diff --git a/doc/release-notes/release-8.sgml.in b/doc/release-notes/release-8.sgml.in
index 8ddb88821e7..35eea07b759 100644
--- a/doc/release-notes/release-8.sgml.in
+++ b/doc/release-notes/release-8.sgml.in
@@ -30,7 +30,7 @@ The Squid-@SQUID_RELEASE@ change history can be <url url="https://github.com/squ
 
 <p>The most important of these new features are:
 <itemize>
-	<item>
+	<item>SSLv3 support removal
 </itemize>
 
 <sect1>Helper changes
@@ -67,6 +67,13 @@ lookups. Requests for that report now result in HTTP 404 errors.
 
 Most user-facing changes are reflected in squid.conf (see below).
 
+<sect1>SSLv3 support removal
+<p>Details in <url url="https://tools.ietf.org/html/rfc7568" name="RFC 7568">.
+
+<p>SSLv3 is not fit for purpose. Squid no longer supports being configured with
+   any settings regarding this protocol. That includes settings manually disabling
+   its use since it is now forced to disable by default. Also settings enabling
+   various client/server workarounds specific to SSLv3 are removed.
 
 <sect>Changes to squid.conf since Squid-@SQUID_RELEASE_OLD@
 <p>
@@ -106,6 +113,11 @@ This section gives an account of those changes in three categories:
 	<em>src_as</em> and <em>dst_as</em> ACLs, Squid no longer initiates ASN
 	lookups.
 
+	<tag>cache_peer</tag>
+	<p>Removed <em>sslversion=</em> option.
+	<p>Removed <em>tls-options=</em> support for <em>SSLREF2_REUSE_CERT_TYPE_BUG</em>,
+	    <em>MICROSOFT_BIG_SSLV3_BUFFER</em> and <em>NO_SSLv3</em>.
+
 	<tag>client_ip_max_connections</tag>
 
 	<p>Fixed off-by-one enforcement. Squid now allows at most <em>N</em>
@@ -121,6 +133,21 @@ This section gives an account of those changes in three categories:
 	HTCP CLR requests allowed by this directive are forwarded to those
 	cache_peers.
 
+	<tag>http_port</tag>
+	<p>Removed <em>sslversion=</em> option.
+	<p>Removed <em>tls-options=</em> support for <em>SSLREF2_REUSE_CERT_TYPE_BUG</em>,
+	    <em>MICROSOFT_BIG_SSLV3_BUFFER</em> and <em>NO_SSLv3</em>.
+
+	<tag>https_port</tag>
+	<p>Removed <em>sslversion=</em> option.
+	<p>Removed <em>tls-options=</em> support for <em>SSLREF2_REUSE_CERT_TYPE_BUG</em>,
+	    <em>MICROSOFT_BIG_SSLV3_BUFFER</em> and <em>NO_SSLv3</em>.
+
+	<tag>tls_outgoing_options</tag>
+	<p>Removed <em>version=</em> option.
+	<p>Removed <em>options=</em> support for <em>SSLREF2_REUSE_CERT_TYPE_BUG</em>,
+	    <em>MICROSOFT_BIG_SSLV3_BUFFER</em> and <em>NO_SSLv3</em>.
+
 </descrip>
 
 <sect1>Removed directives<label id="removeddirectives">
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 898fc9af48d..97dda1f7f3b 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2429,8 +2429,6 @@ DOC_START
 	   options=	Various SSL implementation options. The most important
 			being:
 
-			    NO_SSLv3    Disallow the use of SSLv3
-
 			    NO_TLSv1    Disallow the use of TLSv1.0
 
 			    NO_TLSv1_1  Disallow the use of TLSv1.1
@@ -3055,15 +3053,12 @@ DOC_START
 
 	min-version=1.N
 			The minimum TLS protocol version to permit.
-			To control SSLv3 use the options= parameter.
 			Supported Values: 1.0 (default), 1.1, 1.2, 1.3
 
 	options=...	Specify various TLS/SSL implementation options.
 
 			OpenSSL options most important are:
 
-			    NO_SSLv3    Disallow the use of SSLv3
-
 			    SINGLE_DH_USE
 				      Always create a new key when using
 				      temporary/ephemeral DH key exchanges
@@ -3866,16 +3861,13 @@ DOC_START
 			to this peer.
 
 	tls-min-version=1.N
-			The minimum TLS protocol version to permit. To control
-			SSLv3 use the tls-options= parameter.
+			The minimum TLS protocol version to permit.
 			Supported Values: 1.0 (default), 1.1, 1.2
 
 	tls-options=...	Specify various TLS implementation options.
 
