Remove support for OPENSSL_NO_TLSEXT

Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not well tested). Therefore it is being removed. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-15 10:49:56 +01:00
parent 552bf8ec5e
commit e481f9b90b
27 changed files with 328 additions and 619 deletions
--- a/10
+++ b/10
@@ -1086,10 +1086,6 @@ if (defined($disabled{"md5"}) || defined($disabled{"sha"})
 	$disabled{"tls1"} = "forced";
 	}
 if (defined($disabled{"tls1"}))
 	{
 	$disabled{"tlsext"} = "forced";
 	}
 if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
    || defined($disabled{"dh"}))
@@ -1097,12 +1093,6 @@ if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
 	$disabled{"gost"} = "forced";
 	}
 # SRP and HEARTBEATS require TLSEXT
 if (defined($disabled{"tlsext"}))
 	{
 	$disabled{"srp"} = "forced";
 	$disabled{"heartbeats"} = "forced";
 	}
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -136,7 +136,7 @@ Currently, the logical names supported are:
                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
-                        SEED, SOCK, SRP, SRTP, TLSEXT, WHIRLPOOL.  So, for
+                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
                        example, having the logical name OPENSSL_NO_RSA with
                        the value YES means that the LIBCRYPTO.OLB library
                        will not contain an RSA implementation.
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2202,7 +2202,6 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 /*-
 * next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -2238,7 +2237,6 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
    *outlen = len + 1;
    return out;
 }
 #endif                          /* ndef OPENSSL_NO_TLSEXT */
 void print_cert_checks(BIO *bio, X509 *x,
                       const char *checkhost,
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -514,9 +514,7 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # endif
 # ifndef OPENSSL_NO_TLSEXT
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 # endif                         /* ndef OPENSSL_NO_TLSEXT */
 void print_cert_checks(BIO *bio, X509 *x,
                       const char *checkhost,
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -198,9 +198,7 @@ static int c_ign_eof = 0;
 static int c_brief = 0;
 static void print_stuff(BIO *berr, SSL *con, int full);
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
 #endif
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -269,8 +267,6 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
 }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
    BIO *biodebug;
@@ -457,8 +453,6 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
    return 1;
 }
 #endif
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY,
@@ -563,7 +557,6 @@ OPTIONS s_client_options[] = {
    {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"},
 #endif
    {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
 #ifndef OPENSSL_NO_TLSEXT
    {"servername", OPT_SERVERNAME, 's',
     "Set TLS extension servername in ClientHello"},
    {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
@@ -576,7 +569,6 @@ OPTIONS s_client_options[] = {
 #ifndef OPENSSL_NO_NEXTPROTONEG
    {"nextprotoneg", OPT_NEXTPROTONEG, 's',
     "Enable NPN extension, considering named protocols supported (comma-separated list)"},
 # endif
 #endif
    {"CRL", OPT_CRL, '<'},
    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
@@ -673,7 +665,6 @@ int s_client_main(int argc, char **argv)
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
    struct timeval tv;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    char *servername = NULL;
    const char *alpn_in = NULL;
    tlsextctx tlsextcbp = { NULL, 0 };
@@ -683,7 +674,6 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_NEXTPROTONEG
    const char *next_proto_neg_in = NULL;
 #endif
 #endif
 #ifndef OPENSSL_NO_SRP
    char *srppass = NULL;
    int srp_lateuser = 0;
@@ -870,14 +860,12 @@ int s_client_main(int argc, char **argv)
        case OPT_DEBUG:
            c_debug = 1;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_TLSEXTDEBUG:
            c_tlsextdebug = 1;
            break;
        case OPT_STATUS:
            c_status_req = 1;
            break;
 #endif
 #ifdef WATT32
        case OPT_WDEBUG:
            dbug_init();
@@ -1027,7 +1015,6 @@ int s_client_main(int argc, char **argv)
        case OPT_VERIFYCAFILE:
            vfyCAfile = opt_arg();
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_NEXTPROTONEG:
            next_proto_neg_in = opt_arg();
            break;
@@ -1046,16 +1033,13 @@ int s_client_main(int argc, char **argv)
                }
            }
            break;
 #endif
        case OPT_STARTTLS:
            if (!opt_pair(opt_arg(), services, &starttls_proto))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_SERVERNAME:
            servername = opt_arg();
            /* meth=TLSv1_client_method(); */
            break;
 #endif
 #ifndef OPENSSL_NO_JPAKE
        case OPT_JPAKE:
            jpake_secret = opt_arg();
@@ -1101,7 +1085,7 @@ int s_client_main(int argc, char **argv)
    }
 #endif
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    next_proto.status = -1;
    if (next_proto_neg_in) {
        next_proto.data =
@@ -1250,7 +1234,6 @@ int s_client_main(int argc, char **argv)
    if (exc)
        ssl_ctx_set_excert(ctx, exc);
 #if !defined(OPENSSL_NO_TLSEXT)
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
    if (next_proto.data)
        SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
@@ -1270,8 +1253,7 @@ int s_client_main(int argc, char **argv)
        }
        OPENSSL_free(alpn);
    }
-#endif
+
 #ifndef OPENSSL_NO_TLSEXT
    for (i = 0; i < serverinfo_count; i++) {
        if (!SSL_CTX_add_client_custom_ext(ctx,
                                           serverinfo_types[i],
@@ -1282,7 +1264,6 @@ int s_client_main(int argc, char **argv)
                    serverinfo_types[i]);
        }
    }
 #endif
    if (state)
        SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
@@ -1299,7 +1280,6 @@ int s_client_main(int argc, char **argv)
    if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
        goto end;
 #ifndef OPENSSL_NO_TLSEXT
    if (servername != NULL) {
        tlsextcbp.biodebug = bio_err;
        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
@@ -1320,7 +1300,6 @@ int s_client_main(int argc, char **argv)
            SSL_CTX_set_srp_verify_param_callback(ctx,
                                                  ssl_srp_verify_param_cb);
    }
 # endif
 # endif
    con = SSL_new(ctx);
@@ -1350,7 +1329,6 @@ int s_client_main(int argc, char **argv)
    if (fallback_scsv)
        SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
 #ifndef OPENSSL_NO_TLSEXT
    if (servername != NULL) {
        if (!SSL_set_tlsext_host_name(con, servername)) {
            BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
@@ -1358,7 +1336,6 @@ int s_client_main(int argc, char **argv)
            goto end;
        }
    }
 #endif
 re_start:
 #ifdef NO_SYS_UN_H
@@ -1449,7 +1426,7 @@ int s_client_main(int argc, char **argv)
            SSL_set_msg_callback(con, msg_cb);
        SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
    }
-#ifndef OPENSSL_NO_TLSEXT
+
    if (c_tlsextdebug) {
        SSL_set_tlsext_debug_callback(con, tlsext_cb);
        SSL_set_tlsext_debug_arg(con, bio_c_out);
@@ -1459,7 +1436,6 @@ int s_client_main(int argc, char **argv)
        SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
        SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
    }
 #endif
 #ifndef OPENSSL_NO_JPAKE
    if (jpake_secret)
        jpake_client_auth(bio_c_out, sbio, jpake_secret);
@@ -1680,13 +1656,13 @@ int s_client_main(int argc, char **argv)
            tty_on = 1;
            if (in_init) {
                in_init = 0;
-#ifndef OPENSSL_NO_TLSEXT
+
                if (servername != NULL && !SSL_session_reused(con)) {
                    BIO_printf(bio_c_out,
                               "Server did %sacknowledge servername extension.\n",
                               tlsextcbp.ack ? "" : "not ");
                }
-#endif
+
                if (sess_out) {
                    BIO *stmp = BIO_new_file(sess_out, "w");
                    if (stmp) {
@@ -2028,7 +2004,7 @@ int s_client_main(int argc, char **argv)
            print_stuff(bio_c_out, con, 1);
        SSL_free(con);
    }
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    OPENSSL_free(next_proto.data);
 #endif
    SSL_CTX_free(ctx);
@@ -2155,7 +2131,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
    }
 #endif
 #if !defined(OPENSSL_NO_TLSEXT)
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
    if (next_proto.status != -1) {
        const unsigned char *proto;
@@ -2177,7 +2152,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        } else
            BIO_printf(bio, "No ALPN negotiated\n");
    }
 #endif
 #ifndef OPENSSL_NO_SRTP
    {
@@ -2216,8 +2190,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
    (void)BIO_flush(bio);
 }
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
    const unsigned char *p;
@@ -2241,5 +2213,3 @@ static int ocsp_resp_cb(SSL *s, void *arg)
    OCSP_RESPONSE_free(rsp);
    return 1;
 }
 #endif
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -218,9 +218,7 @@ static int bufsize = BUFSIZZ;
 static int accept_socket = -1;
 #define TEST_CERT       "server.pem"
 #ifndef OPENSSL_NO_TLSEXT
 #define TEST_CERT2      "server2.pem"
 #endif
 extern int verify_depth, verify_return_error, verify_quiet;
@@ -229,9 +227,7 @@ static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file = TEST_CERT, *s_key_file =
    NULL, *s_chain_file = NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
 #endif
 static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
 #ifdef FIONBIO
 static int s_nbio = 0;
@@ -239,19 +235,15 @@ static int s_nbio = 0;
 static int s_nbio_test = 0;
 int s_crlf = 0;
 static SSL_CTX *ctx = NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static SSL_CTX *ctx2 = NULL;
 #endif
 static int www = 0;
 static BIO *bio_s_out = NULL;
 static BIO *bio_s_msg = NULL;
 static int s_debug = 0;
 #ifndef OPENSSL_NO_TLSEXT
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
 static int cert_status_cb(SSL *s, void *arg);
