--- Lib/ssl.py.orig	2014-10-12 08:52:02.000000000 +0200
+++ Lib/ssl.py	2015-12-23 11:29:24.243085919 +0100
@@ -63,7 +63,16 @@ from _ssl import OPENSSL_VERSION_NUMBER,
 from _ssl import _SSLContext, SSLError
 from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
 from _ssl import OP_ALL, OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1
-from _ssl import RAND_status, RAND_egd, RAND_add
+### Fix build with LibreSSL (does not have RAND_egd)
+### PR195513, http://bugs.python.org/issue21356
+from _ssl import RAND_status, RAND_add
+try:
+    from _ssl import RAND_egd
+except ImportError:
+    # LibreSSL does not provide RAND_egd
+    pass
+### End PR195513
+
 from _ssl import (
     SSL_ERROR_ZERO_RETURN,
     SSL_ERROR_WANT_READ,
@@ -76,13 +85,12 @@ from _ssl import (
     SSL_ERROR_INVALID_ERROR_CODE,
     )
 from _ssl import HAS_SNI
-from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
+from _ssl import PROTOCOL_SSLv23, PROTOCOL_TLSv1
 from _ssl import _OPENSSL_API_VERSION
 
 _PROTOCOL_NAMES = {
     PROTOCOL_TLSv1: "TLSv1",
     PROTOCOL_SSLv23: "SSLv23",
-    PROTOCOL_SSLv3: "SSLv3",
 }
 try:
     from _ssl import PROTOCOL_SSLv2
@@ -91,6 +99,13 @@ except ImportError:
     _SSLv2_IF_EXISTS = None
 else:
     _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
+try:
+    from _ssl import PROTOCOL_SSLv3
+    _SSLv3_IF_EXISTS = PROTOCOL_SSLv3
+except ImportError:
+    _SSLv3_IF_EXISTS = None
+else:
+    _PROTOCOL_NAMES[PROTOCOL_SSLv3] = "SSLv3"
 
 from socket import getnameinfo as _getnameinfo
 from socket import error as socket_error
@@ -557,7 +572,7 @@ def PEM_cert_to_DER_cert(pem_cert_string
     d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
     return base64.decodebytes(d.encode('ASCII', 'strict'))
 
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
     """Retrieve the certificate from the server at the specified address,
     and return it as a PEM-encoded string.
     If 'ca_certs' is specified, validate the server cert against it.
--- Lib/test/test_ssl.py.orig	2014-10-12 08:52:03.000000000 +0200
+++ Lib/test/test_ssl.py	2015-12-23 11:29:24.245086385 +0100
@@ -21,11 +21,12 @@ import functools
 ssl = support.import_module("ssl")
 
 PROTOCOLS = [
-    ssl.PROTOCOL_SSLv3,
     ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1
 ]
 if hasattr(ssl, 'PROTOCOL_SSLv2'):
     PROTOCOLS.append(ssl.PROTOCOL_SSLv2)
+if hasattr(ssl, 'PROTOCOL_SSLv3'):
+    PROTOCOLS.append(ssl.PROTOCOL_SSLv3)
 
 HOST = support.HOST
 
@@ -104,8 +105,12 @@ class BasicSocketTests(unittest.TestCase
             sys.stdout.write("\n RAND_status is %d (%s)\n"
                              % (v, (v and "sufficient randomness") or
                                 "insufficient randomness"))
-        self.assertRaises(TypeError, ssl.RAND_egd, 1)
-        self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
+### Fix build with LibreSSL (does not have RAND_egd)
+### PR195513, http://bugs.python.org/issue21356        
+        if hasattr(ssl, 'RAND_egd'):
+            self.assertRaises(TypeError, ssl.RAND_egd, 1)
+            self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
+### End PR195513
         ssl.RAND_add("this is a random string", 75.0)
 
     def test_parse_cert(self):
@@ -380,7 +385,8 @@ class ContextTests(unittest.TestCase):
         if hasattr(ssl, 'PROTOCOL_SSLv2'):
             ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
+        if hasattr(ssl, 'PROTOCOL_SSLv3'):
+            ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
         self.assertRaises(TypeError, ssl.SSLContext)
         self.assertRaises(ValueError, ssl.SSLContext, -1)
@@ -1372,6 +1378,7 @@ else:
 
