_data)
#endif
/*-
- * TLS/SSLv3 client methods
+ * TLS client methods
*/
IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
TLS_client_method,
diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h
index d6db9850c0..c5cdfc6cfc 100644
--- a/ssl/record/methods/recmethod_local.h
+++ b/ssl/record/methods/recmethod_local.h
@@ -287,8 +287,7 @@ struct ossl_record_layer_st {
/*
* Do we need to send a prefix empty record before application data as a
- * countermeasure against known-IV weakness (necessary for SSLv3 and
- * TLSv1.0)
+ * countermeasure against known-IV weakness (necessary for TLSv1.0)
*/
int need_empty_fragments;
@@ -326,9 +325,6 @@ struct ossl_record_layer_st {
size_t block_padding;
size_t hs_padding;
- /* Only used by SSLv3 */
- unsigned char mac_secret[EVP_MAX_MD_SIZE];
-
/* TLSv1.0/TLSv1.1/TLSv1.2 */
int use_etm;
diff --git a/ssl/record/methods/ssl3_cbc.c b/ssl/record/methods/ssl3_cbc.c
index 3702c03c52..133067ab15 100644
--- a/ssl/record/methods/ssl3_cbc.c
+++ b/ssl/record/methods/ssl3_cbc.c
@@ -105,8 +105,7 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
#define LARGEST_DIGEST_CTX SHA512_CTX
/*-
- * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
- * record.
+ * ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS record.
*
* ctx: the EVP_MD_CTX from which we take the hash function.
* ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
@@ -118,7 +117,6 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
* has been removed.
* data_plus_mac_plus_padding_size: the public length of the whole
* record, including MAC and padding.
- * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
*
* On entry: we know that data is data_plus_mac_plus_padding_size in length
* Returns 1 on success or 0 on error
@@ -131,7 +129,7 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
size_t data_size,
size_t data_plus_mac_plus_padding_size,
const unsigned char *mac_secret,
- size_t mac_secret_length, char is_sslv3)
+ size_t mac_secret_length)
{
union {
OSSL_UNION_ALIGN;
@@ -140,9 +138,8 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
void (*md_final_raw)(void *ctx, unsigned char *md_out);
void (*md_transform)(void *ctx, const unsigned char *block);
size_t md_size, md_block_size = 64;
- size_t sslv3_pad_length = 40, header_length, variance_blocks,
- len, max_mac_bytes, num_blocks,
- num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
+ size_t header_length, variance_blocks, len, max_mac_bytes, num_blocks,
+ num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
size_t bits; /* at most 18 bits */
unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
/* hmac_pad is the masked HMAC key. */
@@ -176,7 +173,6 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
md_final_raw = tls1_md5_final_raw;
md_transform = (void (*)(void *ctx, const unsigned char *block))MD5_Transform;
md_size = 16;
- sslv3_pad_length = 48;
length_is_big_endian = 0;
#endif
} else if (EVP_MD_is_a(md, "SHA1")) {
@@ -229,22 +225,11 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
return 0;
header_length = 13;
- if (is_sslv3) {
- header_length = mac_secret_length
- + sslv3_pad_length
- + 8 /* sequence number */
- + 1 /* record type */
- + 2; /* record length */
- }
/*
* variance_blocks is the number of blocks of the hash that we have to
* calculate in constant time because they could be altered by the
- * padding value. In SSLv3, the padding must be minimal so the end of
- * the plaintext varies by, at most, 15+20 = 35 bytes. (We conservatively
- * assume that the MAC size varies from 0..20 bytes.) In case the 9 bytes
- * of hash termination (0x80 + 64-bit length) don't fit in the final
- * block, we say that the final two blocks can vary based on the padding.
+ * padding value.
* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
* required to be minimal. Therefore we say that the final |variance_blocks|
* blocks can
@@ -252,14 +237,11 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
* short and there obviously cannot be this many blocks then
* variance_blocks can be reduced.
*/
- variance_blocks = is_sslv3 ? 2
- : (((255 + 1 + md_size + md_block_size - 1)
- / md_block_size)
- + 1);
+ variance_blocks = ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1;
+
/*
* From now on we're dealing with the MAC, which conceptually has 13
- * bytes of `header' before the start of the data (TLS) or 71/75 bytes
- * (SSLv3)
+ * bytes of `header' before the start of the data (TLS)
*/
len = data_plus_mac_plus_padding_size + header_length;
/*
@@ -302,37 +284,30 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
* in bits.
*/
index_b = (mac_end_offset + md_length_size) / md_block_size;
+
+ if (num_blocks > variance_blocks) {
+ num_starting_blocks = num_blocks - variance_blocks;
+ k = md_block_size * num_starting_blocks;
+ }
+
/*
* bits is the hash-length in bits. It includes the additional hash block
* for the masked HMAC key, or whole of |header| in the case of SSLv3.
*/
+ bits = 8 * mac_end_offset;
/*
- * For SSLv3, if we're going to have any starting blocks then we need at
- * least two because the header is larger than a single block.
+ * Compute the initial HMAC block.
*/
- if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) {
- num_starting_blocks = num_blocks - variance_blocks;
- k = md_block_size * num_starting_blocks;
- }
-
- bits = 8 * mac_end_offset;
- if (!is_sslv3) {
- /*
- * Compute the initial HMAC block. For SSLv3, the padding and secret
- * bytes are included in |header| because they take more than a
- * single block.
- */
- bits += 8 * md_block_size;
- memset(hmac_pad, 0, md_block_size);
- if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
- return 0;
- memcpy(hmac_pad, mac_secret, mac_secret_length);
- for (i = 0; i < md_block_size; i++)
- hmac_pad[i] ^= 0x36;
+ bits += 8 * md_block_size;
+ memset(hmac_pad, 0, md_block_size);
+ if (!ossl_assert(mac_secret_length <= sizeof(hmac_pad)))
+ return 0;
+ memcpy(hmac_pad, mac_secret, mac_secret_length);
+ for (i = 0; i < md_block_size; i++)
+ hmac_pad[i] ^= 0x36;
- md_transform(md_state.c, hmac_pad);
- }
+ md_transform(md_state.c, hmac_pad);
if (length_is_big_endian) {
memset(length_bytes, 0, md_length_size - 4);
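Review bot: the comment kept as context above "bits = 8 * mac_end_offset;" still ends with "or whole of |header| in the case of SSLv3", which no longer describes anything in this function; trim it to the masked HMAC key case. The num_starting_blocks assignment has also been moved above that comment and now sits without any explanation of why starting blocks are only used when num_blocks exceeds variance_blocks, so a one-line comment there would help. Finally, with the branch gone, "bits = 8 * mac_end_offset;" and "bits += 8 * md_block_size;" are split by the "Compute the initial HMAC block" comment and could be combined into one statement.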
@@ -349,37 +324,12 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
}
if (k > 0) {
- if (is_sslv3) {
- size_t overhang;
-
- /*
- * The SSLv3 header is larger than a single block. overhang is
- * the number of bytes beyond a single block that the header
- * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no
- * ciphersuites in SSLv3 that are not SHA1 or MD5 based and
- * therefore we can be confident that the header_length will be
- * greater than |md_block_size|. However we add a sanity check just
- * in case
- */
- if (header_length <= md_block_size) {
- /* Should never happen */
- return 0;
- }
- overhang = header_length - md_block_size;
- md_transform(md_state.c, header);
- memcpy(first_block, header + md_block_size, overhang);
- memcpy(first_block + overhang, data, md_block_size - overhang);
- md_transform(md_state.c, first_block);
- for (i = 1; i < k / md_block_size - 1; i++)
- md_transform(md_state.c, data + md_block_size * i - overhang);
- } else {
- /* k is a multiple of md_block_size. */
- memcpy(first_block, header, 13);
- memcpy(first_block + 13, data, md_block_size - 13);
- md_transform(md_state.c, first_block);
- for (i = 1; i < k / md_block_size; i++)
- md_transform(md_state.c, data + md_block_size * i - 13);
- }
+ /* k is a multiple of md_block_size. */
+ memcpy(first_block, header, 13);
+ memcpy(first_block + 13, data, md_block_size - 13);
+ md_transform(md_state.c, first_block);
+ for (i = 1; i < k / md_block_size; i++)
+ md_transform(md_state.c, data + md_block_size * i - 13);
}
memset(mac_out, 0, sizeof(mac_out));
@@ -449,23 +399,15 @@ int ssl3_cbc_digest_record(const EVP_MD *md,
if (EVP_DigestInit_ex(md_ctx, md, NULL) <= 0)
goto err;
- if (is_sslv3) {
- /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
- memset(hmac_pad, 0x5c, sslv3_pad_length);
-
- if (EVP_DigestUpdate(md_ctx, mac_secret, mac_secret_length) <= 0
- || EVP_DigestUpdate(md_ctx, hmac_pad, sslv3_pad_length) <= 0
- || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
- goto err;
- } else {
- /* Complete the HMAC in the standard manner. */
- for (i = 0; i < md_block_size; i++)
- hmac_pad[i] ^= 0x6a;
- if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
- || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
- goto err;
- }
+ /* Complete the HMAC in the standard manner. */
+ for (i = 0; i < md_block_size; i++)
+ hmac_pad[i] ^= 0x6a;
+
+ if (EVP_DigestUpdate(md_ctx, hmac_pad, md_block_size) <= 0
+ || EVP_DigestUpdate(md_ctx, mac_out, md_size) <= 0)
+ goto err;
+
ret = EVP_DigestFinal(md_ctx, md_out, &md_out_size_u);
if (ret && md_out_size)
*md_out_size = md_out_size_u;
diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c
index f89c365d7f..717e1ed3ff 100644
--- a/ssl/record/methods/tls1_meth.c
+++ b/ssl/record/methods/tls1_meth.c
@@ -530,7 +530,6 @@ end:
#endif /* OPENSSL_NO_COMP */
#endif
-/* This function is also used by the SSLv3 implementation */
int tls1_allocate_write_buffers(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl, size_t *prefix)
@@ -552,7 +551,6 @@ int tls1_allocate_write_buffers(OSSL_RECORD_LAYER *rl,
return 1;
}
-/* This function is also used by the SSLv3 implementation */
int tls1_initialise_write_packets(OSSL_RECORD_LAYER *rl,
OSSL_RECORD_TEMPLATE *templates,
size_t numtempl,
diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 190e61bb1c..0363bf23bf 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -1401,8 +1401,6 @@ static void tls_int_free(OSSL_RECORD_LAYER *rl)
#endif
OPENSSL_free(rl->iv);
OPENSSL_free(rl->nonce);
- if (rl->version == SSL3_VERSION)
- OPENSSL_cleanse(rl->mac_secret, sizeof(rl->mac_secret));
TLS_RL_RECORD_release(rl->rrec, SSL_MAX_PIPELINES);
diff --git a/ssl/record/methods/tls_pad.c b/ssl/record/methods/tls_pad.c
index 7209506bc4..a017e9221e 100644
--- a/ssl/record/methods/tls_pad.c
+++ b/ssl/record/methods/tls_pad.c
@@ -33,51 +33,6 @@ static int ssl3_cbc_copy_mac(size_t *reclen,
size_t good,
OSSL_LIB_CTX *libctx);
-/*-
- * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
- * record in |recdata| by updating |reclen| in constant time. It also extracts
- * the MAC from the underlying record and places a pointer to it in |mac|. The
- * MAC data can either be newly allocated memory, or a pointer inside the
- * |recdata| buffer. If allocated then |*alloced| is set to 1, otherwise it is
- * set to 0.
- *
- * origreclen: the original record length before any changes were made
- * block_size: the block size of the cipher used to encrypt the record.
- * mac_size: the size of the MAC to be extracted
- * aead: 1 if an AEAD cipher is in use, or 0 otherwise
- * returns:
- * 0: if the record is publicly invalid.
- * 1: if the record is publicly valid. If the padding removal fails then the
- * MAC returned is random.
- */
-int ssl3_cbc_remove_padding_and_mac(size_t *reclen,
- size_t origreclen,
- unsigned char *recdata,
- unsigned char **mac,
- int *alloced,
- size_t block_size, size_t mac_size,
- OSSL_LIB_CTX *libctx)
-{
- size_t padding_length;
- size_t good;
- const size_t overhead = 1 /* padding length byte */ + mac_size;
-
- /*
- * These lengths are all public so we can test them in non-constant time.
- */
- if (overhead > *reclen)
- return 0;
-
- padding_length = recdata[*reclen - 1];
- good = constant_time_ge_s(*reclen, padding_length + overhead);
- /* SSLv3 requires that the padding is minimal. */
- good &= constant_time_ge_s(block_size, padding_length + 1);
- *reclen -= good & (padding_length + 1);
-
- return ssl3_cbc_copy_mac(reclen, origreclen, recdata, mac, alloced,
- block_size, mac_size, good, libctx);
-}
-
/*-
* tls1_cbc_remove_padding_and_mac removes padding from the decrypted, TLS, CBC
* record in |recdata| by updating |reclen| in constant time. It also extracts
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 61e8c4abbe..47e3ff4df3 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -618,7 +618,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
/*
* We have num_of_ciphers descriptions compiled in, depending on the
- * method selected (SSLv3, TLSv1 etc).
+ * method selected (TLSv1, etc.).
* These will later be sorted in a linked list with at most num
* entries.
*/
@@ -2281,7 +2281,7 @@ int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
c = sk_SSL_CIPHER_value(sk, i);
/* Skip disabled ciphers */
- if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
continue;
if (!ssl->method->put_cipher_by_char(c, pkt, &len)) {
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c89f3e4017..2902a5f5aa 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -510,10 +510,6 @@ static int ssl_check_allowed_versions(int min_version, int max_version)
if (max_version == TLS1_1_VERSION)
max_version = TLS1_VERSION;
#endif
-#ifdef OPENSSL_NO_TLS1
- if (max_version == TLS1_VERSION)
- max_version = SSL3_VERSION;
-#endif
#ifdef OPENSSL_NO_TLS1
if (min_version == TLS1_VERSION)
min_version = TLS1_1_VERSION;
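Review bot: With the removed block gone, a build with OPENSSL_NO_TLS1 leaves max_version at TLS1_VERSION, a protocol that is compiled out, whether the caller passed it or the TLS1_1_VERSION step just above lowered it. Before this change that value fell through to SSL3_VERSION. Please confirm that the remainder of ssl_check_allowed_versions() rejects max_version == TLS1_VERSION in that configuration (the following block raises min_version to TLS1_1_VERSION, so the range can end up inverted), and add an explicit failure here if it does not.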
@@ -3469,7 +3465,7 @@ STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
return NULL;
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
- if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) {
+ if (!ssl_cipher_disabled(sc, c, SSL_SECOP_CIPHER_SUPPORTED)) {
if (!sk)
sk = sk_SSL_CIPHER_new_null();
if (!sk)
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index a8171c30fa..5c0fa8f925 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -387,7 +387,7 @@ typedef enum {
SSL_PHA_REQUESTED /* request received by client, or sent by server */
} SSL_PHA_STATE;
-/* CipherSuite length. SSLv3 and all TLS versions. */
+/* CipherSuite value length. */
#define TLS_CIPHER_LEN 2
/* used to hold info on the particular ciphers used */
struct ssl_cipher_st {
@@ -447,7 +447,7 @@ struct ssl_method_st {
int (*num_ciphers)(void);
const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
OSSL_TIME (*get_timeout)(void);
- const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
+ const struct ssl3_enc_method *ssl3_enc; /* Extra TLS stuff */
int (*ssl_version)(void);
long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
@@ -927,11 +927,8 @@ struct ssl_ctx_st {
CRYPTO_EX_DATA ex_data;
- const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */
- const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */
-
STACK_OF(X509) *extra_certs;
- STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
+ STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, TLSv1 */
/* Default values used when no per-SSL value is defined follow */
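Review bot: The removed comments describe md5 and sha1 as being for "SSLv3/TLSv1", not SSLv3 alone, so dropping the members is only safe if no TLSv1 code path still reads ctx->md5 or ctx->sha1. Please confirm that, and that the code which fetched and freed these digests during SSL_CTX setup and teardown is removed in the same commit; none of it is visible in this hunk.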
@@ -1279,8 +1276,7 @@ struct ssl_connection_st {
SSL *user_ssl;
/*
- * protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
- * DTLS1_VERSION)
+ * protocol version (one of TLS1_VERSION, DTLS1_VERSION)
*/
int version;
/*
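Review bot: The rewritten comment on version, "one of TLS1_VERSION, DTLS1_VERSION", reads as an exhaustive list, but other hunks in this patch already handle TLS1_1_VERSION as a valid value. Suggest naming the full range or wording it as an example, for instance "protocol version (a TLSx_VERSION or DTLSx_VERSION value)".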
@@ -1375,7 +1371,7 @@ struct ssl_connection_st {
int in_read_app_data;
struct {
- /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
+ /* actually only need to be 12 for TLS */
unsigned char finish_md[EVP_MAX_MD_SIZE * 2];
size_t finish_md_len;
unsigned char peer_finish_md[EVP_MAX_MD_SIZE * 2];
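Review bot: The new comment on finish_md, "actually only need to be 12 for TLS", is accurate for the 12-byte verify_data of TLS up to 1.2. If this buffer also holds the TLS 1.3 Finished value, whose verify_data is the length of the handshake hash, the comment understates the requirement. Suggest qualifying it with the versions it applies to, or dropping the size remark now that the SSLv3 figure that motivated it is gone.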
@@ -1626,7 +1622,7 @@ struct ssl_connection_st {
int first_packet;
/*
* What was passed in ClientHello.legacy_version. Used for RSA pre-master
- * secret and SSLv3/TLS (<=1.2) rollback check
+ * secret and (D)TLS (<=1.2) rollback check
*/
int client_version;
/*
@@ -2183,8 +2179,7 @@ typedef struct cert_st {
} CERT;
/*
- * This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit
- * of a mess of functions, but hell, think of it as an opaque structure :-)
+ * This is for the TLSv1.0 differences in crypto/hash stuff.
*/
typedef struct ssl3_enc_method {
int (*setup_key_block)(SSL_CONNECTION *);
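Review bot: The replacement comment above ssl3_enc_method, "This is for the TLSv1.0 differences in crypto/hash stuff.", no longer says what TLSv1.0 differs from now that SSLv3 is out of the sentence. Suggest describing what the structure holds today (the per-protocol-version key block, MAC and Finished handlers) and noting that the ssl3_ prefix in the type name is historical.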
@@ -2842,7 +2837,7 @@ __owur int tls_check_sigalg_curve(const SSL_CONNECTION *s, int curve);
__owur int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL_CONNECTION *s);
__owur int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
- int op, int echde);
+ int op);
__owur int ssl_handshake_hash(SSL_CONNECTION *s,
unsigned char *out, size_t outlen,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1bd1110973..1ba4add39d 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -306,7 +306,7 @@ unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
}
/*
- * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
+ * TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
* the ID with random junk repeatedly until we have no conflict is going to
* complete in one iteration pretty much "most" of the time (btw:
* understatement). So, if it takes us 10 iterations and we still can't avoid
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6c77296c31..15ed8ef8d5 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1639,7 +1639,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s,
* If it is a disabled cipher we either didn't send it in client hello,
* or it's not allowed for the selected protocol. So we return an error.
*/
- if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
return 0;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 46e418676e..a90d401679 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2550,18 +2550,6 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst)
s->s3.tmp.new_cipher = s->session->cipher;
}
- /*-
- * we now have the following setup.
- * client_random
- * cipher_list - our preferred list of ciphers
- * ciphers - the client's preferred list of ciphers
- * compression - basically ignored right now
- * ssl version is set - sslv3
- * s->session - The ssl session has been setup.
- * s->hit - session reuse flag
- * s->s3.tmp.new_cipher - the new cipher to use.
- */
-
/*
* Call status_request callback if needed. Has to be done after the
* certificate callbacks etc above.
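Review bot: Only one line of the removed comment in tls_post_process_client_hello() was stale ("ssl version is set - sslv3"). The rest documents what is established at this point in the function: s->session, s->hit and s->s3.tmp.new_cipher. Suggest keeping the block and changing that one line to say the protocol version has been negotiated, rather than deleting the whole summary.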
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index df3db34125..b55b101324 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3052,12 +3052,11 @@ int ssl_set_client_disabled(SSL_CONNECTION *s)
* @s: SSL connection that you want to use the cipher on
* @c: cipher to check
* @op: Security check that you want to do
- * @ecdhe: If set to 1 then TLSv1 ECDHE ciphers are also allowed in SSLv3
*
* Returns 1 when it's disabled, 0 when enabled.
*/
int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
- int op, int ecdhe)
+ int op)
{
int minversion = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls;
int maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls;
@@ -3079,15 +3078,6 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c,
return 1;
}
- /*
- * For historical reasons we will allow ECHDE to be selected by a server
- * in SSLv3 if we are a client
- */
- if (minversion == TLS1_VERSION
- && ecdhe
- && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0)
- minversion = SSL3_VERSION;
-
if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0
|| ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0)
return 1;
@@ -3537,7 +3527,7 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
c = sk_SSL_CIPHER_value(sk, i);
/* Skip disabled ciphers */
- if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
continue;
if ((c->algorithm_mkey & (SSL_kGOST | SSL_kGOST18)) != 0)
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 8a3c7b5fb0..40df6536e3 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -1284,7 +1284,7 @@ int main(int argc, char *argv[])
no_protocol = 0;
/*
- * Testing was requested for a compiled-out protocol (e.g. SSLv3).
+ * Testing was requested for a compiled-out protocol (e.g. TLSv1, etc.).
* Ideally, we would error out, but the generic test wrapper can't know
* when to expect failure. So we do nothing and return success.
*/
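Review bot: Style point on the replaced comment line: "(e.g. TLSv1, etc.)" uses both "e.g." and "etc.", which is redundant. "(e.g. TLSv1)" says the same thing.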