 #endif
 static int no_resume_ephemeral = 0;
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -272,12 +264,9 @@ static long socket_mtu;
 static int cert_chain = 0;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 static BIO *serverinfo_in = NULL;
 static const char *s_serverinfo_file = NULL;
 #endif
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity = "Client_identity";
 char *psk_key = NULL;           /* by default PSK is not used */
@@ -401,11 +390,9 @@ static void s_server_init(void)
    s_cert_file = TEST_CERT;
    s_key_file = NULL;
    s_chain_file = NULL;
 #ifndef OPENSSL_NO_TLSEXT
    s_cert_file2 = TEST_CERT2;
    s_key_file2 = NULL;
    ctx2 = NULL;
 #endif
    s_nbio = 0;
    s_nbio_test = 0;
    ctx = NULL;
@@ -575,8 +562,6 @@ static int ebcdic_puts(BIO *bp, const char *str)
 }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
    char *servername;
@@ -789,7 +774,6 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
    return SSL_TLSEXT_ERR_OK;
 }
 #endif                          /* ndef OPENSSL_NO_TLSEXT */
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
 {
@@ -849,10 +833,8 @@ OPTIONS s_server_options[] = {
     "Turn on peer certificate verification, must have a cert"},
    {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
    {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"},
 #ifndef OPENSSL_NO_TLSEXT
    {"serverinfo", OPT_SERVERINFO, 's',
     "PEM serverinfo file for certificate"},
 #endif
    {"certform", OPT_CERTFORM, 'F',
     "Certificate format (PEM or DER) PEM default"},
    {"key", OPT_KEY, '<',
@@ -924,7 +906,6 @@ OPTIONS s_server_options[] = {
     "Generate SSL/TLS session IDs prefixed by arg"},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
 #ifndef OPENSSL_NO_TLSEXT
    {"servername", OPT_SERVERNAME, 's',
     "Servername for HostName TLS extension"},
    {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
@@ -943,7 +924,6 @@ OPTIONS s_server_options[] = {
     "Offer SRTP key management with a colon-separated profile list"},
    {"alpn", OPT_ALPN, 's',
     "Set the advertised protocols for the ALPN extension (comma-separated list)"},
 #endif
    {"keymatexport", OPT_KEYMATEXPORT, 's',
     "Export keying material using label"},
    {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
@@ -1016,7 +996,6 @@ int s_server_main(int argc, char *argv[])
    unsigned short port = PORT;
    unsigned char *context = NULL;
    OPTION_CHOICE o;
 #ifndef OPENSSL_NO_TLSEXT
    EVP_PKEY *s_key2 = NULL;
    X509 *s_cert2 = NULL;
    tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
@@ -1026,7 +1005,6 @@ int s_server_main(int argc, char *argv[])
 #endif
    const char *alpn_in = NULL;
    tlsextalpnctx alpn_ctx = { NULL, 0 };
 #endif
 #ifndef OPENSSL_NO_PSK
    /* by default do not send a PSK identity hint */
    static char *psk_identity_hint = NULL;
@@ -1122,11 +1100,9 @@ int s_server_main(int argc, char *argv[])
        case OPT_CRL_DOWNLOAD:
            crl_download = 1;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_SERVERINFO:
            s_serverinfo_file = opt_arg();
            break;
 #endif
        case OPT_CERTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
                goto opthelp;
@@ -1241,7 +1217,6 @@ int s_server_main(int argc, char *argv[])
        case OPT_DEBUG:
            s_debug = 1;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_TLSEXTDEBUG:
            s_tlsextdebug = 1;
            break;
@@ -1265,7 +1240,6 @@ int s_server_main(int argc, char *argv[])
                goto end;
            }
            break;
 #endif
        case OPT_MSG:
            s_msg = 1;
            break;
@@ -1395,7 +1369,6 @@ int s_server_main(int argc, char *argv[])
        case OPT_RAND:
            inrand = opt_arg();
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case OPT_SERVERNAME:
            tlsextcbp.servername = opt_arg();
            break;
@@ -1416,7 +1389,6 @@ int s_server_main(int argc, char *argv[])
        case OPT_ALPN:
            alpn_in = opt_arg();
            break;
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
        case OPT_JPAKE:
            jpake_secret = opt_arg();
@@ -1468,10 +1440,9 @@ int s_server_main(int argc, char *argv[])
    if (s_key_file == NULL)
        s_key_file = s_cert_file;
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_key_file2 == NULL)
        s_key_file2 = s_cert_file2;
 #endif
    if (!load_excert(&exc))
        goto end;
@@ -1497,7 +1468,7 @@ int s_server_main(int argc, char *argv[])
            if (!s_chain)
                goto end;
        }
-#ifndef OPENSSL_NO_TLSEXT
+
        if (tlsextcbp.servername) {
            s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e,
                              "second server certificate private key file");
@@ -1514,9 +1485,7 @@ int s_server_main(int argc, char *argv[])
                goto end;
            }
        }
 #endif                          /* OPENSSL_NO_TLSEXT */
    }
 #if !defined(OPENSSL_NO_TLSEXT)
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
    if (next_proto_neg_in) {
        unsigned short len;
@@ -1536,7 +1505,6 @@ int s_server_main(int argc, char *argv[])
            goto end;
        alpn_ctx.len = len;
    }
 #endif
    if (crl_file) {
        X509_CRL *crl;
@@ -1610,10 +1578,8 @@ int s_server_main(int argc, char *argv[])
        s_key_file = NULL;
        s_dcert_file = NULL;
        s_dkey_file = NULL;
 #ifndef OPENSSL_NO_TLSEXT
        s_cert_file2 = NULL;
        s_key_file2 = NULL;
 #endif
    }
    ctx = SSL_CTX_new(meth);
@@ -1678,7 +1644,7 @@ int s_server_main(int argc, char *argv[])
        ERR_print_errors(bio_err);
        goto end;
    }
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_cert2) {
        ctx2 = SSL_CTX_new(meth);
        if (ctx2 == NULL) {
@@ -1739,7 +1705,6 @@ int s_server_main(int argc, char *argv[])
 #endif
    if (alpn_ctx.data)
        SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
 #endif
 #ifndef OPENSSL_NO_DH
    if (!no_dhe) {
@@ -1765,7 +1730,7 @@ int s_server_main(int argc, char *argv[])
            DH_free(dh);
            goto end;
        }
-# ifndef OPENSSL_NO_TLSEXT
+
        if (ctx2) {
            if (!dhfile) {
                DH *dh2 = load_dh_param(s_cert_file2);
@@ -1786,24 +1751,22 @@ int s_server_main(int argc, char *argv[])
                goto end;
            }
        }
 # endif
        DH_free(dh);
    }
 #endif
    if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
        goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_serverinfo_file != NULL
        && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
        ERR_print_errors(bio_err);
        goto end;
    }
-#endif
+
 #ifndef OPENSSL_NO_TLSEXT
    if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
        goto end;
-#endif
+
    if (s_dcert != NULL) {
        if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
            goto end;
@@ -1811,21 +1774,18 @@ int s_server_main(int argc, char *argv[])
 #ifndef OPENSSL_NO_RSA
    if (!no_tmp_rsa) {
        SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
 #  ifndef OPENSSL_NO_TLSEXT
        if (ctx2)
            SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
 #  endif
    }
 #endif
    if (no_resume_ephemeral) {
        SSL_CTX_set_not_resumable_session_callback(ctx,
                                                   not_resumable_sess_cb);
-#ifndef OPENSSL_NO_TLSEXT
+
        if (ctx2)
            SSL_CTX_set_not_resumable_session_callback(ctx2,
                                                       not_resumable_sess_cb);
 #endif
    }
 #ifndef OPENSSL_NO_PSK
 # ifdef OPENSSL_NO_JPAKE
@@ -1860,7 +1820,6 @@ int s_server_main(int argc, char *argv[])
    SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
    SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
 #ifndef OPENSSL_NO_TLSEXT
    if (ctx2) {
        SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
        if (!SSL_CTX_set_session_id_context(ctx2,
@@ -1876,7 +1835,6 @@ int s_server_main(int argc, char *argv[])
        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
        SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
    }
 #endif
 #ifndef OPENSSL_NO_SRP
    if (srp_verifier_file != NULL) {
@@ -1898,10 +1856,9 @@ int s_server_main(int argc, char *argv[])
 #endif
    if (CAfile != NULL) {
        SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-#ifndef OPENSSL_NO_TLSEXT
+
        if (ctx2)
            SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
 #endif
    }
    BIO_printf(bio_s_out, "ACCEPT\n");
@@ -1937,7 +1894,6 @@ int s_server_main(int argc, char *argv[])
    OPENSSL_free(dpass);
    X509_VERIFY_PARAM_free(vpm);
    free_sessions();
 #ifndef OPENSSL_NO_TLSEXT
    OPENSSL_free(tlscstatp.host);
    OPENSSL_free(tlscstatp.port);
    OPENSSL_free(tlscstatp.path);
@@ -1949,7 +1905,6 @@ int s_server_main(int argc, char *argv[])
    OPENSSL_free(next_proto.data);
 #endif
    OPENSSL_free(alpn_ctx.data);
 #endif
    ssl_excert_free(exc);
    sk_OPENSSL_STRING_free(ssl_args);
    SSL_CONF_CTX_free(cctx);
@@ -2018,7 +1973,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
    if (con == NULL) {
        con = SSL_new(ctx);
-#ifndef OPENSSL_NO_TLSEXT
+
        if (s_tlsextdebug) {
            SSL_set_tlsext_debug_callback(con, tlsext_cb);
            SSL_set_tlsext_debug_arg(con, bio_s_out);
@@ -2027,7 +1982,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
            SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
            SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
        }
-#endif
+
        if (context
                && !SSL_set_session_id_context(con,
                        context, strlen((char *)context))) {
@@ -2109,12 +2064,11 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
            SSL_set_msg_callback(con, msg_cb);
        SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
    }
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_tlsextdebug) {
        SSL_set_tlsext_debug_callback(con, tlsext_cb);
        SSL_set_tlsext_debug_arg(con, bio_s_out);
    }
 #endif
    width = s + 1;
    for (;;) {
@@ -2399,7 +2353,7 @@ static int init_ssl_connection(SSL *con)
    X509 *peer;
    long verify_error;
    char buf[BUFSIZ];
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    const unsigned char *next_proto_neg;
