[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Sat May 16 08:23:47 UTC 2015


The branch master has been updated
       via  b2ce0337e8430f7d4d1e692415efc89ed02a8ea3 (commit)
       via  a304d385900b72467808ba0c2db91f2fc26e0160 (commit)
       via  d45ba43dab962bdc84158efc0cdddd5f5a08cf5e (commit)
       via  a27e81ee54112d8db40e409f45f1e9b88ccbf6b1 (commit)
       via  a3680c8f9c33d4190c367572645980ccdb9d5bbf (commit)
       via  13c9bb3ecec5f847b4c5295249e039d386e2d10e (commit)
       via  32ec41539b5b23bc42503589fcc5be65d648d1f5 (commit)
      from  756eff7a31b5b46577e8529645b254ccc256a8ae (commit)


- Log -----------------------------------------------------------------
commit b2ce0337e8430f7d4d1e692415efc89ed02a8ea3
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 15 09:14:03 2015 +0100

    Further version negotiation updates
    
    More miscellaneous updates to version negotiation following feedback.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit a304d385900b72467808ba0c2db91f2fc26e0160
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 14 13:48:47 2015 +0100

    Move SSLv3_*method() functions
    
    Move these functions into t1_clnt.c, t1_srvr.c and t1_meth.c and take
    advantage of the existing tls1_get*_method() functions that all the other
    methods are using. Since these now have to support SSLv3 anyway we might
    as well use the same set of get functions for both TLS and SSLv3.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit d45ba43dab962bdc84158efc0cdddd5f5a08cf5e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Apr 24 15:05:27 2015 +0100

    Updates following review comments
    
    Miscellaneous updates following review comments on the version negotiation
    rewrite patches.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit a27e81ee54112d8db40e409f45f1e9b88ccbf6b1
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 31 14:29:53 2015 +0100

    Version negotiation rewrite doc updates
    
    Update various documentation references to the new TLS_*_method names. Also
    add a CHANGES entry.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit a3680c8f9c33d4190c367572645980ccdb9d5bbf
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 31 13:57:46 2015 +0100

    Version negotiation rewrite cleanup
    
    Following the version negotiation rewrite all of the previous code that was
    dedicated to version negotiation can now be deleted - all six source files
    of it!!
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit 13c9bb3ecec5f847b4c5295249e039d386e2d10e
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 31 00:18:31 2015 +0100

    Client side version negotiation rewrite
    
    Continuing from the previous commit this changes the way we do client side
    version negotiation. Similarly all of the s23* "up front" state machine code
    has been avoided and again things now work much the same way as they already
    did for DTLS, i.e. we just do most of the work in the
    ssl3_get_server_hello() function.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

commit 32ec41539b5b23bc42503589fcc5be65d648d1f5
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Mar 27 23:01:51 2015 +0000

    Server side version negotiation rewrite
    
    This commit changes the way that we do server side protocol version
    negotiation. Previously we had a whole set of code that had an "up front"
    state machine dedicated to the negotiating the protocol version. This adds
    significant complexity to the state machine. Historically the justification
    for doing this was the support of SSLv2 which works quite differently to
    SSLv3+. However, we have now removed support for SSLv2 so there is little
    reason to maintain this complexity.
    
    The one slight difficulty is that, although we no longer support SSLv2, we
    do still support an SSLv3+ ClientHello in an SSLv2 backward compatible
    ClientHello format. This is generally only used by legacy clients. This
    commit adds support within the SSLv3 code for these legacy format
    ClientHellos.
    
    Server side version negotiation now works in much the same was as DTLS,
    i.e. we introduce the concept of TLS_ANY_VERSION. If s->version is set to
    that then when a ClientHello is received it will work out the most
    appropriate version to respond with. Also, SSLv23_method and
    SSLv23_server_method have been replaced with TLS_method and
    TLS_server_method respectively. The old SSLv23* names still exist as
    macros pointing at the new name, although they are deprecated.
    
    Subsequent commits will look at client side version negotiation, as well of
    removal of the old s23* code.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                             |   9 +
 apps/Makefile                       | 130 +++----
 apps/ciphers.c                      |   2 +-
 apps/ocsp.c                         |   2 +-
 apps/s_client.c                     |   2 +-
 apps/s_server.c                     |   2 +-
 apps/s_time.c                       |   2 +-
 crypto/threads/mttest.c             |   2 +-
 demos/bio/client-arg.c              |   2 +-
 demos/bio/client-conf.c             |   2 +-
 demos/bio/saccept.c                 |   2 +-
 demos/bio/sconnect.c                |   2 +-
 demos/bio/server-arg.c              |   2 +-
 demos/bio/server-conf.c             |   2 +-
 demos/easy_tls/easy-tls.c           |   4 +-
 demos/ssl/cli.cpp                   |   2 +-
 demos/ssl/serv.cpp                  |   2 +-
 demos/state_machine/state_machine.c |   2 +-
 doc/crypto/BIO_f_ssl.pod            |   4 +-
 doc/crypto/err.pod                  |   6 +-
 doc/ssl/SSL_CTX_new.pod             |  35 +-
 doc/ssl/SSL_clear.pod               |   2 +-
 doc/ssl/ssl.pod                     |   7 -
 include/openssl/ssl.h               |  27 +-
 include/openssl/ssl23.h             |  84 ----
 include/openssl/tls1.h              |   3 +
 ssl/Makefile                        | 487 +++++++++---------------
 ssl/install-ssl.com                 |   2 +-
 ssl/record/README                   |  16 +-
 ssl/record/rec_layer_s23.c          | 114 ------
 ssl/record/rec_layer_s3.c           |  44 +++
 ssl/record/record.h                 |  10 +-
 ssl/record/record_locl.h            |   2 +
 ssl/record/ssl3_record.c            | 105 +++--
 ssl/s23_clnt.c                      | 595 -----------------------------
 ssl/s23_lib.c                       | 165 --------
 ssl/s23_meth.c                      |  82 ----
 ssl/s23_srvr.c                      | 585 ----------------------------
 ssl/s3_both.c                       |  99 +++--
 ssl/s3_clnt.c                       | 265 ++++++++++---
 ssl/s3_lib.c                        |  28 +-
 ssl/s3_meth.c                       |  74 ----
 ssl/s3_srvr.c                       | 741 ++++++++++++++++++++++++------------
 ssl/ssl-lib.com                     |   3 +-
 ssl/ssl_err.c                       |  11 +-
 ssl/ssl_lib.c                       | 158 --------
 ssl/ssl_locl.h                      |  56 ---
 ssl/ssl_stat.c                      |  44 ---
 ssl/t1_clnt.c                       |  21 +-
 ssl/t1_lib.c                        |   8 +-
 ssl/t1_meth.c                       |  20 +-
 ssl/t1_srvr.c                       |  21 +-
 test/Makefile                       |  20 +-
 test/ssltest.c                      |   2 +-
 util/ssleay.num                     |   9 +-
 55 files changed, 1321 insertions(+), 2807 deletions(-)
 delete mode 100644 include/openssl/ssl23.h
 delete mode 100644 ssl/record/rec_layer_s23.c
 delete mode 100644 ssl/s23_clnt.c
 delete mode 100644 ssl/s23_lib.c
 delete mode 100644 ssl/s23_meth.c
 delete mode 100644 ssl/s23_srvr.c
 delete mode 100644 ssl/s3_meth.c

diff --git a/CHANGES b/CHANGES
index 337b9b1..8600b81 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,15 @@
  _______________
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
+
+  *) Version negotiation has been rewritten. In particular SSLv23_method(),
+     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
+     and turned into macros which simply call the new preferred function names
+     TLS_method(), TLS_client_method() and TLS_server_method(). All new code
+     should use the new names instead. Also as part of this change the ssl23.h
+     header file has been removed.
+     [Matt Caswell]
+
   *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
      code and the associated standard is no longer considered fit-for-purpose.
      [Matt Caswell]
diff --git a/apps/Makefile b/apps/Makefile
index 9952b3d..29bad61 100644
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -191,12 +191,12 @@ apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
 apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
 apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 apps.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-apps.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-apps.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-apps.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-apps.o: ../include/openssl/x509v3.h apps.c apps.h progs.h
+apps.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+apps.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+apps.o: ../include/openssl/ui.h ../include/openssl/x509.h
+apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h
+apps.o: progs.h
 asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -244,11 +244,11 @@ ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c progs.h
+ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+ciphers.o: ciphers.c progs.h
 cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h
 cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -428,11 +428,11 @@ engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 engine.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-engine.o: ../include/openssl/x509v3.h apps.h engine.c progs.h
+engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+engine.o: engine.c progs.h
 errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -448,11 +448,11 @@ errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 errstr.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-errstr.o: ../include/openssl/x509v3.h apps.h errstr.c progs.h
+errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+errstr.o: errstr.c progs.h
 gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -534,12 +534,11 @@ ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c
-ocsp.o: progs.h
+ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c progs.h
 openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -555,12 +554,11 @@ openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-openssl.o: openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
 opt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 opt.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 opt.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -783,12 +781,11 @@ s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_cb.o: progs.h s_apps.h s_cb.c
+s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_cb.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_cb.c
 s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -805,12 +802,12 @@ s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 s_client.o: ../include/openssl/sha.h ../include/openssl/srp.h
 s_client.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_client.o: progs.h s_apps.h s_client.c timeouts.h
+s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_client.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_client.c
+s_client.o: timeouts.h
 s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -828,12 +825,12 @@ s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 s_server.o: ../include/openssl/sha.h ../include/openssl/srp.h
 s_server.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_server.o: progs.h s_apps.h s_server.c timeouts.h
+s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_server.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_server.c
+s_server.o: timeouts.h
 s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -848,12 +845,11 @@ s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s_socket.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_socket.o: progs.h s_apps.h s_socket.c
+s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_socket.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_socket.c
 s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -869,11 +865,11 @@ s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_time.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_time.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_time.c
+s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_time.o: progs.h s_apps.h s_time.c
 sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -889,11 +885,11 @@ sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-sess_id.o: ../include/openssl/x509v3.h apps.h progs.h sess_id.c
+sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+sess_id.o: progs.h sess_id.c
 smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
diff --git a/apps/ciphers.c b/apps/ciphers.c
index 232fd60..47132fd 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -94,7 +94,7 @@ int ciphers_main(int argc, char **argv)
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
     STACK_OF(SSL_CIPHER) *sk = NULL;
-    const SSL_METHOD *meth = SSLv23_server_method();
+    const SSL_METHOD *meth = TLS_server_method();
     int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
 #ifndef OPENSSL_NO_SSL_TRACE
     int stdname = 0;
diff --git a/apps/ocsp.c b/apps/ocsp.c
index d52da18..c71b0d6 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1261,7 +1261,7 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
         BIO_set_conn_port(cbio, port);
     if (use_ssl == 1) {
         BIO *sbio;
-        ctx = SSL_CTX_new(SSLv23_client_method());
+        ctx = SSL_CTX_new(TLS_client_method());
         if (ctx == NULL) {
             BIO_printf(bio_err, "Error creating SSL context.\n");
             goto end;
diff --git a/apps/s_client.c b/apps/s_client.c
index ba411f2..339e451 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -636,7 +636,7 @@ int s_client_main(int argc, char **argv)
     SSL_CONF_CTX *cctx = NULL;
     STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
     STACK_OF(X509_CRL) *crls = NULL;
-    const SSL_METHOD *meth = SSLv23_client_method();
+    const SSL_METHOD *meth = TLS_client_method();
     char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL, *mbuf =
         NULL;
     char *cert_file = NULL, *key_file = NULL, *chain_file = NULL, *prog;
diff --git a/apps/s_server.c b/apps/s_server.c
index 2ef902a..61d13f3 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -987,7 +987,7 @@ int s_server_main(int argc, char *argv[])
     ENGINE *e = NULL;
     EVP_PKEY *s_key = NULL, *s_dkey = NULL;
     SSL_CONF_CTX *cctx = NULL;
-    const SSL_METHOD *meth = SSLv23_server_method();
+    const SSL_METHOD *meth = TLS_server_method();
     SSL_EXCERT *exc = NULL;
     STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
     STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
diff --git a/apps/s_time.c b/apps/s_time.c
index 5bca72b..74decd2 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -167,7 +167,7 @@ int s_time_main(int argc, char **argv)
     int exitNow = 0;            /* Set when it's time to exit main */
 #endif
 
-    meth = SSLv23_client_method();
+    meth = TLS_client_method();
     verify_depth = 0;
     verify_error = X509_V_OK;
 
diff --git a/crypto/threads/mttest.c b/crypto/threads/mttest.c
index f6f8df2..3218c32 100644
--- a/crypto/threads/mttest.c
+++ b/crypto/threads/mttest.c
@@ -194,7 +194,7 @@ int main(int argc, char *argv[])
     SSL_CTX *c_ctx = NULL;
     char *scert = TEST_SERVER_CERT;
     char *ccert = TEST_CLIENT_CERT;
-    SSL_METHOD *ssl_method = SSLv23_method();
+    SSL_METHOD *ssl_method = TLS_method();
 
     RAND_seed(rnd_seed, sizeof rnd_seed);
 
diff --git a/demos/bio/client-arg.c b/demos/bio/client-arg.c
index 8507e04..99ebff1 100644
--- a/demos/bio/client-arg.c
+++ b/demos/bio/client-arg.c
@@ -17,7 +17,7 @@ int main(int argc, char **argv)
     ERR_load_SSL_strings();
     SSL_library_init();
 
-    ctx = SSL_CTX_new(SSLv23_client_method());
+    ctx = SSL_CTX_new(TLS_client_method());
     cctx = SSL_CONF_CTX_new();
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
     SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
diff --git a/demos/bio/client-conf.c b/demos/bio/client-conf.c
index b75088a..2a78315 100644
--- a/demos/bio/client-conf.c
+++ b/demos/bio/client-conf.c
@@ -37,7 +37,7 @@ int main(int argc, char **argv)
         goto end;
     }
 
-    ctx = SSL_CTX_new(SSLv23_client_method());
+    ctx = SSL_CTX_new(TLS_client_method());
     cctx = SSL_CONF_CTX_new();
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
diff --git a/demos/bio/saccept.c b/demos/bio/saccept.c
index 505d98b..0d173aa 100644
--- a/demos/bio/saccept.c
+++ b/demos/bio/saccept.c
@@ -45,7 +45,7 @@ int main(int argc, char *argv[])
     /* Add ciphers and message digests */
     OpenSSL_add_ssl_algorithms();
 
-    ctx = SSL_CTX_new(SSLv23_server_method());
+    ctx = SSL_CTX_new(TLS_server_method());
     if (!SSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
         goto err;
     if (!SSL_CTX_use_PrivateKey_file(ctx, CERT_FILE, SSL_FILETYPE_PEM))
diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c
index 6e4ca65..865d503 100644
--- a/demos/bio/sconnect.c
+++ b/demos/bio/sconnect.c
@@ -43,7 +43,7 @@ char *argv[];
 
     /* Setup all the global SSL stuff */
     OpenSSL_add_ssl_algorithms();
-    ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+    ssl_ctx = SSL_CTX_new(TLS_client_method());
 
     /* Lets make a SSL structure */
     ssl = SSL_new(ssl_ctx);
diff --git a/demos/bio/server-arg.c b/demos/bio/server-arg.c
index b188f6a..242ca6c 100644
--- a/demos/bio/server-arg.c
+++ b/demos/bio/server-arg.c
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
     /* Add ciphers and message digests */
     OpenSSL_add_ssl_algorithms();
 
-    ctx = SSL_CTX_new(SSLv23_server_method());
+    ctx = SSL_CTX_new(TLS_server_method());
 
     cctx = SSL_CONF_CTX_new();
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
diff --git a/demos/bio/server-conf.c b/demos/bio/server-conf.c
index cc9fe8a..bf3dd06 100644
--- a/demos/bio/server-conf.c
+++ b/demos/bio/server-conf.c
@@ -49,7 +49,7 @@ int main(int argc, char *argv[])
         goto err;
     }
 
-    ctx = SSL_CTX_new(SSLv23_server_method());
+    ctx = SSL_CTX_new(TLS_server_method());
     cctx = SSL_CONF_CTX_new();
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
     SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c
index 9346720..b951290 100644
--- a/demos/easy_tls/easy-tls.c
+++ b/demos/easy_tls/easy-tls.c
@@ -667,8 +667,8 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
         return NULL;
 
     ret =
-        SSL_CTX_new((a.client_p ? SSLv23_client_method :
-                     SSLv23_server_method) ());
+        SSL_CTX_new((a.client_p ? TLS_client_method :
+                     TLS_server_method) ());
 
     if (ret == NULL)
         goto err;
diff --git a/demos/ssl/cli.cpp b/demos/ssl/cli.cpp
index cb5d329..3459f0f 100644
--- a/demos/ssl/cli.cpp
+++ b/demos/ssl/cli.cpp
@@ -38,7 +38,7 @@ void main ()
   SSL_METHOD *meth;
 
   SSLeay_add_ssl_algorithms();
-  meth = SSLv23_client_method();
+  meth = TLS_client_method();
   SSL_load_error_strings();
   ctx = SSL_CTX_new (meth);                        CHK_NULL(ctx);
 
diff --git a/demos/ssl/serv.cpp b/demos/ssl/serv.cpp
index 6d4cefd..9cb77f8 100644
--- a/demos/ssl/serv.cpp
+++ b/demos/ssl/serv.cpp
@@ -55,7 +55,7 @@ void main ()
 
   SSL_load_error_strings();
   SSLeay_add_ssl_algorithms();
-  meth = SSLv23_server_method();
+  meth = TLS_server_method();
   ctx = SSL_CTX_new (meth);
   if (!ctx) {
     ERR_print_errors_fp(stderr);
diff --git a/demos/state_machine/state_machine.c b/demos/state_machine/state_machine.c
index 1dd8c2b..98802a1 100644
--- a/demos/state_machine/state_machine.c
+++ b/demos/state_machine/state_machine.c
@@ -119,7 +119,7 @@ SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
 
     die_unless(pMachine);
 
-    pMachine->pCtx = SSL_CTX_new(SSLv23_server_method());
+    pMachine->pCtx = SSL_CTX_new(TLS_server_method());
     die_unless(pMachine->pCtx);
 
     n = SSL_CTX_use_certificate_file(pMachine->pCtx, szCertificateFile,
diff --git a/doc/crypto/BIO_f_ssl.pod b/doc/crypto/BIO_f_ssl.pod
index a9f23f1..a0531b0 100644
--- a/doc/crypto/BIO_f_ssl.pod
+++ b/doc/crypto/BIO_f_ssl.pod
@@ -148,7 +148,7 @@ unencrypted example in L<BIO_s_connect(3)|BIO_s_connect(3)>.
   * do it automatically
   */
 
- ctx = SSL_CTX_new(SSLv23_client_method());
+ ctx = SSL_CTX_new(TLS_client_method());
 
  /* We'd normally set some stuff like the verify paths and
   * mode here because as things stand this will connect to
@@ -212,7 +212,7 @@ a client and also echoes the request to standard output.
 
  /* Might seed PRNG here */
 
- ctx = SSL_CTX_new(SSLv23_server_method());
+ ctx = SSL_CTX_new(TLS_server_method());
 
  if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
 	|| !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod
index 4b10f59..1a19a19 100644
--- a/doc/crypto/err.pod
+++ b/doc/crypto/err.pod
@@ -79,16 +79,16 @@ Each sub-library has a specific macro XXXerr() that is used to report
 errors. Its first argument is a function code B<XXX_F_...>, the second
 argument is a reason code B<XXX_R_...>. Function codes are derived
 from the function names; reason codes consist of textual error
-descriptions. For example, the function ssl23_read() reports a
+descriptions. For example, the function ssl3_read_bytes() reports a
 "handshake failure" as follows:
 
- SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
 
 Function and reason codes should consist of upper case characters,
 numbers and underscores only. The error file generation script translates
 function codes into function names by looking in the header files
 for an appropriate function name, if none is found it just uses
-the capitalized form such as "SSL23_READ" in the above example.
+the capitalized form such as "SSL3_READ_BYTES" in the above example.
 
 The trailing section of a reason code (after the "_R_") is translated
 into lower case and underscores changed to spaces.
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index 0da3f7b..c788b9b 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions
+SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions
 
 =head1 SYNOPSIS
 
@@ -28,31 +28,30 @@ client only type. B<method> can be of the following types:
 A TLS/SSL connection established with these methods will only understand the
 SSLv3 protocol. A client will send out SSLv3 client hello messages
 and will indicate that it only understands SSLv3. A server will only understand
-SSLv3 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method().
+SSLv3 client hello messages.
 
 =item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
 
 A TLS/SSL connection established with these methods will only understand the
 TLSv1 protocol. A client will send out TLSv1 client hello messages
 and will indicate that it only understands TLSv1. A server will only understand
-TLSv1 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method(). It will also not understand
-SSLv3 client hello messages.
+TLSv1 client hello messages.
 
 =item TLSv1_1_method(void), TLSv1_1_server_method(void), TLSv1_1_client_method(void)
 
 A TLS/SSL connection established with these methods will only understand the
 TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages
 and will indicate that it only understands TLSv1.1. A server will only
-understand TLSv1.1 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*_method(). It will also not understand
-SSLv3 client hello messages.
+understand TLSv1.1 client hello messages.
 
-=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+=item TLSv1_2_method(void), TLSv1_2_server_method(void), TLSv1_2_client_method(void)
+
+A TLS/SSL connection established with these methods will only understand the
+TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages
+and will indicate that it only understands TLSv1.2. A server will only
+understand TLSv1.2 client hello messages.
+
+=item TLS_method(void), TLS_server_method(void), TLS_client_method(void)
 
 A TLS/SSL connection established with these methods may understand the
 SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
@@ -63,6 +62,12 @@ will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
 fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
 protocols. This is the best choice when compatibility is a concern.
 
+=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+
+Use of these functions is deprecated. They have been replaced with TLS_Method(),
+TLS_server_method() and TLS_client_method() respectively. New code should use
+those functions instead.
+
 =back
 
 The list of protocols available can later be limited using the
@@ -98,7 +103,9 @@ The return value points to an allocated SSL_CTX object.
 =head1 HISTORY
 
 SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in
-OpenSSL 1.1.0.
+OpenSSL 1.1.0. SSLv23_method, SSLv23_server_method and SSLv23_client_method were
+deprecated and TLS_method, TLS_server_method and TLS_client_method
+were introduced in OpenSSL 1.1.0.
 
 =head1 SEE ALSO
 
diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod
index ba192bd..1b9ea1f 100644
--- a/doc/ssl/SSL_clear.pod
+++ b/doc/ssl/SSL_clear.pod
@@ -30,7 +30,7 @@ settings corresponding. This explicitly means, that e.g. the special method
 used during the session will be kept for the next handshake. So if the
 session was a TLSv1 session, a SSL client object will use a TLSv1 client
 method for the next handshake and a SSL server object will use a TLSv1
-server method, even if SSLv23_*_methods were chosen on startup. This
+server method, even if TLS_*_methods were chosen on startup. This
 will might lead to connection failures (see L<SSL_new(3)|SSL_new(3)>)
 for a description of the method's properties.
 
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 5af0fc6..a094356 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -103,13 +103,6 @@ That's the sub header file dealing with the SSLv3 protocol only.
 I<Usually you don't have to include it explicitly because
 it's already included by ssl.h>.
 
-=item B<ssl23.h>
-
-That's the sub header file dealing with the combined use of different
-protocol version.
-I<Usually you don't have to include it explicitly because
-it's already included by ssl.h>.
-
 =item B<tls1.h>
 
 That's the sub header file dealing with the TLSv1 protocol only.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 27e44cc..a93145b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -910,7 +910,6 @@ __owur int SSL_extension_supported(unsigned int ext_type);
 # include <openssl/ssl3.h>
 # include <openssl/tls1.h>      /* This is mostly sslv3 with a few tweaks */
 # include <openssl/dtls1.h>     /* Datagram TLS */
-# include <openssl/ssl23.h>
 # include <openssl/srtp.h>      /* Support for the use_srtp extension */
 
 #ifdef  __cplusplus
@@ -1562,12 +1561,16 @@ __owur const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
 __owur const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
 # endif
 
-__owur const SSL_METHOD *SSLv23_method(void); /* Negotiate highest available SSL/TLS
-                                        * version */
-__owur const SSL_METHOD *SSLv23_server_method(void); /* Negotiate highest available
-                                               * SSL/TLS version */
-__owur const SSL_METHOD *SSLv23_client_method(void); /* Negotiate highest available
-                                               * SSL/TLS version */
+#ifdef OPENSSL_USE_DEPRECATED
+#define SSLv23_method           TLS_method
+#define SSLv23_server_method    TLS_server_method
+#define SSLv23_client_method    TLS_client_method
+#endif
+
+/* Negotiate highest available SSL/TLS version */
+__owur const SSL_METHOD *TLS_method(void);
+__owur const SSL_METHOD *TLS_server_method(void);
+__owur const SSL_METHOD *TLS_client_method(void);
 
 __owur const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
 __owur const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
@@ -1928,14 +1931,6 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_DTLS1_SEND_SERVER_HELLO                    266
 # define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE             267
 # define SSL_F_DTLS1_WRITE_APP_DATA_BYTES                 268
-# define SSL_F_SSL23_ACCEPT                               115
-# define SSL_F_SSL23_CLIENT_HELLO                         116
-# define SSL_F_SSL23_CONNECT                              117
-# define SSL_F_SSL23_GET_CLIENT_HELLO                     118
-# define SSL_F_SSL23_GET_SERVER_HELLO                     119
-# define SSL_F_SSL23_PEEK                                 237
-# define SSL_F_SSL23_READ                                 120
-# define SSL_F_SSL23_WRITE                                121
 # define SSL_F_SSL3_ACCEPT                                128
 # define SSL_F_SSL3_ADD_CERT_TO_BUF                       296
 # define SSL_F_SSL3_CALLBACK_CTRL                         233
@@ -2073,6 +2068,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_SET_SESSION_ID_CONTEXT                 218
 # define SSL_F_SSL_SET_SESSION_TICKET_EXT                 294
 # define SSL_F_SSL_SET_TRUST                              228
+# define SSL_F_SSL_SET_VERSION                            347
 # define SSL_F_SSL_SET_WFD                                196
 # define SSL_F_SSL_SHUTDOWN                               224
 # define SSL_F_SSL_SRP_CTX_INIT                           313
@@ -2289,7 +2285,6 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES           362
 # define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG      363
 # define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE            364
-# define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
 # define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT             321
 # define SSL_R_SSL3_EXT_INVALID_SERVERNAME                319
 # define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE           320
diff --git a/include/openssl/ssl23.h b/include/openssl/ssl23.h
deleted file mode 100644
index 9de4685..0000000
--- a/include/openssl/ssl23.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/* ssl/ssl23.h */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_SSL23_H
-# define HEADER_SSL23_H
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/*
- * client
- */
-/* write to server */
-# define SSL23_ST_CW_CLNT_HELLO_A        (0x210|SSL_ST_CONNECT)
-# define SSL23_ST_CW_CLNT_HELLO_B        (0x211|SSL_ST_CONNECT)
-/* read from server */
-# define SSL23_ST_CR_SRVR_HELLO_A        (0x220|SSL_ST_CONNECT)
-# define SSL23_ST_CR_SRVR_HELLO_B        (0x221|SSL_ST_CONNECT)
-
-/* server */
-/* read from client */
-# define SSL23_ST_SR_CLNT_HELLO_A        (0x210|SSL_ST_ACCEPT)
-# define SSL23_ST_SR_CLNT_HELLO_B        (0x211|SSL_ST_ACCEPT)
-
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index e1beaf3..d107396 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -167,6 +167,9 @@ extern "C" {
 # define TLS1_2_VERSION                  0x0303
 # define TLS_MAX_VERSION                 TLS1_2_VERSION
 
+/* Special value for method supporting multiple versions */
+# define TLS_ANY_VERSION                 0x10000
+
 # define TLS1_VERSION_MAJOR              0x03
 # define TLS1_VERSION_MINOR              0x01
 
diff --git a/ssl/Makefile b/ssl/Makefile
index bb00516..ad2f99f 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -17,9 +17,8 @@ GENERAL=Makefile README ssl-lib.com install.com
 LIB=$(TOP)/libssl.a
 SHARED_LIB= libssl$(SHLIB_EXT)
 LIBSRC=	\
-	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c record/rec_layer_s3.c \
+	s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c record/rec_layer_s3.c \
 	s3_both.c s3_cbc.c s3_msg.c \
-	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c record/rec_layer_s23.c \
 	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c t1_ext.c \
 	d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  record/rec_layer_d1.c d1_msg.c \
 	d1_both.c d1_srtp.c \
@@ -29,9 +28,8 @@ LIBSRC=	\
 	bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \
 	record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c
 LIBOBJ= \
-	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o record/rec_layer_s3.o \
+	s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o record/rec_layer_s3.o \
 	s3_both.o s3_cbc.o s3_msg.o \
-	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o record/rec_layer_s23.o \
 	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o t1_ext.o \
 	d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  record/rec_layer_d1.o d1_msg.o \
 	d1_both.o d1_srtp.o\
@@ -106,10 +104,10 @@ bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 bio_ssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c record/record.h ssl_locl.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+bio_ssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bio_ssl.c
+bio_ssl.o: record/record.h ssl_locl.h
 d1_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -125,11 +123,10 @@ d1_both.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 d1_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 d1_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 d1_both.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-d1_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-d1_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_both.c
-d1_both.o: record/record.h ssl_locl.h
+d1_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+d1_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_both.o: ../include/openssl/x509_vfy.h d1_both.c record/record.h ssl_locl.h
 d1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -147,10 +144,10 @@ d1_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 d1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_clnt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_clnt.o: ../include/openssl/x509_vfy.h d1_clnt.c record/record.h ssl_locl.h
+d1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_clnt.c
+d1_clnt.o: record/record.h ssl_locl.h
 d1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -166,10 +163,10 @@ d1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 d1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_lib.o: ../include/openssl/x509_vfy.h d1_lib.c record/record.h ssl_locl.h
+d1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_lib.c
+d1_lib.o: record/record.h ssl_locl.h
 d1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -185,10 +182,10 @@ d1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 d1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_meth.o: ../include/openssl/x509_vfy.h d1_meth.c record/record.h ssl_locl.h
+d1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_meth.c
+d1_meth.o: record/record.h ssl_locl.h
 d1_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -204,10 +201,10 @@ d1_msg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 d1_msg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_msg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_msg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_msg.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_msg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_msg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_msg.o: ../include/openssl/x509_vfy.h d1_msg.c record/record.h ssl_locl.h
+d1_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_msg.c
+d1_msg.o: record/record.h ssl_locl.h
 d1_srtp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_srtp.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 d1_srtp.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -223,10 +220,10 @@ d1_srtp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 d1_srtp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_srtp.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_srtp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_srtp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_srtp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_srtp.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_srtp.o: ../include/openssl/x509_vfy.h d1_srtp.c record/record.h ssl_locl.h
+d1_srtp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_srtp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_srtp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srtp.c
+d1_srtp.o: record/record.h ssl_locl.h
 d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -244,10 +241,10 @@ d1_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 d1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 d1_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 d1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-d1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_srvr.o: ../include/openssl/x509_vfy.h d1_srvr.c record/record.h ssl_locl.h
+d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
+d1_srvr.o: record/record.h ssl_locl.h
 dtls1_bitmap.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dtls1_bitmap.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 dtls1_bitmap.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -263,11 +260,10 @@ dtls1_bitmap.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 dtls1_bitmap.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 dtls1_bitmap.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 dtls1_bitmap.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-dtls1_bitmap.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-dtls1_bitmap.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dtls1_bitmap.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-dtls1_bitmap.o: ../include/openssl/x509_vfy.h dtls1_bitmap.c
-dtls1_bitmap.o: record/../record/record.h record/../ssl_locl.h
+dtls1_bitmap.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+dtls1_bitmap.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+dtls1_bitmap.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+dtls1_bitmap.o: dtls1_bitmap.c record/../record/record.h record/../ssl_locl.h
 dtls1_bitmap.o: record/dtls1_bitmap.c record/record_locl.h
 rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rec_layer_d1.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -284,33 +280,12 @@ rec_layer_d1.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 rec_layer_d1.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 rec_layer_d1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 rec_layer_d1.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-rec_layer_d1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-rec_layer_d1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-rec_layer_d1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-rec_layer_d1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-rec_layer_d1.o: rec_layer_d1.c record/../record/record.h record/../ssl_locl.h
+rec_layer_d1.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+rec_layer_d1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+rec_layer_d1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+rec_layer_d1.o: ../include/openssl/x509_vfy.h rec_layer_d1.c
+rec_layer_d1.o: record/../record/record.h record/../ssl_locl.h
 rec_layer_d1.o: record/rec_layer_d1.c record/record_locl.h
-rec_layer_s23.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rec_layer_s23.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-rec_layer_s23.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-rec_layer_s23.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-rec_layer_s23.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-rec_layer_s23.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-rec_layer_s23.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-rec_layer_s23.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rec_layer_s23.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rec_layer_s23.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-rec_layer_s23.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rec_layer_s23.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-rec_layer_s23.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rec_layer_s23.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-rec_layer_s23.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-rec_layer_s23.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-rec_layer_s23.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rec_layer_s23.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-rec_layer_s23.o: ../include/openssl/x509_vfy.h rec_layer_s23.c
-rec_layer_s23.o: record/../record/record.h record/../ssl_locl.h
-rec_layer_s23.o: record/rec_layer_s23.c
 rec_layer_s3.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rec_layer_s3.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 rec_layer_s3.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -326,90 +301,12 @@ rec_layer_s3.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 rec_layer_s3.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 rec_layer_s3.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 rec_layer_s3.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-rec_layer_s3.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-rec_layer_s3.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-rec_layer_s3.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-rec_layer_s3.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-rec_layer_s3.o: rec_layer_s3.c record/../record/record.h record/../ssl_locl.h
+rec_layer_s3.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+rec_layer_s3.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+rec_layer_s3.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+rec_layer_s3.o: ../include/openssl/x509_vfy.h rec_layer_s3.c
+rec_layer_s3.o: record/../record/record.h record/../ssl_locl.h
 rec_layer_s3.o: record/rec_layer_s3.c record/record_locl.h
-s23_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s23_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s23_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s23_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s23_clnt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s23_clnt.o: record/record.h s23_clnt.c ssl_locl.h
-s23_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s23_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s23_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s23_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s23_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s23_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s23_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_lib.o: ../include/openssl/x509_vfy.h record/record.h s23_lib.c ssl_locl.h
-s23_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s23_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s23_meth.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s23_meth.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s23_meth.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s23_meth.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s23_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_meth.o: ../include/openssl/x509_vfy.h record/record.h s23_meth.c ssl_locl.h
-s23_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s23_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s23_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s23_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s23_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s23_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s23_srvr.o: record/record.h s23_srvr.c ssl_locl.h
 s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -425,11 +322,10 @@ s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 s3_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_both.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_both.o: record/record.h s3_both.c ssl_locl.h
+s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_both.o: ../include/openssl/x509_vfy.h record/record.h s3_both.c ssl_locl.h
 s3_cbc.o: ../e_os.h ../include/internal/constant_time_locl.h
 s3_cbc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -446,11 +342,10 @@ s3_cbc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_cbc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_cbc.o: record/record.h s3_cbc.c ssl_locl.h
+s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_cbc.o: ../include/openssl/x509_vfy.h record/record.h s3_cbc.c ssl_locl.h
 s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -468,11 +363,10 @@ s3_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_clnt.o: record/record.h s3_clnt.c ssl_locl.h
+s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_clnt.o: ../include/openssl/x509_vfy.h record/record.h s3_clnt.c ssl_locl.h
 s3_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s3_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -488,11 +382,10 @@ s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s3_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s3_enc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_enc.o: record/record.h s3_enc.c ssl_locl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h record/record.h s3_enc.c ssl_locl.h
 s3_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s3_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h
@@ -506,32 +399,13 @@ s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_lib.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
 s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 s3_lib.o: ../include/openssl/x509_vfy.h record/record.h s3_lib.c ssl_locl.h
-s3_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_meth.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_meth.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_meth.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_meth.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_meth.o: ../include/openssl/x509_vfy.h record/record.h s3_meth.c ssl_locl.h
 s3_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s3_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -547,10 +421,10 @@ s3_msg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 s3_msg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 s3_msg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 s3_msg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_msg.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_msg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_msg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_msg.o: ../include/openssl/x509_vfy.h record/record.h s3_msg.c ssl_locl.h
+s3_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s3_msg.o: record/record.h s3_msg.c ssl_locl.h
 s3_srvr.o: ../e_os.h ../include/internal/constant_time_locl.h
 s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -569,10 +443,10 @@ s3_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 s3_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_srvr.o: ../include/openssl/x509_vfy.h record/record.h s3_srvr.c ssl_locl.h
+s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s3_srvr.o: record/record.h s3_srvr.c ssl_locl.h
 ssl3_buffer.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl3_buffer.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl3_buffer.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -588,12 +462,11 @@ ssl3_buffer.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl3_buffer.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl3_buffer.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl3_buffer.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl3_buffer.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl3_buffer.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl3_buffer.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl3_buffer.o: ../include/openssl/x509_vfy.h record/../record/record.h
-ssl3_buffer.o: record/../ssl_locl.h record/record_locl.h record/ssl3_buffer.c
-ssl3_buffer.o: ssl3_buffer.c
+ssl3_buffer.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl3_buffer.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl3_buffer.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl3_buffer.o: record/../record/record.h record/../ssl_locl.h
+ssl3_buffer.o: record/record_locl.h record/ssl3_buffer.c ssl3_buffer.c
 ssl3_record.o: ../e_os.h ../include/internal/constant_time_locl.h
 ssl3_record.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl3_record.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -610,12 +483,12 @@ ssl3_record.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl3_record.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 ssl3_record.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl3_record.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl3_record.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl3_record.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl3_record.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl3_record.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl3_record.o: record/../record/record.h record/../ssl_locl.h
-ssl3_record.o: record/record_locl.h record/ssl3_record.c ssl3_record.c
+ssl3_record.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl3_record.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl3_record.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl3_record.o: ../include/openssl/x509_vfy.h record/../record/record.h
+ssl3_record.o: record/../ssl_locl.h record/record_locl.h record/ssl3_record.c
+ssl3_record.o: ssl3_record.c
 ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -631,10 +504,10 @@ ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_algs.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_algs.o: ../include/openssl/x509_vfy.h record/record.h ssl_algs.c ssl_locl.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_algs.o: record/record.h ssl_algs.c ssl_locl.h
 ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1t.h
 ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -650,11 +523,10 @@ ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ssl_asn1.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_asn1.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_asn1.o: record/record.h ssl_asn1.c ssl_locl.h
+ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_asn1.o: ../include/openssl/x509_vfy.h record/record.h ssl_asn1.c ssl_locl.h
 ssl_cert.o: ../e_os.h ../include/internal/o_dir.h ../include/openssl/asn1.h
 ssl_cert.o: ../include/openssl/bio.h ../include/openssl/bn.h
 ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -672,11 +544,10 @@ ssl_cert.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_cert.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_cert.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_cert.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_cert.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-ssl_cert.o: record/record.h ssl_cert.c ssl_locl.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_cert.o: ../include/openssl/x509v3.h record/record.h ssl_cert.c ssl_locl.h
 ssl_ciph.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -692,11 +563,10 @@ ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ssl_ciph.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
 ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_ciph.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_ciph.o: record/record.h ssl_ciph.c ssl_locl.h
+ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h record/record.h ssl_ciph.c ssl_locl.h
 ssl_conf.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_conf.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_conf.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -713,10 +583,10 @@ ssl_conf.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_conf.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_conf.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_conf.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_conf.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_conf.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_conf.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_conf.o: ../include/openssl/x509_vfy.h record/record.h ssl_conf.c ssl_locl.h
+ssl_conf.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_conf.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_conf.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_conf.o: record/record.h ssl_conf.c ssl_locl.h
 ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_err.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
@@ -730,10 +600,10 @@ ssl_err.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_err.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_err.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_err.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err.c
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c
 ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
@@ -747,10 +617,10 @@ ssl_err2.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_err2.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_err2.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_err2.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err2.c
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
 ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -768,11 +638,11 @@ ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_lib.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssl_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_lib.o: ../include/openssl/x509v3.h record/record.h ssl_lib.c ssl_locl.h
+ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+ssl_lib.o: record/record.h ssl_lib.c ssl_locl.h
 ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -788,10 +658,10 @@ ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_rsa.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h ssl_rsa.c
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_rsa.o: record/record.h ssl_locl.h ssl_rsa.c
 ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -808,10 +678,10 @@ ssl_sess.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_sess.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_sess.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h ssl_sess.c
+ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_sess.o: record/record.h ssl_locl.h ssl_sess.c
 ssl_stat.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -827,10 +697,10 @@ ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_stat.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_stat.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h ssl_stat.c
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_stat.o: record/record.h ssl_locl.h ssl_stat.c
 ssl_txt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -846,10 +716,10 @@ ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_txt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_txt.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h ssl_txt.c
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_txt.o: record/record.h ssl_locl.h ssl_txt.c
 ssl_utst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_utst.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_utst.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -865,10 +735,10 @@ ssl_utst.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ssl_utst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 ssl_utst.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 ssl_utst.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_utst.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssl_utst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_utst.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_utst.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h ssl_utst.c
+ssl_utst.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_utst.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_utst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_utst.o: record/record.h ssl_locl.h ssl_utst.c
 t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -884,11 +754,10 @@ t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 t1_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_clnt.o: record/record.h ssl_locl.h t1_clnt.c
+t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_clnt.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_clnt.c
 t1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -905,10 +774,10 @@ t1_enc.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 t1_enc.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_enc.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_enc.c
+t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_enc.o: record/record.h ssl_locl.h t1_enc.c
 t1_ext.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_ext.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_ext.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -924,10 +793,10 @@ t1_ext.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_ext.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 t1_ext.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 t1_ext.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_ext.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_ext.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_ext.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_ext.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_ext.c
+t1_ext.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_ext.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_ext.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_ext.o: record/record.h ssl_locl.h t1_ext.c
 t1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -945,11 +814,11 @@ t1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_lib.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 t1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 t1_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_lib.o: ../include/openssl/x509v3.h record/record.h ssl_locl.h t1_lib.c
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+t1_lib.o: record/record.h ssl_locl.h t1_lib.c
 t1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -965,10 +834,10 @@ t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 t1_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_meth.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_meth.c
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_meth.o: record/record.h ssl_locl.h t1_meth.c
 t1_reneg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_reneg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_reneg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -984,10 +853,10 @@ t1_reneg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_reneg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 t1_reneg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 t1_reneg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_reneg.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_reneg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_reneg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_reneg.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_reneg.c
+t1_reneg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_reneg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_reneg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_reneg.o: record/record.h ssl_locl.h t1_reneg.c
 t1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -1003,11 +872,10 @@ t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 t1_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_srvr.o: record/record.h ssl_locl.h t1_srvr.c
+t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_srvr.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_srvr.c
 t1_trce.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_trce.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 t1_trce.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@@ -1023,10 +891,10 @@ t1_trce.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 t1_trce.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 t1_trce.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 t1_trce.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_trce.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_trce.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_trce.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_trce.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_trce.c
+t1_trce.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_trce.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_trce.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_trce.o: record/record.h ssl_locl.h t1_trce.c
 tls_srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 tls_srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 tls_srp.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -1043,8 +911,7 @@ tls_srp.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 tls_srp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 tls_srp.o: ../include/openssl/sha.h ../include/openssl/srp.h
 tls_srp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-tls_srp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-tls_srp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-tls_srp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-tls_srp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-tls_srp.o: record/record.h ssl_locl.h tls_srp.c
+tls_srp.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+tls_srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+tls_srp.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+tls_srp.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h tls_srp.c
diff --git a/ssl/install-ssl.com b/ssl/install-ssl.com
index 55e1a6a..c213357 100755
--- a/ssl/install-ssl.com
+++ b/ssl/install-ssl.com
@@ -70,7 +70,7 @@ $ if f$parse("wrk_sslinclude:") .eqs. "" then -
 $ if f$parse("wrk_sslxlib:") .eqs. "" then -
    create /directory /log wrk_sslxlib:
 $!
-$ exheader := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, srtp.h
+$ exheader := ssl.h, ssl2.h, ssl3.h, tls1.h, dtls1.h, srtp.h
 $ libs := ssl_libssl
 $!
 $ xexe_dir := [-.'archd'.exe.ssl]
diff --git a/ssl/record/README b/ssl/record/README
index 6870b53..987e9fd 100644
--- a/ssl/record/README
+++ b/ssl/record/README
@@ -21,7 +21,7 @@ The source files map to components as follows:
 dtls1_bitmap.c                                   -> DTLS1_BITMAP component
 ssl3_buffer.c                                    -> SSL3_BUFFER component
 ssl3_record.c                                    -> SSL3_RECORD component
-rec_layer_s23.c, rec_layer_s3.c, rec_layer_d1.c  -> RECORD_LAYER component
+rec_layer_s3.c, rec_layer_d1.c                   -> RECORD_LAYER component
 
 The RECORD_LAYER component is a facade pattern, i.e. it provides a simplified
 interface to the record layer for the rest of libssl. The other 3 components are
@@ -46,9 +46,6 @@ Conceptually it looks like this:
                    |                      |
                    |    RECORD_LAYER      |
                    |                      |
-                   |    rec_layer_s23.c   |
-                   |          ^           |
-                   |          |           |
                    |    rec_layer_s3.c    |
                    |          ^           |
                    | _________|__________ |
@@ -69,10 +66,9 @@ Conceptually it looks like this:
   |_______________|    |_______________|    |________________|
 
 
-The three RECORD_LAYER source files build progressively on each other, i.e.
-the simplest is rec_layer_s23.c. This provides the most basic functions used
-for version negotiation. Next rec_layer_s3.c adds the SSL/TLS layer. Finally
-rec_layer_d1.c builds off of the SSL/TLS code to provide DTLS specific
-capabilities. It uses some DTLS specific RECORD_LAYER component members which
-should only be accessed from rec_layer_d1.c. These are held in the
+The two RECORD_LAYER source files build on each other, i.e.
+the main one is rec_layer_s3.c which provides the core SSL/TLS layer. The second
+one is rec_layer_d1.c which builds off of the SSL/TLS code to provide DTLS
+specific capabilities. It uses some DTLS specific RECORD_LAYER component members
+which should only be accessed from rec_layer_d1.c. These are held in the
 DTLS1_RECORD_LAYER struct.
diff --git a/ssl/record/rec_layer_s23.c b/ssl/record/rec_layer_s23.c
deleted file mode 100644
index eb09be1..0000000
--- a/ssl/record/rec_layer_s23.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* ssl/record/rec_layer_s23.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <errno.h>
-#define USE_SOCKETS
-#include "../ssl_locl.h"
-#include <openssl/evp.h>
-#include <openssl/buffer.h>
-
-int ssl23_write_bytes(SSL *s)
-{
-    int i, num, tot;
-    char *buf;
-
-    buf = s->init_buf->data;
-    tot = s->init_off;
-    num = s->init_num;
-    for (;;) {
-        s->rwstate = SSL_WRITING;
-        i = BIO_write(s->wbio, &(buf[tot]), num);
-        if (i <= 0) {
-            s->init_off = tot;
-            s->init_num = num;
-            return (i);
-        }
-        s->rwstate = SSL_NOTHING;
-        if (i == num)
-            return (tot + i);
-
-        num -= i;
-        tot += i;
-    }
-}
-
-/* return regularly only when we have read (at least) 'n' bytes */
-int ssl23_read_bytes(SSL *s, int n)
-{
-    unsigned char *p;
-    int j;
-
-    if (s->rlayer.packet_length < (unsigned int)n) {
-        p = s->rlayer.packet;
-
-        for (;;) {
-            s->rwstate = SSL_READING;
-            j = BIO_read(s->rbio,
-                (char *)&(p[s->rlayer.packet_length]),
-                n - s->rlayer.packet_length);
-            if (j <= 0)
-                return (j);
-            s->rwstate = SSL_NOTHING;
-            s->rlayer.packet_length += j;
-            if (s->rlayer.packet_length >= (unsigned int)n)
-                return (s->rlayer.packet_length);
-        }
-    }
-    return (n);
-}
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index eccb517..456fac4 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1110,6 +1110,35 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
      */
 
     /*
+     * Lets just double check that we've not got an SSLv2 record
+     */
+    if (rr->rec_version == SSL2_VERSION) {
+        /*
+         * Should never happen. ssl3_get_record() should only give us an SSLv2
+         * record back if this is the first packet and we are looking for an
+         * initial ClientHello. Therefore |type| should always be equal to
+         * |rr->type|. If not then something has gone horribly wrong
+         */
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
+
+    if(s->method->version == TLS_ANY_VERSION
+            && (s->server || rr->type != SSL3_RT_ALERT)) {
+        /*
+         * If we've got this far and still haven't decided on what version
+         * we're using then this must be a client side alert we're dealing with
+         * (we don't allow heartbeats yet). We shouldn't be receiving anything
+         * other than a ClientHello if we are a server.
+         */
+        s->version = rr->rec_version;
+        al = SSL_AD_UNEXPECTED_MESSAGE;
+        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE);
+        goto f_err;
+    }
+
+    /*
      * In case of record types for which we have 'fragment' storage, fill
      * that so that we can process the data at a fixed place.
      */
@@ -1464,4 +1493,19 @@ void ssl3_record_sequence_update(unsigned char *seq)
     }
 }
 
+/*
+ * Returns true if the current rrec was sent in SSLv2 backwards compatible
+ * format and false otherwise.
+ */
+int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl)
+{
+    return SSL3_RECORD_is_sslv2_record(&rl->rrec);
+}
 
+/*
+ * Returns the length in bytes of the current rrec
+ */
+int RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl)
+{
+    return SSL3_RECORD_get_length(&rl->rrec);
+}
diff --git a/ssl/record/record.h b/ssl/record/record.h
index 6bccb71..cf1607c 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -132,6 +132,10 @@ typedef struct ssl3_buffer_st {
 #define SEQ_NUM_SIZE                            8
 
 typedef struct ssl3_record_st {
+    /* Record layer version */
+    /* r */
+    int rec_version;
+
     /* type of record */
     /* r */
     int type;
@@ -298,6 +302,8 @@ typedef struct record_layer_st {
  *                                                                           *
  *****************************************************************************/
 
+#define MIN_SSL2_RECORD_LEN     9
+
 #define RECORD_LAYER_set_read_ahead(rl, ra)     ((rl)->read_ahead = (ra))
 #define RECORD_LAYER_get_read_ahead(rl)         ((rl)->read_ahead)
 #define RECORD_LAYER_get_packet(rl)             ((rl)->packet)
@@ -319,9 +325,9 @@ void RECORD_LAYER_dup(RECORD_LAYER *dst, RECORD_LAYER *src);
 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
 int RECORD_LAYER_setup_comp_buffer(RECORD_LAYER *rl);
+int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+int RECORD_LAYER_get_rrec_length(RECORD_LAYER *rl);
 __owur int ssl3_pending(const SSL *s);
-__owur int ssl23_read_bytes(SSL *s, int n);
-__owur int ssl23_write_bytes(SSL *s);
 __owur int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
 __owur int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                          unsigned int len, int create_empty_fragment);
diff --git a/ssl/record/record_locl.h b/ssl/record/record_locl.h
index 72f8e55..b2222d7 100644
--- a/ssl/record/record_locl.h
+++ b/ssl/record/record_locl.h
@@ -186,6 +186,8 @@ int ssl3_release_write_buffer(SSL *s);
 #define SSL3_RECORD_set_off(r, o)               ((r)->off = (o))
 #define SSL3_RECORD_add_off(r, o)               ((r)->off += (o))
 #define SSL3_RECORD_get_epoch(r)                ((r)->epoch)
+#define SSL3_RECORD_is_sslv2_record(r) \
+            ((r)->rec_version == SSL2_VERSION)
 
 void SSL3_RECORD_clear(SSL3_RECORD *r);
 void SSL3_RECORD_release(SSL3_RECORD *r);
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 0328127..b0eb7cc 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -166,6 +166,7 @@ void SSL3_RECORD_set_seq_num(SSL3_RECORD *r, const unsigned char *seq_num)
  */
 #define MAX_EMPTY_RECORDS 32
 
+#define SSL2_RT_HEADER_LENGTH   2
 /*-
  * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
@@ -216,20 +217,49 @@ int ssl3_get_record(SSL *s)
         RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY);
 
         p = RECORD_LAYER_get_packet(&s->rlayer);
-        if (s->msg_callback)
-            s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
-                            s->msg_callback_arg);
 
-        /* Pull apart the header into the SSL3_RECORD */
-        rr->type = *(p++);
-        ssl_major = *(p++);
-        ssl_minor = *(p++);
-        version = (ssl_major << 8) | ssl_minor;
-        n2s(p, rr->length);
+        /*
+         * Check whether this is a regular record or an SSLv2 style record. The
+         * latter is only used in an initial ClientHello for old clients. We
+         * check s->read_hash and s->enc_read_ctx to ensure this does not apply
+         * during renegotiation
+         */
+        if (s->first_packet && s->server && !s->read_hash && !s->enc_read_ctx
+                && (p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
+            /* SSLv2 style record */
+            rr->type = SSL3_RT_HANDSHAKE;
+            rr->rec_version = SSL2_VERSION;
+
+            rr->length = ((p[0] & 0x7f) << 8) | p[1];
+
+            if (rr->length > SSL3_BUFFER_get_len(&s->rlayer.rbuf)
+                                    - SSL2_RT_HEADER_LENGTH) {
+                al = SSL_AD_RECORD_OVERFLOW;
+                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
+                goto f_err;
+            }
 
-        /* Lets check version */
-        if (!s->first_packet) {
-            if (version != s->version) {
+            if (rr->length < MIN_SSL2_RECORD_LEN) {
+                al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_LENGTH_TOO_SHORT);
+                goto f_err;
+            }
+        } else {
+            /* SSLv3+ style record */
+            if (s->msg_callback)
+                s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s,
+                                s->msg_callback_arg);
+
+            /* Pull apart the header into the SSL3_RECORD */
+            rr->type = *(p++);
+            ssl_major = *(p++);
+            ssl_minor = *(p++);
+            version = (ssl_major << 8) | ssl_minor;
+            rr->rec_version = version;
+            n2s(p, rr->length);
+
+            /* Lets check version */
+            if (!s->first_packet && version != s->version) {
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
                 if ((s->version & 0xFF00) == (version & 0xFF00)
                     && !s->enc_write_ctx && !s->write_hash)
@@ -240,47 +270,54 @@ int ssl3_get_record(SSL *s)
                 al = SSL_AD_PROTOCOL_VERSION;
                 goto f_err;
             }
-        }
 
-        if ((version >> 8) != SSL3_VERSION_MAJOR) {
-            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
-            goto err;
-        }
+            if ((version >> 8) != SSL3_VERSION_MAJOR) {
+                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
+                goto err;
+            }
 
-        if (rr->length >
-                SSL3_BUFFER_get_len(&s->rlayer.rbuf)
-                - SSL3_RT_HEADER_LENGTH) {
-            al = SSL_AD_RECORD_OVERFLOW;
-            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
-            goto f_err;
+            if (rr->length >
+                    SSL3_BUFFER_get_len(&s->rlayer.rbuf)
+                    - SSL3_RT_HEADER_LENGTH) {
+                al = SSL_AD_RECORD_OVERFLOW;
+                SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
+                goto f_err;
+            }
         }
 
         /* now s->rlayer.rstate == SSL_ST_READ_BODY */
     }
 
-    /* s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data */
-
-    if (rr->length >
-        RECORD_LAYER_get_packet_length(&s->rlayer) - SSL3_RT_HEADER_LENGTH) {
-        /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+    /*
+     * s->rlayer.rstate == SSL_ST_READ_BODY, get and decode the data.
+     * Calculate how much more data we need to read for the rest of the record
+     */
+    if (rr->rec_version == SSL2_VERSION) {
+        i = rr->length + SSL2_RT_HEADER_LENGTH - SSL3_RT_HEADER_LENGTH;
+    } else {
         i = rr->length;
+    }
+    if (i > 0) {
+        /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+
         n = ssl3_read_n(s, i, i, 1);
         if (n <= 0)
             return (n);         /* error or non-blocking io */
-        /*
-         * now n == rr->length, and s->packet_length == SSL3_RT_HEADER_LENGTH
-         * + rr->length
-         */
     }
 
     /* set state for later operations */
     RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_HEADER);
 
     /*
-     * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+     * At this point, s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length,
+     * or s->packet_length == SSL2_RT_HEADER_LENGTH + rr->length
      * and we have that many bytes in s->packet
      */
-    rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
+    if(rr->rec_version == SSL2_VERSION) {
+        rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL2_RT_HEADER_LENGTH]);
+    } else {
+        rr->input = &(RECORD_LAYER_get_packet(&s->rlayer)[SSL3_RT_HEADER_LENGTH]);
+    }
 
     /*
      * ok, we can now read from 's->packet' data into 'rr' rr->input points
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
deleted file mode 100644
index 3434340..0000000
--- a/ssl/s23_clnt.c
+++ /dev/null
@@ -1,595 +0,0 @@
-/* ssl/s23_clnt.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core at openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay at cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh at cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-
-static const SSL_METHOD *ssl23_get_client_method(int ver);
-static int ssl23_client_hello(SSL *s);
-static int ssl23_get_server_hello(SSL *s);
-static const SSL_METHOD *ssl23_get_client_method(int ver)
-{
-#ifndef OPENSSL_NO_SSL3
-    if (ver == SSL3_VERSION)
-        return (SSLv3_client_method());
-#endif
-    if (ver == TLS1_VERSION)
-        return (TLSv1_client_method());
-    else if (ver == TLS1_1_VERSION)
-        return (TLSv1_1_client_method());
-    else if (ver == TLS1_2_VERSION)
-        return (TLSv1_2_client_method());
-    else
-        return (NULL);
-}
-
-IMPLEMENT_ssl23_meth_func(SSLv23_client_method,
-                          ssl_undefined_function,
-                          ssl23_connect, ssl23_get_client_method)
-
-int ssl23_connect(SSL *s)
-{
-    BUF_MEM *buf = NULL;
-    unsigned long Time = (unsigned long)time(NULL);
-    void (*cb) (const SSL *ssl, int type, int val) = NULL;
-    int ret = -1;
-    int new_state, state;
-
-    RAND_add(&Time, sizeof(Time), 0);
-    ERR_clear_error();
-    clear_sys_error();
-
-    if (s->info_callback != NULL)
-        cb = s->info_callback;
-    else if (s->ctx->info_callback != NULL)
-        cb = s->ctx->info_callback;
-
-    s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s)) {
-        if (!SSL_clear(s))
-            return -1;
-    }
-
-    for (;;) {
-        state = s->state;
-
-        switch (s->state) {
-        case SSL_ST_BEFORE:
-        case SSL_ST_CONNECT:
-        case SSL_ST_BEFORE | SSL_ST_CONNECT:
-        case SSL_ST_OK | SSL_ST_CONNECT:
-
-            if (s->session != NULL) {
-                SSLerr(SSL_F_SSL23_CONNECT,
-                       SSL_R_SSL23_DOING_SESSION_ID_REUSE);
-                ret = -1;
-                goto end;
-            }
-            s->server = 0;
-            if (cb != NULL)
-                cb(s, SSL_CB_HANDSHAKE_START, 1);
-
-            /* s->version=TLS1_VERSION; */
-            s->type = SSL_ST_CONNECT;
-
-            if (s->init_buf == NULL) {
-                if ((buf = BUF_MEM_new()) == NULL) {
-                    ret = -1;
-                    goto end;
-                }
-                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
-                    ret = -1;
-                    goto end;
-                }
-                s->init_buf = buf;
-                buf = NULL;
-            }
-
-            if (!ssl3_setup_buffers(s)) {
-                ret = -1;
-                goto end;
-            }
-
-            ssl3_init_finished_mac(s);
-
-            s->state = SSL23_ST_CW_CLNT_HELLO_A;
-            s->ctx->stats.sess_connect++;
-            s->init_num = 0;
-            break;
-
-        case SSL23_ST_CW_CLNT_HELLO_A:
-        case SSL23_ST_CW_CLNT_HELLO_B:
-
-            s->shutdown = 0;
-            ret = ssl23_client_hello(s);
-            if (ret <= 0)
-                goto end;
-            s->state = SSL23_ST_CR_SRVR_HELLO_A;
-            s->init_num = 0;
-
-            break;
-
-        case SSL23_ST_CR_SRVR_HELLO_A:
-        case SSL23_ST_CR_SRVR_HELLO_B:
-            ret = ssl23_get_server_hello(s);
-            if (ret >= 0)
-                cb = NULL;
-            goto end;
-            /* break; */
-
-        default:
-            SSLerr(SSL_F_SSL23_CONNECT, SSL_R_UNKNOWN_STATE);
-            ret = -1;
-            goto end;
-            /* break; */
-        }
-
-        if (s->debug) {
-            (void)BIO_flush(s->wbio);
-        }
-
-        if ((cb != NULL) && (s->state != state)) {
-            new_state = s->state;
-            s->state = state;
-            cb(s, SSL_CB_CONNECT_LOOP, 1);
-            s->state = new_state;
-        }
-    }
- end:
-    s->in_handshake--;
-    BUF_MEM_free(buf);
-    if (cb != NULL)
-        cb(s, SSL_CB_CONNECT_EXIT, ret);
-    return (ret);
-}
-
-/*
- * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
- * failure, 1 on success.
- */
-int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
-{
-    int send_time = 0;
-
-    if (len < 4)
-        return 0;
-    if (server)
-        send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
-    else
-        send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
-    if (send_time) {
-        unsigned long Time = (unsigned long)time(NULL);
-        unsigned char *p = result;
-        l2n(Time, p);
-        return RAND_bytes(p, len - 4);
-    } else
-        return RAND_bytes(result, len);
-}
-
-static int ssl23_client_hello(SSL *s)
-{
-    unsigned char *buf;
-    unsigned char *p, *d;
-    int i;
-    unsigned long l;
-    int version = 0, version_major, version_minor;
-    int al = 0;
-#ifndef OPENSSL_NO_COMP
-    int j;
-    SSL_COMP *comp;
-#endif
-    int ret;
-    unsigned long mask, options = s->options;
-
-    /*
-     * SSL_OP_NO_X disables all protocols above X *if* there are
-     * some protocols below X enabled. This is required in order
-     * to maintain "version capability" vector contiguous. So
-     * that if application wants to disable TLS1.0 in favour of
-     * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
-     * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
-     */
-    mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1
-#if !defined(OPENSSL_NO_SSL3)
-        | SSL_OP_NO_SSLv3
-#endif
-        ;
-#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
-    version = TLS1_2_VERSION;
-
-    if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
-        version = TLS1_1_VERSION;
-#else
-    version = TLS1_1_VERSION;
-#endif
-    mask &= ~SSL_OP_NO_TLSv1_1;
-    if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
-        version = TLS1_VERSION;
-    mask &= ~SSL_OP_NO_TLSv1;
-#if !defined(OPENSSL_NO_SSL3)
-    if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
-        version = SSL3_VERSION;
-    mask &= ~SSL_OP_NO_SSLv3;
-#endif
-
-    buf = (unsigned char *)s->init_buf->data;
-    if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-        p = s->s3->client_random;
-        if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
-            return -1;
-
-        if (version == TLS1_2_VERSION) {
-            version_major = TLS1_2_VERSION_MAJOR;
-            version_minor = TLS1_2_VERSION_MINOR;
-        } else if (tls1_suiteb(s)) {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO,
-                   SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
-            return -1;
-        } else if (version == TLS1_1_VERSION) {
-            version_major = TLS1_1_VERSION_MAJOR;
-            version_minor = TLS1_1_VERSION_MINOR;
-        } else if (version == TLS1_VERSION) {
-            version_major = TLS1_VERSION_MAJOR;
-            version_minor = TLS1_VERSION_MINOR;
-        } else if (FIPS_mode()) {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO,
-                   SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-            return -1;
-        } else if (version == SSL3_VERSION) {
-            version_major = SSL3_VERSION_MAJOR;
-            version_minor = SSL3_VERSION_MINOR;
-        } else {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_PROTOCOLS_AVAILABLE);
-            return (-1);
-        }
-
-        s->client_version = version;
-
-        /* create Client Hello in SSL 3.0/TLS 1.0 format */
-
-        /*
-         * do the record header (5 bytes) and handshake message header (4
-         * bytes) last
-         */
-        d = p = &(buf[9]);
-
-        *(p++) = version_major;
-        *(p++) = version_minor;
-
-        /* Random stuff */
-        memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
-        p += SSL3_RANDOM_SIZE;
-
-        /* Session ID (zero since there is no reuse) */
-        *(p++) = 0;
-
-        /* Ciphers supported (using SSL 3.0/TLS 1.0 format) */
-        i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]),
-                                     ssl3_put_cipher_by_char);
-        if (i == 0) {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
-            return -1;
-        }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-        /*
-         * Some servers hang if client hello > 256 bytes as hack workaround
-         * chop number of supported ciphers to keep it well below this if we
-         * use TLS v1.2
-         */
-        if (TLS1_get_version(s) >= TLS1_2_VERSION
-            && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-            i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
-        s2n(i, p);
-        p += i;
-
-        /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
-        *(p++) = 1;
-#else
-        if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
-            j = 0;
-        else
-            j = sk_SSL_COMP_num(s->ctx->comp_methods);
-        *(p++) = 1 + j;
-        for (i = 0; i < j; i++) {
-            comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-            *(p++) = comp->id;
-        }
-#endif
-        *(p++) = 0;             /* Add the NULL method */
-
-#ifndef OPENSSL_NO_TLSEXT
-        /* TLS extensions */
-        if (ssl_prepare_clienthello_tlsext(s) <= 0) {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
-            return -1;
-        }
-        if ((p =
-             ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
-                                        &al)) == NULL) {
-            ssl3_send_alert(s, SSL3_AL_FATAL, al);
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-            return -1;
-        }
-#endif
-
-        l = p - d;
-
-        /* fill in 4-byte handshake header */
-        d = &(buf[5]);
-        *(d++) = SSL3_MT_CLIENT_HELLO;
-        l2n3(l, d);
-
-        l += 4;
-
-        if (l > SSL3_RT_MAX_PLAIN_LENGTH) {
-            SSLerr(SSL_F_SSL23_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-            return -1;
-        }
-
-        /* fill in 5-byte record header */
-        d = buf;
-        *(d++) = SSL3_RT_HANDSHAKE;
-        *(d++) = version_major;
-        /*
-         * Some servers hang if we use long client hellos and a record number
-         * > TLS 1.0.
-         */
-        if (TLS1_get_client_version(s) > TLS1_VERSION)
-            *(d++) = 1;
-        else
-            *(d++) = version_minor;
-        s2n((int)l, d);
-
-        /* number of bytes to write */
-        s->init_num = p - buf;
-        s->init_off = 0;
-
-        ssl3_finish_mac(s, &(buf[5]), s->init_num - 5);
-
-        s->state = SSL23_ST_CW_CLNT_HELLO_B;
-        s->init_off = 0;
-    }
-
-    /* SSL3_ST_CW_CLNT_HELLO_B */
-    ret = ssl23_write_bytes(s);
-
-    if ((ret >= 2) && s->msg_callback) {
-        /* Client Hello has been sent; tell msg_callback */
-        s->msg_callback(1, version, SSL3_RT_HEADER, s->init_buf->data, 5, s,
-                        s->msg_callback_arg);
-        s->msg_callback(1, version, SSL3_RT_HANDSHAKE, s->init_buf->data + 5,
-                        ret - 5, s, s->msg_callback_arg);
-    }
-
-    return ret;
-}
-
-static int ssl23_get_server_hello(SSL *s)
-{
-    unsigned char buf[8];
-    unsigned char *p;
-    int i;
-    int n;
-
-    n = ssl23_read_bytes(s, 7);
-
-    if (n != 7)
-        return (n);
-    p = RECORD_LAYER_get_packet(&s->rlayer);
-
-    memcpy(buf, p, n);
-
-    if (p[1] == SSL3_VERSION_MAJOR &&
-        p[2] <= TLS1_2_VERSION_MINOR &&
-        ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
-         (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) {
-        /* we have sslv3 or tls1 (server hello or alert) */
-
-#ifndef OPENSSL_NO_SSL3
-        if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) {
-            if (FIPS_mode()) {
-                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
-                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-                goto err;
-            }
-            s->version = SSL3_VERSION;
-            s->method = SSLv3_client_method();
-        } else
-#endif
-        if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) {
-            s->version = TLS1_VERSION;
-            s->method = TLSv1_client_method();
-        } else if ((p[2] == TLS1_1_VERSION_MINOR) &&
-                   !(s->options & SSL_OP_NO_TLSv1_1)) {
-            s->version = TLS1_1_VERSION;
-            s->method = TLSv1_1_client_method();
-        } else if ((p[2] == TLS1_2_VERSION_MINOR) &&
-                   !(s->options & SSL_OP_NO_TLSv1_2)) {
-            s->version = TLS1_2_VERSION;
-            s->method = TLSv1_2_client_method();
-        } else {
-            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-            goto err;
-        }
-
-        /* ensure that TLS_MAX_VERSION is up-to-date */
-        OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-
-        if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
-            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
-            goto err;
-        }
-
-        if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) {
-            /* fatal alert */
-
-            void (*cb) (const SSL *ssl, int type, int val) = NULL;
-            int j;
-
-            if (s->info_callback != NULL)
-                cb = s->info_callback;
-            else if (s->ctx->info_callback != NULL)
-                cb = s->ctx->info_callback;
-
-            i = p[5];
-            if (cb != NULL) {
-                j = (i << 8) | p[6];
-                cb(s, SSL_CB_READ_ALERT, j);
-            }
-
-            if (s->msg_callback) {
-                s->msg_callback(0, s->version, SSL3_RT_HEADER, p, 5, s,
-                                s->msg_callback_arg);
-                s->msg_callback(0, s->version, SSL3_RT_ALERT, p + 5, 2, s,
-                                s->msg_callback_arg);
-            }
-
-            s->rwstate = SSL_NOTHING;
-            SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_AD_REASON_OFFSET + p[6]);
-            goto err;
-        }
-
-        if (!ssl_init_wbio_buffer(s, 1))
-            goto err;
-
-        /* we are in this state */
-        s->state = SSL3_ST_CR_SRVR_HELLO_A;
-
-        /*
-         * put the 7 bytes we have read into the input buffer for SSLv3
-         */
-        if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
-            goto err;
-
-        s->handshake_func = s->method->ssl_connect;
-    } else {
-        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, SSL_R_UNKNOWN_PROTOCOL);
-        goto err;
-    }
-    s->init_num = 0;
-
-    /*
-     * Since, if we are sending a ssl23 client hello, we are not reusing a
-     * session-id
-     */
-    if (!ssl_get_new_session(s, 0))
-        goto err;
-
-    return (SSL_connect(s));
- err:
-    return (-1);
-}
diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c
deleted file mode 100644
index 0c79941..0000000
--- a/ssl/s23_lib.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/* ssl/s23_lib.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-
-long ssl23_default_timeout(void)
-{
-    return (300);
-}
-
-int ssl23_num_ciphers(void)
-{
-    return (ssl3_num_ciphers());
-}
-
-const SSL_CIPHER *ssl23_get_cipher(unsigned int u)
-{
-    return (ssl3_get_cipher(u));
-}
-
-/*
- * This function needs to check if the ciphers required are actually
- * available
- */
-const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
-{
-    return (ssl3_get_cipher_by_char(p));
-}
-
-int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
-{
-    long l;
-
-    /* We can write SSLv3 ciphers */
-    /* but no ECC ciphers */
-    if (c->algorithm_mkey == SSL_kECDHr ||
-        c->algorithm_mkey == SSL_kECDHe ||
-        c->algorithm_mkey == SSL_kEECDH ||
-        c->algorithm_auth == SSL_aECDH || c->algorithm_auth == SSL_aECDSA)
-        return 0;
-    if (p != NULL) {
-        l = c->id;
-        p[0] = ((unsigned char)(l >> 16L)) & 0xFF;
-        p[1] = ((unsigned char)(l >> 8L)) & 0xFF;
-        p[2] = ((unsigned char)(l)) & 0xFF;
-    }
-    return (3);
-}
-
-int ssl23_read(SSL *s, void *buf, int len)
-{
-    int n;
-
-    clear_sys_error();
-    if (SSL_in_init(s) && (!s->in_handshake)) {
-        n = s->handshake_func(s);
-        if (n < 0)
-            return (n);
-        if (n == 0) {
-            SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
-            return (-1);
-        }
-        return (SSL_read(s, buf, len));
-    } else {
-        ssl_undefined_function(s);
-        return (-1);
-    }
-}
-
-int ssl23_peek(SSL *s, void *buf, int len)
-{
-    int n;
-
-    clear_sys_error();
-    if (SSL_in_init(s) && (!s->in_handshake)) {
-        n = s->handshake_func(s);
-        if (n < 0)
-            return (n);
-        if (n == 0) {
-            SSLerr(SSL_F_SSL23_PEEK, SSL_R_SSL_HANDSHAKE_FAILURE);
-            return (-1);
-        }
-        return (SSL_peek(s, buf, len));
-    } else {
-        ssl_undefined_function(s);
-        return (-1);
-    }
-}
-
-int ssl23_write(SSL *s, const void *buf, int len)
-{
-    int n;
-
-    clear_sys_error();
-    if (SSL_in_init(s) && (!s->in_handshake)) {
-        n = s->handshake_func(s);
-        if (n < 0)
-            return (n);
-        if (n == 0) {
-            SSLerr(SSL_F_SSL23_WRITE, SSL_R_SSL_HANDSHAKE_FAILURE);
-            return (-1);
-        }
-        return (SSL_write(s, buf, len));
-    } else {
-        ssl_undefined_function(s);
-        return (-1);
-    }
-}
diff --git a/ssl/s23_meth.c b/ssl/s23_meth.c
deleted file mode 100644
index 757c5a9..0000000
--- a/ssl/s23_meth.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/* ssl/s23_meth.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-
-static const SSL_METHOD *ssl23_get_method(int ver);
-static const SSL_METHOD *ssl23_get_method(int ver)
-{
-#ifndef OPENSSL_NO_SSL3
-    if (ver == SSL3_VERSION)
-        return (SSLv3_method());
-    else
-#endif
-    if (ver == TLS1_VERSION)
-        return (TLSv1_method());
-    else if (ver == TLS1_1_VERSION)
-        return (TLSv1_1_method());
-    else if (ver == TLS1_2_VERSION)
-        return (TLSv1_2_method());
-    else
-        return (NULL);
-}
-
-IMPLEMENT_ssl23_meth_func(SSLv23_method,
-                          ssl23_accept, ssl23_connect, ssl23_get_method)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
deleted file mode 100644
index 50d634e..0000000
--- a/ssl/s23_srvr.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/* ssl/s23_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core at openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay at cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh at cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/buffer.h>
-#include <openssl/rand.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-
-static const SSL_METHOD *ssl23_get_server_method(int ver);
-int ssl23_get_client_hello(SSL *s);
-static const SSL_METHOD *ssl23_get_server_method(int ver)
-{
-#ifndef OPENSSL_NO_SSL3
-    if (ver == SSL3_VERSION)
-        return (SSLv3_server_method());
-#endif
-    if (ver == TLS1_VERSION)
-        return (TLSv1_server_method());
-    else if (ver == TLS1_1_VERSION)
-        return (TLSv1_1_server_method());
-    else if (ver == TLS1_2_VERSION)
-        return (TLSv1_2_server_method());
-    else
-        return (NULL);
-}
-
-IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
-                          ssl23_accept,
-                          ssl_undefined_function, ssl23_get_server_method)
-
-int ssl23_accept(SSL *s)
-{
-    BUF_MEM *buf;
-    unsigned long Time = (unsigned long)time(NULL);
-    void (*cb) (const SSL *ssl, int type, int val) = NULL;
-    int ret = -1;
-    int new_state, state;
-
-    RAND_add(&Time, sizeof(Time), 0);
-    ERR_clear_error();
-    clear_sys_error();
-
-    if (s->info_callback != NULL)
-        cb = s->info_callback;
-    else if (s->ctx->info_callback != NULL)
-        cb = s->ctx->info_callback;
-
-    s->in_handshake++;
-    if (!SSL_in_init(s) || SSL_in_before(s)) {
-        if (!SSL_clear(s))
-            return -1;
-    }
-
-    for (;;) {
-        state = s->state;
-
-        switch (s->state) {
-        case SSL_ST_BEFORE:
-        case SSL_ST_ACCEPT:
-        case SSL_ST_BEFORE | SSL_ST_ACCEPT:
-        case SSL_ST_OK | SSL_ST_ACCEPT:
-
-            s->server = 1;
-            if (cb != NULL)
-                cb(s, SSL_CB_HANDSHAKE_START, 1);
-
-            /* s->version=SSL3_VERSION; */
-            s->type = SSL_ST_ACCEPT;
-
-            if (s->init_buf == NULL) {
-                if ((buf = BUF_MEM_new()) == NULL) {
-                    ret = -1;
-                    goto end;
-                }
-                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
-                    BUF_MEM_free(buf);
-                    ret = -1;
-                    goto end;
-                }
-                s->init_buf = buf;
-            }
-
-            ssl3_init_finished_mac(s);
-
-            s->state = SSL23_ST_SR_CLNT_HELLO_A;
-            s->ctx->stats.sess_accept++;
-            s->init_num = 0;
-            break;
-
-        case SSL23_ST_SR_CLNT_HELLO_A:
-        case SSL23_ST_SR_CLNT_HELLO_B:
-
-            s->shutdown = 0;
-            ret = ssl23_get_client_hello(s);
-            if (ret >= 0)
-                cb = NULL;
-            goto end;
-            /* break; */
-
-        default:
-            SSLerr(SSL_F_SSL23_ACCEPT, SSL_R_UNKNOWN_STATE);
-            ret = -1;
-            goto end;
-            /* break; */
-        }
-
-        if ((cb != NULL) && (s->state != state)) {
-            new_state = s->state;
-            s->state = state;
-            cb(s, SSL_CB_ACCEPT_LOOP, 1);
-            s->state = new_state;
-        }
-    }
- end:
-    s->in_handshake--;
-    if (cb != NULL)
-        cb(s, SSL_CB_ACCEPT_EXIT, ret);
-    return (ret);
-}
-
-int ssl23_get_client_hello(SSL *s)
-{
-    /*-
-     * Request this many bytes in initial read.
-     * We can detect SSL 3.0/TLS 1.0 Client Hellos
-     * ('type == 3') correctly only when the following
-     * is in a single record, which is not guaranteed by
-     * the protocol specification:
-     * Byte  Content
-     *  0     type            \
-     *  1/2   version          > record header
-     *  3/4   length          /
-     *  5     msg_type        \
-     *  6-8   length           > Client Hello message
-     *  9/10  client_version  /
-     */
-    unsigned char buf_space[11];
-    unsigned char *buf = &(buf_space[0]);
-    unsigned char *p, *d, *d_len, *dd;
-    unsigned int i;
-    unsigned int csl, sil, cl;
-    int n = 0, j;
-    int type = 0;
-    int v[2];
-
-    if (s->state == SSL23_ST_SR_CLNT_HELLO_A) {
-        /* read the initial header */
-        v[0] = v[1] = 0;
-
-        if (!ssl3_setup_buffers(s))
-            goto err;
-
-        n = ssl23_read_bytes(s, sizeof buf_space);
-        if (n != sizeof buf_space)
-            return (n);         /* n == -1 || n == 0 */
-
-        p = RECORD_LAYER_get_packet(&s->rlayer);
-
-        memcpy(buf, p, n);
-
-        if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) {
-            /*
-             * SSLv2 header
-             */
-            if ((p[3] == 0x00) && (p[4] == 0x02)) {
-                v[0] = p[3];
-                v[1] = p[4];
-                /* SSLv2 */
-            } else if (p[3] == SSL3_VERSION_MAJOR) {
-                v[0] = p[3];
-                v[1] = p[4];
-                /* SSLv3/TLSv1 */
-                if (p[4] >= TLS1_VERSION_MINOR) {
-                    if (p[4] >= TLS1_2_VERSION_MINOR &&
-                        !(s->options & SSL_OP_NO_TLSv1_2)) {
-                        s->version = TLS1_2_VERSION;
-                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                    } else if (p[4] >= TLS1_1_VERSION_MINOR &&
-                               !(s->options & SSL_OP_NO_TLSv1_1)) {
-                        s->version = TLS1_1_VERSION;
-                        /*
-                         * type=2;
-                         *//*
-                         * done later to survive restarts
-                         */
-                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                    } else if (!(s->options & SSL_OP_NO_TLSv1)) {
-                        s->version = TLS1_VERSION;
-                        /*
-                         * type=2;
-                         *//*
-                         * done later to survive restarts
-                         */
-                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                    } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                        s->version = SSL3_VERSION;
-                        /* type=2; */
-                        s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                    }
-                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                    s->version = SSL3_VERSION;
-                    /* type=2; */
-                    s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                }
-            }
-        }
-        /* p[4] < 5 ... silly record length? */
-        else if ((p[0] == SSL3_RT_HANDSHAKE) &&
-                 (p[1] == SSL3_VERSION_MAJOR) &&
-                 (p[5] == SSL3_MT_CLIENT_HELLO) && ((p[3] == 0 && p[4] < 5)
-                                                    || (p[9] >= p[1]))) {
-            /*
-             * SSLv3 or tls1 header
-             */
-
-            v[0] = p[1];        /* major version (= SSL3_VERSION_MAJOR) */
-            /*
-             * We must look at client_version inside the Client Hello message
-             * to get the correct minor version. However if we have only a
-             * pathologically small fragment of the Client Hello message, this
-             * would be difficult, and we'd have to read more records to find
-             * out. No known SSL 3.0 client fragments ClientHello like this,
-             * so we simply reject such connections to avoid protocol version
-             * downgrade attacks.
-             */
-            if (p[3] == 0 && p[4] < 6) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_SMALL);
-                goto err;
-            }
-            /*
-             * if major version number > 3 set minor to a value which will
-             * use the highest version 3 we support. If TLS 2.0 ever appears
-             * we will need to revise this....
-             */
-            if (p[9] > SSL3_VERSION_MAJOR)
-                v[1] = 0xff;
-            else
-                v[1] = p[10];   /* minor version according to client_version */
-            if (v[1] >= TLS1_VERSION_MINOR) {
-                if (v[1] >= TLS1_2_VERSION_MINOR &&
-                    !(s->options & SSL_OP_NO_TLSv1_2)) {
-                    s->version = TLS1_2_VERSION;
-                    type = 3;
-                } else if (v[1] >= TLS1_1_VERSION_MINOR &&
-                           !(s->options & SSL_OP_NO_TLSv1_1)) {
-                    s->version = TLS1_1_VERSION;
-                    type = 3;
-                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
-                    s->version = TLS1_VERSION;
-                    type = 3;
-                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
-                    s->version = SSL3_VERSION;
-                    type = 3;
-                }
-            } else {
-                /* client requests SSL 3.0 */
-                if (!(s->options & SSL_OP_NO_SSLv3)) {
-                    s->version = SSL3_VERSION;
-                    type = 3;
-                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
-                    /*
-                     * we won't be able to use TLS of course, but this will
-                     * send an appropriate alert
-                     */
-                    s->version = TLS1_VERSION;
-                    type = 3;
-                }
-            }
-        } else if ((strncmp("GET ", (char *)p, 4) == 0) ||
-                   (strncmp("POST ", (char *)p, 5) == 0) ||
-                   (strncmp("HEAD ", (char *)p, 5) == 0) ||
-                   (strncmp("PUT ", (char *)p, 4) == 0)) {
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTP_REQUEST);
-            goto err;
-        } else if (strncmp("CONNECT", (char *)p, 7) == 0) {
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_HTTPS_PROXY_REQUEST);
-            goto err;
-        }
-    }
-
-    /* ensure that TLS_MAX_VERSION is up-to-date */
-    OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-
-    if (s->version < TLS1_2_VERSION && tls1_suiteb(s)) {
-        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-               SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
-        goto err;
-    }
-
-    if (FIPS_mode() && (s->version < TLS1_VERSION)) {
-        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-               SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
-        goto err;
-    }
-
-    if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
-        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW);
-        goto err;
-    }
-
-    if (s->state == SSL23_ST_SR_CLNT_HELLO_B) {
-        /*
-         * we have SSLv3/TLSv1 in an SSLv2 header (other cases skip this
-         * state)
-         */
-
-        type = 2;
-        p = RECORD_LAYER_get_packet(&s->rlayer);
-        v[0] = p[3];            /* == SSL3_VERSION_MAJOR */
-        v[1] = p[4];
-
-        /*-
-         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
-         * header is sent directly on the wire, not wrapped as a TLS
-         * record. It's format is:
-         * Byte  Content
-         * 0-1   msg_length
-         * 2     msg_type
-         * 3-4   version
-         * 5-6   cipher_spec_length
-         * 7-8   session_id_length
-         * 9-10  challenge_length
-         * ...   ...
-         */
-        n = ((p[0] & 0x7f) << 8) | p[1];
-        if (n > (1024 * 4)) {
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
-            goto err;
-        }
-        if (n < 9) {
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-                   SSL_R_RECORD_LENGTH_MISMATCH);
-            goto err;
-        }
-
-        j = ssl23_read_bytes(s, n + 2);
-        /*
-         * We previously read 11 bytes, so if j > 0, we must have j == n+2 ==
-         * s->packet_length. We have at least 11 valid packet bytes.
-         */
-        if (j <= 0)
-            return (j);
-
-        ssl3_finish_mac(s, RECORD_LAYER_get_packet(&s->rlayer) + 2,
-                        RECORD_LAYER_get_packet_length(&s->rlayer) - 2);
-
-        /* CLIENT-HELLO */
-        if (s->msg_callback)
-            s->msg_callback(0, SSL2_VERSION, 0,
-                            RECORD_LAYER_get_packet(&s->rlayer) + 2,
-                            RECORD_LAYER_get_packet_length(&s->rlayer) - 2, s,
-                            s->msg_callback_arg);
-
-        p = RECORD_LAYER_get_packet(&s->rlayer);
-        p += 5;
-        n2s(p, csl);
-        n2s(p, sil);
-        n2s(p, cl);
-        d = (unsigned char *)s->init_buf->data;
-        if ((csl + sil + cl + 11)
-                != RECORD_LAYER_get_packet_length(&s->rlayer)) {
-            /* We can't have TLS
-             * extensions in SSL
-             * 2.0 format *
-             * Client Hello, can
-             * we? Error
-             * condition should
-             * be * '>'
-             * otherweise */
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
-                   SSL_R_RECORD_LENGTH_MISMATCH);
-            goto err;
-        }
-
-        /* record header: msg_type ... */
-        *(d++) = SSL3_MT_CLIENT_HELLO;
-        /* ... and length (actual value will be written later) */
-        d_len = d;
-        d += 3;
-
-        /* client_version */
-        *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
-        *(d++) = v[1];
-
-        /* lets populate the random area */
-        /* get the challenge_length */
-        i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl;
-        memset(d, 0, SSL3_RANDOM_SIZE);
-        memcpy(&(d[SSL3_RANDOM_SIZE - i]), &(p[csl + sil]), i);
-        d += SSL3_RANDOM_SIZE;
-
-        /* no session-id reuse */
-        *(d++) = 0;
-
-        /* ciphers */
-        j = 0;
-        dd = d;
-        d += 2;
-        for (i = 0; i < csl; i += 3) {
-            if (p[i] != 0)
-                continue;
-            *(d++) = p[i + 1];
-            *(d++) = p[i + 2];
-            j += 2;
-        }
-        s2n(j, dd);
-
-        /* COMPRESSION */
-        *(d++) = 1;
-        *(d++) = 0;
-
-#if 0
-        /* copy any remaining data with may be extensions */
-        p = p + csl + sil + cl;
-        while (p < s->packet + s->packet_length) {
-            *(d++) = *(p++);
-        }
-#endif
-
-        i = (d - (unsigned char *)s->init_buf->data) - 4;
-        l2n3((long)i, d_len);
-
-        /* get the data reused from the init_buf */
-        s->s3->tmp.reuse_message = 1;
-        s->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
-        s->s3->tmp.message_size = i;
-    }
-
-    /* imaginary new state (for program structure): */
-    /* s->state = SSL23_SR_CLNT_HELLO_C */
-
-    if ((type == 2) || (type == 3)) {
-        /*
-         * we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style)
-         */
-        const SSL_METHOD *new_method;
-        new_method = ssl23_get_server_method(s->version);
-        if (new_method == NULL) {
-            SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-            goto err;
-        }
-        s->method = new_method;
-
-        if (!ssl_init_wbio_buffer(s, 1))
-            goto err;
-
-        /* we are in this state */
-        s->state = SSL3_ST_SR_CLNT_HELLO_A;
-
-        if (type == 3) {
-            /*
-             * put the 'n' bytes we have read into the input buffer for SSLv3
-             */
-            if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
-                goto err;
-        } else {
-            if (!RECORD_LAYER_set_data(&s->rlayer, NULL, 0))
-                goto err;
-        }
-        s->handshake_func = s->method->ssl_accept;
-    } else {
-        /* bad, very bad */
-        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
-        goto err;
-    }
-    s->init_num = 0;
-
-    if (buf != buf_space)
-        OPENSSL_free(buf);
-    return (SSL_accept(s));
- err:
-    if (buf != buf_space)
-        OPENSSL_free(buf);
-    return (-1);
-}
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index bf5e8c7..17a8054 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -356,21 +356,21 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
         }
         *ok = 1;
         s->state = stn;
-        s->init_msg = s->init_buf->data + 4;
+        s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
         s->init_num = (int)s->s3->tmp.message_size;
         return s->init_num;
     }
 
     p = (unsigned char *)s->init_buf->data;
 
-    if (s->state == st1) {      /* s->init_num < 4 */
+    if (s->state == st1) {
+        /* s->init_num < SSL3_HM_HEADER_LENGTH */
         int skip_message;
 
         do {
-            while (s->init_num < 4) {
+            while (s->init_num < SSL3_HM_HEADER_LENGTH) {
                 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
-                                              &p[s->init_num],
-                                              4 - s->init_num, 0);
+                    &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, 0);
                 if (i <= 0) {
                     s->rwstate = SSL_READING;
                     *ok = 0;
@@ -394,12 +394,11 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
                         if (s->msg_callback)
                             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
-                                            p, 4, s, s->msg_callback_arg);
+                                            p, SSL3_HM_HEADER_LENGTH, s,
+                                            s->msg_callback_arg);
                     }
-        }
-        while (skip_message);
-
-        /* s->init_num == 4 */
+        } while (skip_message);
+        /* s->init_num == SSL3_HM_HEADER_LENGTH */
 
         if ((mt >= 0) && (*p != mt)) {
             al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -409,26 +408,50 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
         s->s3->tmp.message_type = *(p++);
 
-        n2l3(p, l);
-        if (l > (unsigned long)max) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
-            goto f_err;
-        }
-        if (l > (INT_MAX - 4)) { /* BUF_MEM_grow takes an 'int' parameter */
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
-            goto f_err;
-        }
-        if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) {
-            SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
-            goto err;
-        }
-        s->s3->tmp.message_size = l;
-        s->state = stn;
+        if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+            /*
+             * Only happens with SSLv3+ in an SSLv2 backward compatible
+             * ClientHello
+             */
+             /*
+              * Total message size is the remaining record bytes to read
+              * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
+              */
+            l = RECORD_LAYER_get_rrec_length(&s->rlayer)
+                + SSL3_HM_HEADER_LENGTH;
+            if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l)) {
+                SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+                goto err;
+            }
+            s->s3->tmp.message_size = l;
+            s->state = stn;
 
-        s->init_msg = s->init_buf->data + 4;
-        s->init_num = 0;
+            s->init_msg = s->init_buf->data;
+            s->init_num = SSL3_HM_HEADER_LENGTH;
+        } else {
+            n2l3(p, l);
+            if (l > (unsigned long)max) {
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+                goto f_err;
+            }
+            /* BUF_MEM_grow takes an 'int' parameter */
+            if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+                goto f_err;
+            }
+            if (l && !BUF_MEM_grow_clean(s->init_buf,
+                                        (int)l + SSL3_HM_HEADER_LENGTH)) {
+                SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+                goto err;
+            }
+            s->s3->tmp.message_size = l;
+            s->state = stn;
+
+            s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
+            s->init_num = 0;
+        }
     }
 
     /* next state (stn) */
@@ -456,10 +479,20 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 #endif
 
     /* Feed this message into MAC computation. */
-    ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
-    if (s->msg_callback)
-        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
-                        (size_t)s->init_num + 4, s, s->msg_callback_arg);
+    if(RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+        ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
+        if (s->msg_callback)
+            s->msg_callback(0, SSL2_VERSION, 0,  s->init_buf->data,
+                            (size_t)s->init_num, s, s->msg_callback_arg);
+    } else {
+        ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
+            s->init_num + SSL3_HM_HEADER_LENGTH);
+        if (s->msg_callback)
+            s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
+                            (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
+                            s->msg_callback_arg);
+    }
+
     *ok = 1;
     return s->init_num;
  f_err:
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 2228654..c0dec1e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -163,24 +163,17 @@
 # include <openssl/engine.h>
 #endif
 
+static int ssl_set_version(SSL *s);
 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
 #ifndef OPENSSL_NO_TLSEXT
 static int ssl3_check_finished(SSL *s);
 #endif
+static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
+                                    unsigned char *p,
+                                    int (*put_cb) (const SSL_CIPHER *,
+                                                 unsigned char *));
 
-#ifndef OPENSSL_NO_SSL3_METHOD
-static const SSL_METHOD *ssl3_get_client_method(int ver)
-{
-    if (ver == SSL3_VERSION)
-        return (SSLv3_client_method());
-    else
-        return (NULL);
-}
 
-IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
-                         ssl_undefined_function,
-                         ssl3_connect, ssl3_get_client_method)
-#endif
 int ssl3_connect(SSL *s)
 {
     BUF_MEM *buf = NULL;
@@ -234,14 +227,16 @@ int ssl3_connect(SSL *s)
             if (cb != NULL)
                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-            if ((s->version & 0xff00) != 0x0300) {
+            if ((s->version >> 8) != SSL3_VERSION_MAJOR
+                    && s->version != TLS_ANY_VERSION) {
                 SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
                 s->state = SSL_ST_ERR;
                 ret = -1;
                 goto end;
             }
 
-            if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
+            if (s->version != TLS_ANY_VERSION &&
+                    !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
                 SSLerr(SSL_F_SSL3_CONNECT, SSL_R_VERSION_TOO_LOW);
                 return -1;
             }
@@ -668,6 +663,105 @@ int ssl3_connect(SSL *s)
     return (ret);
 }
 
+/*
+ * Work out what version we should be using for the initial ClientHello if
+ * the version is currently set to (D)TLS_ANY_VERSION.
+ * Returns 1 on success
+ * Returns 0 on error
+ */
+static int ssl_set_version(SSL *s)
+{
+    unsigned long mask, options = s->options;
+
+    if (s->method->version == TLS_ANY_VERSION) {
+        /*
+         * SSL_OP_NO_X disables all protocols above X *if* there are
+         * some protocols below X enabled. This is required in order
+         * to maintain "version capability" vector contiguous. So
+         * that if application wants to disable TLS1.0 in favour of
+         * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
+         * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3.
+         */
+        mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1
+#if !defined(OPENSSL_NO_SSL3)
+            | SSL_OP_NO_SSLv3
+#endif
+            ;
+#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
+        if (options & SSL_OP_NO_TLSv1_2) {
+            if ((options & mask) != mask) {
+                s->version = TLS1_1_VERSION;
+            } else {
+                SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
+                return 0;
+            }
+        } else {
+            s->version = TLS1_2_VERSION;
+        }
+#else
+        if ((options & mask) == mask) {
+            SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
+            return 0;
+        }
+        s->version = TLS1_1_VERSION;
+#endif
+
+        mask &= ~SSL_OP_NO_TLSv1_1;
+        if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
+            s->version = TLS1_VERSION;
+        mask &= ~SSL_OP_NO_TLSv1;
+#if !defined(OPENSSL_NO_SSL3)
+        if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
+            s->version = SSL3_VERSION;
+#endif
+
+        if (s->version != TLS1_2_VERSION && tls1_suiteb(s)) {
+            SSLerr(SSL_F_SSL_SET_VERSION,
+                   SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
+            return 0;
+        }
+
+        if (s->version == SSL3_VERSION && FIPS_mode()) {
+            SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+            return 0;
+        }
+
+    } else if (s->method->version == DTLS_ANY_VERSION) {
+        /* Determine which DTLS version to use */
+        /* If DTLS 1.2 disabled correct the version number */
+        if (options & SSL_OP_NO_DTLSv1_2) {
+            if (tls1_suiteb(s)) {
+                SSLerr(SSL_F_SSL_SET_VERSION,
+                       SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+                return 0;
+            }
+            /*
+             * Disabling all versions is silly: return an error.
+             */
+            if (options & SSL_OP_NO_DTLSv1) {
+                SSLerr(SSL_F_SSL_SET_VERSION, SSL_R_WRONG_SSL_VERSION);
+                return 0;
+            }
+            /*
+             * Update method so we don't use any DTLS 1.2 features.
+             */
+            s->method = DTLSv1_client_method();
+            s->version = DTLS1_VERSION;
+        } else {
+            /*
+             * We only support one version: update method
+             */
+            if (options & SSL_OP_NO_DTLSv1)
+                s->method = DTLSv1_2_client_method();
+            s->version = DTLS1_2_VERSION;
+        }
+    }
+
+    s->client_version = s->version;
+
+    return 1;
+}
+
 int ssl3_client_hello(SSL *s)
 {
     unsigned char *buf;
@@ -683,6 +777,11 @@ int ssl3_client_hello(SSL *s)
     buf = (unsigned char *)s->init_buf->data;
     if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
         SSL_SESSION *sess = s->session;
+
+        /* Work out what SSL/TLS/DTLS version to use */
+        if (ssl_set_version(s) == 0)
+            goto err;
+
         if ((sess == NULL) || (sess->ssl_version != s->version) ||
 #ifdef OPENSSL_NO_TLSEXT
             !sess->session_id_length ||
@@ -697,38 +796,6 @@ int ssl3_client_hello(SSL *s)
             if (!ssl_get_new_session(s, 0))
                 goto err;
         }
-        if (s->method->version == DTLS_ANY_VERSION) {
-            /* Determine which DTLS version to use */
-            int options = s->options;
-            /* If DTLS 1.2 disabled correct the version number */
-            if (options & SSL_OP_NO_DTLSv1_2) {
-                if (tls1_suiteb(s)) {
-                    SSLerr(SSL_F_SSL3_CLIENT_HELLO,
-                           SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-                    goto err;
-                }
-                /*
-                 * Disabling all versions is silly: return an error.
-                 */
-                if (options & SSL_OP_NO_DTLSv1) {
-                    SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_WRONG_SSL_VERSION);
-                    goto err;
-                }
-                /*
-                 * Update method so we don't use any DTLS 1.2 features.
-                 */
-                s->method = DTLSv1_client_method();
-                s->version = DTLS1_VERSION;
-            } else {
-                /*
-                 * We only support one version: update method
-                 */
-                if (options & SSL_OP_NO_DTLSv1)
-                    s->method = DTLSv1_2_client_method();
-                s->version = DTLS1_2_VERSION;
-            }
-            s->client_version = s->version;
-        }
         /* else use the pre-loaded session */
 
         p = s->s3->client_random;
@@ -934,7 +1001,45 @@ int ssl3_get_server_hello(SSL *s)
     }
 
     d = p = (unsigned char *)s->init_msg;
-    if (s->method->version == DTLS_ANY_VERSION) {
+
+    if (s->method->version == TLS_ANY_VERSION) {
+        int sversion = (p[0] << 8) | p[1];
+
+#if TLS_MAX_VERSION != TLS1_2_VERSION
+#error Code needs updating for new TLS version
+#endif
+#ifndef OPENSSL_NO_SSL3
+        if ((sversion == SSL3_VERSION) && !(s->options & SSL_OP_NO_SSLv3)) {
+            if (FIPS_mode()) {
+                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                al = SSL_AD_PROTOCOL_VERSION;
+                goto f_err;
+            }
+            s->method = SSLv3_client_method();
+        } else
+#endif
+        if ((sversion == TLS1_VERSION) && !(s->options & SSL_OP_NO_TLSv1)) {
+            s->method = TLSv1_client_method();
+        } else if ((sversion == TLS1_1_VERSION) &&
+                   !(s->options & SSL_OP_NO_TLSv1_1)) {
+            s->method = TLSv1_1_client_method();
+        } else if ((sversion == TLS1_2_VERSION) &&
+                   !(s->options & SSL_OP_NO_TLSv1_2)) {
+            s->method = TLSv1_2_client_method();
+        } else {
+            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
+            al = SSL_AD_PROTOCOL_VERSION;
+            goto f_err;
+        }
+        s->session->ssl_version = s->version = s->method->version;
+
+        if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
+            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_VERSION_TOO_LOW);
+            al = SSL_AD_PROTOCOL_VERSION;
+            goto f_err;
+        }
+    } else if (s->method->version == DTLS_ANY_VERSION) {
         /* Work out correct protocol version to use */
         int hversion = (p[0] << 8) | p[1];
         int options = s->options;
@@ -955,9 +1060,7 @@ int ssl3_get_server_hello(SSL *s)
             goto f_err;
         }
         s->version = s->method->version;
-    }
-
-    if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
+    } else if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) {
         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
         s->version = (s->version & 0xff00) | p[1];
         al = SSL_AD_PROTOCOL_VERSION;
@@ -3444,3 +3547,65 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
         i = s->ctx->client_cert_cb(s, px509, ppkey);
     return i;
 }
+
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
+                             unsigned char *p,
+                             int (*put_cb) (const SSL_CIPHER *,
+                                            unsigned char *))
+{
+    int i, j = 0;
+    SSL_CIPHER *c;
+    unsigned char *q;
+    int empty_reneg_info_scsv = !s->renegotiate;
+    /* Set disabled masks for this session */
+    ssl_set_client_disabled(s);
+
+    if (sk == NULL)
+        return (0);
+    q = p;
+    if (put_cb == NULL)
+        put_cb = s->method->put_cipher_by_char;
+
+    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+        c = sk_SSL_CIPHER_value(sk, i);
+        /* Skip disabled ciphers */
+        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
+            continue;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+        if (c->id == SSL3_CK_SCSV) {
+            if (!empty_reneg_info_scsv)
+                continue;
+            else
+                empty_reneg_info_scsv = 0;
+        }
+#endif
+        j = put_cb(c, p);
+        p += j;
+    }
+    /*
+     * If p == q, no ciphers; caller indicates an error. Otherwise, add
+     * applicable SCSVs.
+     */
+    if (p != q) {
+        if (empty_reneg_info_scsv) {
+            static SSL_CIPHER scsv = {
+                0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+            };
+            j = put_cb(&scsv, p);
+            p += j;
+#ifdef OPENSSL_RI_DEBUG
+            fprintf(stderr,
+                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
+#endif
+        }
+        if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
+            static SSL_CIPHER scsv = {
+                0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+            };
+            j = put_cb(&scsv, p);
+            p += j;
+        }
+    }
+
+    return (p - q);
+}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e7f1898..1a67e4e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -155,6 +155,7 @@
 #ifndef OPENSSL_NO_DH
 # include <openssl/dh.h>
 #endif
+#include <openssl/rand.h>
 
 const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
 
@@ -3386,9 +3387,9 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
          * Apparently we're using a version-flexible SSL_METHOD (not at its
          * highest protocol version).
          */
-        if (s->ctx->method->version == SSLv23_method()->version) {
+        if (s->ctx->method->version == TLS_method()->version) {
 #if TLS_MAX_VERSION != TLS1_2_VERSION
-# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
+# error Code needs update for TLS_method() support beyond TLS1_2_VERSION.
 #endif
             if (!(s->options & SSL_OP_NO_TLSv1_2))
                 return s->version == TLS1_2_VERSION;
@@ -4238,3 +4239,26 @@ long ssl_get_algorithm2(SSL *s)
         return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
     return alg2;
 }
+
+/*
+ * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
+ * failure, 1 on success.
+ */
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
+{
+    int send_time = 0;
+
+    if (len < 4)
+        return 0;
+    if (server)
+        send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
+    else
+        send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
+    if (send_time) {
+        unsigned long Time = (unsigned long)time(NULL);
+        unsigned char *p = result;
+        l2n(Time, p);
+        return RAND_bytes(p, len - 4);
+    } else
+        return RAND_bytes(result, len);
+}
diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c
deleted file mode 100644
index e5a5299..0000000
--- a/ssl/s3_meth.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* ssl/s3_meth.c */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-
-#ifndef OPENSSL_NO_SSL3_METHOD
-static const SSL_METHOD *ssl3_get_method(int ver)
-{
-    if (ver == SSL3_VERSION)
-        return (SSLv3_method());
-    else
-        return (NULL);
-}
-
-IMPLEMENT_ssl3_meth_func(SSLv3_method,
-                         ssl3_accept, ssl3_connect, ssl3_get_method)
-#endif
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4ee45eb..ce092a7 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -164,21 +164,10 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#ifndef OPENSSL_NO_SSL3_METHOD
-static const SSL_METHOD *ssl3_get_server_method(int ver);
+static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
+    int num, STACK_OF(SSL_CIPHER) **skp, int sslv2format);
 
-static const SSL_METHOD *ssl3_get_server_method(int ver)
-{
-    if (ver == SSL3_VERSION)
-        return (SSLv3_server_method());
-    else
-        return (NULL);
-}
 
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
-                         ssl3_accept,
-                         ssl_undefined_function, ssl3_get_server_method)
-#endif
 #ifndef OPENSSL_NO_SRP
 static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 {
@@ -256,7 +245,7 @@ int ssl3_accept(SSL *s)
             if (cb != NULL)
                 cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-            if ((s->version >> 8) != 3) {
+            if ((s->version >> 8 != 3) && s->version != TLS_ANY_VERSION) {
                 SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
                 s->state = SSL_ST_ERR;
                 return -1;
@@ -894,17 +883,18 @@ int ssl3_send_hello_request(SSL *s)
 
 int ssl3_get_client_hello(SSL *s)
 {
-    int i, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
+    int i, complen, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
     unsigned int cookie_len;
     long n;
     unsigned long id;
     unsigned char *p, *d;
     SSL_CIPHER *c;
 #ifndef OPENSSL_NO_COMP
-    unsigned char *q;
+    unsigned char *q = NULL;
     SSL_COMP *comp = NULL;
 #endif
     STACK_OF(SSL_CIPHER) *ciphers = NULL;
+    int protverr = 1;
 
     if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
         goto retry_cert;
@@ -930,29 +920,121 @@ int ssl3_get_client_hello(SSL *s)
     s->first_packet = 0;
     d = p = (unsigned char *)s->init_msg;
 
-    /*
-     * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
-     * for session id length
-     */
-    if (n < 2 + SSL3_RANDOM_SIZE + 1) {
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-        goto f_err;
+    /* First lets get s->client_version set correctly */
+    if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+        /*-
+         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
+         * header is sent directly on the wire, not wrapped as a TLS
+         * record. Our record layer just processes the message length and passes
+         * the rest right through. Its format is:
+         * Byte  Content
+         * 0-1   msg_length - decoded by the record layer
+         * 2     msg_type - s->init_msg points here
+         * 3-4   version
+         * 5-6   cipher_spec_length
+         * 7-8   session_id_length
+         * 9-10  challenge_length
+         * ...   ...
+         */
+
+        if (p[0] != SSL2_MT_CLIENT_HELLO) {
+            /*
+             * Should never happen. We should have tested this in the record
+             * layer in order to have determined that this is a SSLv2 record
+             * in the first place
+             */
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        if ((p[1] == 0x00) && (p[2] == 0x02)) {
+            /* This is real SSLv2. We don't support it. */
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+            goto err;
+        } else if (p[1] == SSL3_VERSION_MAJOR) {
+            /* SSLv3/TLS */
+            s->client_version = (((int)p[1]) << 8) | (int)p[2];
+        } else {
+            /* No idea what protocol this is */
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+            goto err;
+        }
+    } else {
+        /*
+         * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
+         * for session id length
+         */
+        if (n < 2 + SSL3_RANDOM_SIZE + 1) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
+
+        /*
+         * use version from inside client hello, not from record header (may
+         * differ: see RFC 2246, Appendix E, second paragraph)
+         */
+        s->client_version = (((int)p[0]) << 8) | (int)p[1];
     }
 
-    /*
-     * use version from inside client hello, not from record header (may
-     * differ: see RFC 2246, Appendix E, second paragraph)
-     */
-    s->client_version = (((int)p[0]) << 8) | (int)p[1];
-    p += 2;
-
-    if (SSL_IS_DTLS(s) ? (s->client_version > s->version &&
-                          s->method->version != DTLS_ANY_VERSION)
-        : (s->client_version < s->version)) {
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-        if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
-            !s->enc_write_ctx && !s->write_hash) {
+    /* Do SSL/TLS version negotiation if applicable */
+    if (!SSL_IS_DTLS(s)) {
+        if (s->version != TLS_ANY_VERSION) {
+            if (s->client_version >= s->version) {
+                protverr = 0;
+            }
+        } else if (s->client_version >= SSL3_VERSION) {
+            switch(s->client_version) {
+            default:
+            case TLS1_2_VERSION:
+                if(!(s->options & SSL_OP_NO_TLSv1_2)) {
+                    s->version = TLS1_2_VERSION;
+                    s->method = TLSv1_2_server_method();
+                    protverr = 0;
+                    break;
+                }
+                /* Deliberately fall through */
+            case TLS1_1_VERSION:
+                if(!(s->options & SSL_OP_NO_TLSv1_1)) {
+                    s->version = TLS1_1_VERSION;
+                    s->method = TLSv1_1_server_method();
+                    protverr = 0;
+                    break;
+                }
+                /* Deliberately fall through */
+            case TLS1_VERSION:
+                if(!(s->options & SSL_OP_NO_TLSv1)) {
+                    s->version = TLS1_VERSION;
+                    s->method = TLSv1_server_method();
+                    protverr = 0;
+                    break;
+                }
+                /* Deliberately fall through */
+            case SSL3_VERSION:
+#ifndef OPENSSL_NO_SSL3
+                if(!(s->options & SSL_OP_NO_SSLv3)) {
+                    s->version = SSL3_VERSION;
+                    s->method = SSLv3_server_method();
+                    protverr = 0;
+                    break;
+                }
+#else
+                break;
+#endif
+            }
+        }
+    } else if (s->client_version <= s->version
+                || s->method->version == DTLS_ANY_VERSION) {
+        /*
+         * For DTLS we just check versions are potentially compatible. Version
+         * negotiation comes later.
+         */
+        protverr = 0;
+    }
+
+    if (protverr) {
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+        if ((!s->enc_write_ctx && !s->write_hash)) {
             /*
              * similar to ssl3_get_record, send alert using remote version
              * number
@@ -963,263 +1045,322 @@ int ssl3_get_client_hello(SSL *s)
         goto f_err;
     }
 
-    /*
-     * If we require cookies and this ClientHello doesn't contain one, just
-     * return since we do not want to allocate any memory yet. So check
-     * cookie length...
-     */
-    if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
-        unsigned int session_length, cookie_length;
+    if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+        /*
+         * Handle an SSLv2 backwards compatible ClientHello
+         * Note, this is only for SSLv3+ using the backward compatible format.
+         * Real SSLv2 is not supported, and is rejected above.
+         */
+        unsigned int csl, sil, cl;
 
-        session_length = *(p + SSL3_RANDOM_SIZE);
+        p += 3;
+        n2s(p, csl);
+        n2s(p, sil);
+        n2s(p, cl);
 
-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
+        if (csl + sil + cl + MIN_SSL2_RECORD_LEN != (unsigned int) n) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
         }
-        cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
 
-        if (cookie_length == 0)
-            return 1;
-    }
-
-    /* load the client random */
-    memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
-    p += SSL3_RANDOM_SIZE;
+        if (csl == 0) {
+            /* we need at least one cipher */
+            al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
+            goto f_err;
+        }
 
-    /* get the session-id */
-    j = *(p++);
+        if (ssl_bytes_to_cipher_list(s, p, csl, &(ciphers), 1) == NULL) {
+            goto err;
+        }
 
-    if (p + j > d + n) {
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-        goto f_err;
-    }
+        /*
+         * Ignore any session id. We don't allow resumption in a backwards
+         * compatible ClientHello
+         */
+        s->hit = 0;
 
-    s->hit = 0;
-    /*
-     * Versions before 0.9.7 always allow clients to resume sessions in
-     * renegotiation. 0.9.7 and later allow this by default, but optionally
-     * ignore resumption requests with flag
-     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
-     * than a change to default behavior so that applications relying on this
-     * for security won't even compile against older library versions).
-     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
-     * request renegotiation but not a new session (s->new_session remains
-     * unset): for servers, this essentially just means that the
-     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be ignored.
-     */
-    if ((s->new_session
-         && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
         if (!ssl_get_new_session(s, 1))
             goto err;
+
+        /* Load the client random */
+        i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl;
+        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
+        memcpy(s->s3->client_random, &(p[csl + sil]), i);
+
+        /* Set p to end of packet to ensure we don't look for extensions */
+        p = d + n;
+
+        /* No compression, so set complen to 0 */
+        complen = 0;
     } else {
-        i = ssl_get_prev_session(s, p, j, d + n);
+        /* If we get here we've got SSLv3+ in an SSLv3+ record */
+
+        p += 2;
+
         /*
-         * Only resume if the session's version matches the negotiated
-         * version.
-         * RFC 5246 does not provide much useful advice on resumption
-         * with a different protocol version. It doesn't forbid it but
-         * the sanity of such behaviour would be questionable.
-         * In practice, clients do not accept a version mismatch and
-         * will abort the handshake with an error.
+         * If we require cookies and this ClientHello doesn't contain one, just
+         * return since we do not want to allocate any memory yet. So check
+         * cookie length...
          */
-        if (i == 1 && s->version == s->session->ssl_version) { /* previous
-                                                                * session */
-            s->hit = 1;
-        } else if (i == -1)
-            goto err;
-        else {                  /* i == 0 */
+        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
+            unsigned int session_length, cookie_length;
 
-            if (!ssl_get_new_session(s, 1))
-                goto err;
-        }
-    }
+            session_length = *(p + SSL3_RANDOM_SIZE);
 
-    p += j;
+            if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+                goto f_err;
+            }
+            cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
 
-    if (SSL_IS_DTLS(s)) {
-        /* cookie stuff */
-        if (p + 1 > d + n) {
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-            goto f_err;
+            if (cookie_length == 0)
+                return 1;
         }
-        cookie_len = *(p++);
 
-        if (p + cookie_len > d + n) {
+        /* load the client random */
+        memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
+        p += SSL3_RANDOM_SIZE;
+
+        /* get the session-id */
+        j = *(p++);
+
+        if (p + j > d + n) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
         }
 
+        s->hit = 0;
         /*
-         * The ClientHello may contain a cookie even if the
-         * HelloVerify message has not been sent--make sure that it
-         * does not cause an overflow.
+         * Versions before 0.9.7 always allow clients to resume sessions in
+         * renegotiation. 0.9.7 and later allow this by default, but optionally
+         * ignore resumption requests with flag
+         * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
+         * than a change to default behavior so that applications relying on
+         * this for security won't even compile against older library versions).
+         * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
+         * request renegotiation but not a new session (s->new_session remains
+         * unset): for servers, this essentially just means that the
+         * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
+         * ignored.
          */
-        if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
-            /* too much data */
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
-            goto f_err;
+        if ((s->new_session
+             && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
+            if (!ssl_get_new_session(s, 1))
+                goto err;
+        } else {
+            i = ssl_get_prev_session(s, p, j, d + n);
+            /*
+             * Only resume if the session's version matches the negotiated
+             * version.
+             * RFC 5246 does not provide much useful advice on resumption
+             * with a different protocol version. It doesn't forbid it but
+             * the sanity of such behaviour would be questionable.
+             * In practice, clients do not accept a version mismatch and
+             * will abort the handshake with an error.
+             */
+            if (i == 1 && s->version == s->session->ssl_version) {
+                /* previous session */
+                s->hit = 1;
+            } else if (i == -1)
+                goto err;
+            else {
+                /* i == 0 */
+                if (!ssl_get_new_session(s, 1))
+                    goto err;
+            }
         }
 
-        /* verify the cookie if appropriate option is set. */
-        if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && cookie_len > 0) {
-            memcpy(s->d1->rcvd_cookie, p, cookie_len);
+        p += j;
 
-            if (s->ctx->app_verify_cookie_cb != NULL) {
-                if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
-                                                 cookie_len) == 0) {
-                    al = SSL_AD_HANDSHAKE_FAILURE;
-                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                           SSL_R_COOKIE_MISMATCH);
-                    goto f_err;
-                }
-                /* else cookie verification succeeded */
-            }
-            /* default verification */
-            else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
-                            s->d1->cookie_len) != 0) {
-                al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+        if (SSL_IS_DTLS(s)) {
+            /* cookie stuff */
+            if (p + 1 > d + n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
             }
-            /* Set to -2 so if successful we return 2 */
-            ret = -2;
-        }
+            cookie_len = *(p++);
 
-        p += cookie_len;
-        if (s->method->version == DTLS_ANY_VERSION) {
-            /* Select version to use */
-            if (s->client_version <= DTLS1_2_VERSION &&
-                !(s->options & SSL_OP_NO_DTLSv1_2)) {
-                s->version = DTLS1_2_VERSION;
-                s->method = DTLSv1_2_server_method();
-            } else if (tls1_suiteb(s)) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                       SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-                s->version = s->client_version;
-                al = SSL_AD_PROTOCOL_VERSION;
+            if (p + cookie_len > d + n) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
-            } else if (s->client_version <= DTLS1_VERSION &&
-                       !(s->options & SSL_OP_NO_DTLSv1)) {
-                s->version = DTLS1_VERSION;
-                s->method = DTLSv1_server_method();
-            } else {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                       SSL_R_WRONG_VERSION_NUMBER);
-                s->version = s->client_version;
-                al = SSL_AD_PROTOCOL_VERSION;
+            }
+
+            /*
+             * The ClientHello may contain a cookie even if the
+             * HelloVerify message has not been sent--make sure that it
+             * does not cause an overflow.
+             */
+            if (cookie_len > sizeof(s->d1->rcvd_cookie)) {
+                /* too much data */
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                 goto f_err;
             }
-            s->session->ssl_version = s->version;
+
+            /* verify the cookie if appropriate option is set. */
+            if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
+                    && cookie_len > 0) {
+                memcpy(s->d1->rcvd_cookie, p, cookie_len);
+
+                if (s->ctx->app_verify_cookie_cb != NULL) {
+                    if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
+                                                     cookie_len) == 0) {
+                        al = SSL_AD_HANDSHAKE_FAILURE;
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                               SSL_R_COOKIE_MISMATCH);
+                        goto f_err;
+                    }
+                    /* else cookie verification succeeded */
+                }
+                /* default verification */
+                else if (memcmp(s->d1->rcvd_cookie, s->d1->cookie,
+                                s->d1->cookie_len) != 0) {
+                    al = SSL_AD_HANDSHAKE_FAILURE;
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+                    goto f_err;
+                }
+                /* Set to -2 so if successful we return 2 */
+                ret = -2;
+            }
+
+            p += cookie_len;
+            if (s->method->version == DTLS_ANY_VERSION) {
+                /* Select version to use */
+                if (s->client_version <= DTLS1_2_VERSION &&
+                    !(s->options & SSL_OP_NO_DTLSv1_2)) {
+                    s->version = DTLS1_2_VERSION;
+                    s->method = DTLSv1_2_server_method();
+                } else if (tls1_suiteb(s)) {
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                           SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+                    s->version = s->client_version;
+                    al = SSL_AD_PROTOCOL_VERSION;
+                    goto f_err;
+                } else if (s->client_version <= DTLS1_VERSION &&
+                           !(s->options & SSL_OP_NO_DTLSv1)) {
+                    s->version = DTLS1_VERSION;
+                    s->method = DTLSv1_server_method();
+                } else {
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                           SSL_R_WRONG_VERSION_NUMBER);
+                    s->version = s->client_version;
+                    al = SSL_AD_PROTOCOL_VERSION;
+                    goto f_err;
+                }
+                s->session->ssl_version = s->version;
+            }
         }
-    }
 
-    if (p + 2 > d + n) {
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-        goto f_err;
-    }
-    n2s(p, i);
+        if (p + 2 > d + n) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
+        n2s(p, i);
 
-    if (i == 0) {
-        al = SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
-        goto f_err;
-    }
+        if (i == 0) {
+            al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
+            goto f_err;
+        }
 
-    /* i bytes of cipher data + 1 byte for compression length later */
-    if ((p + i + 1) > (d + n)) {
-        /* not enough data */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-        goto f_err;
-    }
-    if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
-        goto err;
-    }
-    p += i;
+        /* i bytes of cipher data + 1 byte for compression length later */
+        if ((p + i + 1) > (d + n)) {
+            /* not enough data */
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
+        }
+        if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers), 0) == NULL) {
+            goto err;
+        }
+        p += i;
 
-    /* If it is a hit, check that the cipher is in the list */
-    if (s->hit) {
-        j = 0;
-        id = s->session->cipher->id;
+        /* If it is a hit, check that the cipher is in the list */
+        if (s->hit) {
+            j = 0;
+            id = s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-        fprintf(stderr, "client sent %d ciphers\n",
-                sk_SSL_CIPHER_num(ciphers));
+            fprintf(stderr, "client sent %d ciphers\n",
+                    sk_SSL_CIPHER_num(ciphers));
 #endif
-        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
-            c = sk_SSL_CIPHER_value(ciphers, i);
+            for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+                c = sk_SSL_CIPHER_value(ciphers, i);
 #ifdef CIPHER_DEBUG
-            fprintf(stderr, "client [%2d of %2d]:%s\n",
-                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
+                fprintf(stderr, "client [%2d of %2d]:%s\n",
+                        i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
 #endif
-            if (c->id == id) {
-                j = 1;
-                break;
+                if (c->id == id) {
+                    j = 1;
+                    break;
+                }
             }
-        }
-        /*
-         * Disabled because it can be used in a ciphersuite downgrade attack:
-         * CVE-2010-4180.
-         */
-#if 0
-        if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-            && (sk_SSL_CIPHER_num(ciphers) == 1)) {
             /*
-             * Special case as client bug workaround: the previously used
-             * cipher may not be in the current list, the client instead
-             * might be trying to continue using a cipher that before wasn't
-             * chosen due to server preferences.  We'll have to reject the
-             * connection if the cipher is not enabled, though.
+             * Disabled because it can be used in a ciphersuite downgrade
+             * attack:
+             * CVE-2010-4180.
              */
-            c = sk_SSL_CIPHER_value(ciphers, 0);
-            if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
-                s->session->cipher = c;
-                j = 1;
+#if 0
+            if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
+                && (sk_SSL_CIPHER_num(ciphers) == 1)) {
+                /*
+                 * Special case as client bug workaround: the previously used
+                 * cipher may not be in the current list, the client instead
+                 * might be trying to continue using a cipher that before wasn't
+                 * chosen due to server preferences.  We'll have to reject the
+                 * connection if the cipher is not enabled, though.
+                 */
+                c = sk_SSL_CIPHER_value(ciphers, 0);
+                if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) {
+                    s->session->cipher = c;
+                    j = 1;
+                }
             }
-        }
 #endif
-        if (j == 0) {
-            /*
-             * we need to have the cipher in the cipher list if we are asked
-             * to reuse it
-             */
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                   SSL_R_REQUIRED_CIPHER_MISSING);
-            goto f_err;
+            if (j == 0) {
+                /*
+                 * we need to have the cipher in the cipher list if we are asked
+                 * to reuse it
+                 */
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                       SSL_R_REQUIRED_CIPHER_MISSING);
+                goto f_err;
+            }
         }
-    }
 
-    /* compression */
-    i = *(p++);
-    if ((p + i) > (d + n)) {
-        /* not enough data */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-        goto f_err;
-    }
+        /* compression */
+        complen = *(p++);
+        if ((p + complen) > (d + n)) {
+            /* not enough data */
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
+        }
 #ifndef OPENSSL_NO_COMP
-    q = p;
+        q = p;
 #endif
-    for (j = 0; j < i; j++) {
-        if (p[j] == 0)
-            break;
-    }
+        for (j = 0; j < complen; j++) {
+            if (p[j] == 0)
+                break;
+        }
 
-    p += i;
-    if (j >= i) {
-        /* no compress */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
-        goto f_err;
+        p += complen;
+        if (j >= complen) {
+            /* no compress */
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
+            goto f_err;
+        }
     }
+
 #ifndef OPENSSL_NO_TLSEXT
     /* TLS extensions */
     if (s->version >= SSL3_VERSION) {
@@ -1281,7 +1422,7 @@ int ssl3_get_client_hello(SSL *s)
 
     /*
      * Worst case, we will use the NULL compression, but if we have other
-     * options, we will now look for them.  We have i-1 compression
+     * options, we will now look for them.  We have complen-1 compression
      * algorithms from the client, starting at q.
      */
     s->s3->tmp.new_compression = NULL;
@@ -1310,11 +1451,11 @@ int ssl3_get_client_hello(SSL *s)
             goto f_err;
         }
         /* Look for resumed method in compression list */
-        for (m = 0; m < i; m++) {
+        for (m = 0; m < complen; m++) {
             if (q[m] == comp_id)
                 break;
         }
-        if (m >= i) {
+        if (m >= complen) {
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                    SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
@@ -1330,7 +1471,7 @@ int ssl3_get_client_hello(SSL *s)
         for (m = 0; m < nn; m++) {
             comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
             v = comp->id;
-            for (o = 0; o < i; o++) {
+            for (o = 0; o < complen; o++) {
                 if (v == q[o]) {
                     done = 1;
                     break;
@@ -3395,3 +3536,119 @@ int ssl3_get_next_proto(SSL *s)
 # endif
 
 #endif
+
+#define SSLV2_CIPHER_LEN    3
+
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
+                                               int num,
+                                               STACK_OF(SSL_CIPHER) **skp,
+                                               int sslv2format)
+{
+    const SSL_CIPHER *c;
+    STACK_OF(SSL_CIPHER) *sk;
+    int i, n;
+
+    if (s->s3)
+        s->s3->send_connection_binding = 0;
+
+    if(sslv2format) {
+        n = SSLV2_CIPHER_LEN;
+    } else {
+        n = ssl_put_cipher_by_char(s, NULL, NULL);
+    }
+    if (n == 0 || (num % n) != 0) {
+        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+        return (NULL);
+    }
+    if ((skp == NULL) || (*skp == NULL)) {
+        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
+        if(sk == NULL) {
+            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+            return NULL;
+        }
+    } else {
+        sk = *skp;
+        sk_SSL_CIPHER_zero(sk);
+    }
+
+    OPENSSL_free(s->cert->ciphers_raw);
+    s->cert->ciphers_raw = BUF_memdup(p, num);
+    if (s->cert->ciphers_raw == NULL) {
+        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    s->cert->ciphers_rawlen = (size_t)num;
+
+    for (i = 0; i < num; i += n) {
+        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
+        if (s->s3 && (n != 3 || !p[0]) &&
+            (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+            (p[n - 1] == (SSL3_CK_SCSV & 0xff))) {
+            /* SCSV fatal if renegotiating */
+            if (s->renegotiate) {
+                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+                goto err;
+            }
+            s->s3->send_connection_binding = 1;
+            p += n;
+#ifdef OPENSSL_RI_DEBUG
+            fprintf(stderr, "SCSV received by server\n");
+#endif
+            continue;
+        }
+
+        /* Check for TLS_FALLBACK_SCSV */
+        if ((n != 3 || !p[0]) &&
+            (p[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+            (p[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
+            /*
+             * The SCSV indicates that the client previously tried a higher
+             * version. Fail if the current version is an unexpected
+             * downgrade.
+             */
+            if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
+                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                       SSL_R_INAPPROPRIATE_FALLBACK);
+                if (s->s3)
+                    ssl3_send_alert(s, SSL3_AL_FATAL,
+                                    SSL_AD_INAPPROPRIATE_FALLBACK);
+                goto err;
+            }
+            p += n;
+            continue;
+        }
+
+        if(sslv2format) {
+            /*
+             * We only support SSLv2 format ciphers in SSLv3+ using a
+             * SSLv2 backward compatible ClientHello. In this case the first
+             * byte is always 0 for SSLv3 compatible ciphers. Anything else
+             * is an SSLv2 cipher and we ignore it
+             */
+            if(p[0] == 0)
+                c = ssl_get_cipher_by_char(s, &p[1]);
+            else
+                c = NULL;
+        } else {
+            c = ssl_get_cipher_by_char(s, p);
+        }
+        p += n;
+        if (c != NULL) {
+            if (!sk_SSL_CIPHER_push(sk, c)) {
+                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+                goto err;
+            }
+        }
+    }
+
+    if (skp != NULL)
+        *skp = sk;
+    return (sk);
+ err:
+    if ((skp == NULL) || (*skp == NULL))
+        sk_SSL_CIPHER_free(sk);
+    return (NULL);
+}
diff --git a/ssl/ssl-lib.com b/ssl/ssl-lib.com
index 9a20b54..5d2b5dd 100644
--- a/ssl/ssl-lib.com
+++ b/ssl/ssl-lib.com
@@ -207,8 +207,7 @@ $ ENDIF
 $!
 $! Define The Different SSL "library" Files.
 $!
-$ LIB_SSL = "s3_meth,  s3_srvr, s3_clnt, s3_lib, s3_enc,s3_pkt,s3_both,s3_cbc,"+ -
-	    "s23_meth,s23_srvr,s23_clnt,s23_lib,       s23_pkt,"+ -
+$ LIB_SSL = "s3_srvr, s3_clnt, s3_lib, s3_enc,s3_pkt,s3_both,s3_cbc,"+ -
 	    "t1_meth,  t1_srvr, t1_clnt, t1_lib, t1_enc,       t1_ext,"+ -
 	    "d1_meth,  d1_srvr, d1_clnt, d1_lib,        d1_pkt,"+ -
 	    "d1_both,d1_srtp,"+ -
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 24891ad..86f8fa8 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -111,14 +111,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),
      "dtls1_send_server_key_exchange"},
     {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"},
-    {ERR_FUNC(SSL_F_SSL23_ACCEPT), "ssl23_accept"},
-    {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO), "SSL23_CLIENT_HELLO"},
-    {ERR_FUNC(SSL_F_SSL23_CONNECT), "ssl23_connect"},
-    {ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO), "SSL23_GET_CLIENT_HELLO"},
-    {ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO), "SSL23_GET_SERVER_HELLO"},
-    {ERR_FUNC(SSL_F_SSL23_PEEK), "ssl23_peek"},
-    {ERR_FUNC(SSL_F_SSL23_READ), "ssl23_read"},
-    {ERR_FUNC(SSL_F_SSL23_WRITE), "ssl23_write"},
     {ERR_FUNC(SSL_F_SSL3_ACCEPT), "ssl3_accept"},
     {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"},
     {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "ssl3_callback_ctrl"},
@@ -297,6 +289,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT), "SSL_set_session_id_context"},
     {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
     {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
+    {ERR_FUNC(SSL_F_SSL_SET_VERSION), "SSL_SET_VERSION"},
     {ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
     {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
     {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
@@ -564,8 +557,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "srtp protection profile list too long"},
     {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),
      "srtp unknown protection profile"},
-    {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),
-     "ssl23 doing session id reuse"},
     {ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),
      "ssl3 ext invalid ecpointformat"},
     {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3828018..b9ae025 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1394,164 +1394,6 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
     return (buf);
 }
 
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
-                             unsigned char *p,
-                             int (*put_cb) (const SSL_CIPHER *,
-                                            unsigned char *))
-{
-    int i, j = 0;
-    SSL_CIPHER *c;
-    unsigned char *q;
-    int empty_reneg_info_scsv = !s->renegotiate;
-    /* Set disabled masks for this session */
-    ssl_set_client_disabled(s);
-
-    if (sk == NULL)
-        return (0);
-    q = p;
-    if (put_cb == NULL)
-        put_cb = s->method->put_cipher_by_char;
-
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-        c = sk_SSL_CIPHER_value(sk, i);
-        /* Skip disabled ciphers */
-        if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
-            continue;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        if (c->id == SSL3_CK_SCSV) {
-            if (!empty_reneg_info_scsv)
-                continue;
-            else
-                empty_reneg_info_scsv = 0;
-        }
-#endif
-        j = put_cb(c, p);
-        p += j;
-    }
-    /*
-     * If p == q, no ciphers; caller indicates an error. Otherwise, add
-     * applicable SCSVs.
-     */
-    if (p != q) {
-        if (empty_reneg_info_scsv) {
-            static SSL_CIPHER scsv = {
-                0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-            };
-            j = put_cb(&scsv, p);
-            p += j;
-#ifdef OPENSSL_RI_DEBUG
-            fprintf(stderr,
-                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
-#endif
-        }
-        if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
-            static SSL_CIPHER scsv = {
-                0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-            };
-            j = put_cb(&scsv, p);
-            p += j;
-        }
-    }
-
-    return (p - q);
-}
-
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
-                                               int num,
-                                               STACK_OF(SSL_CIPHER) **skp)
-{
-    const SSL_CIPHER *c;
-    STACK_OF(SSL_CIPHER) *sk;
-    int i, n;
-
-    if (s->s3)
-        s->s3->send_connection_binding = 0;
-
-    n = ssl_put_cipher_by_char(s, NULL, NULL);
-    if (n == 0 || (num % n) != 0) {
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-        return (NULL);
-    }
-    if ((skp == NULL) || (*skp == NULL)) {
-        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
-        if(sk == NULL) {
-            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-            return NULL;
-        }
-    } else {
-        sk = *skp;
-        sk_SSL_CIPHER_zero(sk);
-    }
-
-    OPENSSL_free(s->cert->ciphers_raw);
-    s->cert->ciphers_raw = BUF_memdup(p, num);
-    if (s->cert->ciphers_raw == NULL) {
-        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    s->cert->ciphers_rawlen = (size_t)num;
-
-    for (i = 0; i < num; i += n) {
-        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
-        if (s->s3 && (n != 3 || !p[0]) &&
-            (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
-            (p[n - 1] == (SSL3_CK_SCSV & 0xff))) {
-            /* SCSV fatal if renegotiating */
-            if (s->renegotiate) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-                goto err;
-            }
-            s->s3->send_connection_binding = 1;
-            p += n;
-#ifdef OPENSSL_RI_DEBUG
-            fprintf(stderr, "SCSV received by server\n");
-#endif
-            continue;
-        }
-
-        /* Check for TLS_FALLBACK_SCSV */
-        if ((n != 3 || !p[0]) &&
-            (p[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
-            (p[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
-            /*
-             * The SCSV indicates that the client previously tried a higher
-             * version. Fail if the current version is an unexpected
-             * downgrade.
-             */
-            if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                       SSL_R_INAPPROPRIATE_FALLBACK);
-                if (s->s3)
-                    ssl3_send_alert(s, SSL3_AL_FATAL,
-                                    SSL_AD_INAPPROPRIATE_FALLBACK);
-                goto err;
-            }
-            p += n;
-            continue;
-        }
-
-        c = ssl_get_cipher_by_char(s, p);
-        p += n;
-        if (c != NULL) {
-            if (!sk_SSL_CIPHER_push(sk, c)) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-                goto err;
-            }
-        }
-    }
-
-    if (skp != NULL)
-        *skp = sk;
-    return (sk);
- err:
-    if ((skp == NULL) || (*skp == NULL))
-        sk_SSL_CIPHER_free(sk);
-    return (NULL);
-}
-
 #ifndef OPENSSL_NO_TLSEXT
 /** return a servername extension value if provided in Client Hello, or NULL.
  * So far, only host_name types are defined (RFC 3546).
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f9c4e12..91eb119 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1816,43 +1816,6 @@ const SSL_METHOD *func_name(void)  \
         return &func_name##_data; \
         }
 
-# define IMPLEMENT_ssl23_meth_func(func_name, s_accept, s_connect, s_get_meth) \
-const SSL_METHOD *func_name(void)  \
-        { \
-        static const SSL_METHOD func_name##_data= { \
-        TLS1_2_VERSION, \
-        tls1_new, \
-        tls1_clear, \
-        tls1_free, \
-        s_accept, \
-        s_connect, \
-        ssl23_read, \
-        ssl23_peek, \
-        ssl23_write, \
-        ssl_undefined_function, \
-        ssl_undefined_function, \
-        ssl_ok, \
-        ssl3_get_message, \
-        ssl3_read_bytes, \
-        ssl3_write_bytes, \
-        ssl3_dispatch_alert, \
-        ssl3_ctrl, \
-        ssl3_ctx_ctrl, \
-        ssl23_get_cipher_by_char, \
-        ssl23_put_cipher_by_char, \
-        ssl_undefined_const_function, \
-        ssl23_num_ciphers, \
-        ssl23_get_cipher, \
-        s_get_meth, \
-        ssl23_default_timeout, \
-        &TLSv1_2_enc_data, \
-        ssl_undefined_void_function, \
-        ssl3_callback_ctrl, \
-        ssl3_ctx_callback_ctrl, \
-        }; \
-        return &func_name##_data; \
-        }
-
 # define IMPLEMENT_dtls1_meth_func(version, func_name, s_accept, s_connect, \
                                         s_get_meth, enc_data) \
 const SSL_METHOD *func_name(void)  \
@@ -1919,13 +1882,6 @@ __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
 DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
 __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
                           const SSL_CIPHER *const *bp);
-__owur STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
-                                               int num,
-                                               STACK_OF(SSL_CIPHER) **skp);
-__owur int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
-                             unsigned char *p,
-                             int (*put_cb) (const SSL_CIPHER *,
-                                            unsigned char *));
 __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
                                              STACK_OF(SSL_CIPHER) **pref,
                                              STACK_OF(SSL_CIPHER) **sorted,
@@ -2023,15 +1979,6 @@ __owur long ssl3_default_timeout(void);
 __owur int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
 __owur int ssl3_handshake_write(SSL *s);
 
-__owur int ssl23_num_ciphers(void);
-__owur const SSL_CIPHER *ssl23_get_cipher(unsigned int u);
-__owur int ssl23_read(SSL *s, void *buf, int len);
-__owur int ssl23_peek(SSL *s, void *buf, int len);
-__owur int ssl23_write(SSL *s, const void *buf, int len);
-__owur int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
-__owur const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
-__owur long ssl23_default_timeout(void);
-
 __owur int ssl_allow_compression(SSL *s);
 
 __owur long tls1_default_timeout(void);
@@ -2105,9 +2052,6 @@ __owur int ssl3_get_cert_verify(SSL *s);
 __owur int ssl3_get_next_proto(SSL *s);
 #  endif
 
-__owur int ssl23_accept(SSL *s);
-__owur int ssl23_connect(SSL *s);
-
 __owur int tls1_new(SSL *s);
 void tls1_free(SSL *s);
 void tls1_clear(SSL *s);
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index 76b550c..f59553b 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -302,28 +302,6 @@ const char *SSL_state_string_long(const SSL *s)
         break;
 #endif
 
-/* SSLv2/v3 compatibility states */
-/* client */
-    case SSL23_ST_CW_CLNT_HELLO_A:
-        str = "SSLv2/v3 write client hello A";
-        break;
-    case SSL23_ST_CW_CLNT_HELLO_B:
-        str = "SSLv2/v3 write client hello B";
-        break;
-    case SSL23_ST_CR_SRVR_HELLO_A:
-        str = "SSLv2/v3 read server hello A";
-        break;
-    case SSL23_ST_CR_SRVR_HELLO_B:
-        str = "SSLv2/v3 read server hello B";
-        break;
-/* server */
-    case SSL23_ST_SR_CLNT_HELLO_A:
-        str = "SSLv2/v3 read client hello A";
-        break;
-    case SSL23_ST_SR_CLNT_HELLO_B:
-        str = "SSLv2/v3 read client hello B";
-        break;
-
 /* DTLS */
     case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
         str = "DTLS1 read hello verify request A";
@@ -535,28 +513,6 @@ const char *SSL_state_string(const SSL *s)
         break;
 #endif
 
-/* SSLv2/v3 compatibility states */
-/* client */
-    case SSL23_ST_CW_CLNT_HELLO_A:
-        str = "23WCHA";
-        break;
-    case SSL23_ST_CW_CLNT_HELLO_B:
-        str = "23WCHB";
-        break;
-    case SSL23_ST_CR_SRVR_HELLO_A:
-        str = "23RSHA";
-        break;
-    case SSL23_ST_CR_SRVR_HELLO_B:
-        str = "23RSHA";
-        break;
-/* server */
-    case SSL23_ST_SR_CLNT_HELLO_A:
-        str = "23RCHA";
-        break;
-    case SSL23_ST_SR_CLNT_HELLO_B:
-        str = "23RCHB";
-        break;
-
 /* DTLS */
     case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
         str = "DRCHVA";
diff --git a/ssl/t1_clnt.c b/ssl/t1_clnt.c
index 746b4e6..9e117e9 100644
--- a/ssl/t1_clnt.c
+++ b/ssl/t1_clnt.c
@@ -66,25 +66,42 @@
 static const SSL_METHOD *tls1_get_client_method(int ver);
 static const SSL_METHOD *tls1_get_client_method(int ver)
 {
+    if (ver == TLS_ANY_VERSION)
+        return TLS_client_method();
     if (ver == TLS1_2_VERSION)
         return TLSv1_2_client_method();
     if (ver == TLS1_1_VERSION)
         return TLSv1_1_client_method();
     if (ver == TLS1_VERSION)
         return TLSv1_client_method();
+#ifndef OPENSSL_NO_SSL3
+    if (ver == SSL3_VERSION)
+        return (SSLv3_client_method());
+#endif
     return NULL;
 }
 
+IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, TLS_client_method,
+                        ssl_undefined_function,
+                        ssl3_connect,
+                        tls1_get_client_method, TLSv1_2_enc_data)
+
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method,
                         ssl_undefined_function,
                         ssl3_connect,
                         tls1_get_client_method, TLSv1_2_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method,
+IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method,
                         ssl_undefined_function,
                         ssl3_connect,
                         tls1_get_client_method, TLSv1_1_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method,
+IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method,
                         ssl_undefined_function,
                         ssl3_connect, tls1_get_client_method, TLSv1_enc_data)
+
+#ifndef OPENSSL_NO_SSL3_METHOD
+IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
+                         ssl_undefined_function,
+                         ssl3_connect, tls1_get_client_method)
+#endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9d90c1c..af0be02 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1458,13 +1458,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
      */
     if (s->options & SSL_OP_TLSEXT_PADDING) {
         int hlen = ret - (unsigned char *)s->init_buf->data;
-        /*
-         * The code in s23_clnt.c to build ClientHello messages includes the
-         * 5-byte record header in the buffer, while the code in s3_clnt.c
-         * does not.
-         */
-        if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
-            hlen -= 5;
+
         if (hlen > 0xff && hlen < 0x200) {
             hlen = 0x200 - hlen;
             if (hlen >= 4)
diff --git a/ssl/t1_meth.c b/ssl/t1_meth.c
index 335d57b..aa16d3f 100644
--- a/ssl/t1_meth.c
+++ b/ssl/t1_meth.c
@@ -62,23 +62,39 @@
 
 static const SSL_METHOD *tls1_get_method(int ver)
 {
+    if (ver == TLS_ANY_VERSION)
+        return TLS_method();
     if (ver == TLS1_2_VERSION)
         return TLSv1_2_method();
     if (ver == TLS1_1_VERSION)
         return TLSv1_1_method();
     if (ver == TLS1_VERSION)
         return TLSv1_method();
+#ifndef OPENSSL_NO_SSL3
+    if (ver == SSL3_VERSION)
+        return (SSLv3_method());
+    else
+#endif
     return NULL;
 }
 
+IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, TLS_method,
+                        ssl3_accept,
+                        ssl3_connect, tls1_get_method, TLSv1_2_enc_data)
+
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method,
                         ssl3_accept,
                         ssl3_connect, tls1_get_method, TLSv1_2_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method,
+IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method,
                         ssl3_accept,
                         ssl3_connect, tls1_get_method, TLSv1_1_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method,
+IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method,
                         ssl3_accept,
                         ssl3_connect, tls1_get_method, TLSv1_enc_data)
+
+#ifndef OPENSSL_NO_SSL3_METHOD
+IMPLEMENT_ssl3_meth_func(SSLv3_method,
+                         ssl3_accept, ssl3_connect, tls1_get_method)
+#endif
diff --git a/ssl/t1_srvr.c b/ssl/t1_srvr.c
index 8c6b3df..6e54b51 100644
--- a/ssl/t1_srvr.c
+++ b/ssl/t1_srvr.c
@@ -67,26 +67,43 @@
 static const SSL_METHOD *tls1_get_server_method(int ver);
 static const SSL_METHOD *tls1_get_server_method(int ver)
 {
+    if (ver == TLS_ANY_VERSION)
+        return TLS_server_method();
     if (ver == TLS1_2_VERSION)
         return TLSv1_2_server_method();
     if (ver == TLS1_1_VERSION)
         return TLSv1_1_server_method();
     if (ver == TLS1_VERSION)
         return TLSv1_server_method();
+#ifndef OPENSSL_NO_SSL3
+    if (ver == SSL3_VERSION)
+        return (SSLv3_server_method());
+#endif
     return NULL;
 }
 
+IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, TLS_server_method,
+                        ssl3_accept,
+                        ssl_undefined_function,
+                        tls1_get_server_method, TLSv1_2_enc_data)
+
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method,
                         ssl3_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_2_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method,
+IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method,
                         ssl3_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_1_enc_data)
 
-    IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method,
+IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method,
                         ssl3_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_enc_data)
+
+#ifndef OPENSSL_NO_SSL3_METHOD
+IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+                         ssl3_accept,
+                         ssl_undefined_function, tls1_get_server_method)
+#endif
diff --git a/test/Makefile b/test/Makefile
index 6c973ad..691249b 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -741,11 +741,11 @@ heartbeat_test.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 heartbeat_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 heartbeat_test.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 heartbeat_test.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-heartbeat_test.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-heartbeat_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-heartbeat_test.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-heartbeat_test.o: ../include/openssl/x509_vfy.h ../ssl/record/record.h
-heartbeat_test.o: ../ssl/ssl_locl.h heartbeat_test.c testutil.h
+heartbeat_test.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+heartbeat_test.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+heartbeat_test.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+heartbeat_test.o: ../ssl/record/record.h ../ssl/ssl_locl.h heartbeat_test.c
+heartbeat_test.o: testutil.h
 hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 hmactest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
@@ -849,11 +849,11 @@ ssltest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ssltest.o: ../include/openssl/srp.h ../include/openssl/srtp.h
 ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssltest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-ssltest.o: ../ssl/record/record.h ../ssl/ssl_locl.h ssltest.c
+ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssltest.o: ../include/openssl/x509v3.h ../ssl/record/record.h ../ssl/ssl_locl.h
+ssltest.o: ssltest.c
 testutil.o: ../e_os.h ../include/openssl/e_os2.h
 testutil.o: ../include/openssl/opensslconf.h testutil.c testutil.h
 v3nametest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
diff --git a/test/ssltest.c b/test/ssltest.c
index 1fa2aa2c..95ba1a0 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -1417,7 +1417,7 @@ int main(int argc, char *argv[])
     if (tls1)
         meth = TLSv1_method();
     else
-        meth = SSLv23_method();
+        meth = TLS_method();
 
     c_ctx = SSL_CTX_new(meth);
     s_ctx = SSL_CTX_new(meth);
diff --git a/util/ssleay.num b/util/ssleay.num
index 7fb0714..d595fe0 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -95,9 +95,9 @@ SSL_use_certificate_ASN1                106	EXIST::FUNCTION:
 SSL_use_certificate_file                107	EXIST::FUNCTION:STDIO
 SSL_write                               108	EXIST::FUNCTION:
 SSLeay_add_ssl_algorithms               109	NOEXIST::FUNCTION:
-SSLv23_client_method                    110	EXIST::FUNCTION:RSA
-SSLv23_method                           111	EXIST::FUNCTION:RSA
-SSLv23_server_method                    112	EXIST::FUNCTION:RSA
+SSLv23_client_method                    110	NOEXIST::FUNCTION:
+SSLv23_method                           111	NOEXIST::FUNCTION:
+SSLv23_server_method                    112	NOEXIST::FUNCTION:
 SSLv2_client_method                     113	NOEXIST::FUNCTION:
 SSLv2_method                            114	NOEXIST::FUNCTION:
 SSLv2_server_method                     115	NOEXIST::FUNCTION:
@@ -396,3 +396,6 @@ SSL_set_rbio                            430	EXIST::FUNCTION:
 SSL_CIPHER_get_digest_nid               431	EXIST::FUNCTION:
 SSL_CIPHER_get_cipher_nid               432	EXIST::FUNCTION:
 SSL_use_certificate_chain_file          433	EXIST::FUNCTION:STDIO
+TLS_server_method                       434	EXIST::FUNCTION:
+TLS_method                              435	EXIST::FUNCTION:
+TLS_client_method                       436	EXIST::FUNCTION:


More information about the openssl-commits mailing list