diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
index a65c4c04d9..751c742c4f 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
@@ -1 +1 @@
-DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb
+DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2
old mode 100644
new mode 100755
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
index f457065482..34ef3688dc 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml
@@ -1,13 +1,16 @@ -base-system + + base-system@gentoo.org + Gentoo Base System + - Support assembly hand optimized crypto functions (i.e. faster run time) - Disable EC algorithms (as they seem to be patented) -- note: changes the ABI - Support for Stream Control Transmission Protocol - Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) - Enable the Heartbeat Extension in TLS and DTLS + Support assembly hand optimized crypto functions (i.e. faster run time) + Disable EC algorithms (as they seem to be patented) -- note: changes the ABI + Support for Stream Control Transmission Protocol + Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) + Enable the Heartbeat Extension in TLS and DTLS cpe:/a:openssl:openssl diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2g.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2h.ebuild similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2g.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2h.ebuild index 3d8fdffad6..9fdf3202ba 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2g.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2h.ebuild 
@@ -12,23 +12,17 @@ HOMEPAGE="http://www.openssl.org/" SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" LICENSE="openssl" +# subslot set to 1.0.2g version as this is the first release without SSLv2 +# support and thus breaks nearly every openssl consumer (see bug #575548) SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" -IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib" +KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib" +RESTRICT="!bindist? ( bindist )" -# The blocks are temporary just to make sure people upgrade to a -# version that lack runtime version checking. We'll drop them in -# the future. RDEPEND=">=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) - kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] ) - abi_x86_32? ( - !<=app-emulation/emul-linux-x86-baselibs-20140508 - !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] - ) - !=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND} >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) 
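Review bot: The two comment lines added above `SLOT="0"` describe a subslot pinned to 1.0.2g, but the SLOT line itself is unchanged context and declares no subslot. As written, the package manager is given no subslot to compare, so the SSLv2 removal the comment cites (bug #575548) would not be signalled to reverse dependencies that use a slot operator. Either declare it, `SLOT="0/1.0.2g"`, or, if this overlay keeps a bare slot on purpose, reword the comment so it does not describe a value the file lacks, e.g. `# no subslot in this overlay; the SSLv2 removal in 1.0.2g (bug #575548) needs consumers rebuilt by hand`.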
@@ -114,6 +108,13 @@ multilib_src_configure() { tc-export CC AR RANLIB RC + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: Expired http://en.wikipedia.org/wiki/RC5 + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } echoit() { echo "$@" ; "$@" ; } @@ -123,9 +124,11 @@ multilib_src_configure() { # friendly and can use the nicely optimized code paths. #460790 local ec_nistp_64_gcc_128 # Disable it for now though #469976 - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #if ! use bindist ; then + # echo "__uint128_t i;" > "${T}"/128.c + # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + # fi #fi local sslout=$(./gentoo.config) @@ -133,13 +136,12 @@ multilib_src_configure() { local config="Configure" [[ -z ${sslout} ]] && config="config" - # we enable sslv2 here so that rebuilding openssl doesn't break other - # programs that linked to it. echoit \ ./${config} \ ${sslout} \ $(use cpu_flags_x86_sse2 || echo "no-sse2") \ enable-camellia \ + $(use_ssl !bindist ec) \ ${ec_nistp_64_gcc_128} \ enable-idea \ enable-mdc2 \ 
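Review bot: The new configure argument `$(use_ssl !bindist ec)` in the third hunk makes elliptic-curve support depend on a USE flag without saying so at the call site: with USE=bindist the `use_ssl` helper emits `no-ec`, so the library is built without ECDH and ECDSA. The flag description in metadata.xml also says this changes the ABI, and the `RESTRICT="!bindist? ( bindist )"` added earlier suggests the redistributable build is the one without EC. A comment above `echoit \` would record that, for example `# USE=bindist => no-ec: no ECDHE/ECDSA for TLS peers, and a different ABI than a non-bindist build`. The comment table added in the first hunk also leaves the EC row as `????????? ??/??/2015`; it should carry a real status or be dropped. multilib_src_configure starts and ends outside these hunks.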
@@ -241,3 +243,17 @@ multilib_src_install_all() {
 diropts -m0700
 keepdir ${SSL_CNF_DIR}/private
 }
+
+pkg_preinst() {
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
+
+pkg_postinst() {
+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+ eend $?
+
+ has_version ${CATEGORY}/${PN}:0.9.8 && return 0
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
+}
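Review bot: The added `pkg_preinst` and `pkg_postinst` keep `lib{crypto,ssl}.so.0.9.8` on disk through `preserve_old_lib`, and nothing in the hunk explains why or for how long. Preserved copies are frozen at the old release and get none of the fixes shipped in this version, and any binary still linked against them keeps loading them until it is rebuilt. Whether an image built from this overlay ever carried the 0.9.8 sonames is not visible here; if not, both calls can be dropped. Otherwise document the intent above the call in `pkg_preinst`, e.g. `# keep .so.0.9.8 only until consumers are rebuilt; preserved copies receive no security fixes`.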