    unsigned next_proto_neg_len;
 #endif
@@ -2476,7 +2430,7 @@ static int init_ssl_connection(SSL *con)
 #endif
    BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
    if (next_proto_neg) {
        BIO_printf(bio_s_out, "NEXTPROTO is ");
@@ -2574,12 +2528,12 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
    if ((con = SSL_new(ctx)) == NULL)
        goto err;
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_tlsextdebug) {
        SSL_set_tlsext_debug_callback(con, tlsext_cb);
        SSL_set_tlsext_debug_arg(con, bio_s_out);
    }
-#endif
+
    if (context && !SSL_set_session_id_context(con, context,
                        strlen((char *)context)))
        goto err;
@@ -2920,12 +2874,11 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
    if ((con = SSL_new(ctx)) == NULL)
        goto err;
-#ifndef OPENSSL_NO_TLSEXT
+
    if (s_tlsextdebug) {
        SSL_set_tlsext_debug_callback(con, tlsext_cb);
        SSL_set_tlsext_debug_arg(con, bio_s_out);
    }
 #endif
    if (context && !SSL_set_session_id_context(con, context,
                        strlen((char *)context))) {
        ERR_print_errors(bio_err);
--- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -21,9 +21,6 @@ RFC5077 provide an enhanced session resumption capability where the server
 implementation is not required to maintain per session state. It only applies
 to TLS and there is no SSLv3 implementation.
 The callback is available when the OpenSSL library was built without 
 I<OPENSSL_NO_TLSEXT> being defined.
 The callback function I<cb> will be called for every client instigated TLS
 session when session ticket extension is presented in the TLS hello
 message. It is the responsibility of this function to create or retrieve the
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -338,8 +338,6 @@ typedef int (*tls_session_secret_cb_fn) (SSL *s, void *secret,
                                         STACK_OF(SSL_CIPHER) *peer_ciphers,
                                         SSL_CIPHER **cipher, void *arg);
 # ifndef OPENSSL_NO_TLSEXT
 /* Typedefs for handling custom extensions */
 typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type,
@@ -353,8 +351,6 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
                                    const unsigned char *in,
                                    size_t inlen, int *al, void *parse_arg);
 # endif
 /* Allow initial connection to servers that don't support RI */
 # define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 /* Removed from OpenSSL 0.9.8q and 1.0.0c */
@@ -771,12 +767,10 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
                                    unsigned *len);
 # endif
 # ifndef OPENSSL_NO_TLSEXT
 __owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                          const unsigned char *in, unsigned int inlen,
                          const unsigned char *client,
                          unsigned int client_len);
 # endif
 # define OPENSSL_NPN_UNSUPPORTED 0
 # define OPENSSL_NPN_NEGOTIATED  1
@@ -867,7 +861,6 @@ const char *SSL_get_psk_identity_hint(const SSL *s);
 const char *SSL_get_psk_identity(const SSL *s);
 # endif
 # ifndef OPENSSL_NO_TLSEXT
 /* Register callbacks to handle custom TLS Extensions for client or server. */
 __owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
@@ -886,8 +879,6 @@ __owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
 __owur int SSL_extension_supported(unsigned int ext_type);
 # endif
 # define SSL_NOTHING     1
 # define SSL_WRITING     2
 # define SSL_READING     3
@@ -1112,7 +1103,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SET_MAX_CERT_LIST              51
 # define SSL_CTRL_SET_MAX_SEND_FRAGMENT          52
 /* see tls1.h for macros based on these */
 # ifndef OPENSSL_NO_TLSEXT
 # define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB       53
 # define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG      54
 # define SSL_CTRL_SET_TLSEXT_HOSTNAME            55
@@ -1145,7 +1135,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #  define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING          86
 #  define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS      87
 # endif
 # endif                         /* OPENSSL_NO_TLSEXT */
 # define DTLS_CTRL_GET_TIMEOUT           73
 # define DTLS_CTRL_HANDLE_TIMEOUT        74
 # define DTLS_CTRL_LISTEN                        75
@@ -1390,7 +1379,6 @@ __owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d,
 __owur int SSL_use_certificate(SSL *ssl, X509 *x);
 __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 # ifndef OPENSSL_NO_TLSEXT
 /* Set serverinfo data for the current active cert. */
 __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
                           size_t serverinfo_length);
@@ -1398,8 +1386,6 @@ __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
 __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
 # endif                        /* NO_STDIO */
 # endif
 # ifndef OPENSSL_NO_STDIO
 __owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 __owur int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -311,8 +311,6 @@ extern "C" {
 # define TLSEXT_curve_P_256                              23
 # define TLSEXT_curve_P_384                              24
 # ifndef OPENSSL_NO_TLSEXT
 # define TLSEXT_MAXLEN_host_name 255
 __owur const char *SSL_get_servername(const SSL *s, const int type);
@@ -404,7 +402,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #  define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
        SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
 # endif
 # endif
 /* PSK ciphersuites from 4279 */
 # define TLS1_CK_PSK_WITH_RC4_128_SHA                    0x0300008A
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -405,7 +405,7 @@ int dtls1_connect(SSL *s)
                ret = ssl3_get_server_certificate(s);
                if (ret <= 0)
                    goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_CR_CERT_STATUS_A;
                else
@@ -414,12 +414,7 @@ int dtls1_connect(SSL *s)
                skip = 1;
                s->state = SSL3_ST_CR_KEY_EXCH_A;
            }
 #else
            } else
                skip = 1;
            s->state = SSL3_ST_CR_KEY_EXCH_A;
 #endif
            s->init_num = 0;
            break;
@@ -640,21 +635,17 @@ int dtls1_connect(SSL *s)
                         0, NULL);
 #endif
 #ifndef OPENSSL_NO_TLSEXT
                /*
                 * Allow NewSessionTicket if ticket expected
                 */
                if (s->tlsext_ticket_expected)
                    s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                else
 #endif
                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
            }
            s->init_num = 0;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_CR_SESSION_TICKET_A:
        case SSL3_ST_CR_SESSION_TICKET_B:
            ret = ssl3_get_new_session_ticket(s);
@@ -672,7 +663,6 @@ int dtls1_connect(SSL *s)
            s->state = SSL3_ST_CR_KEY_EXCH_A;
            s->init_num = 0;
            break;
 #endif
        case SSL3_ST_CR_FINISHED_A:
        case SSL3_ST_CR_FINISHED_B:
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -425,14 +425,10 @@ int dtls1_accept(SSL *s)
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                         sizeof(sctpauthkey), sctpauthkey);
 #endif
 #ifndef OPENSSL_NO_TLSEXT
                if (s->tlsext_ticket_expected)
                    s->state = SSL3_ST_SW_SESSION_TICKET_A;
                else
                    s->state = SSL3_ST_SW_CHANGE_A;
 #else
                s->state = SSL3_ST_SW_CHANGE_A;
 #endif
            } else
                s->state = SSL3_ST_SW_CERT_A;
            s->init_num = 0;
@@ -447,7 +443,7 @@ int dtls1_accept(SSL *s)
                ret = ssl3_send_server_certificate(s);
                if (ret <= 0)
                    goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_SW_CERT_STATUS_A;
                else
@@ -456,12 +452,6 @@ int dtls1_accept(SSL *s)
                skip = 1;
                s->state = SSL3_ST_SW_KEY_EXCH_A;
            }
 #else
            } else
                skip = 1;
            s->state = SSL3_ST_SW_KEY_EXCH_A;
 #endif
            s->init_num = 0;
            break;
@@ -712,16 +702,13 @@ int dtls1_accept(SSL *s)
            dtls1_stop_timer(s);
            if (s->hit)
                s->state = SSL_ST_OK;
 #ifndef OPENSSL_NO_TLSEXT
            else if (s->tlsext_ticket_expected)
                s->state = SSL3_ST_SW_SESSION_TICKET_A;
 #endif
            else
                s->state = SSL3_ST_SW_CHANGE_A;
            s->init_num = 0;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_SW_SESSION_TICKET_A:
        case SSL3_ST_SW_SESSION_TICKET_B:
            ret = ssl3_send_newsession_ticket(s);
@@ -740,8 +727,6 @@ int dtls1_accept(SSL *s)
            s->init_num = 0;
            break;
 #endif
        case SSL3_ST_SW_CHANGE_A:
        case SSL3_ST_SW_CHANGE_B:
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -165,9 +165,7 @@
 static int ssl_set_version(SSL *s);
 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
 #ifndef OPENSSL_NO_TLSEXT
 static int ssl3_check_finished(SSL *s);
 #endif
 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
                                    unsigned char *p,
                                    int (*put_cb) (const SSL_CIPHER *,
@@ -309,12 +307,10 @@ int ssl3_connect(SSL *s)
            if (s->hit) {
                s->state = SSL3_ST_CR_FINISHED_A;
 #ifndef OPENSSL_NO_TLSEXT
                if (s->tlsext_ticket_expected) {
                    /* receive renewed session ticket */
                    s->state = SSL3_ST_CR_SESSION_TICKET_A;
                }
 #endif
            } else {
                s->state = SSL3_ST_CR_CERT_A;
            }
@@ -322,7 +318,6 @@ int ssl3_connect(SSL *s)
            break;
        case SSL3_ST_CR_CERT_A:
        case SSL3_ST_CR_CERT_B:
 #ifndef OPENSSL_NO_TLSEXT
            /* Noop (ret = 0) for everything but EAP-FAST. */
            ret = ssl3_check_finished(s);
            if (ret < 0)
@@ -333,7 +328,7 @@ int ssl3_connect(SSL *s)
                s->init_num = 0;
                break;
            }
-#endif
+
            /* Check if it is anon DH/ECDH, SRP auth */
            /* or PSK */
            if (!
