+++ /dev/null
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
- }
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-+
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- * or by using the SSL_CONF library.
- */
- ret->options |= SSL_OP_NO_COMPRESSION;
-+ /*
-+ * Disable SSLv3 by default. Applications can
-+ * re-enable it by configuring
-+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+ * or by using the SSL_CONF library.
-+ */
-+ ret->options |= SSL_OP_NO_SSLv3;
-
- ret->tlsext_status_type = -1;
-
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
- SSL_TEST_SERVERNAME_CB_NONE) {
- server2_ctx = SSL_CTX_new(TLS_server_method());
- TEST_check(server2_ctx != NULL);
-+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
- }
- client_ctx = SSL_CTX_new(TLS_client_method());
-
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
- resume_client_ctx = SSL_CTX_new(TLS_client_method());
- TEST_check(resume_server_ctx != NULL);
- TEST_check(resume_client_ctx != NULL);
-+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
- }
- }
-
- TEST_check(server_ctx != NULL);
- TEST_check(client_ctx != NULL);
-+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
-
- TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
-
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
- ERR_print_errors(bio_err);
- goto end;
- }
-+
-+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
- /*
- * Since we will use low security ciphersuites and keys for testing set
- * security level to zero by default. Tests can override this by adding