--- openssl-fips-0.9.8e.rh/ssl/s23_clnt.c	2014-11-16 21:10:08.000000000 +0100
+++ openssl-fips-0.9.8e/ssl/s23_clnt.c	2014-11-16 21:17:31.000000000 +0100
@@ -68,13 +68,7 @@
 static int ssl23_get_server_hello(SSL *s);
 static SSL_METHOD *ssl23_get_client_method(int ver)
 	{
-#ifndef OPENSSL_NO_SSL2
-	if (ver == SSL2_VERSION)
-		return(SSLv2_client_method());
-#endif
-	if (ver == SSL3_VERSION)
-		return(SSLv3_client_method());
-	else if (ver == TLS1_VERSION)
+	if (ver == TLS1_VERSION)
 		return(TLSv1_client_method());
 	else
 		return(NULL);
@@ -442,69 +436,8 @@
 	if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
 		(p[5] == 0x00) && (p[6] == 0x02))
 		{
-#ifdef OPENSSL_NO_SSL2
 		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
-#else
-		/* we are talking sslv2 */
-		/* we need to clean up the SSLv3 setup and put in the
-		 * sslv2 stuff. */
-		int ch_len;
-
-		if (s->options & SSL_OP_NO_SSLv2)
-			{
-			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-			goto err;
-			}
-		if (s->s2 == NULL)
-			{
-			if (!ssl2_new(s))
-				goto err;
-			}
-		else
-			ssl2_clear(s);
-
-		if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
-			ch_len=SSL2_CHALLENGE_LENGTH;
-		else
-			ch_len=SSL2_MAX_CHALLENGE_LENGTH;
-
-		/* write out sslv2 challenge */
-		i=(SSL3_RANDOM_SIZE < ch_len)
-			?SSL3_RANDOM_SIZE:ch_len;
-		s->s2->challenge_length=i;
-		memcpy(s->s2->challenge,
-			&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
-
-		if (s->s3 != NULL) ssl3_free(s);
-
-		if (!BUF_MEM_grow_clean(s->init_buf,
-			SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-			{
-			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
-			goto err;
-			}
-
-		s->state=SSL2_ST_GET_SERVER_HELLO_A;
-		if (!(s->client_version == SSL2_VERSION))
-			/* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
-			s->s2->ssl2_rollback=1;
-
-		/* setup the 5 bytes we have read so we get them from
-		 * the sslv2 buffer */
-		s->rstate=SSL_ST_READ_HEADER;
-		s->packet_length=n;
-		s->packet= &(s->s2->rbuf[0]);
-		memcpy(s->packet,buf,n);
-		s->s2->rbuf_left=n;
-		s->s2->rbuf_offs=0;
-
-		/* we have already written one */
-		s->s2->write_sequence=1;
-
-		s->method=SSLv2_client_method();
-		s->handshake_func=s->method->ssl_connect;
-#endif
 		}
 	else if ((p[0] == SSL3_RT_HANDSHAKE) &&
 		 (p[1] == SSL3_VERSION_MAJOR) &&
@@ -539,8 +472,8 @@
 				goto err;
 				}
 #endif
-			s->version=SSL3_VERSION;
-			s->method=SSLv3_client_method();
+			SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+			goto err;
 			}
 		else if ((p[2] == TLS1_VERSION_MINOR) &&
 			!(s->options & SSL_OP_NO_TLSv1))
--- openssl-fips-0.9.8e.rh/ssl/s23_srvr.c	2014-11-16 21:10:08.000000000 +0100
+++ openssl-fips-0.9.8e/ssl/s23_srvr.c	2014-11-16 21:17:57.000000000 +0100
@@ -120,13 +120,7 @@
 int ssl23_get_client_hello(SSL *s);
 static SSL_METHOD *ssl23_get_server_method(int ver)
 	{
-#ifndef OPENSSL_NO_SSL2
-	if (ver == SSL2_VERSION)
-		return(SSLv2_server_method());
-#endif
-	if (ver == SSL3_VERSION)
-		return(SSLv3_server_method());
-	else if (ver == TLS1_VERSION)
+	if (ver == TLS1_VERSION)
 		return(TLSv1_server_method());
 	else
 		return(NULL);
@@ -492,50 +486,8 @@
 
 	if (type == 1)
 		{
-#ifdef OPENSSL_NO_SSL2
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
-#else
-		/* we are talking sslv2 */
-		/* we need to clean up the SSLv3/TLSv1 setup and put in the
-		 * sslv2 stuff. */
-
-		if (s->s2 == NULL)
-			{
-			if (!ssl2_new(s))
-				goto err;
-			}
-		else
-			ssl2_clear(s);
-
-		if (s->s3 != NULL) ssl3_free(s);
-
-		if (!BUF_MEM_grow_clean(s->init_buf,
-			SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-			{
-			goto err;
-			}
-
-		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
-			s->s2->ssl2_rollback=0;
-		else
-			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
-			 * (SSL 3.0 draft/RFC 2246, App. E.2) */
-			s->s2->ssl2_rollback=1;
-
-		/* setup the n bytes we have read so we get them from
-		 * the sslv2 buffer */
-		s->rstate=SSL_ST_READ_HEADER;
-		s->packet_length=n;
-		s->packet= &(s->s2->rbuf[0]);
-		memcpy(s->packet,buf,n);
-		s->s2->rbuf_left=n;
-		s->s2->rbuf_offs=0;
-
-		s->method=SSLv2_server_method();
-		s->handshake_func=s->method->ssl_accept;
-#endif
 		}
 
 	if ((type == 2) || (type == 3))
@@ -568,7 +520,10 @@
 		if (s->version == TLS1_VERSION)
 			s->method = TLSv1_server_method();
 		else
-			s->method = SSLv3_server_method();
+			{
+			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL);
+			goto err;
+			}
 #if 0 /* ssl3_get_client_hello does this */
 		s->client_version=(v[0]<<8)|v[1];
 #endif
--- openssl-fips-0.9.8e.rh/ssl/ssl.h	2014-11-16 21:10:08.000000000 +0100
+++ openssl-fips-0.9.8e/ssl/ssl.h	2014-11-16 21:10:47.000000000 +0100
@@ -318,7 +318,7 @@
 /* The following cipher list is used by default.
  * It also is substituted when an application-defined cipher list string
  * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST	"AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */
+#define SSL_DEFAULT_CIPHER_LIST	"DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-SHA:RC4-SHA"
 