@@ -343,7 +338,7 @@ int ssl3_connect(SSL *s)
                ret = ssl3_get_server_certificate(s);
                if (ret <= 0)
                    goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_CR_CERT_STATUS_A;
                else
@@ -352,12 +347,7 @@ int ssl3_connect(SSL *s)
                skip = 1;
                s->state = SSL3_ST_CR_KEY_EXCH_A;
            }
 #else
            } else
                skip = 1;
            s->state = SSL3_ST_CR_KEY_EXCH_A;
 #endif
            s->init_num = 0;
            break;
@@ -470,7 +460,7 @@ int ssl3_connect(SSL *s)
            if (ret <= 0)
                goto end;
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
            s->state = SSL3_ST_CW_FINISHED_A;
 #else
            if (s->s3->next_proto_neg_seen)
@@ -505,7 +495,7 @@ int ssl3_connect(SSL *s)
            break;
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
        case SSL3_ST_CW_NEXT_PROTO_A:
        case SSL3_ST_CW_NEXT_PROTO_B:
            ret = ssl3_send_next_proto(s);
@@ -538,21 +528,17 @@ int ssl3_connect(SSL *s)
                    s->s3->delay_buf_pop_ret = 0;
                }
            } else {
 #ifndef OPENSSL_NO_TLSEXT
                /*
                 * Allow NewSessionTicket if ticket expected
                 */
                if (s->tlsext_ticket_expected)
                    s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                else
 #endif
                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
            }
            s->init_num = 0;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_CR_SESSION_TICKET_A:
        case SSL3_ST_CR_SESSION_TICKET_B:
            ret = ssl3_get_new_session_ticket(s);
@@ -570,7 +556,6 @@ int ssl3_connect(SSL *s)
            s->state = SSL3_ST_CR_KEY_EXCH_A;
            s->init_num = 0;
            break;
 #endif
        case SSL3_ST_CR_FINISHED_A:
        case SSL3_ST_CR_FINISHED_B:
@@ -783,15 +768,11 @@ int ssl3_client_hello(SSL *s)
            goto err;
        if ((sess == NULL) || (sess->ssl_version != s->version) ||
 #ifdef OPENSSL_NO_TLSEXT
            !sess->session_id_length ||
 #else
            /*
             * In the case of EAP-FAST, we can have a pre-shared
             * "ticket" without a session ID.
             */
            (!sess->session_id_length && !sess->tlsext_tick) ||
 #endif
            (sess->not_resumable)) {
            if (!ssl_get_new_session(s, 0))
                goto err;
@@ -922,7 +903,6 @@ int ssl3_client_hello(SSL *s)
 #endif
        *(p++) = 0;             /* Add the NULL method */
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions */
        if (ssl_prepare_clienthello_tlsext(s) <= 0) {
            SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
@@ -935,7 +915,6 @@ int ssl3_client_hello(SSL *s)
            SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            goto err;
        }
 #endif
        l = p - d;
        if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
@@ -1082,7 +1061,7 @@ int ssl3_get_server_hello(SSL *s)
        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
        goto f_err;
    }
-#ifndef OPENSSL_NO_TLSEXT
+
    /*
     * Check if we can resume the session based on external pre-shared secret.
     * EAP-FAST (RFC 4851) supports two types of session resumption.
@@ -1111,7 +1090,6 @@ int ssl3_get_server_hello(SSL *s)
            goto f_err;
        }
    }
 #endif                          /* OPENSSL_NO_TLSEXT */
    if (j != 0 && j == s->session->session_id_length
        && memcmp(p, s->session->session_id, j) == 0) {
@@ -1237,13 +1215,11 @@ int ssl3_get_server_hello(SSL *s)
    }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    /* TLS extensions */
    if (!ssl_parse_serverhello_tlsext(s, &p, d, n)) {
        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
        goto err;
    }
 #endif
    if (p != (d + n)) {
        /* wrong packet length */
@@ -2240,7 +2216,6 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
    return (X509_NAME_cmp(*a, *b));
 }
 #ifndef OPENSSL_NO_TLSEXT
 int ssl3_get_new_session_ticket(SSL *s)
 {
    int ok, al, ret = 0, ticklen;
@@ -2363,7 +2338,6 @@ int ssl3_get_cert_status(SSL *s)
    s->state = SSL_ST_ERR;
    return (-1);
 }
 #endif
 int ssl3_get_server_done(SSL *s)
 {
@@ -3457,7 +3431,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
    return (0);
 }
 #ifndef OPENSSL_NO_TLSEXT
 /*
 * Normally, we can tell if the server is resuming the session from
 * the session ID. EAP-FAST (RFC 4851), however, relies on the next server
@@ -3531,7 +3504,6 @@ int ssl3_send_next_proto(SSL *s)
    return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
 }
 #endif
 #endif
 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
 {
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2908,9 +2908,7 @@ void ssl3_free(SSL *s)
    BIO_free(s->s3->handshake_buffer);
    if (s->s3->handshake_dgst)
        ssl3_free_digest_list(s);
 #ifndef OPENSSL_NO_TLSEXT
    OPENSSL_free(s->s3->alpn_selected);
 #endif
 #ifndef OPENSSL_NO_SRP
    SSL_SRP_CTX_free(s);
@@ -2939,12 +2937,8 @@ void ssl3_clear(SSL *s)
 #ifndef OPENSSL_NO_EC
    EC_KEY_free(s->s3->tmp.ecdh);
    s->s3->tmp.ecdh = NULL;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 # ifndef OPENSSL_NO_EC
    s->s3->is_probably_safari = 0;
 #endif                         /* !OPENSSL_NO_EC */
 #endif                          /* !OPENSSL_NO_TLSEXT */
    init_extra = s->s3->init_extra;
    BIO_free(s->s3->handshake_buffer);
@@ -2952,12 +2946,12 @@ void ssl3_clear(SSL *s)
    if (s->s3->handshake_dgst) {
        ssl3_free_digest_list(s);
    }
-#if !defined(OPENSSL_NO_TLSEXT)
+
    if (s->s3->alpn_selected) {
        free(s->s3->alpn_selected);
        s->s3->alpn_selected = NULL;
    }
-#endif
+
    memset(s->s3, 0, sizeof(*s->s3));
    s->s3->init_extra = init_extra;
@@ -2969,7 +2963,7 @@ void ssl3_clear(SSL *s)
    s->s3->in_read_app_data = 0;
    s->version = SSL3_VERSION;
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    OPENSSL_free(s->next_proto_negotiated);
    s->next_proto_negotiated = NULL;
    s->next_proto_negotiated_len = 0;
@@ -3109,7 +3103,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
            return (ret);
        }
 #endif                          /* !OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_TLSEXT
    case SSL_CTRL_SET_TLSEXT_HOSTNAME:
        if (larg == TLSEXT_NAMETYPE_host_name) {
            OPENSSL_free(s->tlsext_hostname);
@@ -3193,8 +3186,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        break;
 #endif
 #endif                          /* !OPENSSL_NO_TLSEXT */
    case SSL_CTRL_CHAIN:
        if (larg)
            return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
@@ -3443,12 +3434,11 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
        }
        break;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
        s->tlsext_debug_cb = (void (*)(SSL *, int, int,
                                       unsigned char *, int, void *))fp;
        break;
-#endif
+
    case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
        {
            s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
@@ -3578,7 +3568,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
            return (0);
        }
 #endif                          /* !OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_TLSEXT
    case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
        ctx->tlsext_servername_arg = parg;
        break;
@@ -3650,11 +3639,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
                                    &ctx->tlsext_ellipticcurvelist_length,
                                    parg);
 #  ifndef OPENSSL_NO_EC
    case SSL_CTRL_SET_ECDH_AUTO:
        ctx->cert->ecdh_tmp_auto = larg;
        return 1;
 #  endif
 #endif
    case SSL_CTRL_SET_SIGALGS:
        return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@ -3680,8 +3667,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
    case SSL_CTRL_SET_CHAIN_CERT_STORE:
        return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
 #endif                          /* !OPENSSL_NO_TLSEXT */
        /* A Thawte special :-) */
    case SSL_CTRL_EXTRA_CHAIN_CERT:
        if (ctx->extra_certs == NULL) {
@@ -3759,7 +3744,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
        }
        break;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
        ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
        break;
@@ -3790,7 +3774,6 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
        ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
            (char *(*)(SSL *, void *))fp;
        break;
 # endif
 #endif
    case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
        {
@@ -3927,7 +3910,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
        }
 #ifndef OPENSSL_NO_TLSEXT
 # ifndef OPENSSL_NO_EC
        /*
         * if we are considering an ECC cipher suite that uses an ephemeral
@@ -3936,7 +3918,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
        if (alg_k & SSL_kECDHE)
            ok = ok && tls1_check_ec_tmp_key(s, c->id);
 # endif                         /* OPENSSL_NO_EC */
 #endif                          /* OPENSSL_NO_TLSEXT */
        if (!ok)
            continue;
@@ -3946,7 +3927,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
            if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
                              c->strength_bits, 0, c))
                continue;
-#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+#if !defined(OPENSSL_NO_EC)
            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
                && s->s3->is_probably_safari) {
                if (!ret)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -387,19 +387,15 @@ int ssl3_accept(SSL *s)
            ret = ssl3_send_server_hello(s);
            if (ret <= 0)
                goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
            if (s->hit) {
                if (s->tlsext_ticket_expected)
                    s->state = SSL3_ST_SW_SESSION_TICKET_A;
                else
                    s->state = SSL3_ST_SW_CHANGE_A;
-            }
+            } else {
 #else
            if (s->hit)
                s->state = SSL3_ST_SW_CHANGE_A;
 #endif
            else
                s->state = SSL3_ST_SW_CERT_A;
            }
            s->init_num = 0;
            break;
@@ -414,7 +410,7 @@ int ssl3_accept(SSL *s)
                ret = ssl3_send_server_certificate(s);
                if (ret <= 0)
                    goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_SW_CERT_STATUS_A;
                else
@@ -423,12 +419,6 @@ int ssl3_accept(SSL *s)
                skip = 1;
                s->state = SSL3_ST_SW_KEY_EXCH_A;
            }
 #else
            } else
                skip = 1;
            s->state = SSL3_ST_SW_KEY_EXCH_A;
 #endif
            s->init_num = 0;
            break;
@@ -587,7 +577,7 @@ int ssl3_accept(SSL *s)
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
                s->state = SSL3_ST_SR_FINISHED_A;
 #else
                if (s->s3->next_proto_neg_seen)
@@ -666,7 +656,7 @@ int ssl3_accept(SSL *s)
            if (ret <= 0)
                goto end;
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
            s->state = SSL3_ST_SR_FINISHED_A;
 #else
            if (s->s3->next_proto_neg_seen)
@@ -677,7 +667,7 @@ int ssl3_accept(SSL *s)
            s->init_num = 0;
            break;
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
        case SSL3_ST_SR_NEXT_PROTO_A:
        case SSL3_ST_SR_NEXT_PROTO_B:
            /*
@@ -718,16 +708,13 @@ int ssl3_accept(SSL *s)
                goto end;
            if (s->hit)
                s->state = SSL_ST_OK;
 #ifndef OPENSSL_NO_TLSEXT
            else if (s->tlsext_ticket_expected)
                s->state = SSL3_ST_SW_SESSION_TICKET_A;
 #endif
            else
                s->state = SSL3_ST_SW_CHANGE_A;
            s->init_num = 0;
            break;
 #ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_SW_SESSION_TICKET_A:
        case SSL3_ST_SW_SESSION_TICKET_B:
            ret = ssl3_send_newsession_ticket(s);
@@ -746,8 +733,6 @@ int ssl3_accept(SSL *s)
            s->init_num = 0;
            break;
 #endif
        case SSL3_ST_SW_CHANGE_A:
        case SSL3_ST_SW_CHANGE_B:
@@ -790,7 +775,7 @@ int ssl3_accept(SSL *s)
                goto end;
            s->state = SSL3_ST_SW_FLUSH;
            if (s->hit) {
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
                s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
 #else
                if (s->s3->next_proto_neg_seen) {
@@ -1361,7 +1346,6 @@ int ssl3_get_client_hello(SSL *s)
        }
    }
 #ifndef OPENSSL_NO_TLSEXT
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
        if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) {
@@ -1418,7 +1402,6 @@ int ssl3_get_client_hello(SSL *s)
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
 #endif
    /*
     * Worst case, we will use the NULL compression, but if we have other
@@ -1602,13 +1585,13 @@ int ssl3_send_server_hello(SSL *s)
    if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
        buf = (unsigned char *)s->init_buf->data;
-#ifdef OPENSSL_NO_TLSEXT
+
        p = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
            s->state = SSL_ST_ERR;
            return -1;
        }
-#endif
+
        /* Do the message type and length last */
        d = p = ssl_handshake_start(s);
@@ -1663,7 +1646,7 @@ int ssl3_send_server_hello(SSL *s)
        else
            *(p++) = s->s3->tmp.new_compression->id;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
+
        if (ssl_prepare_serverhello_tlsext(s) <= 0) {
            SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
            s->state = SSL_ST_ERR;
@@ -1677,7 +1660,7 @@ int ssl3_send_server_hello(SSL *s)
            s->state = SSL_ST_ERR;
            return -1;
        }
-#endif
+
        /* do the header */
        l = (p - d);
        if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
@@ -3266,7 +3249,6 @@ int ssl3_send_server_certificate(SSL *s)
    return ssl_do_write(s);
 }
 #ifndef OPENSSL_NO_TLSEXT
 /* send a new session ticket (not necessarily for a new session) */
 int ssl3_send_newsession_ticket(SSL *s)
 {
@@ -3535,8 +3517,6 @@ int ssl3_get_next_proto(SSL *s)
 }
 #endif
 #endif
 #define SSLV2_CIPHER_LEN    3
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p,
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -101,11 +101,9 @@ typedef struct {
    X509 *peer;
    ASN1_OCTET_STRING *session_id_context;
    long verify_result;
 #ifndef OPENSSL_NO_TLSEXT
    ASN1_OCTET_STRING *tlsext_hostname;
    long tlsext_tick_lifetime_hint;
    ASN1_OCTET_STRING *tlsext_tick;
 #endif
 #ifndef OPENSSL_NO_PSK
    ASN1_OCTET_STRING *psk_identity_hint;
    ASN1_OCTET_STRING *psk_identity;
@@ -128,17 +126,13 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = {
    ASN1_EXP_OPT(SSL_SESSION_ASN1, peer, X509, 3),
    ASN1_EXP_OPT(SSL_SESSION_ASN1, session_id_context, ASN1_OCTET_STRING, 4),
    ASN1_EXP_OPT(SSL_SESSION_ASN1, verify_result, ZLONG, 5),
 #ifndef OPENSSL_NO_TLSEXT
    ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_hostname, ASN1_OCTET_STRING, 6),
 #endif
 #ifndef OPENSSL_NO_PSK
    ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity_hint, ASN1_OCTET_STRING, 7),
    ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity, ASN1_OCTET_STRING, 8),
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_lifetime_hint, ZLONG, 9),
    ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick, ASN1_OCTET_STRING, 10),
 #endif
    ASN1_EXP_OPT(SSL_SESSION_ASN1, comp_id, ASN1_OCTET_STRING, 11),
 #ifndef OPENSSL_NO_SRP
    ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12),
@@ -185,9 +179,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
    unsigned char comp_id_data;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    ASN1_OCTET_STRING tlsext_hostname, tlsext_tick;
 #endif
 #ifndef OPENSSL_NO_SRP
    ASN1_OCTET_STRING srp_username;
@@ -238,7 +230,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
    as.peer = in->peer;
 #ifndef OPENSSL_NO_TLSEXT
    ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname,
                      in->tlsext_hostname);
    if (in->tlsext_tick) {
@@ -247,7 +238,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
    }
    if (in->tlsext_tick_lifetime_hint > 0)
        as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint;
