Remove SSL_OP_LEGACY_SERVER_CONNECT from default options.

Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
SSL_OP_ALL define. This means that we will now refuse to connect to a
TLSv1.2 server if it does not support the Renegotiation Indication (RI)
extension. This prevents a class of attacks against TLS clients that are
talking to TLSv1.2-only servers that permit client initiated renegotiation.

Raised by Lucca Hirschi et al from Inria.

ok beck@ tb@

lib/libssl/ssl.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.250 2026/04/03 13:11:00 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.251 2026/06/14 14:25:55 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -402,8 +402,7 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
 #define SSL_OP_NO_DTLSv1_2				0x80000000L
 
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
-#define SSL_OP_ALL \
-    (SSL_OP_LEGACY_SERVER_CONNECT)
+#define SSL_OP_ALL					0x0
 
 /* Obsolete flags kept for compatibility. No sane code should use them. */
 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION	0x0

lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.334 2026/05/09 11:29:51 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.335 2026/06/14 14:25:55 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2178,11 +2178,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
 	ret->tlsext_status_cb = 0;
 	ret->tlsext_status_arg = NULL;
 
-	/*
-	 * Default is to connect to non-RI servers. When RI is more widely
-	 * deployed might change this.
-	 */
-	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+	ret->options = 0;
 
 	return (ret);
  err: