Remove support for OPENSSL_NO_TLSEXT

Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/Configure b/Configure
index f0a8acc..6cc05bd 100755
--- a/Configure
+++ b/Configure
@@ -1086,10 +1086,6 @@
 	$disabled{"tls1"} = "forced";
 	}
 
-if (defined($disabled{"tls1"}))
-	{
-	$disabled{"tlsext"} = "forced";
-	}
 
 if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
     || defined($disabled{"dh"}))
@@ -1097,12 +1093,6 @@
 	$disabled{"gost"} = "forced";
 	}
 
-# SRP and HEARTBEATS require TLSEXT
-if (defined($disabled{"tlsext"}))
-	{
-	$disabled{"srp"} = "forced";
-	$disabled{"heartbeats"} = "forced";
-	}
 
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {
diff --git a/INSTALL.VMS b/INSTALL.VMS
index 084b279..8f0d847 100644
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -136,7 +136,7 @@
                         DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
                         ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
                         MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
-                        SEED, SOCK, SRP, SRTP, TLSEXT, WHIRLPOOL.  So, for
+                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
                         example, having the logical name OPENSSL_NO_RSA with
                         the value YES means that the LIBCRYPTO.OLB library
                         will not contain an RSA implementation.
diff --git a/apps/apps.c b/apps/apps.c
index ab6eb40..593c036 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2202,7 +2202,6 @@
 
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
 /*-
  * next_protos_parse parses a comma separated list of strings into a string
  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -2238,7 +2237,6 @@
     *outlen = len + 1;
     return out;
 }
-#endif                          /* ndef OPENSSL_NO_TLSEXT */
 
 void print_cert_checks(BIO *bio, X509 *x,
                        const char *checkhost,
diff --git a/apps/apps.h b/apps/apps.h
index 7033d2e..33b2e65 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -514,9 +514,7 @@
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # endif
 
-# ifndef OPENSSL_NO_TLSEXT
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
-# endif                         /* ndef OPENSSL_NO_TLSEXT */
 
 void print_cert_checks(BIO *bio, X509 *x,
                        const char *checkhost,
diff --git a/apps/s_client.c b/apps/s_client.c
index c3c5bce..8c5412c 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -198,9 +198,7 @@
 static int c_brief = 0;
 
 static void print_stuff(BIO *berr, SSL *con, int full);
-#ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
-#endif
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -269,8 +267,6 @@
 }
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
     BIO *biodebug;
@@ -289,7 +285,7 @@
     return SSL_TLSEXT_ERR_OK;
 }
 
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
 
 /* This is a context that we pass to all callbacks */
 typedef struct srp_arg_st {
@@ -301,7 +297,7 @@
     int strength /* minimal size for N */ ;
 } SRP_ARG;
 
-#  define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
+# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
 
 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
 {
@@ -377,7 +373,7 @@
     return 0;
 }
 
-#  define PWD_STRLEN 1024
+# define PWD_STRLEN 1024
 
 static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
 {
@@ -398,11 +394,11 @@
     return pass;
 }
 
-# endif
+#endif
 
 char *srtp_profiles = NULL;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /* This the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
     unsigned char *data;
@@ -435,7 +431,7 @@
         SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
     return SSL_TLSEXT_ERR_OK;
 }
-# endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
+#endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
 
 static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
                                    const unsigned char *in, size_t inlen,
@@ -457,8 +453,6 @@
     return 1;
 }
 
-#endif
-
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY,
@@ -563,7 +557,6 @@
     {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"},
 #endif
     {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
-#ifndef OPENSSL_NO_TLSEXT
     {"servername", OPT_SERVERNAME, 's',
      "Set TLS extension servername in ClientHello"},
     {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
@@ -573,10 +566,9 @@
      "types  Send empty ClientHello extensions (comma-separated numbers)"},
     {"alpn", OPT_ALPN, 's',
      "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     {"nextprotoneg", OPT_NEXTPROTONEG, 's',
      "Enable NPN extension, considering named protocols supported (comma-separated list)"},
-# endif
 #endif
     {"CRL", OPT_CRL, '<'},
     {"crl_download", OPT_CRL_DOWNLOAD, '-'},
@@ -673,16 +665,14 @@
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
     struct timeval tv;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     char *servername = NULL;
     const char *alpn_in = NULL;
     tlsextctx tlsextcbp = { NULL, 0 };
-# define MAX_SI_TYPES 100
+#define MAX_SI_TYPES 100
     unsigned short serverinfo_types[MAX_SI_TYPES];
     int serverinfo_count = 0, start = 0, len;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
-# endif
 #endif
 #ifndef OPENSSL_NO_SRP
     char *srppass = NULL;
@@ -870,14 +860,12 @@
         case OPT_DEBUG:
             c_debug = 1;
             break;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_TLSEXTDEBUG:
             c_tlsextdebug = 1;
             break;
         case OPT_STATUS:
             c_status_req = 1;
             break;
-#endif
 #ifdef WATT32
         case OPT_WDEBUG:
             dbug_init();
@@ -1027,7 +1015,6 @@
         case OPT_VERIFYCAFILE:
             vfyCAfile = opt_arg();
             break;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_NEXTPROTONEG:
             next_proto_neg_in = opt_arg();
             break;
@@ -1046,16 +1033,13 @@
                 }
             }
             break;
-#endif
         case OPT_STARTTLS:
             if (!opt_pair(opt_arg(), services, &starttls_proto))
                 goto end;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_SERVERNAME:
             servername = opt_arg();
             /* meth=TLSv1_client_method(); */
             break;
-#endif
 #ifndef OPENSSL_NO_JPAKE
         case OPT_JPAKE:
             jpake_secret = opt_arg();
@@ -1101,7 +1085,7 @@
     }
 #endif
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     next_proto.status = -1;
     if (next_proto_neg_in) {
         next_proto.data =
@@ -1250,11 +1234,10 @@
     if (exc)
         ssl_ctx_set_excert(ctx, exc);
 
-#if !defined(OPENSSL_NO_TLSEXT)
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto.data)
         SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
-# endif
+#endif
     if (alpn_in) {
         unsigned short alpn_len;
         unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
@@ -1270,8 +1253,7 @@
         }
         OPENSSL_free(alpn);
     }
-#endif
-#ifndef OPENSSL_NO_TLSEXT
+
     for (i = 0; i < serverinfo_count; i++) {
         if (!SSL_CTX_add_client_custom_ext(ctx,
                                            serverinfo_types[i],
@@ -1282,7 +1264,6 @@
                     serverinfo_types[i]);
         }
     }
-#endif
 
     if (state)
         SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
@@ -1299,7 +1280,6 @@
     if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
         goto end;
 
-#ifndef OPENSSL_NO_TLSEXT
     if (servername != NULL) {
         tlsextcbp.biodebug = bio_err;
         SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
@@ -1321,7 +1301,6 @@
                                                   ssl_srp_verify_param_cb);
     }
 # endif
-#endif
 
     con = SSL_new(ctx);
     if (sess_in) {
@@ -1350,7 +1329,6 @@
     if (fallback_scsv)
         SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
 
-#ifndef OPENSSL_NO_TLSEXT
     if (servername != NULL) {
         if (!SSL_set_tlsext_host_name(con, servername)) {
             BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
@@ -1358,7 +1336,6 @@
             goto end;
         }
     }
-#endif
 
  re_start:
 #ifdef NO_SYS_UN_H
@@ -1449,7 +1426,7 @@
             SSL_set_msg_callback(con, msg_cb);
         SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
     }
-#ifndef OPENSSL_NO_TLSEXT
+
     if (c_tlsextdebug) {
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_c_out);
@@ -1459,7 +1436,6 @@
         SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
     }
-#endif
 #ifndef OPENSSL_NO_JPAKE
     if (jpake_secret)
         jpake_client_auth(bio_c_out, sbio, jpake_secret);
@@ -1680,13 +1656,13 @@
             tty_on = 1;
             if (in_init) {
                 in_init = 0;
-#ifndef OPENSSL_NO_TLSEXT
+
                 if (servername != NULL && !SSL_session_reused(con)) {
                     BIO_printf(bio_c_out,
                                "Server did %sacknowledge servername extension.\n",
                                tlsextcbp.ack ? "" : "not ");
                 }
-#endif
+
                 if (sess_out) {
                     BIO *stmp = BIO_new_file(sess_out, "w");
                     if (stmp) {
@@ -2028,7 +2004,7 @@
             print_stuff(bio_c_out, con, 1);
         SSL_free(con);
     }
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     OPENSSL_free(next_proto.data);
 #endif
     SSL_CTX_free(ctx);
@@ -2155,8 +2131,7 @@
     }
 #endif
 
-#if !defined(OPENSSL_NO_TLSEXT)
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto.status != -1) {
         const unsigned char *proto;
         unsigned int proto_len;
@@ -2165,7 +2140,7 @@
         BIO_write(bio, proto, proto_len);
         BIO_write(bio, "\n", 1);
     }
-# endif
+#endif
     {
         const unsigned char *proto;
         unsigned int proto_len;
@@ -2177,7 +2152,6 @@
         } else
             BIO_printf(bio, "No ALPN negotiated\n");
     }
-#endif
 
 #ifndef OPENSSL_NO_SRTP
     {
@@ -2216,8 +2190,6 @@
     (void)BIO_flush(bio);
 }
 
-#ifndef OPENSSL_NO_TLSEXT
-
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
     const unsigned char *p;
@@ -2241,5 +2213,3 @@
     OCSP_RESPONSE_free(rsp);
     return 1;
 }
-
-#endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 5500cea..6bbabcc 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -218,9 +218,7 @@
 static int accept_socket = -1;
 
 #define TEST_CERT       "server.pem"
-#ifndef OPENSSL_NO_TLSEXT
-# define TEST_CERT2      "server2.pem"
-#endif
+#define TEST_CERT2      "server2.pem"
 
 extern int verify_depth, verify_return_error, verify_quiet;
 
@@ -229,9 +227,7 @@
 static const char *s_cert_file = TEST_CERT, *s_key_file =
     NULL, *s_chain_file = NULL;
 
-#ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
-#endif
 static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
 #ifdef FIONBIO
 static int s_nbio = 0;
@@ -239,19 +235,15 @@
 static int s_nbio_test = 0;
 int s_crlf = 0;
 static SSL_CTX *ctx = NULL;
-#ifndef OPENSSL_NO_TLSEXT
 static SSL_CTX *ctx2 = NULL;
-#endif
 static int www = 0;
 
 static BIO *bio_s_out = NULL;
 static BIO *bio_s_msg = NULL;
 static int s_debug = 0;
-#ifndef OPENSSL_NO_TLSEXT
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
 static int cert_status_cb(SSL *s, void *arg);
-#endif
 static int no_resume_ephemeral = 0;
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -272,12 +264,9 @@
 static int cert_chain = 0;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
 static BIO *serverinfo_in = NULL;
 static const char *s_serverinfo_file = NULL;
 
-#endif
-
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity = "Client_identity";
 char *psk_key = NULL;           /* by default PSK is not used */
@@ -401,11 +390,9 @@
     s_cert_file = TEST_CERT;
     s_key_file = NULL;
     s_chain_file = NULL;
-#ifndef OPENSSL_NO_TLSEXT
     s_cert_file2 = TEST_CERT2;
     s_key_file2 = NULL;
     ctx2 = NULL;
-#endif
     s_nbio = 0;
     s_nbio_test = 0;
     ctx = NULL;
@@ -575,8 +562,6 @@
 }
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-
 /* This is a context that we pass to callbacks */
 typedef struct tlsextctx_st {
     char *servername;
@@ -732,7 +717,7 @@
     goto done;
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /* This is the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
     unsigned char *data;
@@ -749,7 +734,7 @@
 
     return SSL_TLSEXT_ERR_OK;
 }
-# endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
+#endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
 