 #endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_PSK
    ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint,
                      in->psk_identity_hint);
@@ -373,10 +363,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
    /* NB: this defaults to zero which is X509_V_OK */
    ret->verify_result = as->verify_result;
 #ifndef OPENSSL_NO_TLSEXT
    if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname))
        goto err;
 #endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_PSK
    if (!ssl_session_strndup(&ret->psk_identity_hint, as->psk_identity_hint))
@@ -385,7 +373,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
        goto err;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
    if (as->tlsext_tick) {
        ret->tlsext_tick = as->tlsext_tick->data;
@@ -394,7 +381,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
    } else {
        ret->tlsext_tick = NULL;
    }
 #endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_COMP
    if (as->comp_id) {
        if (as->comp_id->length != 1) {
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -265,7 +265,7 @@ CERT *ssl_cert_dup(CERT *cert)
                goto err;
            }
        }
-#ifndef OPENSSL_NO_TLSEXT
+        rpk->valid_flags = 0;
        if (cert->pkeys[i].serverinfo != NULL) {
            /* Just copy everything. */
            ret->pkeys[i].serverinfo =
@@ -280,7 +280,6 @@ CERT *ssl_cert_dup(CERT *cert)
                   cert->pkeys[i].serverinfo,
                   cert->pkeys[i].serverinfo_length);
        }
 #endif
    }
    ret->references = 1;
@@ -334,12 +333,10 @@ CERT *ssl_cert_dup(CERT *cert)
    ret->sec_level = cert->sec_level;
    ret->sec_ex = cert->sec_ex;
 #ifndef OPENSSL_NO_TLSEXT
    if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
        goto err;
    if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
        goto err;
 #endif
    return (ret);
@@ -364,11 +361,9 @@ void ssl_cert_clear_certs(CERT *c)
        cpk->privatekey = NULL;
        sk_X509_pop_free(cpk->chain, X509_free);
        cpk->chain = NULL;
 #ifndef OPENSSL_NO_TLSEXT
        OPENSSL_free(cpk->serverinfo);
        cpk->serverinfo = NULL;
        cpk->serverinfo_length = 0;
 #endif
    }
 }
@@ -409,10 +404,8 @@ void ssl_cert_free(CERT *c)
    OPENSSL_free(c->ctypes);
    X509_STORE_free(c->verify_store);
    X509_STORE_free(c->chain_store);
 #ifndef OPENSSL_NO_TLSEXT
    custom_exts_free(&c->cli_ext);
    custom_exts_free(&c->srv_ext);
 #endif
    OPENSSL_free(c);
 }
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -433,9 +433,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
    SSL_CONF_CMD_SWITCH("bugs", 0),
    SSL_CONF_CMD_SWITCH("no_comp", 0),
    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
 #ifndef OPENSSL_NO_TLSEXT
    SSL_CONF_CMD_SWITCH("no_ticket", 0),
 #endif
    SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
    SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
@@ -477,9 +475,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
    {SSL_OP_ALL, 0},            /* bugs */
    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
 #ifndef OPENSSL_NO_TLSEXT
    {SSL_OP_NO_TICKET, 0},      /* no_ticket */
 #endif
    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
    /* legacy_renegotiation */
    {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -315,7 +315,6 @@ SSL *SSL_new(SSL_CTX *ctx)
    CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
    s->ctx = ctx;
 #ifndef OPENSSL_NO_TLSEXT
    s->tlsext_debug_cb = 0;
    s->tlsext_debug_arg = NULL;
    s->tlsext_ticket_expected = 0;
@@ -360,7 +359,6 @@ SSL *SSL_new(SSL_CTX *ctx)
               s->ctx->alpn_client_proto_list_len);
        s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
    }
 #endif
    s->verify_result = X509_V_OK;
@@ -557,7 +555,6 @@ void SSL_free(SSL *s)
    ssl_cert_free(s->cert);
    /* Free up if allocated */
 #ifndef OPENSSL_NO_TLSEXT
    OPENSSL_free(s->tlsext_hostname);
    SSL_CTX_free(s->initial_ctx);
 #ifndef OPENSSL_NO_EC
@@ -568,7 +565,6 @@ void SSL_free(SSL *s)
    sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
    OPENSSL_free(s->tlsext_ocsp_resp);
    OPENSSL_free(s->alpn_client_proto_list);
 #endif
    sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
@@ -579,7 +575,7 @@ void SSL_free(SSL *s)
    SSL_CTX_free(s->ctx);
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
    OPENSSL_free(s->next_proto_negotiated);
 #endif
@@ -1394,7 +1390,6 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
    return (buf);
 }
 #ifndef OPENSSL_NO_TLSEXT
 /** return a servername extension value if provided in Client Hello, or NULL.
 * So far, only host_name types are defined (RFC 3546).
 */
@@ -1610,7 +1605,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
        *len = ssl->s3->alpn_selected_len;
 }
 #endif                          /* !OPENSSL_NO_TLSEXT */
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                               const char *label, size_t llen,
@@ -1765,7 +1759,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
    ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 #ifndef OPENSSL_NO_TLSEXT
    ret->tlsext_servername_callback = 0;
    ret->tlsext_servername_arg = NULL;
    /* Setup RFC4507 ticket keys */
@@ -1781,7 +1774,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
    ret->next_protos_advertised_cb = 0;
    ret->next_proto_select_cb = 0;
 #endif
 #endif
 #ifndef OPENSSL_NO_PSK
    ret->psk_identity_hint = NULL;
    ret->psk_client_callback = NULL;
@@ -1881,13 +1873,11 @@ void SSL_CTX_free(SSL_CTX *a)
        ENGINE_finish(a->client_cert_engine);
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
    OPENSSL_free(a->tlsext_ecpointformatlist);
    OPENSSL_free(a->tlsext_ellipticcurvelist);
 #endif
    OPENSSL_free(a->alpn_client_proto_list);
 #endif
    OPENSSL_free(a);
 }
@@ -2273,7 +2263,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
    return c->pkeys[idx].privatekey;
 }
 #ifndef OPENSSL_NO_TLSEXT
 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                   size_t *serverinfo_length)
 {
@@ -2293,7 +2282,6 @@ int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
    *serverinfo_length = c->pkeys[i].serverinfo_length;
    return 1;
 }
 #endif
 void ssl_update_cache(SSL *s, int mode)
 {
@@ -2818,10 +2806,8 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
    CERT *new_cert;
    if (ssl->ctx == ctx)
        return ssl->ctx;
 #ifndef OPENSSL_NO_TLSEXT
    if (ctx == NULL)
        ctx = ssl->initial_ctx;
 #endif
    new_cert = ssl_cert_dup(ctx->cert);
    if (new_cert == NULL) {
        return NULL;
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -652,7 +652,6 @@ struct ssl_session_st {
     * implement a maximum cache size.
     */
    struct ssl_session_st *prev, *next;
 # ifndef OPENSSL_NO_TLSEXT
    char *tlsext_hostname;
 # ifndef OPENSSL_NO_EC
    size_t tlsext_ecpointformatlist_length;
@@ -664,7 +663,6 @@ struct ssl_session_st {
    unsigned char *tlsext_tick; /* Session ticket */
    size_t tlsext_ticklen;      /* Session ticket length */
    unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 # endif
 # ifndef OPENSSL_NO_SRP
    char *srp_username;
 # endif
@@ -850,7 +848,6 @@ struct ssl_ctx_st {
    ENGINE *client_cert_engine;
 #  endif
 #  ifndef OPENSSL_NO_TLSEXT
    /* TLS extensions servername callback */
    int (*tlsext_servername_callback) (SSL *, int *, void *);
    void *tlsext_servername_arg;
@@ -868,7 +865,6 @@ struct ssl_ctx_st {
    /* Callback for status request */
    int (*tlsext_status_cb) (SSL *ssl, void *arg);
    void *tlsext_status_arg;
 #  endif
 #  ifndef OPENSSL_NO_PSK
    char *psk_identity_hint;
@@ -886,8 +882,6 @@ struct ssl_ctx_st {
    SRP_CTX srp_ctx;            /* ctx for SRP authentication */
 #  endif
 #  ifndef OPENSSL_NO_TLSEXT
 #  ifndef OPENSSL_NO_NEXTPROTONEG
    /* Next protocol negotiation information */
    /* (for experimental NPN extension). */
@@ -941,7 +935,6 @@ struct ssl_ctx_st {
    /* SRTP profiles we are willing to do from RFC 5764 */
    STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
 #  endif
    /*
     * Callback for disabling session caching and ticket support on a session
     * basis, depending on the chosen cipher.
