diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile
index 652ad4238f9..7e423b0b437 100644
--- a/lib/libssl/Makefile
+++ b/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.85 2024/08/11 13:04:46 jsing Exp $
+# $OpenBSD: Makefile,v 1.86 2026/04/03 07:26:20 jsing Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -57,7 +57,6 @@ SRCS= \
 	ssl_kex.c \
 	ssl_lib.c \
 	ssl_methods.c \
-	ssl_packet.c \
 	ssl_pkt.c \
 	ssl_rsa.c \
 	ssl_seclevel.c \
diff --git a/lib/libssl/ssl_packet.c b/lib/libssl/ssl_packet.c
deleted file mode 100644
index 32d6cceb7a5..00000000000
--- a/lib/libssl/ssl_packet.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "bytestring.h"
-#include "ssl_local.h"
-
-static int
-ssl_is_sslv3_handshake(CBS *header)
-{
-	uint16_t record_version;
-	uint8_t record_type;
-	CBS cbs;
-
-	CBS_dup(header, &cbs);
-
-	if (!CBS_get_u8(&cbs, &record_type) ||
-	    !CBS_get_u16(&cbs, &record_version))
-		return 0;
-
-	if (record_type != SSL3_RT_HANDSHAKE)
-		return 0;
-	if ((record_version >> 8) != SSL3_VERSION_MAJOR)
-		return 0;
-
-	return 1;
-}
-
-/*
- * Potentially do legacy processing on the first packet received by a TLS
- * server. We return 1 if we want SSLv3/TLS record processing to continue
- * normally, otherwise we must set an SSLerr and return -1.
- */
-int
-ssl_server_legacy_first_packet(SSL *s)
-{
-	const char *data;
-	CBS header;
-
-	if (SSL_is_dtls(s))
-		return 1;
-
-	CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
-
-	if (ssl_is_sslv3_handshake(&header) == 1)
-		return 1;
-
-	/* Only continue if this is not a version locked method. */
-	if (s->method->min_tls_version == s->method->max_tls_version)
-		return 1;
-
-	/* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
-	if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
-		SSLerror(s, ERR_R_INTERNAL_ERROR);
-		return -1;
-	}
-	data = (const char *)CBS_data(&header);
-
-	/* Is this a cleartext protocol? */
-	if (strncmp("GET ", data, 4) == 0 ||
-	    strncmp("POST ", data, 5) == 0 ||
-	    strncmp("HEAD ", data, 5) == 0 ||
-	    strncmp("PUT ", data, 4) == 0) {
-		SSLerror(s, SSL_R_HTTP_REQUEST);
-		return -1;
-	}
-	if (strncmp("CONNE", data, 5) == 0) {
-		SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST);
-		return -1;
-	}
-
-	SSLerror(s, SSL_R_UNKNOWN_PROTOCOL);
-
-	return -1;
-}
diff --git a/lib/libssl/ssl_pkt.c b/lib/libssl/ssl_pkt.c
index d2921228c12..683dc94a378 100644
--- a/lib/libssl/ssl_pkt.c
+++ b/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.70 2026/04/03 07:17:36 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.71 2026/04/03 07:26:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -352,12 +352,6 @@ ssl3_get_record(SSL *s)
 
 		s->rstate = SSL_ST_READ_BODY;
 
-		if (s->server && s->first_packet) {
-			if ((ret = ssl_server_legacy_first_packet(s)) != 1)
-				return (ret);
-			ret = -1;
-		}
-
 		CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
 
 		/* Pull apart the header into the SSL3_RECORD_INTERNAL */