 			OpenSSL options most important are:
 
-			    NO_SSLv3    Disallow the use of SSLv3
-
 			    SINGLE_DH_USE
 				      Always create a new key when using
 				      temporary/ephemeral DH key exchanges
@@ -9623,14 +9615,11 @@ DOC_START
 			to this icap server.
 
 	tls-min-version=1.N
-			The minimum TLS protocol version to permit. To control
-			SSLv3 use the tls-options= parameter.
+			The minimum TLS protocol version to permit.
 			Supported Values: 1.0 (default), 1.1, 1.2
 
 	tls-options=...	Specify various OpenSSL library options:
 
-			    NO_SSLv3    Disallow the use of SSLv3
-
 			    SINGLE_DH_USE
 				      Always create a new key when using
 				      temporary/ephemeral DH key exchanges
@@ -9641,8 +9630,8 @@ DOC_START
 				      strength to some attacks.
 
 			See the OpenSSL SSL_CTX_set_options documentation for a
-			more complete list. Options relevant only to SSLv2 are
-			not supported.
+			more complete list. Options relevant only to SSLv2 or SSLv3
+			are not supported.
 
 	tls-cafile=	PEM file containing CA certificates to use when verifying
 			the icap server certificate.
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index f81a38d123b..04928e2c6d3 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -59,9 +59,6 @@ Security::PeerOptions::parse(const char *token)
         }
         KeyData &t = certs.back();
         t.privateKeyFile = SBuf(token + 4);
-    } else if (strncmp(token, "version=", 8) == 0) {
-        debugs(0, DBG_PARSE_NOTE(1), "WARNING: UPGRADE: SSL version= is deprecated. Use options= and tls-min-version= to limit protocols instead.");
-        sslVersion = xatoi(token + 8);
     } else if (strncmp(token, "min-version=", 12) == 0) {
         tlsMinVersion = SBuf(token + 12);
         optsReparse = true;
@@ -192,54 +189,6 @@ Security::PeerOptions::updateTlsVersionLimits()
 
         return;
     }
-
-    if (sslVersion > 2) {
-        // backward compatibility hack for sslversion= configuration
-        // only use if tls-min-version=N.N is not present
-        // values 0-2 for auto and SSLv2 are not supported any longer.
-        // Do it this way so we DO cause changes to options= in cachemgr config report
-        const char *add = nullptr;
-        switch (sslVersion) {
-        case 3:
-#if USE_OPENSSL
-            add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif HAVE_LIBGNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
-#endif
-            break;
-        case 4:
-#if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif HAVE_LIBGNUTLS
-            add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
-#endif
-            break;
-        case 5:
-#if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
-#elif HAVE_LIBGNUTLS
-            add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
-#endif
-            break;
-        case 6:
-#if USE_OPENSSL
-            add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
-#elif HAVE_LIBGNUTLS
-            add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
-#endif
-            break;
-        default: // nothing
-            break;
-        }
-        if (add) {
-            if (sslOptions.isEmpty())
-                sslOptions.append(add+1, strlen(add+1));
-            else
-                sslOptions.append(add, strlen(add));
-            optsReparse = true;
-        }
-        sslVersion = 0; // prevent sslOptions being repeatedly appended
-    }
 }
 
 Security::ContextPointer
@@ -307,16 +256,6 @@ static struct ssl_option {
         "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     },
 #endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-    {
-        "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
-    },
-#endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-    {
-        "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-    },
-#endif
 #if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
     {
         "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
@@ -382,11 +321,6 @@ static struct ssl_option {
         "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     },
 #endif
-#if defined(SSL_OP_NO_SSLv3)
-    {
-        "NO_SSLv3", SSL_OP_NO_SSLv3
-    },
-#endif
 #if defined(SSL_OP_NO_TLSv1)
     {
         "NO_TLSv1", SSL_OP_NO_TLSv1
@@ -524,6 +458,11 @@ Security::PeerOptions::parseOptions()
     // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
     if (SSL_OP_NO_SSLv2)
         op |= SSL_OP_NO_SSLv2;
+#endif
+#if defined(SSL_OP_NO_SSLv3)
+    // compliance with RFC 7568: Prohibiting Secure Sockets Layer (SSL) Version 3.0
+    if (SSL_OP_NO_SSLv3)
+        op |= SSL_OP_NO_SSLv3;
 #endif
     parsedOptions = op;
 
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index ef114808af4..17345e800fe 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -127,8 +127,6 @@ class PeerOptions
 #endif
     }
 
-    int sslVersion = 0;
-
     /// flags governing Squid internal TLS operations
     struct flags_ {
         flags_() : tlsDefaultCa(true), tlsNpn(true) {}