@@ -1096,7 +1089,7 @@ struct ssl_st {
    /* what was passed, used for SSLv3/TLS rollback check */
    int client_version;
    unsigned int max_send_fragment;
-#  ifndef OPENSSL_NO_TLSEXT
+
    /* TLS extension debug callback */
    void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
                             unsigned char *data, int len, void *arg);
@@ -1172,9 +1165,7 @@ struct ssl_st {
     */
    unsigned char *alpn_client_proto_list;
    unsigned alpn_client_proto_list_len;
-#  else
+
 #   define session_ctx ctx
 #  endif                        /* OPENSSL_NO_TLSEXT */
    /*-
     * 1 if we are renegotiating.
     * 2 if we are a server and are inside a handshake
@@ -1328,8 +1319,6 @@ typedef struct ssl3_state_st {
    int next_proto_neg_seen;
 #  endif
 #  ifndef OPENSSL_NO_TLSEXT
    /*
     * ALPN information (we are in the process of transitioning from NPN to
     * ALPN.)
@@ -1351,8 +1340,6 @@ typedef struct ssl3_state_st {
     */
    char is_probably_safari;
 #   endif                       /* !OPENSSL_NO_EC */
 #  endif                        /* !OPENSSL_NO_TLSEXT */
 } SSL3_STATE;
@@ -1462,7 +1449,7 @@ typedef struct cert_pkey_st {
    EVP_PKEY *privatekey;
    /* Chain for this certificate */
    STACK_OF(X509) *chain;
-# ifndef OPENSSL_NO_TLSEXT
+
    /*-
     * serverinfo data for this certificate.  The data is in TLS Extension
     * wire format, specifically it's a series of records like:
@@ -1472,7 +1459,6 @@ typedef struct cert_pkey_st {
     */
    unsigned char *serverinfo;
    size_t serverinfo_length;
 # endif
 } CERT_PKEY;
 /* Retrieve Suite B flags */
 # define tls1_suiteb(s)  (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
@@ -1916,10 +1902,8 @@ int ssl_undefined_function(SSL *s);
 __owur int ssl_undefined_void_function(void);
 __owur int ssl_undefined_const_function(const SSL *s);
 __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
 #  ifndef OPENSSL_NO_TLSEXT
 __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                   size_t *serverinfo_length);
 #  endif
 __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
 __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
 void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
@@ -2031,11 +2015,9 @@ __owur int ssl3_send_client_key_exchange(SSL *s);
 __owur int ssl3_get_key_exchange(SSL *s);
 __owur int ssl3_get_server_certificate(SSL *s);
 __owur int ssl3_check_cert_and_algorithm(SSL *s);
 #  ifndef OPENSSL_NO_TLSEXT
 #  ifndef OPENSSL_NO_NEXTPROTONEG
 __owur int ssl3_send_next_proto(SSL *s);
 #  endif
 #  endif
 int dtls1_client_hello(SSL *s);
@@ -2106,7 +2088,6 @@ __owur int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
 __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
 #  endif                        /* OPENSSL_NO_EC */
 #  ifndef OPENSSL_NO_TLSEXT
 __owur int tls1_shared_list(SSL *s,
                     const unsigned char *l1, size_t l1len,
                     const unsigned char *l2, size_t l2len, int nmatch);
@@ -2145,7 +2126,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
                     int idx);
 void tls1_set_cert_validity(SSL *s);
 #  endif
 #  ifndef OPENSSL_NO_DH
 __owur DH *ssl_get_auto_dh(SSL *s);
 #  endif
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -738,7 +738,6 @@ int SSL_use_certificate_chain_file(SSL *ssl, const char *file)
 }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 static int serverinfo_find_extension(const unsigned char *serverinfo,
                                     size_t serverinfo_length,
                                     unsigned int extension_type,
@@ -1001,4 +1000,3 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
    return ret;
 }
 #endif                         /* OPENSSL_NO_STDIO */
 #endif                          /* OPENSSL_NO_TLSEXT */
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -207,14 +207,12 @@ SSL_SESSION *SSL_SESSION_new(void)
    ss->prev = NULL;
    ss->next = NULL;
    ss->compress_meth = 0;
 #ifndef OPENSSL_NO_TLSEXT
    ss->tlsext_hostname = NULL;
 #ifndef OPENSSL_NO_EC
    ss->tlsext_ecpointformatlist_length = 0;
    ss->tlsext_ecpointformatlist = NULL;
    ss->tlsext_ellipticcurvelist_length = 0;
    ss->tlsext_ellipticcurvelist = NULL;
 # endif
 #endif
    CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 #ifndef OPENSSL_NO_PSK
@@ -322,7 +320,7 @@ int ssl_get_new_session(SSL *s, int session)
            SSL_SESSION_free(ss);
            return (0);
        }
-#ifndef OPENSSL_NO_TLSEXT
+
        /*-
         * If RFC5077 ticket, use empty session ID (as server).
         * Note that:
@@ -342,7 +340,7 @@ int ssl_get_new_session(SSL *s, int session)
            ss->session_id_length = 0;
            goto sess_id_done;
        }
-#endif
+
        /* Choose which callback will set the session ID */
        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
        if (s->generate_session_id)
@@ -378,7 +376,7 @@ int ssl_get_new_session(SSL *s, int session)
            SSL_SESSION_free(ss);
            return (0);
        }
-#ifndef OPENSSL_NO_TLSEXT
+
 sess_id_done:
        if (s->tlsext_hostname) {
            ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
@@ -388,7 +386,6 @@ int ssl_get_new_session(SSL *s, int session)
                return 0;
            }
        }
 #endif
    } else {
        ss->session_id_length = 0;
    }
@@ -435,9 +432,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
    SSL_SESSION *ret = NULL;
    int fatal = 0;
    int try_session_cache = 1;
 #ifndef OPENSSL_NO_TLSEXT
    int r;
 #endif
    if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
        goto err;
@@ -450,7 +445,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
    if (len == 0)
        try_session_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
    /* sets s->tlsext_ticket_expected */
    r = tls1_process_ticket(s, session_id, len, limit, &ret);
    switch (r) {
@@ -467,7 +461,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
    default:
        abort();
    }
 #endif
    if (try_session_cache &&
        ret == NULL &&
@@ -589,7 +582,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 err:
    if (ret != NULL) {
        SSL_SESSION_free(ret);
-#ifndef OPENSSL_NO_TLSEXT
+
        if (!try_session_cache) {
            /*
             * The session was from a ticket, so we should issue a ticket for
@@ -597,7 +590,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
             */
            s->tlsext_ticket_expected = 1;
        }
 #endif
    }
    if (fatal)
        return -1;
@@ -734,7 +726,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
    ssl_sess_cert_free(ss->sess_cert);
    X509_free(ss->peer);
    sk_SSL_CIPHER_free(ss->ciphers);
 #ifndef OPENSSL_NO_TLSEXT
    OPENSSL_free(ss->tlsext_hostname);
    OPENSSL_free(ss->tlsext_tick);
 #ifndef OPENSSL_NO_EC
@@ -743,7 +734,6 @@ void SSL_SESSION_free(SSL_SESSION *ss)
    ss->tlsext_ellipticcurvelist_length = 0;
    OPENSSL_free(ss->tlsext_ellipticcurvelist);
 #endif                         /* OPENSSL_NO_EC */
 #endif
 #ifndef OPENSSL_NO_PSK
    OPENSSL_free(ss->psk_identity_hint);
    OPENSSL_free(ss->psk_identity);
@@ -877,7 +867,6 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
    return (s->session_timeout);
 }
 #ifndef OPENSSL_NO_TLSEXT
 int SSL_set_session_secret_cb(SSL *s,
                              int (*tls_session_secret_cb) (SSL *s,
                                                            void *secret,
@@ -932,7 +921,6 @@ int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
    return 0;
 }
 #endif                          /* OPENSSL_NO_TLSEXT */
 typedef struct timeout_param_st {
    SSL_CTX *ctx;
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -182,7 +182,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
    if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
        goto err;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
    if (x->tlsext_tick_lifetime_hint) {
        if (BIO_printf(bp,
                       "\n    TLS session ticket lifetime hint: %ld (seconds)",
@@ -196,7 +195,6 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
            <= 0)
            goto err;
    }
 #endif
 #ifndef OPENSSL_NO_COMP
    if (x->compress_meth != 0) {
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -57,7 +57,6 @@
 #include "ssl_locl.h"
 #ifndef OPENSSL_NO_TLSEXT
 /* Find a custom extension from the list. */
 static custom_ext_method *custom_ext_find(custom_ext_methods *exts,
@@ -291,4 +290,3 @@ int SSL_extension_supported(unsigned int ext_type)
        return 0;
    }
 }
 #endif
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -123,13 +123,11 @@
 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
 #ifndef OPENSSL_NO_TLSEXT
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                              const unsigned char *sess_id, int sesslen,
                              SSL_SESSION **psess);
 static int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
 #endif
 SSL3_ENC_METHOD const TLSv1_enc_data = {
    tls1_enc,
@@ -208,9 +206,7 @@ int tls1_new(SSL *s)
 void tls1_free(SSL *s)
 {
 #ifndef OPENSSL_NO_TLSEXT
    OPENSSL_free(s->tlsext_session_ticket);
 #endif                          /* OPENSSL_NO_TLSEXT */
    ssl3_free(s);
 }
@@ -912,8 +908,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 #endif                          /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_TLSEXT
 /*
 * List of supported signature algorithms and hashes. Should make this
 * customisable at some point, for now include everything we support.
