upstream/oracle/userland-gate: comparison components/openssl/openssl-1.0.1-fips-140/patches/42_rm

equal deleted inserted replaced

-:4e17dd2a1b16
+:0c86123e6de4
 -Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
 +Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
 flagged with SSLv3. No new ciphers were added by TLSv1.1.
 =item Kx=<key exchange>
---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Jan 20 04:33:36 2015
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Mar  1 14:02:53 2016
-+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue May 26 11:37:24 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue Mar  1 14:35:59 2016
-@@ -25,10 +25,7 @@
+@@ -62,12 +62,12 @@
+These are the general-purpose I<version-flexible> SSL/TLS methods.
-=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
+The actual protocol version used will be negotiated to the highest version
+mutually supported by the client and the server.
--A TLS/SSL connection established with these methods will only understand
+-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
--the SSLv2 protocol. A client will send out SSLv2 client hello messages
++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
--and will also indicate that it only understand SSLv2. A server will only
+Most applications should use these method, and avoid the version specific
--understand SSLv2 client hello messages.
+methods described below.
-+These functions are deprecated.
+The list of protocols available can be further limited using the
-=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
+-B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
++B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
-@@ -51,33 +48,25 @@ SSLv3 client hello messages.
+B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the
+L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions.
-=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+Clients should avoid creating "holes" in the set of protocols they support,
+@@ -81,8 +81,6 @@
--A TLS/SSL connection established with these methods may understand the SSLv2,
+Applications should typically use L<SSL_CTX_set_options(3)> in combination with
-+A TLS/SSL connection established with these methods may understand the
+the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above
-SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+I<version-flexible> SSL/TLS methods.
+-The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared
--If the cipher list does not contain any SSLv2 ciphersuites (the default
+-via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2.
--cipher list does not) or extensions are required (for example server name)
-+If extensions are required (for example server name)
+=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
-a client will send out TLSv1 client hello messages including extensions and
-will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+@@ -115,13 +113,7 @@
-fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
-protocols. This is the best choice when compatibility is a concern.
+=item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
--If any SSLv2 ciphersuites are included in the cipher list and no extensions
+-A TLS/SSL connection established with these methods will only understand the
--are required then SSLv2 compatible client hellos will be used by clients and
+-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
--SSLv2 will be accepted by servers. This is B<not> recommended due to the
+-also indicate that it only understand SSLv2.  A server will only understand
--insecurity of SSLv2 and the limited nature of the SSLv2 client hello
+-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
--prohibiting the use of extensions.
+-and should not be used.
--
+-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available
-=back
+-with SSLv2.
++The SSLv2 protocol offers little to no security and has been deprecated.
--The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-+The list of protocols available can later be limited using the
+=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
-options of the SSL_CTX_set_options() or SSL_set_options() functions.
-Using these options it is possible to choose e.g. SSLv23_server_method() and
-be able to negotiate with all possible clients, but to only allow newer
-protocols like TLSv1, TLSv1.1 or TLS v1.2.
--Applications which never want to support SSLv2 (even is the cipher string
--is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
-+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
-SSL_CTX_new() initializes the list of ciphers, the session cache setting,
-the callbacks, the keys and certificates and the options to its default
 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod	Thu Mar 19 06:37:10 2015
 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new	Tue May 26 11:38:09 2015
 @@ -54,10 +54,6 @@
 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
 and the handshake will fail.
 -the first call.
 +complete (return value of the first call is 0).
 The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
---- openssl-1.0.1/doc/ssl/ssl.pod	Thu Mar 19 06:37:10 2015
+--- openssl-1.0.1/doc/ssl/ssl.pod	Tue Mar  1 05:40:03 2016
-+++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue May 26 11:47:38 2015
++++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue Mar  1 15:42:46 2016
 @@ -9,7 +9,7 @@
 =head1 DESCRIPTION
 -The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
 =item B<SSL_METHOD> (SSL Method)
 That's a dispatch structure describing the internal B<ssl> library
 -methods/functions which implement the various protocol versions (SSLv1, SSLv2
 -and TLSv1). It's needed to create an B<SSL_CTX>.
-+methods/functions which implement the various protocol versions (SSLv3
++methods/functions which implement the various protocol versions (SSLv3,
 +TLSv1, ...). It's needed to create an B<SSL_CTX>.
 =item B<SSL_CIPHER> (SSL Cipher)
-@@ -105,8 +104,8 @@
+@@ -93,7 +93,7 @@
+=item B<ssl2.h>
+-That's the sub header file dealing with the SSLv2 protocol only.
++That's the sub header file dealing with the deprecated SSLv2 protocol only.
+I<Usually you don't have to include it explicitly because
+it's already included by ssl.h>.
+@@ -105,8 +105,8 @@
 =item B<ssl23.h>
 -That's the sub header file dealing with the combined use of the SSLv2 and
 -SSLv3 protocols.
-+That's the sub header file dealing with the combined use of different
++That's the sub header file dealing with the combined use of the different
-+protocol version.
++protocol versions.
 I<Usually you don't have to include it explicitly because
 it's already included by ssl.h>.
-@@ -132,15 +131,15 @@
+@@ -201,15 +201,15 @@
+=item const SSL_METHOD *B<SSLv2_method>(void);
+Constructor for the SSLv2 SSL_METHOD structure for clients, servers
+-or both.
