diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 4ad73af722b..28ee7f56bcd 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.250 2026/04/03 13:11:00 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.251 2026/06/14 14:25:55 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -402,8 +402,7 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
 #define SSL_OP_NO_DTLSv1_2 0x80000000L
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
-#define SSL_OP_ALL \
- (SSL_OP_LEGACY_SERVER_CONNECT)
+#define SSL_OP_ALL 0x0
 /* Obsolete flags kept for compatibility. No sane code should use them. */
 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 8cce4460361..b81713a637a 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.334 2026/05/09 11:29:51 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.335 2026/06/14 14:25:55 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2178,11 +2178,7 @@ SSL_CTX_new(const SSL_METHOD *meth)
 ret->tlsext_status_cb = 0;
 ret->tlsext_status_arg = NULL;
- /*
- * Default is to connect to non-RI servers. When RI is more widely
- * deployed might change this.
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+ ret->options = 0;
 return (ret);
 err:
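Review bot: The comment kept above the new `#define SSL_OP_ALL 0x0` in ssl.h still describes the macro as "various bug workarounds", but it now expands to zero and enables nothing, so a caller passing SSL_OP_ALL no longer gets SSL_OP_LEGACY_SERVER_CONNECT through it. I would reword the comment along the lines of `/* SSL_OP_ALL: no workarounds remain; kept for compatibility and expands to zero. */`. Whether SSL_OP_LEGACY_SERVER_CONNECT itself keeps a non-zero value is not visible in this hunk; if it does, a note at its definition that it is now strictly opt-in would help.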
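Review bot: `ret->options = 0;` in SSL_CTX_new replaces an OR with a plain assignment and drops the only comment explaining the default, so the security-relevant change is undocumented where it happens. Presumably a new context now refuses servers that lack renegotiation indication unless the caller sets SSL_OP_LEGACY_SERVER_CONNECT. A short comment such as `/* No options by default; legacy (non-RI) server connect must be requested explicitly. */` would record that intent. The function body starts outside the hunk, so I cannot tell whether the structure is zero-allocated, which would make the assignment redundant, or whether an earlier line sets option bits, which it would silently discard. The diff as shown touches only ssl.h and ssl_lib.c, so any manual page text describing this option as on by default would need a matching update.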