diff -up a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
+++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
* or by using the SSL_CONF library.
*/
ret->options |= SSL_OP_NO_COMPRESSION;
+ /*
+ * Disable SSLv3 by default. Applications can
+ * re-enable it by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ * or by using the SSL_CONF library.
+ */
+ ret->options |= SSL_OP_NO_SSLv3;
ret->tlsext_status_type = -1;
diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(TLS_server_method());
TEST_check(server2_ctx != NULL);
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
}
client_ctx = SSL_CTX_new(TLS_client_method());
@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
resume_client_ctx = SSL_CTX_new(TLS_client_method());
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
}
}
TEST_check(server_ctx != NULL);
TEST_check(client_ctx != NULL);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
+
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
+
/*
* Since we will use low security ciphersuites and keys for testing set
* security level to zero by default. Tests can override this by adding