 /* This the context that we pass to alpn_cb */
 typedef struct tlsextalpnctx_st {
@@ -789,7 +774,6 @@
 
     return SSL_TLSEXT_ERR_OK;
 }
-#endif                          /* ndef OPENSSL_NO_TLSEXT */
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
 {
@@ -849,10 +833,8 @@
      "Turn on peer certificate verification, must have a cert"},
     {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
     {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"},
-#ifndef OPENSSL_NO_TLSEXT
     {"serverinfo", OPT_SERVERINFO, 's',
      "PEM serverinfo file for certificate"},
-#endif
     {"certform", OPT_CERTFORM, 'F',
      "Certificate format (PEM or DER) PEM default"},
     {"key", OPT_KEY, '<',
@@ -924,7 +906,6 @@
      "Generate SSL/TLS session IDs prefixed by arg"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
-#ifndef OPENSSL_NO_TLSEXT
     {"servername", OPT_SERVERNAME, 's',
      "Servername for HostName TLS extension"},
     {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
@@ -935,15 +916,14 @@
      "-Private Key file to use for servername if not in -cert2"},
     {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
      "Hex dump of all TLS extensions received"},
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     {"nextprotoneg", OPT_NEXTPROTONEG, 's',
      "Set the advertised protocols for the NPN extension (comma-separated list)"},
-# endif
+#endif
     {"use_srtp", OPT_SRTP_PROFILES, '<',
      "Offer SRTP key management with a colon-separated profile list"},
     {"alpn", OPT_ALPN, 's',
      "Set the advertised protocols for the ALPN extension (comma-separated list)"},
-#endif
     {"keymatexport", OPT_KEYMATEXPORT, 's',
      "Export keying material using label"},
     {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
@@ -1016,17 +996,15 @@
     unsigned short port = PORT;
     unsigned char *context = NULL;
     OPTION_CHOICE o;
-#ifndef OPENSSL_NO_TLSEXT
     EVP_PKEY *s_key2 = NULL;
     X509 *s_cert2 = NULL;
     tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
     tlsextnextprotoctx next_proto = { NULL, 0 };
-# endif
+#endif
     const char *alpn_in = NULL;
     tlsextalpnctx alpn_ctx = { NULL, 0 };
-#endif
 #ifndef OPENSSL_NO_PSK
     /* by default do not send a PSK identity hint */
     static char *psk_identity_hint = NULL;
@@ -1122,11 +1100,9 @@
         case OPT_CRL_DOWNLOAD:
             crl_download = 1;
             break;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_SERVERINFO:
             s_serverinfo_file = opt_arg();
             break;
-#endif
         case OPT_CERTFORM:
             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
                 goto opthelp;
@@ -1241,7 +1217,6 @@
         case OPT_DEBUG:
             s_debug = 1;
             break;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_TLSEXTDEBUG:
             s_tlsextdebug = 1;
             break;
@@ -1265,7 +1240,6 @@
                 goto end;
             }
             break;
-#endif
         case OPT_MSG:
             s_msg = 1;
             break;
@@ -1395,7 +1369,6 @@
         case OPT_RAND:
             inrand = opt_arg();
             break;
-#ifndef OPENSSL_NO_TLSEXT
         case OPT_SERVERNAME:
             tlsextcbp.servername = opt_arg();
             break;
@@ -1408,15 +1381,14 @@
         case OPT_KEY2:
             s_key_file2 = opt_arg();
             break;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
         case OPT_NEXTPROTONEG:
             next_proto_neg_in = opt_arg();
             break;
-# endif
+#endif
         case OPT_ALPN:
             alpn_in = opt_arg();
             break;
-#endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
         case OPT_JPAKE:
             jpake_secret = opt_arg();
@@ -1468,10 +1440,9 @@
 
     if (s_key_file == NULL)
         s_key_file = s_cert_file;
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_key_file2 == NULL)
         s_key_file2 = s_cert_file2;
-#endif
 
     if (!load_excert(&exc))
         goto end;
@@ -1497,7 +1468,7 @@
             if (!s_chain)
                 goto end;
         }
-#ifndef OPENSSL_NO_TLSEXT
+
         if (tlsextcbp.servername) {
             s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e,
                               "second server certificate private key file");
@@ -1514,10 +1485,8 @@
                 goto end;
             }
         }
-#endif                          /* OPENSSL_NO_TLSEXT */
     }
-#if !defined(OPENSSL_NO_TLSEXT)
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto_neg_in) {
         unsigned short len;
         next_proto.data = next_protos_parse(&len, next_proto_neg_in);
@@ -1527,7 +1496,7 @@
     } else {
         next_proto.data = NULL;
     }
-# endif
+#endif
     alpn_ctx.data = NULL;
     if (alpn_in) {
         unsigned short len;
@@ -1536,7 +1505,6 @@
             goto end;
         alpn_ctx.len = len;
     }
-#endif
 
     if (crl_file) {
         X509_CRL *crl;
@@ -1610,10 +1578,8 @@
         s_key_file = NULL;
         s_dcert_file = NULL;
         s_dkey_file = NULL;
-#ifndef OPENSSL_NO_TLSEXT
         s_cert_file2 = NULL;
         s_key_file2 = NULL;
-#endif
     }
 
     ctx = SSL_CTX_new(meth);
@@ -1678,7 +1644,7 @@
         ERR_print_errors(bio_err);
         goto end;
     }
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_cert2) {
         ctx2 = SSL_CTX_new(meth);
         if (ctx2 == NULL) {
@@ -1732,14 +1698,13 @@
         if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL))
             goto end;
     }
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     if (next_proto.data)
         SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
                                               &next_proto);
-# endif
+#endif
     if (alpn_ctx.data)
         SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
-#endif
 
 #ifndef OPENSSL_NO_DH
     if (!no_dhe) {
@@ -1765,7 +1730,7 @@
             DH_free(dh);
             goto end;
         }
-# ifndef OPENSSL_NO_TLSEXT
+
         if (ctx2) {
             if (!dhfile) {
                 DH *dh2 = load_dh_param(s_cert_file2);
@@ -1786,24 +1751,22 @@
                 goto end;
             }
         }
-# endif
         DH_free(dh);
     }
 #endif
 
     if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
         goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_serverinfo_file != NULL
         && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
         ERR_print_errors(bio_err);
         goto end;
     }
-#endif
-#ifndef OPENSSL_NO_TLSEXT
+
     if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
         goto end;
-#endif
+
     if (s_dcert != NULL) {
         if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
             goto end;
@@ -1811,21 +1774,18 @@
 #ifndef OPENSSL_NO_RSA
     if (!no_tmp_rsa) {
         SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
-#  ifndef OPENSSL_NO_TLSEXT
         if (ctx2)
             SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
-#  endif
     }
 #endif
 
     if (no_resume_ephemeral) {
         SSL_CTX_set_not_resumable_session_callback(ctx,
                                                    not_resumable_sess_cb);
-#ifndef OPENSSL_NO_TLSEXT
+
         if (ctx2)
             SSL_CTX_set_not_resumable_session_callback(ctx2,
                                                        not_resumable_sess_cb);
-#endif
     }
 #ifndef OPENSSL_NO_PSK
 # ifdef OPENSSL_NO_JPAKE
@@ -1860,7 +1820,6 @@
     SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
     SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
 
-#ifndef OPENSSL_NO_TLSEXT
     if (ctx2) {
         SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
         if (!SSL_CTX_set_session_id_context(ctx2,
@@ -1876,7 +1835,6 @@
         SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
         SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
     }
-#endif
 
 #ifndef OPENSSL_NO_SRP
     if (srp_verifier_file != NULL) {
@@ -1898,10 +1856,9 @@
 #endif
     if (CAfile != NULL) {
         SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-#ifndef OPENSSL_NO_TLSEXT
+
         if (ctx2)
             SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
-#endif
     }
 
     BIO_printf(bio_s_out, "ACCEPT\n");
@@ -1937,7 +1894,6 @@
     OPENSSL_free(dpass);
     X509_VERIFY_PARAM_free(vpm);
     free_sessions();
-#ifndef OPENSSL_NO_TLSEXT
     OPENSSL_free(tlscstatp.host);
     OPENSSL_free(tlscstatp.port);
     OPENSSL_free(tlscstatp.path);
@@ -1945,11 +1901,10 @@
     X509_free(s_cert2);
     EVP_PKEY_free(s_key2);
     BIO_free(serverinfo_in);
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     OPENSSL_free(next_proto.data);
-# endif
-    OPENSSL_free(alpn_ctx.data);
 #endif
+    OPENSSL_free(alpn_ctx.data);
     ssl_excert_free(exc);
     sk_OPENSSL_STRING_free(ssl_args);
     SSL_CONF_CTX_free(cctx);
@@ -2018,7 +1973,7 @@
 
     if (con == NULL) {
         con = SSL_new(ctx);
-#ifndef OPENSSL_NO_TLSEXT
+
         if (s_tlsextdebug) {
             SSL_set_tlsext_debug_callback(con, tlsext_cb);
             SSL_set_tlsext_debug_arg(con, bio_s_out);
@@ -2027,7 +1982,7 @@
             SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
             SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
         }
-#endif
+
         if (context
                 && !SSL_set_session_id_context(con,
                         context, strlen((char *)context))) {
@@ -2109,12 +2064,11 @@
             SSL_set_msg_callback(con, msg_cb);
         SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
     }
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_tlsextdebug) {
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_s_out);
     }
-#endif
 
     width = s + 1;
     for (;;) {
@@ -2399,7 +2353,7 @@
     X509 *peer;
     long verify_error;
     char buf[BUFSIZ];
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     const unsigned char *next_proto_neg;
     unsigned next_proto_neg_len;
 #endif
@@ -2476,7 +2430,7 @@
 #endif
     BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
     if (next_proto_neg) {
         BIO_printf(bio_s_out, "NEXTPROTO is ");
@@ -2574,12 +2528,12 @@
 
     if ((con = SSL_new(ctx)) == NULL)
         goto err;
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_tlsextdebug) {
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_s_out);
     }
-#endif
+
     if (context && !SSL_set_session_id_context(con, context,
                         strlen((char *)context)))
         goto err;
@@ -2920,12 +2874,11 @@
 
     if ((con = SSL_new(ctx)) == NULL)
         goto err;
-#ifndef OPENSSL_NO_TLSEXT
+
     if (s_tlsextdebug) {
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_s_out);
     }
-#endif
     if (context && !SSL_set_session_id_context(con, context,
                         strlen((char *)context))) {
         ERR_print_errors(bio_err);
diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
index af203b8..4e9fd84 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -21,9 +21,6 @@
 implementation is not required to maintain per session state. It only applies
 to TLS and there is no SSLv3 implementation.
 
-The callback is available when the OpenSSL library was built without 
-I<OPENSSL_NO_TLSEXT> being defined.
-
 The callback function I<cb> will be called for every client instigated TLS
 session when session ticket extension is presented in the TLS hello
 message. It is the responsibility of this function to create or retrieve the
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index a93145b..9694e24 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -338,8 +338,6 @@
                                          STACK_OF(SSL_CIPHER) *peer_ciphers,
                                          SSL_CIPHER **cipher, void *arg);
 
-# ifndef OPENSSL_NO_TLSEXT
-
 /* Typedefs for handling custom extensions */
 
 typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type,
@@ -353,8 +351,6 @@
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *parse_arg);
 
-# endif
-
 /* Allow initial connection to servers that don't support RI */
 # define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 /* Removed from OpenSSL 0.9.8q and 1.0.0c */
@@ -771,12 +767,10 @@
                                     unsigned *len);
 # endif
 
-# ifndef OPENSSL_NO_TLSEXT
 __owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                           const unsigned char *in, unsigned int inlen,
                           const unsigned char *client,
                           unsigned int client_len);
-# endif
 
 # define OPENSSL_NPN_UNSUPPORTED 0
 # define OPENSSL_NPN_NEGOTIATED  1
@@ -867,7 +861,6 @@
 const char *SSL_get_psk_identity(const SSL *s);
 # endif
 
-# ifndef OPENSSL_NO_TLSEXT
 /* Register callbacks to handle custom TLS Extensions for client or server. */
 
