Bug 525652 - dev-libs/openssl: add USE flags to control SSL 2.0/SSL 3.0/TLS
Summary: dev-libs/openssl: add USE flags to control SSL 2.0/SSL 3.0/TLS
Status: RESOLVED DUPLICATE of bug 510798
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-17 11:47 UTC by Zoltán Halassy
Modified: 2014-10-20 17:30 UTC

See Also:
Package list:
Runtime testing required: ---
Description Zoltán Halassy 2014-10-17 11:47:21 UTC
From https://www.openssl.org/news/secadv_20141015.txt

Build option no-ssl3 is incomplete (CVE-2014-3568)
==================================================

Severity: Low

When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc. 

This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.

The fix was developed by Akamai and the OpenSSL team.
--------------------------------------------------

To mitigate the POODLE attack (CVE-2014-3566) package-wise (for clients which do not implement TLS_FALLBACK_SCSV), dev-libs/openssl should provide a way to apply the no-ssl3 build option to configure. Target ebuilds should be those which support this option properly (1.0.1j+, 1.0.0o+, 0.9.8z-p3+).
Comment 1 SpanKY gentoo-dev 2014-10-19 04:46:45 UTC
we do not support negative USE flags

the openssl Configure script allows control over SSL 2.0/3.0 and TLS (1.x).  no point in adding a USE flag for just one of those.
Comment 2 SpanKY gentoo-dev 2014-10-20 17:30:33 UTC

*** This bug has been marked as a duplicate of bug 510798 ***