Blob Blame History Raw
diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
index 8a190d2..6b4c5ae 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      * or by using the SSL_CONF library.
      */
     ret->options |= SSL_OP_NO_COMPRESSION;
+    /*
+     * Disable SSLv3 by default.  Applications can
+     * re-enable it by configuring
+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+     * or by using the SSL_CONF library.
+     */
+    ret->options |= SSL_OP_NO_SSLv3;
 
     ret->tlsext_status_type = -1;
 
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
index 2cbbddd..1a409d1 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
             SSL_TEST_SERVERNAME_CB_NONE) {
             server2_ctx = SSL_CTX_new(TLS_server_method());
             TEST_check(server2_ctx != NULL);
+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
         }
         client_ctx = SSL_CTX_new(TLS_client_method());
         TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
                                                      TLS_MAX_VERSION));
             TEST_check(resume_server_ctx != NULL);
             TEST_check(resume_client_ctx != NULL);
+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
         }
     }
 
     TEST_check(server_ctx != NULL);
     TEST_check(client_ctx != NULL);
+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
 
     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
 
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
index e77c692..e586072 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[])
         ERR_print_errors(bio_err);
         goto end;
     }
+
+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
+
     /*
      * Since we will use low security ciphersuites and keys for testing set
      * security level to zero by default. Tests can override this by adding
-- 
2.17.0