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 #define SSL_SENT_SHUTDOWN	1
--- openssl-fips-0.9.8e.rh/ssl/ssltest.c	2014-11-16 21:10:08.000000000 +0100
+++ openssl-fips-0.9.8e/ssl/ssltest.c	2014-11-16 21:23:22.000000000 +0100
@@ -250,12 +250,6 @@
 #ifndef OPENSSL_NO_ECDH
 	fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
 #endif
-#ifndef OPENSSL_NO_SSL2
-	fprintf(stderr," -ssl2         - use SSLv2\n");
-#endif
-#ifndef OPENSSL_NO_SSL3
-	fprintf(stderr," -ssl3         - use SSLv3\n");
-#endif
 #ifndef OPENSSL_NO_TLS1
 	fprintf(stderr," -tls1         - use TLSv1\n");
 #endif
@@ -511,8 +505,6 @@
 			no_dhe=1;
 		else if	(strcmp(*argv,"-no_ecdhe") == 0)
 			no_ecdhe=1;
-		else if	(strcmp(*argv,"-ssl2") == 0)
-			ssl2=1;
 		else if	(strcmp(*argv,"-tls1") == 0)
 			tls1=1;
 		else if	(strcmp(*argv,"-ssl3") == 0)
@@ -722,24 +714,10 @@
 	}
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
-	if (ssl2)
-		meth=SSLv2_method();
-	else 
 	if (tls1)
 		meth=TLSv1_method();
 	else
-	if (ssl3)
-		meth=SSLv3_method();
-	else
 		meth=SSLv23_method();
-#else
-#ifdef OPENSSL_NO_SSL2
-	meth=SSLv3_method();
-#else
-	meth=SSLv2_method();
-#endif
-#endif
 
 	c_ctx=SSL_CTX_new(meth);
 	s_ctx=SSL_CTX_new(meth);
@@ -2263,37 +2241,6 @@
 	const SSL_METHOD *meth;
 	SSL_CIPHER *ci, *tci = NULL;
 
-#ifndef OPENSSL_NO_SSL2
-	fprintf(stderr, "testing SSLv2 cipher list order: ");
-	meth = SSLv2_method();
-	while ((ci = meth->get_cipher(i++)) != NULL)
-		{
-		if (tci != NULL)
-			if (ci->id >= tci->id)
-				{
-				fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
-				return 0;
-				}
-		tci = ci;
-		}
-	fprintf(stderr, "ok\n");
-#endif
-#ifndef OPENSSL_NO_SSL3
-	fprintf(stderr, "testing SSLv3 cipher list order: ");
-	meth = SSLv3_method();
-	tci = NULL;
-	while ((ci = meth->get_cipher(i++)) != NULL)
-		{
-		if (tci != NULL)
-			if (ci->id >= tci->id)
-				{
-				fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
-				return 0;
-				}
-		tci = ci;
-		}
-	fprintf(stderr, "ok\n");
-#endif
 #ifndef OPENSSL_NO_TLS1
 	fprintf(stderr, "testing TLSv1 cipher list order: ");
 	meth = TLSv1_method();
--- openssl-fips-0.9.8e.rh/test/testssl	2014-11-16 21:10:08.000000000 +0100
+++ openssl-fips-0.9.8e/test/testssl	2014-11-17 09:46:19.000000000 +0100
@@ -32,32 +32,6 @@
 
 #############################################################################
 
-echo test sslv2
-$ssltest -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication
-  $ssltest -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication
-  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
-echo test sslv3
-$ssltest -ssl3 $extra || exit 1
-
-echo test sslv3 with server authentication
-$ssltest -ssl3 -server_auth $CA $extra || exit 1
-
-echo test sslv3 with client authentication
-$ssltest -ssl3 -client_auth $CA $extra || exit 1
-
-echo test sslv3 with both client and server authentication
-$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
-
 echo test sslv2/sslv3
 $ssltest $extra || exit 1
 
@@ -70,32 +44,6 @@
 echo test sslv2/sslv3 with both client and server authentication
 $ssltest -server_auth -client_auth $CA $extra || exit 1
 
-echo test sslv2 via BIO pair
-$ssltest -bio_pair -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication via BIO pair
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
-echo test sslv3 via BIO pair
-$ssltest -bio_pair -ssl3 $extra || exit 1
-
-echo test sslv3 with server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
-
-echo test sslv3 with client authentication via BIO pair
-$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
-
-echo test sslv3 with both client and server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
-
 echo test sslv2/sslv3 via BIO pair
 $ssltest $extra || exit 1
 
@@ -125,9 +73,6 @@
   for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
     echo "Testing $cipher"
     prot=""
-    if [ $protocol == "SSLv3" ] ; then
-      prot="-ssl3"
-    fi
     $ssltest -cipher $cipher $prot
     if [ $? -ne 0 ] ; then
 	  echo "Failed $cipher"