From: Andrew Dinh <andrewd@openssl.org>
Date: Tue, 16 Dec 2025 20:44:18 +0000 (+0400)
Subject: Add no-ssl3 back as a no-op
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6821363f28148b8ff6fedde0fcac6271f17e8e6e;p=thirdparty%2Fopenssl.git

Add no-ssl3 back as a no-op

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29338)
---

diff --git a/apps/include/opt.h b/apps/include/opt.h
index a9b50c3f008..a2facb02521 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -157,7 +157,7 @@
  */
 #define OPT_S_ENUM                                                    \
     OPT_S__FIRST = 3000,                                              \
-    OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2,                     \
+    OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2,       \
     OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET,        \
     OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG,           \
     OPT_S_LEGACYCONN,                                                 \
@@ -176,6 +176,7 @@
 
 #define OPT_S_OPTIONS                                                                                           \
     OPT_SECTION("TLS/SSL"),                                                                                     \
+        { "no_ssl3", OPT_S_NOSSL3, '-', "Just disable SSLv3" },                                                 \
         { "no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1" },                                                 \
         { "no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" },                                           \
         { "no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2" },                                           \
@@ -238,6 +239,7 @@
     OPT_S__FIRST:                 \
     case OPT_S__LAST:             \
     break;                        \
+    case OPT_S_NOSSL3:            \
     case OPT_S_NOTLS1:            \
     case OPT_S_NOTLS1_1:          \
     case OPT_S_NOTLS1_2:          \
@@ -274,8 +276,8 @@
     case OPT_S_NO_ETM:            \
     case OPT_S_NO_EMS
 
-#define IS_NO_PROT_FLAG(o)                    \
-    (o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
+#define IS_NO_PROT_FLAG(o)                                         \
+    (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
         || o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
 
 /*
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index ff66bcb2605..00ef668d6f4 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -597,7 +597,7 @@ OpenSSL was built.
 
 =over 4
 
-=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 When a specific TLS version is required, only that version will be offered or
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 82d37a60742..5bc8ac61c5c 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -131,6 +131,7 @@ $OpenSSL::safe::opt_trust_item = ""
 
 # TLS Version Options
 $OpenSSL::safe::opt_versiontls_synopsis = ""
+. "[B<-no_ssl3>]\n"
 . "[B<-no_tls1>]\n"
 . "[B<-no_tls1_1>]\n"
 . "[B<-no_tls1_2>]\n"
@@ -140,7 +141,7 @@ $OpenSSL::safe::opt_versiontls_synopsis = ""
 . "[B<-tls1_2>]\n"
 . "[B<-tls1_3>]";
 $OpenSSL::safe::opt_versiontls_item = ""
-. "=item B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
+. "=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
 . "B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>\n"
 . "\n"
 . "See L<openssl(1)/TLS Version Options>.";