 __owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
@@ -886,8 +879,6 @@
 
 __owur int SSL_extension_supported(unsigned int ext_type);
 
-# endif
-
 # define SSL_NOTHING     1
 # define SSL_WRITING     2
 # define SSL_READING     3
@@ -1112,40 +1103,38 @@
 # define SSL_CTRL_SET_MAX_CERT_LIST              51
 # define SSL_CTRL_SET_MAX_SEND_FRAGMENT          52
 /* see tls1.h for macros based on these */
-# ifndef OPENSSL_NO_TLSEXT
-#  define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB       53
-#  define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG      54
-#  define SSL_CTRL_SET_TLSEXT_HOSTNAME            55
-#  define SSL_CTRL_SET_TLSEXT_DEBUG_CB            56
-#  define SSL_CTRL_SET_TLSEXT_DEBUG_ARG           57
-#  define SSL_CTRL_GET_TLSEXT_TICKET_KEYS         58
-#  define SSL_CTRL_SET_TLSEXT_TICKET_KEYS         59
-/*#  define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT    60 */
-/*#  define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */
-/*#  define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB       63
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG   64
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE     65
-#  define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS     66
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS     67
-#  define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS      68
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS      69
-#  define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP        70
-#  define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP        71
-#  define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB       72
-#  define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB    75
-#  define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB                76
-#  define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB             77
-#  define SSL_CTRL_SET_SRP_ARG            78
-#  define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME               79
-#  define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH               80
-#  define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD               81
-#  ifndef OPENSSL_NO_HEARTBEATS
-#   define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT                         85
-#   define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING          86
-#   define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS      87
-#  endif
-# endif                         /* OPENSSL_NO_TLSEXT */
+# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB       53
+# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG      54
+# define SSL_CTRL_SET_TLSEXT_HOSTNAME            55
+# define SSL_CTRL_SET_TLSEXT_DEBUG_CB            56
+# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG           57
+# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS         58
+# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS         59
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT    60 */
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */
+/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB       63
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG   64
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE     65
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS     66
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS     67
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS      68
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS      69
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP        70
+# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP        71
+# define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB       72
+# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB    75
+# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB                76
+# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB             77
+# define SSL_CTRL_SET_SRP_ARG            78
+# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME               79
+# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH               80
+# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD               81
+# ifndef OPENSSL_NO_HEARTBEATS
+#  define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT                         85
+#  define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING          86
+#  define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS      87
+# endif
 # define DTLS_CTRL_GET_TIMEOUT           73
 # define DTLS_CTRL_HANDLE_TIMEOUT        74
 # define DTLS_CTRL_LISTEN                        75
@@ -1390,15 +1379,12 @@
 __owur int SSL_use_certificate(SSL *ssl, X509 *x);
 __owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 
-# ifndef OPENSSL_NO_TLSEXT
 /* Set serverinfo data for the current active cert. */
 __owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
                            size_t serverinfo_length);
-#  ifndef OPENSSL_NO_STDIO
+# ifndef OPENSSL_NO_STDIO
 __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
-#  endif                        /* NO_STDIO */
-
-# endif
+# endif                        /* NO_STDIO */
 
 # ifndef OPENSSL_NO_STDIO
 __owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index d107396..40205e1 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -311,9 +311,7 @@
 # define TLSEXT_curve_P_256                              23
 # define TLSEXT_curve_P_384                              24
 
-# ifndef OPENSSL_NO_TLSEXT
-
-#  define TLSEXT_MAXLEN_host_name 255
+# define TLSEXT_MAXLEN_host_name 255
 
 __owur const char *SSL_get_servername(const SSL *s, const int type);
 __owur int SSL_get_servername_type(const SSL *s);
@@ -339,71 +337,70 @@
 
 __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
 
-#  define SSL_set_tlsext_host_name(s,name) \
+# define SSL_set_tlsext_host_name(s,name) \
 SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
 
-#  define SSL_set_tlsext_debug_callback(ssl, cb) \
+# define SSL_set_tlsext_debug_callback(ssl, cb) \
 SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb)
 
-#  define SSL_set_tlsext_debug_arg(ssl, arg) \
+# define SSL_set_tlsext_debug_arg(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg)
 
-#  define SSL_set_tlsext_status_type(ssl, type) \
+# define SSL_set_tlsext_status_type(ssl, type) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL)
 
-#  define SSL_get_tlsext_status_exts(ssl, arg) \
+# define SSL_get_tlsext_status_exts(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg)
 
-#  define SSL_set_tlsext_status_exts(ssl, arg) \
+# define SSL_set_tlsext_status_exts(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS,0, (void *)arg)
 
-#  define SSL_get_tlsext_status_ids(ssl, arg) \
+# define SSL_get_tlsext_status_ids(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg)
 
-#  define SSL_set_tlsext_status_ids(ssl, arg) \
+# define SSL_set_tlsext_status_ids(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg)
 
-#  define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \
+# define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \
 SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0, (void *)arg)
 
-#  define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \
+# define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \
 SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void *)arg)
 
-#  define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
+# define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
 
-#  define SSL_TLSEXT_ERR_OK 0
-#  define SSL_TLSEXT_ERR_ALERT_WARNING 1
-#  define SSL_TLSEXT_ERR_ALERT_FATAL 2
-#  define SSL_TLSEXT_ERR_NOACK 3
+# define SSL_TLSEXT_ERR_OK 0
+# define SSL_TLSEXT_ERR_ALERT_WARNING 1
+# define SSL_TLSEXT_ERR_ALERT_FATAL 2
+# define SSL_TLSEXT_ERR_NOACK 3
 
-#  define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
+# define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
 
-#  define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \
+# define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \
         SSL_CTX_ctrl((ctx),SSL_CTRL_GET_TLSEXT_TICKET_KEYS,(keylen),(keys))
-#  define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
+# define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
         SSL_CTX_ctrl((ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,(keylen),(keys))
 
-#  define SSL_CTX_set_tlsext_status_cb(ssl, cb) \
+# define SSL_CTX_set_tlsext_status_cb(ssl, cb) \
 SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB,(void (*)(void))cb)
 
-#  define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
+# define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
 SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)
 
-#  define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
+# define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
 SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 
-#  ifndef OPENSSL_NO_HEARTBEATS
-#   define SSL_TLSEXT_HB_ENABLED                           0x01
-#   define SSL_TLSEXT_HB_DONT_SEND_REQUESTS        0x02
-#   define SSL_TLSEXT_HB_DONT_RECV_REQUESTS        0x04
+# ifndef OPENSSL_NO_HEARTBEATS
+#  define SSL_TLSEXT_HB_ENABLED                           0x01
+#  define SSL_TLSEXT_HB_DONT_SEND_REQUESTS        0x02
+#  define SSL_TLSEXT_HB_DONT_RECV_REQUESTS        0x04
 
-#   define SSL_get_tlsext_heartbeat_pending(ssl) \
+#  define SSL_get_tlsext_heartbeat_pending(ssl) \
         SSL_ctrl((ssl),SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING,0,NULL)
-#   define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
+#  define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
         SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
-#  endif
 # endif
 
 /* PSK ciphersuites from 4279 */
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index ed67f9d..8940abc 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -405,7 +405,7 @@
                 ret = ssl3_get_server_certificate(s);
                 if (ret <= 0)
                     goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                 if (s->tlsext_status_expected)
                     s->state = SSL3_ST_CR_CERT_STATUS_A;
                 else
@@ -414,12 +414,7 @@
                 skip = 1;
                 s->state = SSL3_ST_CR_KEY_EXCH_A;
             }
-#else
-            } else
-                skip = 1;
 
-            s->state = SSL3_ST_CR_KEY_EXCH_A;
-#endif
             s->init_num = 0;
             break;
 
@@ -640,21 +635,17 @@
                          0, NULL);
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
                 /*
                  * Allow NewSessionTicket if ticket expected
                  */
                 if (s->tlsext_ticket_expected)
                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                 else
-#endif
-
                     s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
             }
             s->init_num = 0;
             break;
 
-#ifndef OPENSSL_NO_TLSEXT
         case SSL3_ST_CR_SESSION_TICKET_A:
         case SSL3_ST_CR_SESSION_TICKET_B:
             ret = ssl3_get_new_session_ticket(s);
@@ -672,7 +663,6 @@
             s->state = SSL3_ST_CR_KEY_EXCH_A;
             s->init_num = 0;
             break;
-#endif
 
         case SSL3_ST_CR_FINISHED_A:
         case SSL3_ST_CR_FINISHED_B:
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index ac2a006..dfdc573 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -425,14 +425,10 @@
                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                          sizeof(sctpauthkey), sctpauthkey);
 #endif
-#ifndef OPENSSL_NO_TLSEXT
                 if (s->tlsext_ticket_expected)
                     s->state = SSL3_ST_SW_SESSION_TICKET_A;
                 else
                     s->state = SSL3_ST_SW_CHANGE_A;
-#else
-                s->state = SSL3_ST_SW_CHANGE_A;
-#endif
             } else
                 s->state = SSL3_ST_SW_CERT_A;
             s->init_num = 0;
@@ -447,7 +443,7 @@
                 ret = ssl3_send_server_certificate(s);
                 if (ret <= 0)
                     goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                 if (s->tlsext_status_expected)
                     s->state = SSL3_ST_SW_CERT_STATUS_A;
                 else
@@ -456,12 +452,6 @@
                 skip = 1;
                 s->state = SSL3_ST_SW_KEY_EXCH_A;
             }
-#else
-            } else
-                skip = 1;
-
-            s->state = SSL3_ST_SW_KEY_EXCH_A;
-#endif
             s->init_num = 0;
             break;
 
@@ -712,16 +702,13 @@
             dtls1_stop_timer(s);
             if (s->hit)
                 s->state = SSL_ST_OK;
-#ifndef OPENSSL_NO_TLSEXT
             else if (s->tlsext_ticket_expected)
                 s->state = SSL3_ST_SW_SESSION_TICKET_A;
-#endif
             else
                 s->state = SSL3_ST_SW_CHANGE_A;
             s->init_num = 0;
             break;
 
-#ifndef OPENSSL_NO_TLSEXT
         case SSL3_ST_SW_SESSION_TICKET_A:
         case SSL3_ST_SW_SESSION_TICKET_B:
             ret = ssl3_send_newsession_ticket(s);
@@ -740,8 +727,6 @@
             s->init_num = 0;
             break;
 
-#endif
-
         case SSL3_ST_SW_CHANGE_A:
         case SSL3_ST_SW_CHANGE_B:
 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4977e9c..ace0838 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -165,9 +165,7 @@
 
 static int ssl_set_version(SSL *s);
 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
-#ifndef OPENSSL_NO_TLSEXT
 static int ssl3_check_finished(SSL *s);
-#endif
 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
                                     unsigned char *p,
                                     int (*put_cb) (const SSL_CIPHER *,
@@ -309,12 +307,10 @@
 
             if (s->hit) {
                 s->state = SSL3_ST_CR_FINISHED_A;
-#ifndef OPENSSL_NO_TLSEXT
                 if (s->tlsext_ticket_expected) {
                     /* receive renewed session ticket */
                     s->state = SSL3_ST_CR_SESSION_TICKET_A;
                 }
-#endif
             } else {
                 s->state = SSL3_ST_CR_CERT_A;
             }
@@ -322,7 +318,6 @@
             break;
         case SSL3_ST_CR_CERT_A:
         case SSL3_ST_CR_CERT_B:
-#ifndef OPENSSL_NO_TLSEXT
             /* Noop (ret = 0) for everything but EAP-FAST. */
             ret = ssl3_check_finished(s);
             if (ret < 0)
@@ -333,7 +328,7 @@
                 s->init_num = 0;
                 break;
             }
-#endif
+
             /* Check if it is anon DH/ECDH, SRP auth */
             /* or PSK */
             if (!
@@ -343,7 +338,7 @@
                 ret = ssl3_get_server_certificate(s);
                 if (ret <= 0)
                     goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                 if (s->tlsext_status_expected)
                     s->state = SSL3_ST_CR_CERT_STATUS_A;
                 else
@@ -352,12 +347,7 @@
                 skip = 1;
                 s->state = SSL3_ST_CR_KEY_EXCH_A;
             }
-#else
-            } else
-                skip = 1;
 
-            s->state = SSL3_ST_CR_KEY_EXCH_A;
-#endif
             s->init_num = 0;
             break;
 
@@ -470,7 +460,7 @@
             if (ret <= 0)
                 goto end;
 
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
             s->state = SSL3_ST_CW_FINISHED_A;
 #else
             if (s->s3->next_proto_neg_seen)
@@ -505,7 +495,7 @@
 
             break;
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
         case SSL3_ST_CW_NEXT_PROTO_A:
         case SSL3_ST_CW_NEXT_PROTO_B:
             ret = ssl3_send_next_proto(s);
@@ -538,21 +528,17 @@
                     s->s3->delay_buf_pop_ret = 0;
                 }
             } else {
-#ifndef OPENSSL_NO_TLSEXT
                 /*
                  * Allow NewSessionTicket if ticket expected
                  */
                 if (s->tlsext_ticket_expected)
                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                 else
-#endif
-
                     s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
             }
             s->init_num = 0;
             break;
 
-#ifndef OPENSSL_NO_TLSEXT
         case SSL3_ST_CR_SESSION_TICKET_A:
         case SSL3_ST_CR_SESSION_TICKET_B:
             ret = ssl3_get_new_session_ticket(s);
@@ -570,7 +556,6 @@
             s->state = SSL3_ST_CR_KEY_EXCH_A;
             s->init_num = 0;
             break;
-#endif
 
         case SSL3_ST_CR_FINISHED_A:
         case SSL3_ST_CR_FINISHED_B:
@@ -783,15 +768,11 @@
             goto err;
 
         if ((sess == NULL) || (sess->ssl_version != s->version) ||
-#ifdef OPENSSL_NO_TLSEXT
-            !sess->session_id_length ||
-#else
             /*
              * In the case of EAP-FAST, we can have a pre-shared
              * "ticket" without a session ID.
              */
             (!sess->session_id_length && !sess->tlsext_tick) ||
-#endif
             (sess->not_resumable)) {
             if (!ssl_get_new_session(s, 0))
                 goto err;
@@ -922,7 +903,6 @@
 #endif
         *(p++) = 0;             /* Add the NULL method */
 