@@ -4174,7 +4168,6 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
    return tls1_check_chain(s, x, pk, chain, -1);
 }
 #endif
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -289,7 +289,6 @@ $cflags.=" -DOPENSSL_NO_DH"   if $no_dh;
 $cflags.=" -DOPENSSL_NO_WHIRLPOOL"   if $no_whirlpool;
 $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_SRP" if $no_srp;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
@@ -1391,7 +1390,6 @@ sub read_options
 		"gaswin" => \$gaswin,
 		"no-ssl3" => \$no_ssl3,
 		"no-ssl3-method" => 0,
 		"no-tlsext" => \$no_tlsext,
 		"no-srp" => \$no_srp,
 		"no-cms" => \$no_cms,
 		"no-jpake" => \$no_jpake,
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -81,7 +81,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 # Engines
 			 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
 			 # TLS
-			 "TLSEXT", "PSK", "SRP", "HEARTBEATS",
+			 "PSK", "SRP", "HEARTBEATS",
 			 # CMS
 			 "CMS",
 			 # CryptoAPI Engine
@@ -124,7 +124,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_aes;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
-my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
+my $no_psk; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method; my $no_ocb;
@@ -213,7 +213,6 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-engine$/)	{ $no_engine=1; }
 	elsif (/^no-hw$/)	{ $no_hw=1; }
 	elsif (/^no-gmp$/)	{ $no_gmp=1; }
 	elsif (/^no-tlsext$/)	{ $no_tlsext=1; }
 	elsif (/^no-cms$/)	{ $no_cms=1; }
 	elsif (/^no-ec2m$/)	{ $no_ec2m=1; }
 	elsif (/^no-ec-nistp224-64-gcc-128$/)	{ $no_nistp_gcc=1; }
@@ -1198,7 +1197,6 @@ sub is_valid
 			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
 			if ($keyword eq "GMP" && $no_gmp) { return 0; }
 			if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 			if ($keyword eq "PSK" && $no_psk) { return 0; }
 			if ($keyword eq "CMS" && $no_cms) { return 0; }
 			if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -240,8 +240,8 @@ SSL_CTX_sess_get_new_cb                 287	EXIST::FUNCTION:
 SSL_CTX_get_client_cert_cb              288	EXIST::FUNCTION:
 SSL_CTX_sess_get_remove_cb              289	EXIST::FUNCTION:
 SSL_set_SSL_CTX                         290	EXIST::FUNCTION:
-SSL_get_servername                      291	EXIST::FUNCTION:TLSEXT
+SSL_get_servername                      291	EXIST::FUNCTION:
-SSL_get_servername_type                 292	EXIST::FUNCTION:TLSEXT
+SSL_get_servername_type                 292	EXIST::FUNCTION:
 SSL_CTX_set_client_cert_engine          293	EXIST::FUNCTION:ENGINE
 SSL_CTX_use_psk_identity_hint           294	EXIST::FUNCTION:PSK
 SSL_CTX_set_psk_client_callback         295	EXIST::FUNCTION:PSK
@@ -309,21 +309,21 @@ SSL_CIPHER_get_id                       349	EXIST::FUNCTION:
 TLSv1_2_method                          350	EXIST::FUNCTION:
 SSL_SESSION_get_id_len                  351	NOEXIST::FUNCTION:
 kssl_ctx_get0_client_princ              352	NOEXIST::FUNCTION:
-SSL_export_keying_material              353	EXIST::FUNCTION:TLSEXT
+SSL_export_keying_material              353	EXIST::FUNCTION:
 SSL_set_tlsext_use_srtp                 354	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_protos_advertised_cb   355	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_protos_adv_cb          355	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_get0_next_proto_negotiated          356	EXIST::FUNCTION:NEXTPROTONEG
 SSL_get_selected_srtp_profile           357	EXIST::FUNCTION:SRTP
 SSL_CTX_set_tlsext_use_srtp             358	EXIST::FUNCTION:SRTP
-SSL_select_next_proto                   359	EXIST::FUNCTION:TLSEXT
+SSL_select_next_proto                   359	EXIST::FUNCTION:
 SSL_get_srtp_profiles                   360	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_proto_select_cb        361	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_proto_sel_cb           361	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_SESSION_get_compress_id             362	EXIST::FUNCTION:
 SSL_get0_param                          363	EXIST::FUNCTION:
 SSL_CTX_get0_privatekey                 364	EXIST::FUNCTION:
-SSL_get_shared_sigalgs                  365	EXIST::FUNCTION:TLSEXT
+SSL_get_shared_sigalgs                  365	EXIST::FUNCTION:
 SSL_CONF_CTX_finish                     366	EXIST::FUNCTION:
 DTLS_method                             367	EXIST::FUNCTION:
 DTLS_client_method                      368	EXIST::FUNCTION:
@@ -336,40 +336,40 @@ SSL_COMP_set0_compress_methods          374	NOEXIST::FUNCTION:
 SSL_COMP_set0_compression_methods       374	EXIST:!VMS:FUNCTION:
 SSL_COMP_set0_compr_methods             374	EXIST:VMS:FUNCTION:
 SSL_CTX_set_cert_cb                     375	EXIST::FUNCTION:
-SSL_CTX_add_client_custom_ext           376	EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_client_custom_ext           376	EXIST::FUNCTION:
 SSL_is_server                           377	EXIST::FUNCTION:
 SSL_CTX_get0_param                      378	EXIST::FUNCTION:
 SSL_CONF_cmd                            379	EXIST::FUNCTION:
 SSL_CTX_get_ssl_method                  380	EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl_ctx                381	EXIST::FUNCTION:
 SSL_CIPHER_find                         382	EXIST::FUNCTION:
-SSL_CTX_use_serverinfo                  383	EXIST::FUNCTION:TLSEXT
+SSL_CTX_use_serverinfo                  383	EXIST::FUNCTION:
 DTLSv1_2_client_method                  384	EXIST::FUNCTION:
 SSL_get0_alpn_selected                  385	EXIST::FUNCTION:
 SSL_CONF_CTX_clear_flags                386	EXIST::FUNCTION:
 SSL_CTX_set_alpn_protos                 387	EXIST::FUNCTION:
-SSL_CTX_add_server_custom_ext           389	EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_server_custom_ext           389	EXIST::FUNCTION:
 SSL_CTX_get0_certificate                390	EXIST::FUNCTION:
 SSL_CTX_set_alpn_select_cb              391	EXIST::FUNCTION:
 SSL_CONF_cmd_value_type                 392	EXIST::FUNCTION:
 SSL_set_cert_cb                         393	EXIST::FUNCTION:
-SSL_get_sigalgs                         394	EXIST::FUNCTION:TLSEXT
+SSL_get_sigalgs                         394	EXIST::FUNCTION:
 SSL_CONF_CTX_set1_prefix                395	EXIST::FUNCTION:
 SSL_CONF_CTX_new                        396	EXIST::FUNCTION:
 SSL_CONF_CTX_set_flags                  397	EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl                    398	EXIST::FUNCTION:
-SSL_check_chain                         399	EXIST::FUNCTION:TLSEXT
+SSL_check_chain                         399	EXIST::FUNCTION:
 SSL_certs_clear                         400	EXIST::FUNCTION:
 SSL_CONF_CTX_free                       401	EXIST::FUNCTION:
 SSL_trace                               402	EXIST::FUNCTION:SSL_TRACE
 SSL_CTX_set_cli_supp_data               403	NOEXIST::FUNCTION:
 DTLSv1_2_method                         404	EXIST::FUNCTION:
 DTLS_server_method                      405	EXIST::FUNCTION:
-SSL_CTX_use_serverinfo_file             406	EXIST::FUNCTION:STDIO,TLSEXT
+SSL_CTX_use_serverinfo_file             406	EXIST::FUNCTION:STDIO
 SSL_COMP_free_compress_methods          407	NOEXIST::FUNCTION:
 SSL_COMP_free_compression_methods       407	EXIST:!VMS:FUNCTION:
 SSL_COMP_free_compr_methods             407	EXIST:VMS:FUNCTION:
-SSL_extension_supported                 409	EXIST::FUNCTION:TLSEXT
+SSL_extension_supported                 409	EXIST::FUNCTION:
 SSL_CTX_get_security_callback           410	EXIST::FUNCTION:
 SSL_SESSION_print_keylog                411	EXIST::FUNCTION:
 SSL_CTX_set_not_resumable_session_callback 412	EXIST:!VMS:FUNCTION: