LGTM

I think this looks good to me. @kib, can you weigh in on the symbol versioning being used here? Should we also update the Symbol.map file as well? What's the protocol around that look like?

In D25493#563650, @cem wrote:

Do you intend to MFC OPENSSL_NO_SSL3?

In D25493#563618, @cem wrote:

If you know of an example of some software that explicitly invokes every version it knows about (and tries SSLv3 before a TLS version), I've love to see an example.

I'd take returning NULL over the status quo, where we ship SSLv3 in 2020.

This feels heavy handed (abort and KILL). Would we be better to mirror the actual API and return NULL to indicate this doesn't work?

Per discussion with Kyle offline, we are going to defer this change until after the 11.4 release. We are just in a tough spot to inject a change of this size this late into the release process.

Adding releng. They would deal with in-progress releases, not secteam. We get to deal with them *after* release. :-)

In D24965#549710, @brnrd wrote:

Fix pkg-plist

• Add options for ktls and legacy
• Modules in an options group

In D24965#549680, @brnrd wrote:

Thanks! The Modules are one of the big changes in 3.0, should've picked that up.
It is now enabled by default, good to make it an option!
Guess we're missing a change to pkg-plist here?

===================================================================
--- pkg-plist   (revision 535366)
+++ pkg-plist   (working copy)
@@ -136,7 +136,7 @@
 lib/libssl.a
 %%SHARED%%lib/libssl.so
 %%SHARED%%lib/libssl.so.%%SHLIBVER%%
-%%SHARED%%lib/ossl-modules/fips.so
+%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so
 %%SHARED%%lib/ossl-modules/legacy.so
 libdata/pkgconfig/libcrypto.pc
 libdata/pkgconfig/libssl.pc

With OpenSSL 3.0, it includes a FIPS provider and appropriate switches for the build. Thought it would be good to hook this up.

In D24945#549309, @jkim wrote:

It's okay but we need to disable SSLv3 from fetch(3) first. Please see D24947.

In D24945#549197, @cem wrote:

We should also disable SSL2, if we do not already. And perhaps TLS 1.0?

Secteam and jkim to review. Per a comment from jmg. we should turn of SSLv3 in the OpenSSL build. I did a quick build test with this an confirmed the symbols related to SSLv3 are not in the resulting libssl library.

Ports secteam, can you please review and approve? Thanks!

Looks good to me. I haven't tested it, but seeing as it is the same patch as OpenBSD's it should do what is expected.

Have we checked to see how often this is used in tree?