++or both. (deprecated)
 =item const SSL_METHOD *B<SSLv2_client_method>(void);
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
+-Constructor for the SSLv2 SSL_METHOD structure for clients.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated)
 =item const SSL_METHOD *B<SSLv2_server_method>(void);
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
+-Constructor for the SSLv2 SSL_METHOD structure for servers.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated)
-=item const SSL_METHOD *B<SSLv2_method>(void);
+=back
--Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
+@@ -234,12 +234,12 @@
-+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
-=item const SSL_METHOD *B<SSLv3_client_method>(void);
-@@ -189,12 +188,12 @@
 =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
 Return the internal name of I<cipher> as a string. These are the various
 -strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
 +strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
 -Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
 +Returns a string like "C<TLSv1/SSLv3>" which indicates the
 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
 in the specification the first time).
---- openssl-1.0.1/doc/apps/ciphers.pod	Thu Mar 19 06:37:10 2015
+--- openssl-1.0.1/doc/apps/ciphers.pod	Tue Mar  1 05:40:03 2016
-+++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue May 26 12:07:35 2015
++++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue Mar  1 15:28:28 2016
 @@ -9,7 +9,6 @@
 B<openssl> B<ciphers>
 [B<-v>]
 [B<-V>]
 -[B<-ssl2>]
 =item B<-V>
 @@ -42,10 +38,6 @@
-only include SSL v3 ciphers.
+This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
 -=item B<-ssl2>
 -
--only include SSL v2 ciphers.
+-Only include SSLv2 ciphers.
 -
-=item B<-tls1>
+=item B<-h>, B<-?>
-only include TLS v1 ciphers.
+Print a brief usage message.
-@@ -246,9 +232,9 @@
+@@ -255,9 +247,9 @@
 ciphers suites using FORTEZZA key exchange, authentication, encryption or all
 FORTEZZA algorithms. Not implemented.
 -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
-+=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
 -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
-+TLS v1.2, TLS v1.0 or SSL v3.0  cipher suites respectively. Note:
++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note:
 there are no ciphersuites specific to TLS v1.1.
 =item B<AES128>, B<AES256>, B<AES>
-@@ -569,16 +555,6 @@
+@@ -578,16 +570,6 @@
 TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
 TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
 -=head2 Deprecated SSL v2.0 cipher suites.
 -
 - SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
-- SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5        Not implemented.
-- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
+- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-CBC-MD5
-- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    Not implemented.
 - SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
-- SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5              Not implemented.
 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
 -
 =head1 NOTES
 The non-ephemeral DH modes are currently unimplemented in OpenSSL
---- openssl-1.0.1/doc/apps/s_client.pod	Thu Mar 19 06:37:10 2015
+--- openssl-1.0.1/doc/apps/s_client.pod	Tue Mar  1 05:40:03 2016
-+++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue May 26 12:15:40 2015
++++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue Mar  1 15:37:40 2016
-@@ -31,10 +31,8 @@
+@@ -32,10 +32,8 @@
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-quiet>]
 -[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 -[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-bugs>]
-@@ -196,11 +196,11 @@
+@@ -197,7 +195,7 @@
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-these options disable the use of certain SSL or TLS protocols. By default
+These options require or disable the use of the specified SSL or TLS protocols.
-the initial handshake uses a method which should be compatible with all
+By default the initial handshake uses a I<version-flexible> method which will
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+@@ -215,10 +213,6 @@
-+servers and permit them to use SSL v3 or TLS as appropriate.
-Unfortunately there are a lot of ancient and broken servers in use which
-cannot handle this technique and will fail to connect. Some servers only
-@@ -219,10 +219,6 @@
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 -=item B<-serverpref>
 -
 -use the server's cipher preferences; only used for SSLV2.
 -
 =item B<-starttls protocol>
 send the protocol-specific message(s) to switch to TLS for communication.
-@@ -299,8 +295,8 @@
+@@ -295,8 +289,8 @@
 then an HTTP command can be given such as "GET /" to retrieve a web page.
 If the handshake fails then there are several possible causes, if it is
 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
 -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
 +nothing obvious like no client certificate then the B<-bugs>,
 +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
-@@ -322,10 +318,6 @@
+@@ -318,10 +312,6 @@
 If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show the whole chain.
 -Since the SSLv23 client hello cannot include compression methods or extensions
 -these will only be supported if its use is disabled, for example by using the
 -B<-no_sslv2> option.
 -
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
 accept any certificate chain (trusted or not) sent by the peer. None test
---- openssl-1.0.1/doc/apps/s_server.pod	Thu Mar 19 06:37:10 2015
+--- openssl-1.0.1/doc/apps/s_server.pod	Tue Mar  1 05:40:03 2016
-+++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue May 26 12:15:02 2015
++++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue Mar  1 15:38:50 2016
-@@ -38,10 +38,8 @@
+@@ -39,10 +39,8 @@
 [B<-serverpref>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
 -[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 -[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
-@@ -216,11 +216,11 @@
+@@ -221,7 +219,7 @@
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-these options disable the use of certain SSL or TLS protocols. By default
+These options require or disable the use of the specified SSL or TLS protocols.
-the initial handshake uses a method which should be compatible with all
+By default the initial handshake uses a I<version-flexible> method which will
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
-=item B<-bugs>
 --- openssl-1.0.1/doc/apps/s_time.pod	Thu Jan 15 06:43:49 2015
 +++ openssl-1.0.1/doc/apps/s_time.pod.new	Tue May 26 12:20:09 2015
 @@ -19,7 +19,6 @@
 [B<-verify depth>]
 [B<-nbio>]

branch	s11u3-sru
changeset 5557	0c86123e6de4
parent 4589	13498d090b19
child 5951	53f9397aa985