 
         @skip_if_broken_ubuntu_ssl
+        @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv3'), "need SSLv3")
         def test_protocol_sslv3(self):
             """Connecting to an SSLv3 server with various client options"""
             if support.verbose:
--- Modules/_ssl.c.orig	2014-10-12 08:52:03.000000000 +0200
+++ Modules/_ssl.c	2015-12-23 11:29:24.242085898 +0100
@@ -66,7 +66,9 @@ enum py_ssl_version {
 #ifndef OPENSSL_NO_SSL2
     PY_SSL_VERSION_SSL2,
 #endif
-    PY_SSL_VERSION_SSL3=1,
+#ifndef OPENSSL_NO_SSL3
+    PY_SSL_VERSION_SSL3,
+#endif
     PY_SSL_VERSION_SSL23,
     PY_SSL_VERSION_TLS1
 };
@@ -1512,8 +1514,10 @@ context_new(PyTypeObject *type, PyObject
     PySSL_BEGIN_ALLOW_THREADS
     if (proto_version == PY_SSL_VERSION_TLS1)
         ctx = SSL_CTX_new(TLSv1_method());
+#ifndef OPENSSL_NO_SSL3
     else if (proto_version == PY_SSL_VERSION_SSL3)
         ctx = SSL_CTX_new(SSLv3_method());
+#endif
 #ifndef OPENSSL_NO_SSL2
     else if (proto_version == PY_SSL_VERSION_SSL2)
         ctx = SSL_CTX_new(SSLv2_method());
@@ -1965,6 +1969,9 @@ Returns 1 if the OpenSSL PRNG has been s
 It is necessary to seed the PRNG with RAND_add() on some platforms before\n\
 using the ssl() function.");
 
+/* ### Fix build with LibreSSL (does not have RAND_egd)
+   ### PR195513, http://bugs.python.org/issue21356 */
+#ifndef OPENSSL_NO_EGD
 static PyObject *
 PySSL_RAND_egd(PyObject *self, PyObject *args)
 {
@@ -1992,6 +1999,8 @@ PyDoc_STRVAR(PySSL_RAND_egd_doc,
 Queries the entropy gather daemon (EGD) on the socket named by 'path'.\n\
 Returns number of bytes read.  Raises SSLError if connection to EGD\n\
 fails or if it does provide enough data to seed PRNG.");
+#endif /* OPENSSL_NO_EGD */
+/* ### End PR195513  */
 
 #endif
 
@@ -2005,8 +2014,12 @@ static PyMethodDef PySSL_methods[] = {
 #ifdef HAVE_OPENSSL_RAND
     {"RAND_add",            PySSL_RAND_add, METH_VARARGS,
      PySSL_RAND_add_doc},
+/* ### Fix build with LibreSSL (does not have RAND_egd)
+   ### PR195513, http://bugs.python.org/issue21356 */
+#ifndef OPENSSL_NO_EGD
     {"RAND_egd",            PySSL_RAND_egd, METH_VARARGS,
      PySSL_RAND_egd_doc},
+#endif /* OPENSSL_NO_EGD */
     {"RAND_status",         (PyCFunction)PySSL_RAND_status, METH_NOARGS,
      PySSL_RAND_status_doc},
 #endif
@@ -2199,8 +2212,10 @@ PyInit__ssl(void)
     PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
                             PY_SSL_VERSION_SSL2);
 #endif
+#ifndef OPENSSL_NO_SSL3
     PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
                             PY_SSL_VERSION_SSL3);
+#endif
     PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
                             PY_SSL_VERSION_SSL23);
     PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