-#ifndef OPENSSL_NO_TLSEXT
         /* TLS extensions */
         if (ssl_prepare_clienthello_tlsext(s) <= 0) {
             SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
@@ -935,7 +915,6 @@
             SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
             goto err;
         }
-#endif
 
         l = p - d;
         if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
@@ -1082,7 +1061,7 @@
         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG);
         goto f_err;
     }
-#ifndef OPENSSL_NO_TLSEXT
+
     /*
      * Check if we can resume the session based on external pre-shared secret.
      * EAP-FAST (RFC 4851) supports two types of session resumption.
@@ -1111,7 +1090,6 @@
             goto f_err;
         }
     }
-#endif                          /* OPENSSL_NO_TLSEXT */
 
     if (j != 0 && j == s->session->session_id_length
         && memcmp(p, s->session->session_id, j) == 0) {
@@ -1237,13 +1215,11 @@
     }
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
     /* TLS extensions */
     if (!ssl_parse_serverhello_tlsext(s, &p, d, n)) {
         SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT);
         goto err;
     }
-#endif
 
     if (p != (d + n)) {
         /* wrong packet length */
@@ -2240,7 +2216,6 @@
     return (X509_NAME_cmp(*a, *b));
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 int ssl3_get_new_session_ticket(SSL *s)
 {
     int ok, al, ret = 0, ticklen;
@@ -2363,7 +2338,6 @@
     s->state = SSL_ST_ERR;
     return (-1);
 }
-#endif
 
 int ssl3_get_server_done(SSL *s)
 {
@@ -3457,7 +3431,6 @@
     return (0);
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 /*
  * Normally, we can tell if the server is resuming the session from
  * the session ID. EAP-FAST (RFC 4851), however, relies on the next server
@@ -3507,7 +3480,7 @@
     return 0;
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 int ssl3_send_next_proto(SSL *s)
 {
     unsigned int len, padding_len;
@@ -3530,7 +3503,6 @@
 
     return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
 }
-# endif
 #endif
 
 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 78e95fc..3aa9863 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2908,9 +2908,7 @@
     BIO_free(s->s3->handshake_buffer);
     if (s->s3->handshake_dgst)
         ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_TLSEXT
     OPENSSL_free(s->s3->alpn_selected);
-#endif
 
 #ifndef OPENSSL_NO_SRP
     SSL_SRP_CTX_free(s);
@@ -2939,12 +2937,8 @@
 #ifndef OPENSSL_NO_EC
     EC_KEY_free(s->s3->tmp.ecdh);
     s->s3->tmp.ecdh = NULL;
-#endif
-#ifndef OPENSSL_NO_TLSEXT
-# ifndef OPENSSL_NO_EC
     s->s3->is_probably_safari = 0;
-# endif                         /* !OPENSSL_NO_EC */
-#endif                          /* !OPENSSL_NO_TLSEXT */
+#endif                         /* !OPENSSL_NO_EC */
 
     init_extra = s->s3->init_extra;
     BIO_free(s->s3->handshake_buffer);
@@ -2952,12 +2946,12 @@
     if (s->s3->handshake_dgst) {
         ssl3_free_digest_list(s);
     }
-#if !defined(OPENSSL_NO_TLSEXT)
+
     if (s->s3->alpn_selected) {
         free(s->s3->alpn_selected);
         s->s3->alpn_selected = NULL;
     }
-#endif
+
     memset(s->s3, 0, sizeof(*s->s3));
     s->s3->init_extra = init_extra;
 
@@ -2969,7 +2963,7 @@
     s->s3->in_read_app_data = 0;
     s->version = SSL3_VERSION;
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     OPENSSL_free(s->next_proto_negotiated);
     s->next_proto_negotiated = NULL;
     s->next_proto_negotiated_len = 0;
@@ -3109,7 +3103,6 @@
             return (ret);
         }
 #endif                          /* !OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
     case SSL_CTRL_SET_TLSEXT_HOSTNAME:
         if (larg == TLSEXT_NAMETYPE_host_name) {
             OPENSSL_free(s->tlsext_hostname);
@@ -3172,7 +3165,7 @@
         ret = 1;
         break;
 
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
         if (SSL_IS_DTLS(s))
             ret = dtls1_heartbeat(s);
@@ -3191,9 +3184,7 @@
             s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
         ret = 1;
         break;
-# endif
-
-#endif                          /* !OPENSSL_NO_TLSEXT */
+#endif
 
     case SSL_CTRL_CHAIN:
         if (larg)
@@ -3443,12 +3434,11 @@
         }
         break;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
         s->tlsext_debug_cb = (void (*)(SSL *, int, int,
                                        unsigned char *, int, void *))fp;
         break;
-#endif
+
     case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
         {
             s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
@@ -3578,7 +3568,6 @@
             return (0);
         }
 #endif                          /* !OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
     case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
         ctx->tlsext_servername_arg = parg;
         break;
@@ -3608,7 +3597,7 @@
         ctx->tlsext_status_arg = parg;
         return 1;
 
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
     case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
         ctx->srp_ctx.srp_Mask |= SSL_kSRP;
         OPENSSL_free(ctx->srp_ctx.login);
@@ -3638,9 +3627,9 @@
     case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
         ctx->srp_ctx.strength = larg;
         break;
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     case SSL_CTRL_SET_CURVES:
         return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
                                &ctx->tlsext_ellipticcurvelist_length,
@@ -3650,12 +3639,10 @@
         return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
                                     &ctx->tlsext_ellipticcurvelist_length,
                                     parg);
-#  ifndef OPENSSL_NO_EC
     case SSL_CTRL_SET_ECDH_AUTO:
         ctx->cert->ecdh_tmp_auto = larg;
         return 1;
-#  endif
-# endif
+#endif
     case SSL_CTRL_SET_SIGALGS:
         return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -3680,8 +3667,6 @@
     case SSL_CTRL_SET_CHAIN_CERT_STORE:
         return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
 
-#endif                          /* !OPENSSL_NO_TLSEXT */
-
         /* A Thawte special :-) */
     case SSL_CTRL_EXTRA_CHAIN_CERT:
         if (ctx->extra_certs == NULL) {
@@ -3759,7 +3744,6 @@
         }
         break;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
         ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
         break;
@@ -3775,7 +3759,7 @@
                                              HMAC_CTX *, int))fp;
         break;
 
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
     case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
         ctx->srp_ctx.srp_Mask |= SSL_kSRP;
         ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp;
@@ -3790,7 +3774,6 @@
         ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
             (char *(*)(SSL *, void *))fp;
         break;
-# endif
 #endif
     case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
         {
@@ -3927,7 +3910,6 @@
 #endif
         }
 
-#ifndef OPENSSL_NO_TLSEXT
 # ifndef OPENSSL_NO_EC
         /*
          * if we are considering an ECC cipher suite that uses an ephemeral
@@ -3936,7 +3918,6 @@
         if (alg_k & SSL_kECDHE)
             ok = ok && tls1_check_ec_tmp_key(s, c->id);
 # endif                         /* OPENSSL_NO_EC */
-#endif                          /* OPENSSL_NO_TLSEXT */
 
         if (!ok)
             continue;
@@ -3946,7 +3927,7 @@
             if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
                               c->strength_bits, 0, c))
                 continue;
-#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+#if !defined(OPENSSL_NO_EC)
             if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
                 && s->s3->is_probably_safari) {
                 if (!ret)
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 6bc80d5..68234ec 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -387,19 +387,15 @@
             ret = ssl3_send_server_hello(s);
             if (ret <= 0)
                 goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
             if (s->hit) {
                 if (s->tlsext_ticket_expected)
                     s->state = SSL3_ST_SW_SESSION_TICKET_A;
                 else
                     s->state = SSL3_ST_SW_CHANGE_A;
-            }
-#else
-            if (s->hit)
-                s->state = SSL3_ST_SW_CHANGE_A;
-#endif
-            else
+            } else {
                 s->state = SSL3_ST_SW_CERT_A;
+            }
             s->init_num = 0;
             break;
 
@@ -414,7 +410,7 @@
                 ret = ssl3_send_server_certificate(s);
                 if (ret <= 0)
                     goto end;
-#ifndef OPENSSL_NO_TLSEXT
+
                 if (s->tlsext_status_expected)
                     s->state = SSL3_ST_SW_CERT_STATUS_A;
                 else
@@ -423,12 +419,6 @@
                 skip = 1;
                 s->state = SSL3_ST_SW_KEY_EXCH_A;
             }
-#else
-            } else
-                skip = 1;
-
-            s->state = SSL3_ST_SW_KEY_EXCH_A;
-#endif
             s->init_num = 0;
             break;
 
@@ -587,7 +577,7 @@
                  * not sent. Also for GOST ciphersuites when the client uses
                  * its key from the certificate for key exchange.
                  */
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
                 s->state = SSL3_ST_SR_FINISHED_A;
 #else
                 if (s->s3->next_proto_neg_seen)
@@ -666,7 +656,7 @@
             if (ret <= 0)
                 goto end;
 
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
             s->state = SSL3_ST_SR_FINISHED_A;
 #else
             if (s->s3->next_proto_neg_seen)
@@ -677,7 +667,7 @@
             s->init_num = 0;
             break;
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
         case SSL3_ST_SR_NEXT_PROTO_A:
         case SSL3_ST_SR_NEXT_PROTO_B:
             /*
@@ -718,16 +708,13 @@
                 goto end;
             if (s->hit)
                 s->state = SSL_ST_OK;
-#ifndef OPENSSL_NO_TLSEXT
             else if (s->tlsext_ticket_expected)
                 s->state = SSL3_ST_SW_SESSION_TICKET_A;
-#endif
             else
                 s->state = SSL3_ST_SW_CHANGE_A;
             s->init_num = 0;
             break;
 
-#ifndef OPENSSL_NO_TLSEXT
         case SSL3_ST_SW_SESSION_TICKET_A:
         case SSL3_ST_SW_SESSION_TICKET_B:
             ret = ssl3_send_newsession_ticket(s);
@@ -746,8 +733,6 @@
             s->init_num = 0;
             break;
 
-#endif
-
         case SSL3_ST_SW_CHANGE_A:
         case SSL3_ST_SW_CHANGE_B:
 
@@ -790,7 +775,7 @@
                 goto end;
             s->state = SSL3_ST_SW_FLUSH;
             if (s->hit) {
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
+#if defined(OPENSSL_NO_NEXTPROTONEG)
                 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
 #else
                 if (s->s3->next_proto_neg_seen) {
@@ -1361,7 +1346,6 @@
         }
     }
 
-#ifndef OPENSSL_NO_TLSEXT
     /* TLS extensions */
     if (s->version >= SSL3_VERSION) {
         if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) {
@@ -1418,7 +1402,6 @@
             s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
         }
     }
-#endif
 
     /*
      * Worst case, we will use the NULL compression, but if we have other
@@ -1602,13 +1585,13 @@
 
     if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
         buf = (unsigned char *)s->init_buf->data;
-#ifdef OPENSSL_NO_TLSEXT
+
         p = s->s3->server_random;
         if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
             s->state = SSL_ST_ERR;
             return -1;
         }
-#endif
+
         /* Do the message type and length last */
         d = p = ssl_handshake_start(s);
 
@@ -1663,7 +1646,7 @@
         else
             *(p++) = s->s3->tmp.new_compression->id;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
+
         if (ssl_prepare_serverhello_tlsext(s) <= 0) {
             SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
             s->state = SSL_ST_ERR;
@@ -1677,7 +1660,7 @@
             s->state = SSL_ST_ERR;
             return -1;
         }
-#endif
+
         /* do the header */
         l = (p - d);
         if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
@@ -3266,7 +3249,6 @@
     return ssl_do_write(s);
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 /* send a new session ticket (not necessarily for a new session) */
 int ssl3_send_newsession_ticket(SSL *s)
 {
@@ -3454,7 +3436,7 @@
     return (ssl3_do_write(s, SSL3_RT_HANDSHAKE));
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * ssl3_get_next_proto reads a Next Protocol Negotiation handshake message.
  * It sets the next_proto member in s if found
@@ -3533,8 +3515,6 @@
 
     return 1;
 }
-# endif
-
 #endif
 
 #define SSLV2_CIPHER_LEN    3
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 51cc72a..7b58518 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -101,11 +101,9 @@
     X509 *peer;
     ASN1_OCTET_STRING *session_id_context;
     long verify_result;
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_OCTET_STRING *tlsext_hostname;
     long tlsext_tick_lifetime_hint;
     ASN1_OCTET_STRING *tlsext_tick;
-#endif
 #ifndef OPENSSL_NO_PSK
     ASN1_OCTET_STRING *psk_identity_hint;
     ASN1_OCTET_STRING *psk_identity;
@@ -128,17 +126,13 @@
     ASN1_EXP_OPT(SSL_SESSION_ASN1, peer, X509, 3),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, session_id_context, ASN1_OCTET_STRING, 4),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, verify_result, ZLONG, 5),
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_hostname, ASN1_OCTET_STRING, 6),
-#endif
 #ifndef OPENSSL_NO_PSK
     ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity_hint, ASN1_OCTET_STRING, 7),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity, ASN1_OCTET_STRING, 8),
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_lifetime_hint, ZLONG, 9),
     ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick, ASN1_OCTET_STRING, 10),
-#endif
     ASN1_EXP_OPT(SSL_SESSION_ASN1, comp_id, ASN1_OCTET_STRING, 11),
 #ifndef OPENSSL_NO_SRP
     ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12),
@@ -185,9 +179,7 @@
     unsigned char comp_id_data;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
     ASN1_OCTET_STRING tlsext_hostname, tlsext_tick;
-#endif
 
 #ifndef OPENSSL_NO_SRP
     ASN1_OCTET_STRING srp_username;
@@ -238,7 +230,6 @@
 
     as.peer = in->peer;
 
-#ifndef OPENSSL_NO_TLSEXT
     ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname,
                       in->tlsext_hostname);
     if (in->tlsext_tick) {
@@ -247,7 +238,6 @@
     }
     if (in->tlsext_tick_lifetime_hint > 0)
         as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint;
-#endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_PSK
     ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint,
                       in->psk_identity_hint);
@@ -373,10 +363,8 @@
     /* NB: this defaults to zero which is X509_V_OK */
     ret->verify_result = as->verify_result;
 
-#ifndef OPENSSL_NO_TLSEXT
     if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname))
         goto err;
-#endif                          /* OPENSSL_NO_TLSEXT */
 
 #ifndef OPENSSL_NO_PSK
     if (!ssl_session_strndup(&ret->psk_identity_hint, as->psk_identity_hint))
@@ -385,7 +373,6 @@
         goto err;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
     ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
     if (as->tlsext_tick) {
         ret->tlsext_tick = as->tlsext_tick->data;
@@ -394,7 +381,6 @@
     } else {
         ret->tlsext_tick = NULL;
     }
-#endif                          /* OPENSSL_NO_TLSEXT */
 #ifndef OPENSSL_NO_COMP
     if (as->comp_id) {
         if (as->comp_id->length != 1) {
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 987b2b7..ab138ec 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -265,7 +265,7 @@
                 goto err;
             }
         }
-#ifndef OPENSSL_NO_TLSEXT
+        rpk->valid_flags = 0;
         if (cert->pkeys[i].serverinfo != NULL) {
             /* Just copy everything. */
             ret->pkeys[i].serverinfo =
@@ -280,7 +280,6 @@
                    cert->pkeys[i].serverinfo,
                    cert->pkeys[i].serverinfo_length);
         }
-#endif
     }
 
     ret->references = 1;
@@ -334,12 +333,10 @@
     ret->sec_level = cert->sec_level;
     ret->sec_ex = cert->sec_ex;
 
-#ifndef OPENSSL_NO_TLSEXT
     if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
         goto err;
     if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
         goto err;
-#endif
 
     return (ret);
 
@@ -364,11 +361,9 @@
         cpk->privatekey = NULL;
         sk_X509_pop_free(cpk->chain, X509_free);
         cpk->chain = NULL;
-#ifndef OPENSSL_NO_TLSEXT
         OPENSSL_free(cpk->serverinfo);
         cpk->serverinfo = NULL;
         cpk->serverinfo_length = 0;
-#endif
     }
 }
 
@@ -409,10 +404,8 @@
     OPENSSL_free(c->ctypes);
     X509_STORE_free(c->verify_store);
     X509_STORE_free(c->chain_store);
-#ifndef OPENSSL_NO_TLSEXT
     custom_exts_free(&c->cli_ext);
     custom_exts_free(&c->srv_ext);
-#endif
     OPENSSL_free(c);
 }
 
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 59516a5..65ff021 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -433,9 +433,7 @@
     SSL_CONF_CMD_SWITCH("bugs", 0),
     SSL_CONF_CMD_SWITCH("no_comp", 0),
     SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
-#ifndef OPENSSL_NO_TLSEXT
     SSL_CONF_CMD_SWITCH("no_ticket", 0),
-#endif
     SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("legacy_renegotiation", 0),
     SSL_CONF_CMD_SWITCH("legacy_server_connect", SSL_CONF_FLAG_SERVER),
@@ -477,9 +475,7 @@
     {SSL_OP_ALL, 0},            /* bugs */
     {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
     {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
-#ifndef OPENSSL_NO_TLSEXT
     {SSL_OP_NO_TICKET, 0},      /* no_ticket */
-#endif
     {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
     /* legacy_renegotiation */
     {SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, 0},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2624b37..3952b6b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -315,7 +315,6 @@
 
     CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
     s->ctx = ctx;
-#ifndef OPENSSL_NO_TLSEXT
     s->tlsext_debug_cb = 0;
     s->tlsext_debug_arg = NULL;
     s->tlsext_ticket_expected = 0;
@@ -360,7 +359,6 @@
                s->ctx->alpn_client_proto_list_len);
         s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
     }
-#endif
 
     s->verify_result = X509_V_OK;
 
@@ -557,18 +555,16 @@
     ssl_cert_free(s->cert);
     /* Free up if allocated */
 
-#ifndef OPENSSL_NO_TLSEXT
     OPENSSL_free(s->tlsext_hostname);
     SSL_CTX_free(s->initial_ctx);
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     OPENSSL_free(s->tlsext_ecpointformatlist);
     OPENSSL_free(s->tlsext_ellipticcurvelist);
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
     sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
     sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
     OPENSSL_free(s->tlsext_ocsp_resp);
     OPENSSL_free(s->alpn_client_proto_list);
-#endif
 
     sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
 
@@ -579,7 +575,7 @@
 
     SSL_CTX_free(s->ctx);
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
     OPENSSL_free(s->next_proto_negotiated);
 #endif
 
@@ -1394,7 +1390,6 @@
     return (buf);
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 /** return a servername extension value if provided in Client Hello, or NULL.
  * So far, only host_name types are defined (RFC 3546).
  */
@@ -1476,7 +1471,7 @@
     return status;
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * SSL_get0_next_proto_negotiated sets *data and *len to point to the
  * client's requested protocol for this connection and returns 0. If the
@@ -1537,7 +1532,7 @@
     ctx->next_proto_select_cb = cb;
     ctx->next_proto_select_cb_arg = arg;
 }
-# endif
+#endif
 
 /*
  * SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
@@ -1610,7 +1605,6 @@
         *len = ssl->s3->alpn_selected_len;
 }
 
-#endif                          /* !OPENSSL_NO_TLSEXT */
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                const char *label, size_t llen,
@@ -1765,7 +1759,6 @@
 
     ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
 
-#ifndef OPENSSL_NO_TLSEXT
     ret->tlsext_servername_callback = 0;
     ret->tlsext_servername_arg = NULL;
     /* Setup RFC4507 ticket keys */
@@ -1777,10 +1770,9 @@
     ret->tlsext_status_cb = 0;
     ret->tlsext_status_arg = NULL;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     ret->next_protos_advertised_cb = 0;
     ret->next_proto_select_cb = 0;
-# endif
 #endif
 #ifndef OPENSSL_NO_PSK
     ret->psk_identity_hint = NULL;
@@ -1881,13 +1873,11 @@
         ENGINE_finish(a->client_cert_engine);
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     OPENSSL_free(a->tlsext_ecpointformatlist);
     OPENSSL_free(a->tlsext_ellipticcurvelist);
-# endif
-    OPENSSL_free(a->alpn_client_proto_list);
 #endif
+    OPENSSL_free(a->alpn_client_proto_list);
 
     OPENSSL_free(a);
 }
@@ -2273,7 +2263,6 @@
     return c->pkeys[idx].privatekey;
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                    size_t *serverinfo_length)
 {
@@ -2293,7 +2282,6 @@
     *serverinfo_length = c->pkeys[i].serverinfo_length;
     return 1;
 }
-#endif
 
 void ssl_update_cache(SSL *s, int mode)
 {
@@ -2818,10 +2806,8 @@
     CERT *new_cert;
     if (ssl->ctx == ctx)
         return ssl->ctx;
-#ifndef OPENSSL_NO_TLSEXT
     if (ctx == NULL)
         ctx = ssl->initial_ctx;
-#endif
     new_cert = ssl_cert_dup(ctx->cert);
     if (new_cert == NULL) {
         return NULL;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 04e5908..bdc4d8c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -652,19 +652,17 @@
      * implement a maximum cache size.
      */
     struct ssl_session_st *prev, *next;
-# ifndef OPENSSL_NO_TLSEXT
     char *tlsext_hostname;
-#  ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_EC
     size_t tlsext_ecpointformatlist_length;
     unsigned char *tlsext_ecpointformatlist; /* peer's list */
     size_t tlsext_ellipticcurvelist_length;
     unsigned char *tlsext_ellipticcurvelist; /* peer's list */
-#  endif                       /* OPENSSL_NO_EC */
+# endif                       /* OPENSSL_NO_EC */
     /* RFC4507 info */
     unsigned char *tlsext_tick; /* Session ticket */
     size_t tlsext_ticklen;      /* Session ticket length */
     unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
-# endif
 # ifndef OPENSSL_NO_SRP
     char *srp_username;
 # endif
@@ -850,7 +848,6 @@
     ENGINE *client_cert_engine;
 #  endif
 
-#  ifndef OPENSSL_NO_TLSEXT
     /* TLS extensions servername callback */
     int (*tlsext_servername_callback) (SSL *, int *, void *);
     void *tlsext_servername_arg;
@@ -868,7 +865,6 @@
     /* Callback for status request */
     int (*tlsext_status_cb) (SSL *ssl, void *arg);
     void *tlsext_status_arg;
-#  endif
 
 #  ifndef OPENSSL_NO_PSK
     char *psk_identity_hint;
@@ -886,9 +882,7 @@
     SRP_CTX srp_ctx;            /* ctx for SRP authentication */
 #  endif
 
-#  ifndef OPENSSL_NO_TLSEXT
-
-#   ifndef OPENSSL_NO_NEXTPROTONEG
+#  ifndef OPENSSL_NO_NEXTPROTONEG
     /* Next protocol negotiation information */
     /* (for experimental NPN extension). */
 
@@ -908,7 +902,7 @@
                                  const unsigned char *in,
                                  unsigned int inlen, void *arg);
     void *next_proto_select_cb_arg;
-#   endif
+#  endif
 
     /*
      * ALPN information (we are in the process of transitioning from NPN to
@@ -941,7 +935,6 @@
 
     /* SRTP profiles we are willing to do from RFC 5764 */
     STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-#  endif
     /*
      * Callback for disabling session caching and ticket support on a session
      * basis, depending on the chosen cipher.
@@ -1096,7 +1089,7 @@
     /* what was passed, used for SSLv3/TLS rollback check */
     int client_version;
     unsigned int max_send_fragment;
-#  ifndef OPENSSL_NO_TLSEXT
+
     /* TLS extension debug callback */
     void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
                              unsigned char *data, int len, void *arg);
@@ -1122,14 +1115,14 @@
     int tlsext_ocsp_resplen;
     /* RFC4507 session ticket expected to be received or sent */
     int tlsext_ticket_expected;
-#   ifndef OPENSSL_NO_EC
+#  ifndef OPENSSL_NO_EC
     size_t tlsext_ecpointformatlist_length;
     /* our list */
     unsigned char *tlsext_ecpointformatlist;
     size_t tlsext_ellipticcurvelist_length;
     /* our list */
     unsigned char *tlsext_ellipticcurvelist;
-#   endif                       /* OPENSSL_NO_EC */
+#  endif                       /* OPENSSL_NO_EC */
     /* TLS Session Ticket extension override */
     TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
     /* TLS Session Ticket extension callback */
@@ -1139,7 +1132,7 @@
     tls_session_secret_cb_fn tls_session_secret_cb;
     void *tls_session_secret_cb_arg;
     SSL_CTX *initial_ctx;       /* initial ctx, used to store sessions */
-#   ifndef OPENSSL_NO_NEXTPROTONEG
+#  ifndef OPENSSL_NO_NEXTPROTONEG
     /*
      * Next protocol negotiation. For the client, this is the protocol that
      * we sent in NextProtocol and is set when handling ServerHello
@@ -1149,8 +1142,8 @@
      */
     unsigned char *next_proto_negotiated;
     unsigned char next_proto_negotiated_len;
-#   endif
-#   define session_ctx initial_ctx
+#  endif
+#  define session_ctx initial_ctx
     /* What we'll do */
     STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
     /* What's been chosen */
@@ -1172,9 +1165,7 @@
      */
     unsigned char *alpn_client_proto_list;
     unsigned alpn_client_proto_list_len;
-#  else
-#   define session_ctx ctx
-#  endif                        /* OPENSSL_NO_TLSEXT */
+
     /*-
      * 1 if we are renegotiating.
      * 2 if we are a server and are inside a handshake
@@ -1328,8 +1319,6 @@
     int next_proto_neg_seen;
 #  endif
 
-#  ifndef OPENSSL_NO_TLSEXT
-
     /*
      * ALPN information (we are in the process of transitioning from NPN to
      * ALPN.)
@@ -1351,8 +1340,6 @@
      */
     char is_probably_safari;
 #   endif                       /* !OPENSSL_NO_EC */
-
-#  endif                        /* !OPENSSL_NO_TLSEXT */
 } SSL3_STATE;
 
 
@@ -1462,7 +1449,7 @@
     EVP_PKEY *privatekey;
     /* Chain for this certificate */
     STACK_OF(X509) *chain;
-# ifndef OPENSSL_NO_TLSEXT
+
     /*-
      * serverinfo data for this certificate.  The data is in TLS Extension
      * wire format, specifically it's a series of records like:
@@ -1472,7 +1459,6 @@
      */
     unsigned char *serverinfo;
     size_t serverinfo_length;
-# endif
 } CERT_PKEY;
 /* Retrieve Suite B flags */
 # define tls1_suiteb(s)  (s->cert->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS)
@@ -1916,10 +1902,8 @@
 __owur int ssl_undefined_void_function(void);
 __owur int ssl_undefined_const_function(const SSL *s);
 __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
-#  ifndef OPENSSL_NO_TLSEXT
 __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                    size_t *serverinfo_length);
-#  endif
 __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
 __owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
 void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher);
@@ -2031,10 +2015,8 @@
 __owur int ssl3_get_key_exchange(SSL *s);
 __owur int ssl3_get_server_certificate(SSL *s);
 __owur int ssl3_check_cert_and_algorithm(SSL *s);
-#  ifndef OPENSSL_NO_TLSEXT
-#   ifndef OPENSSL_NO_NEXTPROTONEG
+#  ifndef OPENSSL_NO_NEXTPROTONEG
 __owur int ssl3_send_next_proto(SSL *s);
-#   endif
 #  endif
 
 int dtls1_client_hello(SSL *s);
@@ -2106,7 +2088,6 @@
 __owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
 #  endif                        /* OPENSSL_NO_EC */
 
-#  ifndef OPENSSL_NO_TLSEXT
 __owur int tls1_shared_list(SSL *s,
                      const unsigned char *l1, size_t l1len,
                      const unsigned char *l2, size_t l2len, int nmatch);
@@ -2123,12 +2104,12 @@
 __owur int ssl_prepare_clienthello_tlsext(SSL *s);
 __owur int ssl_prepare_serverhello_tlsext(SSL *s);
 
-#   ifndef OPENSSL_NO_HEARTBEATS
+#  ifndef OPENSSL_NO_HEARTBEATS
 __owur int tls1_heartbeat(SSL *s);
 __owur int dtls1_heartbeat(SSL *s);
 __owur int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
 __owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
-#   endif
+#  endif
 
 __owur int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                         const unsigned char *limit, SSL_SESSION **ret);
@@ -2145,7 +2126,6 @@
                      int idx);
 void tls1_set_cert_validity(SSL *s);
 
-#  endif
 #  ifndef OPENSSL_NO_DH
 __owur DH *ssl_get_auto_dh(SSL *s);
 #  endif
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index a9c832c..f485126 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -738,7 +738,6 @@
 }
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
 static int serverinfo_find_extension(const unsigned char *serverinfo,
                                      size_t serverinfo_length,
                                      unsigned int extension_type,
@@ -910,7 +909,7 @@
     return 1;
 }
 
-# ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
 {
     unsigned char *serverinfo = NULL;
@@ -1000,5 +999,4 @@
     BIO_free(bin);
     return ret;
 }
-# endif                         /* OPENSSL_NO_STDIO */
-#endif                          /* OPENSSL_NO_TLSEXT */
+#endif                         /* OPENSSL_NO_STDIO */
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 2be9592..f1c2095 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -207,14 +207,12 @@
     ss->prev = NULL;
     ss->next = NULL;
     ss->compress_meth = 0;
-#ifndef OPENSSL_NO_TLSEXT
     ss->tlsext_hostname = NULL;
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     ss->tlsext_ecpointformatlist_length = 0;
     ss->tlsext_ecpointformatlist = NULL;
     ss->tlsext_ellipticcurvelist_length = 0;
     ss->tlsext_ellipticcurvelist = NULL;
-# endif
 #endif
     CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
 #ifndef OPENSSL_NO_PSK
@@ -322,7 +320,7 @@
             SSL_SESSION_free(ss);
             return (0);
         }
-#ifndef OPENSSL_NO_TLSEXT
+
         /*-
          * If RFC5077 ticket, use empty session ID (as server).
          * Note that:
@@ -342,7 +340,7 @@
             ss->session_id_length = 0;
             goto sess_id_done;
         }
-#endif
+
         /* Choose which callback will set the session ID */
         CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
         if (s->generate_session_id)
@@ -378,7 +376,7 @@
             SSL_SESSION_free(ss);
             return (0);
         }
-#ifndef OPENSSL_NO_TLSEXT
+
  sess_id_done:
         if (s->tlsext_hostname) {
             ss->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
@@ -388,7 +386,6 @@
                 return 0;
             }
         }
-#endif
     } else {
         ss->session_id_length = 0;
     }
@@ -435,9 +432,7 @@
     SSL_SESSION *ret = NULL;
     int fatal = 0;
     int try_session_cache = 1;
-#ifndef OPENSSL_NO_TLSEXT
     int r;
-#endif
 
     if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
         goto err;
@@ -450,7 +445,6 @@
     if (len == 0)
         try_session_cache = 0;
 
-#ifndef OPENSSL_NO_TLSEXT
     /* sets s->tlsext_ticket_expected */
     r = tls1_process_ticket(s, session_id, len, limit, &ret);
     switch (r) {
@@ -467,7 +461,6 @@
     default:
         abort();
     }
-#endif
 
     if (try_session_cache &&
         ret == NULL &&
@@ -589,7 +582,7 @@
  err:
     if (ret != NULL) {
         SSL_SESSION_free(ret);
-#ifndef OPENSSL_NO_TLSEXT
+
         if (!try_session_cache) {
             /*
              * The session was from a ticket, so we should issue a ticket for
@@ -597,7 +590,6 @@
              */
             s->tlsext_ticket_expected = 1;
         }
-#endif
     }
     if (fatal)
         return -1;
@@ -734,16 +726,14 @@
     ssl_sess_cert_free(ss->sess_cert);
     X509_free(ss->peer);
     sk_SSL_CIPHER_free(ss->ciphers);
-#ifndef OPENSSL_NO_TLSEXT
     OPENSSL_free(ss->tlsext_hostname);
     OPENSSL_free(ss->tlsext_tick);
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     ss->tlsext_ecpointformatlist_length = 0;
     OPENSSL_free(ss->tlsext_ecpointformatlist);
     ss->tlsext_ellipticcurvelist_length = 0;
     OPENSSL_free(ss->tlsext_ellipticcurvelist);
-# endif                         /* OPENSSL_NO_EC */
-#endif
+#endif                         /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_PSK
     OPENSSL_free(ss->psk_identity_hint);
     OPENSSL_free(ss->psk_identity);
@@ -877,7 +867,6 @@
     return (s->session_timeout);
 }
 
-#ifndef OPENSSL_NO_TLSEXT
 int SSL_set_session_secret_cb(SSL *s,
                               int (*tls_session_secret_cb) (SSL *s,
                                                             void *secret,
@@ -932,7 +921,6 @@
 
     return 0;
 }
-#endif                          /* OPENSSL_NO_TLSEXT */
 
 typedef struct timeout_param_st {
     SSL_CTX *ctx;
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 0da2bb4..0f506f0 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -182,7 +182,6 @@
     if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
         goto err;
 #endif
-#ifndef OPENSSL_NO_TLSEXT
     if (x->tlsext_tick_lifetime_hint) {
         if (BIO_printf(bp,
                        "\n    TLS session ticket lifetime hint: %ld (seconds)",
@@ -196,7 +195,6 @@
             <= 0)
             goto err;
     }
-#endif
 
 #ifndef OPENSSL_NO_COMP
     if (x->compress_meth != 0) {
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index f1092ac..396ad7e 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -57,7 +57,6 @@
 
 #include "ssl_locl.h"
 
-#ifndef OPENSSL_NO_TLSEXT
 
 /* Find a custom extension from the list. */
 static custom_ext_method *custom_ext_find(custom_ext_methods *exts,
@@ -283,12 +282,11 @@
     case TLSEXT_TYPE_srp:
     case TLSEXT_TYPE_status_request:
     case TLSEXT_TYPE_use_srtp:
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     case TLSEXT_TYPE_encrypt_then_mac:
-# endif
+#endif
         return 1;
     default:
         return 0;
     }
 }
-#endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7053c4a..ce010ca 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -123,13 +123,11 @@
 
 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
 
-#ifndef OPENSSL_NO_TLSEXT
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                               const unsigned char *sess_id, int sesslen,
                               SSL_SESSION **psess);
 static int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
-#endif
 
 SSL3_ENC_METHOD const TLSv1_enc_data = {
     tls1_enc,
@@ -208,9 +206,7 @@
 
 void tls1_free(SSL *s)
 {
-#ifndef OPENSSL_NO_TLSEXT
     OPENSSL_free(s->tlsext_session_ticket);
-#endif                          /* OPENSSL_NO_TLSEXT */
     ssl3_free(s);
 }
 
@@ -912,32 +908,30 @@
 
 #endif                          /* OPENSSL_NO_EC */
 
-#ifndef OPENSSL_NO_TLSEXT
-
 /*
  * List of supported signature algorithms and hashes. Should make this
  * customisable at some point, for now include everything we support.
  */
 
-# ifdef OPENSSL_NO_RSA
-#  define tlsext_sigalg_rsa(md) /* */
-# else
-#  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
-# endif
+#ifdef OPENSSL_NO_RSA
+# define tlsext_sigalg_rsa(md) /* */
+#else
+# define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
+#endif
 
-# ifdef OPENSSL_NO_DSA
-#  define tlsext_sigalg_dsa(md) /* */
-# else
-#  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
-# endif
+#ifdef OPENSSL_NO_DSA
+# define tlsext_sigalg_dsa(md) /* */
+#else
+# define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
+#endif
 
-# ifdef OPENSSL_NO_EC
-#  define tlsext_sigalg_ecdsa(md) /* */
-# else
-#  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
-# endif
+#ifdef OPENSSL_NO_EC
+# define tlsext_sigalg_ecdsa(md) /* */
+#else
+# define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
+#endif
 
-# define tlsext_sigalg(md) \
+#define tlsext_sigalg(md) \
                 tlsext_sigalg_rsa(md) \
                 tlsext_sigalg_dsa(md) \
                 tlsext_sigalg_ecdsa(md)
@@ -950,19 +944,19 @@
         tlsext_sigalg(TLSEXT_hash_sha1)
 };
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
 static const unsigned char suiteb_sigalgs[] = {
     tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
-# endif
+#endif
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 {
     /*
      * If Suite B mode use Suite B sigalgs only, ignore any other
      * preferences.
      */
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     switch (tls1_suiteb(s)) {
     case SSL_CERT_FLAG_SUITEB_128_LOS:
         *psigs = suiteb_sigalgs;
@@ -976,7 +970,7 @@
         *psigs = suiteb_sigalgs + 2;
         return 2;
     }
-# endif
+#endif
     /* If server use client authentication sigalgs if not NULL */
     if (s->server && s->cert->client_sigalgs) {
         *psigs = s->cert->client_sigalgs;
@@ -1008,7 +1002,7 @@
         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
         return 0;
     }
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (pkey->type == EVP_PKEY_EC) {
         unsigned char curve_id[2], comp_id;
         /* Check compression and curve matches extensions */
@@ -1039,7 +1033,7 @@
         }
     } else if (tls1_suiteb(s))
         return 0;
-# endif
+#endif
 
     /* Check signature matches a type we sent */
     sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
@@ -1105,13 +1099,13 @@
         s->s3->tmp.mask_a |= SSL_aPSK;
         s->s3->tmp.mask_k |= SSL_kPSK;
     }
-# endif                         /* OPENSSL_NO_PSK */
-# ifndef OPENSSL_NO_SRP
+#endif                         /* OPENSSL_NO_PSK */
+#ifndef OPENSSL_NO_SRP
     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
         s->s3->tmp.mask_a |= SSL_aSRP;
         s->s3->tmp.mask_k |= SSL_kSRP;
     }
-# endif
+#endif
 }
 
 int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op)
@@ -1136,7 +1130,7 @@
     int extdatalen = 0;
     unsigned char *orig = buf;
     unsigned char *ret = buf;
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /* See if we support any ECC ciphersuites */
     int using_ecc = 0;
     if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
@@ -1156,7 +1150,7 @@
             }
         }
     }
-# endif
+#endif
 
     ret += 2;
 
@@ -1221,7 +1215,7 @@
         memcpy(ret, s->tlsext_hostname, size_str);
         ret += size_str;
     }
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
     /* Add SRP username if there is one */
     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
                                      * Client Hello message */
@@ -1248,9 +1242,9 @@
         memcpy(ret, s->srp_ctx.login, login_len);
         ret += login_len;
     }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (using_ecc) {
         /*
          * Add TLS extension ECPointFormats to the ClientHello message
@@ -1311,7 +1305,7 @@
         s2n(curves_list_len, ret);
         ret += curves_list_len;
     }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (tls_use_ticket(s)) {
         int ticklen;
@@ -1407,7 +1401,7 @@
         if (extlen > 0)
             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
     }
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     /* Add Heartbeat extension */
     if ((limit - ret - 4 - 1) < 0)
         return NULL;
@@ -1422,9 +1416,9 @@
         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
     else
         *(ret++) = SSL_TLSEXT_HB_ENABLED;
-# endif
+#endif
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
         /*
          * The client advertises an emtpy extension to indicate its support
@@ -1435,7 +1429,7 @@
         s2n(TLSEXT_TYPE_next_proto_neg, ret);
         s2n(0, ret);
     }
-# endif
+#endif
 
     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
@@ -1446,7 +1440,7 @@
         memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
         ret += s->alpn_client_proto_list_len;
     }
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
         int el;
 
@@ -1468,15 +1462,15 @@
         }
         ret += el;
     }
-# endif
+#endif
     custom_ext_init(&s->cert->cli_ext);
     /* Add custom TLS Extensions to ClientHello */
     if (!custom_ext_add(s, 0, &ret, limit, al))
         return NULL;
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
     s2n(0, ret);
-# endif
+#endif
     s2n(TLSEXT_TYPE_extended_master_secret, ret);
     s2n(0, ret);
 
@@ -1518,16 +1512,16 @@
     int extdatalen = 0;
     unsigned char *orig = buf;
     unsigned char *ret = buf;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     int next_proto_neg_seen;
-# endif
-# ifndef OPENSSL_NO_EC
+#endif
+#ifndef OPENSSL_NO_EC
     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
     int using_ecc = (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe))
         || (alg_a & SSL_aECDSA);
     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
-# endif
+#endif
 
     ret += 2;
     if (ret >= limit)
@@ -1567,7 +1561,7 @@
         s2n(TLSEXT_TYPE_server_name, ret);
         s2n(0, ret);
     }
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (using_ecc) {
         const unsigned char *plist;
         size_t plistlen;
@@ -1598,7 +1592,7 @@
      * Currently the server should not respond with a SupportedCurves
      * extension
      */
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (s->tlsext_ticket_expected && tls_use_ticket(s)) {
         if ((long)(limit - ret - 4) < 0)
@@ -1614,7 +1608,7 @@
         s2n(0, ret);
     }
 
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
     if (SSL_IS_DTLS(s) && s->srtp_profile) {
         int el;
 
@@ -1635,7 +1629,7 @@
         }
         ret += el;
     }
-# endif
+#endif
 
     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
@@ -1654,7 +1648,7 @@
         ret += 36;
 
     }
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     /* Add Heartbeat extension if we've received one */
     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
         if ((limit - ret - 4 - 1) < 0)
@@ -1672,9 +1666,9 @@
             *(ret++) = SSL_TLSEXT_HB_ENABLED;
 
     }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     next_proto_neg_seen = s->s3->next_proto_neg_seen;
     s->s3->next_proto_neg_seen = 0;
     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
@@ -1695,10 +1689,10 @@
             s->s3->next_proto_neg_seen = 1;
         }
     }
-# endif
+#endif
     if (!custom_ext_add(s, 1, &ret, limit, al))
         return NULL;
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
         /*
          * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
@@ -1712,7 +1706,7 @@
             s2n(0, ret);
         }
     }
-# endif
+#endif
     if (!s->hit && s->session->flags & SSL_SESS_FLAG_EXTMS) {
         s2n(TLSEXT_TYPE_extended_master_secret, ret);
         s2n(0, ret);
@@ -1808,7 +1802,7 @@
     return -1;
 }
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
 /*-
  * ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
@@ -1889,7 +1883,7 @@
 
     s->s3->is_probably_safari = 1;
 }
-# endif                         /* !OPENSSL_NO_EC */
+#endif                         /* !OPENSSL_NO_EC */
 
 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                                        unsigned char *d, int n, int *al)
@@ -1902,33 +1896,33 @@
 
     s->servername_done = 0;
     s->tlsext_status_type = -1;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
 
     OPENSSL_free(s->s3->alpn_selected);
     s->s3->alpn_selected = NULL;
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
         ssl_check_for_safari(s, data, d, n);
-# endif                         /* !OPENSSL_NO_EC */
+#endif                         /* !OPENSSL_NO_EC */
 
     /* Clear any signature algorithms extension received */
     OPENSSL_free(s->s3->tmp.peer_sigalgs);
     s->s3->tmp.peer_sigalgs = NULL;
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
+#endif
 
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
     OPENSSL_free(s->srp_ctx.login);
     s->srp_ctx.login = NULL;
-# endif
+#endif
 
     s->srtp_profile = NULL;
 
@@ -2051,7 +2045,7 @@
             }
 
         }
-# ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
         else if (type == TLSEXT_TYPE_srp) {
             if (size <= 0 || ((len = data[0])) != (size - 1)) {
                 *al = SSL_AD_DECODE_ERROR;
@@ -2071,9 +2065,9 @@
                 return 0;
             }
         }
-# endif
+#endif
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             unsigned char *sdata = data;
             int ecpointformatlist_length = *(sdata++);
@@ -2126,7 +2120,7 @@
                        ellipticcurvelist_length);
             }
         }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
         else if (type == TLSEXT_TYPE_session_ticket) {
             if (s->tls_session_ticket_ext_cb &&
                 !s->tls_session_ticket_ext_cb(s, data, size,
@@ -2239,7 +2233,7 @@
             else
                 s->tlsext_status_type = -1;
         }
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
         else if (type == TLSEXT_TYPE_heartbeat) {
             switch (data[0]) {
             case 0x01:         /* Client allows us to send HB requests */
@@ -2254,8 +2248,8 @@
                 return 0;
             }
         }
-# endif
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#endif
+#ifndef OPENSSL_NO_NEXTPROTONEG
         else if (type == TLSEXT_TYPE_next_proto_neg &&
                  s->s3->tmp.finish_md_len == 0 &&
                  s->s3->alpn_selected == NULL) {
@@ -2278,30 +2272,30 @@
              */
             s->s3->next_proto_neg_seen = 1;
         }
-# endif
+#endif
 
         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
                  s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
             if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
                 return 0;
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
             /* ALPN takes precedence over NPN. */
             s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
         }
 
         /* session ticket processed earlier */
-# ifndef OPENSSL_NO_SRTP
+#ifndef OPENSSL_NO_SRTP
         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
                  && type == TLSEXT_TYPE_use_srtp) {
             if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
                 return 0;
         }
-# endif
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
         else if (type == TLSEXT_TYPE_encrypt_then_mac)
             s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
+#endif
         else if (type == TLSEXT_TYPE_extended_master_secret) {
             if (!s->hit)
                 s->session->flags |= SSL_SESS_FLAG_EXTMS;
@@ -2355,7 +2349,7 @@
     return 1;
 }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  * elements of zero length are allowed and the set of elements must exactly
@@ -2374,7 +2368,7 @@
 
     return off == len;
 }
-# endif
+#endif
 
 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                                        unsigned char *d, int n, int *al)
@@ -2386,21 +2380,21 @@
     int tlsext_servername = 0;
     int renegotiate_seen = 0;
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
     s->s3->next_proto_neg_seen = 0;
-# endif
+#endif
     s->tlsext_ticket_expected = 0;
 
     OPENSSL_free(s->s3->alpn_selected);
     s->s3->alpn_selected = NULL;
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-# endif
+#endif
 
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#ifdef TLSEXT_TYPE_encrypt_then_mac
     s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
-# endif
+#endif
 
     if (data >= (d + n - 2))
         goto ri_check;
@@ -2433,7 +2427,7 @@
             }
             tlsext_servername = 1;
         }
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             unsigned char *sdata = data;
             int ecpointformatlist_length = *(sdata++);
@@ -2456,7 +2450,7 @@
                        ecpointformatlist_length);
             }
         }
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
         else if (type == TLSEXT_TYPE_session_ticket) {
             if (s->tls_session_ticket_ext_cb &&
@@ -2484,7 +2478,7 @@
             /* Set flag to expect CertificateStatus message */
             s->tlsext_status_expected = 1;
         }
-# ifndef OPENSSL_NO_NEXTPROTONEG
+#ifndef OPENSSL_NO_NEXTPROTONEG
         else if (type == TLSEXT_TYPE_next_proto_neg &&
                  s->s3->tmp.finish_md_len == 0) {
             unsigned char *selected;
@@ -2517,7 +2511,7 @@
             s->next_proto_negotiated_len = selected_len;
             s->s3->next_proto_neg_seen = 1;
         }
-# endif
+#endif
 
         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
             unsigned len;
@@ -2558,7 +2552,7 @@
             memcpy(s->s3->alpn_selected, data + 3, len);
             s->s3->alpn_selected_len = len;
         }
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
         else if (type == TLSEXT_TYPE_heartbeat) {
             switch (data[0]) {
             case 0x01:         /* Server allows us to send HB requests */
@@ -2573,21 +2567,21 @@
                 return 0;
             }
         }
-# endif
-# ifndef OPENSSL_NO_SRTP
+#endif
+#ifndef OPENSSL_NO_SRTP
         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
             if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
                 return 0;
         }
-# endif
-# ifdef TLSEXT_TYPE_encrypt_then_mac
+#endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
         else if (type == TLSEXT_TYPE_encrypt_then_mac) {
             /* Ignore if inappropriate ciphersuite */
             if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
                 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
                 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
         }
-# endif
+#endif
         else if (type == TLSEXT_TYPE_extended_master_secret) {
             if (!s->hit)
                 s->session->flags |= SSL_SESS_FLAG_EXTMS;
@@ -2661,7 +2655,7 @@
     int ret = SSL_TLSEXT_ERR_NOACK;
     int al = SSL_AD_UNRECOGNIZED_NAME;
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /*
      * The handling of the ECPointFormats extension is done elsewhere, namely
      * in ssl3_choose_cipher in s3_lib.c.
@@ -2670,7 +2664,7 @@
      * The handling of the EllipticCurves extension is done elsewhere, namely
      * in ssl3_choose_cipher in s3_lib.c.
      */
-# endif
+#endif
 
     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
         ret =
@@ -2818,7 +2812,7 @@
     int ret = SSL_TLSEXT_ERR_NOACK;
     int al = SSL_AD_UNRECOGNIZED_NAME;
 
-# ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
     /*
      * If we are client and using an elliptic curve cryptography cipher
      * suite, then if server returns an EC point formats lists extension it
@@ -2850,7 +2844,7 @@
         }
     }
     ret = SSL_TLSEXT_ERR_OK;
-# endif                         /* OPENSSL_NO_EC */
+#endif                         /* OPENSSL_NO_EC */
 
     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
         ret =
@@ -3227,11 +3221,11 @@
 } tls12_hash_info;
 
 static const tls12_hash_info tls12_md_info[] = {
-# ifdef OPENSSL_NO_MD5
+#ifdef OPENSSL_NO_MD5
     {NID_md5, 64, 0},
-# else
+#else
     {NID_md5, 64, EVP_md5},
-# endif
+#endif
     {NID_sha1, 80, EVP_sha1},
     {NID_sha224, 112, EVP_sha224},
     {NID_sha256, 128, EVP_sha256},
@@ -3262,18 +3256,18 @@
 static int tls12_get_pkey_idx(unsigned char sig_alg)
 {
     switch (sig_alg) {
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
     case TLSEXT_signature_rsa:
         return SSL_PKEY_RSA_SIGN;
-# endif
-# ifndef OPENSSL_NO_DSA
+#endif
+#ifndef OPENSSL_NO_DSA
     case TLSEXT_signature_dsa:
         return SSL_PKEY_DSA_SIGN;
-# endif
-# ifndef OPENSSL_NO_EC
+#endif
+#ifndef OPENSSL_NO_EC
     case TLSEXT_signature_ecdsa:
         return SSL_PKEY_ECC;
-# endif
+#endif
     }
     return -1;
 }
@@ -3336,24 +3330,24 @@
     sigalgslen = tls12_get_psigalgs(s, &sigalgs);
     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
         switch (sigalgs[1]) {
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
         case TLSEXT_signature_rsa:
             if (!have_rsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_rsa = 1;
             break;
-# endif
-# ifndef OPENSSL_NO_DSA
+#endif
+#ifndef OPENSSL_NO_DSA
         case TLSEXT_signature_dsa:
             if (!have_dsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_dsa = 1;
             break;
-# endif
-# ifndef OPENSSL_NO_EC
+#endif
+#ifndef OPENSSL_NO_EC
         case TLSEXT_signature_ecdsa:
             if (!have_ecdsa && tls12_sigalg_allowed(s, op, sigalgs))
                 have_ecdsa = 1;
             break;
-# endif
+#endif
         }
     }
     if (!have_rsa)
@@ -3487,7 +3481,7 @@
     if (!tls1_set_shared_sigalgs(s))
         return 0;
 
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
         /*
          * Use first set signature preference to force message digest,
@@ -3509,7 +3503,7 @@
             }
         }
     }
-# endif
+#endif
 
     for (i = 0, sigptr = c->shared_sigalgs;
          i < c->shared_sigalgslen; i++, sigptr++) {
@@ -3534,20 +3528,20 @@
          * Set any remaining keys to default values. NOTE: if alg is not
          * supported it stays as NULL.
          */
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (pmd[SSL_PKEY_DSA_SIGN] == NULL)
             pmd[SSL_PKEY_DSA_SIGN] = EVP_sha1();
-# endif
-# ifndef OPENSSL_NO_RSA
+#endif
+#ifndef OPENSSL_NO_RSA
         if (pmd[SSL_PKEY_RSA_SIGN] == NULL) {
             pmd[SSL_PKEY_RSA_SIGN] = EVP_sha1();
             pmd[SSL_PKEY_RSA_ENC] = EVP_sha1();
         }
-# endif
-# ifndef OPENSSL_NO_EC
+#endif
+#ifndef OPENSSL_NO_EC
         if (pmd[SSL_PKEY_ECC] == NULL)
             pmd[SSL_PKEY_ECC] = EVP_sha1();
-# endif
+#endif
     }
     return 1;
 }
@@ -3594,7 +3588,7 @@
     return s->cert->shared_sigalgslen;
 }
 
-# ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
 int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
 {
     unsigned char *pl;
@@ -3752,9 +3746,9 @@
     OPENSSL_free(buf);
     return ret;
 }
-# endif
+#endif
 
-# define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
+#define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
 
 typedef struct {
     size_t sigalgcnt;
@@ -3897,10 +3891,10 @@
 
 /* Flags which need to be set for a certificate when stict mode not set */
 
-# define CERT_PKEY_VALID_FLAGS \
+#define CERT_PKEY_VALID_FLAGS \
         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
 /* Strict mode flags */
-# define CERT_PKEY_STRICT_FLAGS \
+#define CERT_PKEY_STRICT_FLAGS \
          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
 
@@ -3930,7 +3924,7 @@
         /* If no cert or key, forget it */
         if (!x || !pk)
             goto end;
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
         /* Allow any certificate to pass test */
         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
             rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
@@ -3938,7 +3932,7 @@
             *pvalid = rv;
             return rv;
         }
-# endif
+#endif
     } else {
         if (!x || !pk)
             return 0;
@@ -4174,7 +4168,6 @@
     return tls1_check_chain(s, x, pk, chain, -1);
 }
 
-#endif
 
 #ifndef OPENSSL_NO_DH
 DH *ssl_get_auto_dh(SSL *s)
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 00a3efe..5161c17 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -289,7 +289,6 @@
 $cflags.=" -DOPENSSL_NO_WHIRLPOOL"   if $no_whirlpool;
 $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
-$cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_SRP" if $no_srp;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
@@ -1391,7 +1390,6 @@
 		"gaswin" => \$gaswin,
 		"no-ssl3" => \$no_ssl3,
 		"no-ssl3-method" => 0,
-		"no-tlsext" => \$no_tlsext,
 		"no-srp" => \$no_srp,
 		"no-cms" => \$no_cms,
 		"no-jpake" => \$no_jpake,
diff --git a/util/mkdef.pl b/util/mkdef.pl
index e2b1fb6..b21d03b 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -81,7 +81,7 @@
 			 # Engines
 			 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
 			 # TLS
-			 "TLSEXT", "PSK", "SRP", "HEARTBEATS",
+			 "PSK", "SRP", "HEARTBEATS",
 			 # CMS
 			 "CMS",
 			 # CryptoAPI Engine
@@ -124,7 +124,7 @@
 my $no_rsa; my $no_dsa; my $no_dh; my $no_aes;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
-my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
+my $no_psk; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method; my $no_ocb;
@@ -213,7 +213,6 @@
 	elsif (/^no-engine$/)	{ $no_engine=1; }
 	elsif (/^no-hw$/)	{ $no_hw=1; }
 	elsif (/^no-gmp$/)	{ $no_gmp=1; }
-	elsif (/^no-tlsext$/)	{ $no_tlsext=1; }
 	elsif (/^no-cms$/)	{ $no_cms=1; }
 	elsif (/^no-ec2m$/)	{ $no_ec2m=1; }
  	elsif (/^no-ec-nistp224-64-gcc-128$/)	{ $no_nistp_gcc=1; }
@@ -1198,7 +1197,6 @@
 			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
 			if ($keyword eq "GMP" && $no_gmp) { return 0; }
-			if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
 			if ($keyword eq "PSK" && $no_psk) { return 0; }
 			if ($keyword eq "CMS" && $no_cms) { return 0; }
 			if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
diff --git a/util/ssleay.num b/util/ssleay.num
index d595fe0..1b4755c 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -240,8 +240,8 @@
 SSL_CTX_get_client_cert_cb              288	EXIST::FUNCTION:
 SSL_CTX_sess_get_remove_cb              289	EXIST::FUNCTION:
 SSL_set_SSL_CTX                         290	EXIST::FUNCTION:
-SSL_get_servername                      291	EXIST::FUNCTION:TLSEXT
-SSL_get_servername_type                 292	EXIST::FUNCTION:TLSEXT
+SSL_get_servername                      291	EXIST::FUNCTION:
+SSL_get_servername_type                 292	EXIST::FUNCTION:
 SSL_CTX_set_client_cert_engine          293	EXIST::FUNCTION:ENGINE
 SSL_CTX_use_psk_identity_hint           294	EXIST::FUNCTION:PSK
 SSL_CTX_set_psk_client_callback         295	EXIST::FUNCTION:PSK
@@ -309,21 +309,21 @@
 TLSv1_2_method                          350	EXIST::FUNCTION:
 SSL_SESSION_get_id_len                  351	NOEXIST::FUNCTION:
 kssl_ctx_get0_client_princ              352	NOEXIST::FUNCTION:
-SSL_export_keying_material              353	EXIST::FUNCTION:TLSEXT
+SSL_export_keying_material              353	EXIST::FUNCTION:
 SSL_set_tlsext_use_srtp                 354	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_protos_advertised_cb   355	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_protos_adv_cb          355	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_get0_next_proto_negotiated          356	EXIST::FUNCTION:NEXTPROTONEG
 SSL_get_selected_srtp_profile           357	EXIST::FUNCTION:SRTP
 SSL_CTX_set_tlsext_use_srtp             358	EXIST::FUNCTION:SRTP
-SSL_select_next_proto                   359	EXIST::FUNCTION:TLSEXT
+SSL_select_next_proto                   359	EXIST::FUNCTION:
 SSL_get_srtp_profiles                   360	EXIST::FUNCTION:SRTP
 SSL_CTX_set_next_proto_select_cb        361	EXIST:!VMS:FUNCTION:NEXTPROTONEG
 SSL_CTX_set_next_proto_sel_cb           361	EXIST:VMS:FUNCTION:NEXTPROTONEG
 SSL_SESSION_get_compress_id             362	EXIST::FUNCTION:
 SSL_get0_param                          363	EXIST::FUNCTION:
 SSL_CTX_get0_privatekey                 364	EXIST::FUNCTION:
-SSL_get_shared_sigalgs                  365	EXIST::FUNCTION:TLSEXT
+SSL_get_shared_sigalgs                  365	EXIST::FUNCTION:
 SSL_CONF_CTX_finish                     366	EXIST::FUNCTION:
 DTLS_method                             367	EXIST::FUNCTION:
 DTLS_client_method                      368	EXIST::FUNCTION:
@@ -336,40 +336,40 @@
 SSL_COMP_set0_compression_methods       374	EXIST:!VMS:FUNCTION:
 SSL_COMP_set0_compr_methods             374	EXIST:VMS:FUNCTION:
 SSL_CTX_set_cert_cb                     375	EXIST::FUNCTION:
-SSL_CTX_add_client_custom_ext           376	EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_client_custom_ext           376	EXIST::FUNCTION:
 SSL_is_server                           377	EXIST::FUNCTION:
 SSL_CTX_get0_param                      378	EXIST::FUNCTION:
 SSL_CONF_cmd                            379	EXIST::FUNCTION:
 SSL_CTX_get_ssl_method                  380	EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl_ctx                381	EXIST::FUNCTION:
 SSL_CIPHER_find                         382	EXIST::FUNCTION:
-SSL_CTX_use_serverinfo                  383	EXIST::FUNCTION:TLSEXT
+SSL_CTX_use_serverinfo                  383	EXIST::FUNCTION:
 DTLSv1_2_client_method                  384	EXIST::FUNCTION:
 SSL_get0_alpn_selected                  385	EXIST::FUNCTION:
 SSL_CONF_CTX_clear_flags                386	EXIST::FUNCTION:
 SSL_CTX_set_alpn_protos                 387	EXIST::FUNCTION:
-SSL_CTX_add_server_custom_ext           389	EXIST::FUNCTION:TLSEXT
+SSL_CTX_add_server_custom_ext           389	EXIST::FUNCTION:
 SSL_CTX_get0_certificate                390	EXIST::FUNCTION:
 SSL_CTX_set_alpn_select_cb              391	EXIST::FUNCTION:
 SSL_CONF_cmd_value_type                 392	EXIST::FUNCTION:
 SSL_set_cert_cb                         393	EXIST::FUNCTION:
-SSL_get_sigalgs                         394	EXIST::FUNCTION:TLSEXT
+SSL_get_sigalgs                         394	EXIST::FUNCTION:
 SSL_CONF_CTX_set1_prefix                395	EXIST::FUNCTION:
 SSL_CONF_CTX_new                        396	EXIST::FUNCTION:
 SSL_CONF_CTX_set_flags                  397	EXIST::FUNCTION:
 SSL_CONF_CTX_set_ssl                    398	EXIST::FUNCTION:
-SSL_check_chain                         399	EXIST::FUNCTION:TLSEXT
+SSL_check_chain                         399	EXIST::FUNCTION:
 SSL_certs_clear                         400	EXIST::FUNCTION:
 SSL_CONF_CTX_free                       401	EXIST::FUNCTION:
 SSL_trace                               402	EXIST::FUNCTION:SSL_TRACE
 SSL_CTX_set_cli_supp_data               403	NOEXIST::FUNCTION:
 DTLSv1_2_method                         404	EXIST::FUNCTION:
 DTLS_server_method                      405	EXIST::FUNCTION:
-SSL_CTX_use_serverinfo_file             406	EXIST::FUNCTION:STDIO,TLSEXT
+SSL_CTX_use_serverinfo_file             406	EXIST::FUNCTION:STDIO
 SSL_COMP_free_compress_methods          407	NOEXIST::FUNCTION:
 SSL_COMP_free_compression_methods       407	EXIST:!VMS:FUNCTION:
 SSL_COMP_free_compr_methods             407	EXIST:VMS:FUNCTION:
-SSL_extension_supported                 409	EXIST::FUNCTION:TLSEXT
+SSL_extension_supported                 409	EXIST::FUNCTION:
 SSL_CTX_get_security_callback           410	EXIST::FUNCTION:
 SSL_SESSION_print_keylog                411	EXIST::FUNCTION:
 SSL_CTX_set_not_resumable_session_callback 412	EXIST:!VMS:FUNCTION: