|
1 # |
|
2 # This was developed in house. Not applicable to the upstream. |
|
3 # |
|
4 --- openssl-1.0.1/ssl/s2_meth.c Fri May 8 09:38:33 2015 |
|
5 +++ openssl-1.0.1/ssl/s2_meth.c.new Fri May 8 09:51:53 2015 |
|
6 @@ -74,6 +74,13 @@ |
|
7 ssl2_accept, ssl2_connect, ssl2_get_method) |
|
8 #else /* !OPENSSL_NO_SSL2 */ |
|
9 |
|
10 +/* stub function */ |
|
11 +const SSL_METHOD * |
|
12 +SSLv2_method(void) |
|
13 +{ |
|
14 + return (NULL); |
|
15 +} |
|
16 + |
|
17 # if PEDANTIC |
|
18 static void *dummy = &dummy; |
|
19 # endif |
|
20 --- openssl-1.0.1/ssl/s2_clnt.c Fri May 8 09:37:51 2015 |
|
21 +++ openssl-1.0.1/ssl/ss2_clnt.c.new Fri May 8 09:53:12 2015 |
|
22 @@ -1087,6 +1087,13 @@ |
|
23 } |
|
24 #else /* !OPENSSL_NO_SSL2 */ |
|
25 |
|
26 +/* stub function */ |
|
27 +const SSL_METHOD * |
|
28 +SSLv2_client_method(void) |
|
29 +{ |
|
30 + return (NULL); |
|
31 +} |
|
32 + |
|
33 # if PEDANTIC |
|
34 static void *dummy = &dummy; |
|
35 # endif |
|
36 --- openssl-1.0.1/ssl/s2_srvr.c Fri May 8 09:38:02 2015 |
|
37 +++ openssl-1.0.1/ssl/s2_srvr.c.new Fri May 8 09:53:43 2015 |
|
38 @@ -1150,6 +1150,13 @@ |
|
39 } |
|
40 #else /* !OPENSSL_NO_SSL2 */ |
|
41 |
|
42 +/* stub function */ |
|
43 +const SSL_METHOD * |
|
44 +SSLv2_server_method(void) |
|
45 +{ |
|
46 + return (NULL); |
|
47 +} |
|
48 + |
|
49 # if PEDANTIC |
|
50 static void *dummy = &dummy; |
|
51 # endif |
|
52 --- openssl-1.0.1/ssl/ssl.h Tue May 26 11:13:15 2015 |
|
53 +++ openssl-1.0.1/ssl/ssl.h.new Tue May 26 11:32:09 2015 |
|
54 @@ -2017,12 +2017,24 @@ |
|
55 /* This sets the 'default' SSL version that SSL_new() will create */ |
|
56 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); |
|
57 |
|
58 -# ifndef OPENSSL_NO_SSL2 |
|
59 -const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
60 -const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
61 -const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
62 -# endif |
|
63 |
|
64 +#ifndef __has_attribute |
|
65 +# define __has_attribute(x) 0 |
|
66 +#endif |
|
67 + |
|
68 +/* Mark SSLv2_* functions deprecated */ |
|
69 +#if __has_attribute(deprecated) \ |
|
70 + || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \ |
|
71 + || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130)) |
|
72 +# define DEPRECATED __attribute__((deprecated)) |
|
73 +#else |
|
74 +# define DEPRECATED |
|
75 +#endif |
|
76 + |
|
77 +DEPRECATED const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
78 +DEPRECATED const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
79 +DEPRECATED const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
80 + |
|
81 # ifndef OPENSSL_NO_SSL3_METHOD |
|
82 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ |
|
83 const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ |
|
84 --- openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod Tue May 26 11:13:15 2015 |
|
85 +++ openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod.new Tue May 26 11:32:09 2015 |
|
86 @@ -25,7 +25,7 @@ |
|
87 |
|
88 SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol |
|
89 version that first defined the cipher. |
|
90 -This is currently B<SSLv2> or B<TLSv1/SSLv3>. |
|
91 +This is currently B<TLSv1/SSLv3>. |
|
92 In some cases it should possibly return "TLSv1.2" but does not; |
|
93 use SSL_CIPHER_description() instead. |
|
94 If B<cipher> is NULL, "(NONE)" is returned. |
|
95 @@ -56,7 +56,7 @@ |
|
96 |
|
97 =item <protocol version> |
|
98 |
|
99 -Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
100 +Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
101 flagged with SSLv3. No new ciphers were added by TLSv1.1. |
|
102 |
|
103 =item Kx=<key exchange> |
|
104 --- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 |
|
105 +++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 |
|
106 @@ -25,19 +25,12 @@ |
|
107 |
|
108 =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void) |
|
109 |
|
110 -A TLS/SSL connection established with these methods will only understand |
|
111 -the SSLv2 protocol. A client will send out SSLv2 client hello messages |
|
112 -and will also indicate that it only understand SSLv2. A server will only |
|
113 -understand SSLv2 client hello messages. |
|
114 +These functions are deprecated. |
|
115 |
|
116 =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) |
|
117 |
|
118 A TLS/SSL connection established with these methods will only understand the |
|
119 -SSLv3 protocol. A client will send out SSLv3 client hello messages |
|
120 -and will indicate that it only understands SSLv3. A server will only understand |
|
121 -SSLv3 client hello messages. This especially means, that it will |
|
122 -not understand SSLv2 client hello messages which are widely used for |
|
123 -compatibility reasons, see SSLv23_*_method(). |
|
124 +SSLv3 protocol. However, SSLv3 is not supported by this relese of OpenSSL. |
|
125 |
|
126 =item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void) |
|
127 |
|
128 @@ -51,34 +44,24 @@ |
|
129 |
|
130 =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) |
|
131 |
|
132 -A TLS/SSL connection established with these methods may understand the SSLv2, |
|
133 -SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. |
|
134 +A TLS/SSL connection established with these methods may understand the |
|
135 +TLSv1, TLSv1.1 and TLSv1.2 protocols. |
|
136 |
|
137 -If the cipher list does not contain any SSLv2 ciphersuites (the default |
|
138 -cipher list does not) or extensions are required (for example server name) |
|
139 +If extensions are required (for example server name) |
|
140 a client will send out TLSv1 client hello messages including extensions and |
|
141 will indicate that it also understands TLSv1.1, TLSv1.2 and permits a |
|
142 fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 |
|
143 protocols. This is the best choice when compatibility is a concern. |
|
144 |
|
145 -If any SSLv2 ciphersuites are included in the cipher list and no extensions |
|
146 -are required then SSLv2 compatible client hellos will be used by clients and |
|
147 -SSLv2 will be accepted by servers. This is B<not> recommended due to the |
|
148 -insecurity of SSLv2 and the limited nature of the SSLv2 client hello |
|
149 -prohibiting the use of extensions. |
|
150 - |
|
151 =back |
|
152 |
|
153 -The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, |
|
154 -SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 |
|
155 +The list of protocols available can later be limited using the |
|
156 +SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 |
|
157 options of the SSL_CTX_set_options() or SSL_set_options() functions. |
|
158 Using these options it is possible to choose e.g. SSLv23_server_method() and |
|
159 be able to negotiate with all possible clients, but to only allow newer |
|
160 protocols like TLSv1, TLSv1.1 or TLS v1.2. |
|
161 |
|
162 -Applications which never want to support SSLv2 (even is the cipher string |
|
163 -is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. |
|
164 - |
|
165 SSL_CTX_new() initializes the list of ciphers, the session cache setting, |
|
166 the callbacks, the keys and certificates and the options to its default |
|
167 values. |
|
168 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 |
|
169 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 |
|
170 @@ -54,10 +54,6 @@ |
|
171 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated |
|
172 and the handshake will fail. |
|
173 |
|
174 -If the cipher list does not contain any SSLv2 cipher suites (this is the |
|
175 -default) then SSLv2 is effectively disabled and neither clients nor servers |
|
176 -will attempt to use SSLv2. |
|
177 - |
|
178 =head1 RETURN VALUES |
|
179 |
|
180 SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher |
|
181 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod Thu Jan 15 06:43:49 2015 |
|
182 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod.new Tue May 26 11:40:47 2015 |
|
183 @@ -32,9 +32,8 @@ |
|
184 |
|
185 When a new session is established between client and server, the server |
|
186 generates a session id. The session id is an arbitrary sequence of bytes. |
|
187 -The length of the session id is 16 bytes for SSLv2 sessions and between |
|
188 -1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical |
|
189 -but must be unique for the server. Additionally, the session id is |
|
190 +The length of the session id is between 1 and 32 bytes for TLSv1. The session id is not |
|
191 +security critical but must be unique for the server. Additionally, the session id is |
|
192 transmitted in the clear when reusing the session so it must not contain |
|
193 sensitive information. |
|
194 |
|
195 @@ -51,12 +50,6 @@ |
|
196 the callback B<must never> increase B<id_len> or write to the location |
|
197 B<id> exceeding the given limit. |
|
198 |
|
199 -If a SSLv2 session id is generated and B<id_len> is reduced, it will be |
|
200 -restored after the callback has finished and the session id will be padded |
|
201 -with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions. |
|
202 -The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function |
|
203 -to check, whether the session is of type SSLv2. |
|
204 - |
|
205 The location B<id> is filled with 0x00 before the callback is called, so the |
|
206 callback may only fill part of the possible length and leave B<id_len> |
|
207 untouched while maintaining reproducibility. |
|
208 @@ -63,9 +56,8 @@ |
|
209 |
|
210 Since the sessions must be distinguished, session ids must be unique. |
|
211 Without the callback a random number is used, so that the probability |
|
212 -of generating the same session id is extremely small (2^128 possible ids |
|
213 -for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the |
|
214 -uniqueness of the generated session id, the callback must call |
|
215 +of generating the same session id is extremely small (2^256 for TLSv1). |
|
216 +In order to assure the uniqueness of the generated session id, the callback must call |
|
217 SSL_has_matching_session_id() and generate another id if a conflict occurs. |
|
218 If an id conflict is not resolved, the handshake will fail. |
|
219 If the application codes e.g. a unique host id, a unique process number, and |
|
220 @@ -85,10 +77,6 @@ |
|
221 the external cache is not tested with SSL_has_matching_session_id() |
|
222 and the same race condition applies. |
|
223 |
|
224 -When calling SSL_has_matching_session_id() for an SSLv2 session with |
|
225 -reduced B<id_len>, the match operation will be performed using the |
|
226 -fixed length required and with a 0x00 padded id. |
|
227 - |
|
228 The callback must return 0 if it cannot generate a session id for whatever |
|
229 reason and return 1 on success. |
|
230 |
|
231 @@ -104,12 +92,7 @@ |
|
232 unsigned int *id_len) |
|
233 { |
|
234 unsigned int count = 0; |
|
235 - const char *version; |
|
236 |
|
237 - version = SSL_get_version(ssl); |
|
238 - if (!strcmp(version, "SSLv2")) |
|
239 - /* we must not change id_len */; |
|
240 - |
|
241 do { |
|
242 RAND_pseudo_bytes(id, *id_len); |
|
243 /* Prefix the session_id with the required prefix. NB: If our |
|
244 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod Tue Jan 20 04:33:36 2015 |
|
245 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod.new Tue May 26 11:41:47 2015 |
|
246 @@ -63,18 +63,11 @@ |
|
247 |
|
248 =item SSL_OP_MICROSOFT_SESS_ID_BUG |
|
249 |
|
250 -www.microsoft.com - when talking SSLv2, if session-id reuse is |
|
251 -performed, the session-id passed back in the server-finished message |
|
252 -is different from the one decided upon. |
|
253 +As of OpenSSL 1.0.0 this option has no effect. |
|
254 |
|
255 =item SSL_OP_NETSCAPE_CHALLENGE_BUG |
|
256 |
|
257 -Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte |
|
258 -challenge but then appears to only use 16 bytes when generating the |
|
259 -encryption keys. Using 16 bytes is ok but it should be ok to use 32. |
|
260 -According to the SSLv3 spec, one should use 32 bytes for the challenge |
|
261 -when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
|
262 -this breaks this server so 16 bytes is the way to go. |
|
263 +As of OpenSSL 1.0.0 this option has no effect. |
|
264 |
|
265 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
|
266 |
|
267 --- openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod Thu Jan 15 06:43:49 2015 |
|
268 +++ openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod.new Tue May 26 11:42:15 2015 |
|
269 @@ -24,7 +24,7 @@ |
|
270 timeout for the protocol will be used. |
|
271 |
|
272 SSL_get_default_timeout() return this hardcoded value, which is 300 seconds |
|
273 -for all currently supported protocols (SSLv2, SSLv3, and TLSv1). |
|
274 +for all currently supported protocols. |
|
275 |
|
276 =head1 RETURN VALUES |
|
277 |
|
278 --- openssl-1.0.1/doc/ssl/SSL_get_version.pod Thu Jan 15 06:43:49 2015 |
|
279 +++ openssl-1.0.1/doc/ssl/SSL_get_version.pod.new Tue May 26 11:42:45 2015 |
|
280 @@ -21,14 +21,6 @@ |
|
281 |
|
282 =over 4 |
|
283 |
|
284 -=item SSLv2 |
|
285 - |
|
286 -The connection uses the SSLv2 protocol. |
|
287 - |
|
288 -=item SSLv3 |
|
289 - |
|
290 -The connection uses the SSLv3 protocol. |
|
291 - |
|
292 =item TLSv1 |
|
293 |
|
294 The connection uses the TLSv1.0 protocol. |
|
295 --- openssl-1.0.1/doc/ssl/SSL_new.pod Thu Jan 15 06:43:49 2015 |
|
296 +++ openssl-1.0.1/doc/ssl/SSL_new.pod.new Tue May 26 11:43:12 2015 |
|
297 @@ -14,7 +14,7 @@ |
|
298 |
|
299 SSL_new() creates a new B<SSL> structure which is needed to hold the |
|
300 data for a TLS/SSL connection. The new structure inherits the settings |
|
301 -of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1), |
|
302 +of the underlying context B<ctx>: connection method, |
|
303 options, verification settings, timeout settings. |
|
304 |
|
305 =head1 RETURN VALUES |
|
306 --- openssl-1.0.1/doc/ssl/SSL_shutdown.pod Thu Mar 19 06:37:10 2015 |
|
307 +++ openssl-1.0.1/doc/ssl/SSL_shutdown.pod.new Tue May 26 11:43:56 2015 |
|
308 @@ -60,9 +60,7 @@ |
|
309 |
|
310 It is therefore recommended, to check the return value of SSL_shutdown() |
|
311 and call SSL_shutdown() again, if the bidirectional shutdown is not yet |
|
312 -complete (return value of the first call is 0). As the shutdown is not |
|
313 -specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on |
|
314 -the first call. |
|
315 +complete (return value of the first call is 0). |
|
316 |
|
317 The behaviour of SSL_shutdown() additionally depends on the underlying BIO. |
|
318 |
|
319 --- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015 |
|
320 +++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015 |
|
321 @@ -9,9 +9,8 @@ |
|
322 |
|
323 =head1 DESCRIPTION |
|
324 |
|
325 -The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and |
|
326 -Transport Layer Security (TLS v1) protocols. It provides a rich API which is |
|
327 -documented here. |
|
328 +The OpenSSL B<ssl> library implements the Transport Layer Security (TLS v1) |
|
329 +protocols. It provides a rich API which is documented here. |
|
330 |
|
331 At first the library must be initialized; see |
|
332 L<SSL_library_init(3)|SSL_library_init(3)>. |
|
333 @@ -45,8 +44,8 @@ |
|
334 =item B<SSL_METHOD> (SSL Method) |
|
335 |
|
336 That's a dispatch structure describing the internal B<ssl> library |
|
337 -methods/functions which implement the various protocol versions (SSLv1, SSLv2 |
|
338 -and TLSv1). It's needed to create an B<SSL_CTX>. |
|
339 +methods/functions which implement the various protocol versions (TLSv1, ...). |
|
340 +It's needed to create an B<SSL_CTX>. |
|
341 |
|
342 =item B<SSL_CIPHER> (SSL Cipher) |
|
343 |
|
344 @@ -105,8 +104,8 @@ |
|
345 |
|
346 =item B<ssl23.h> |
|
347 |
|
348 -That's the sub header file dealing with the combined use of the SSLv2 and |
|
349 -SSLv3 protocols. |
|
350 +That's the sub header file dealing with the combined use of different |
|
351 +protocol version. |
|
352 I<Usually you don't have to include it explicitly because |
|
353 it's already included by ssl.h>. |
|
354 |
|
355 @@ -132,15 +131,15 @@ |
|
356 |
|
357 =item const SSL_METHOD *B<SSLv2_client_method>(void); |
|
358 |
|
359 -Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. |
|
360 +Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated) |
|
361 |
|
362 =item const SSL_METHOD *B<SSLv2_server_method>(void); |
|
363 |
|
364 -Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. |
|
365 +Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated) |
|
366 |
|
367 =item const SSL_METHOD *B<SSLv2_method>(void); |
|
368 |
|
369 -Constructor for the SSLv2 SSL_METHOD structure for combined client and server. |
|
370 +Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated) |
|
371 |
|
372 =item const SSL_METHOD *B<SSLv3_client_method>(void); |
|
373 |
|
374 @@ -189,12 +188,12 @@ |
|
375 =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher); |
|
376 |
|
377 Return the internal name of I<cipher> as a string. These are the various |
|
378 -strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
379 +strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
380 definitions in the header files. |
|
381 |
|
382 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); |
|
383 |
|
384 -Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the |
|
385 +Returns a string like "C<TLSv1/SSLv3>" which indicates the |
|
386 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined |
|
387 in the specification the first time). |
|
388 |
|
389 --- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015 |
|
390 +++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015 |
|
391 @@ -9,8 +9,6 @@ |
|
392 B<openssl> B<ciphers> |
|
393 [B<-v>] |
|
394 [B<-V>] |
|
395 -[B<-ssl2>] |
|
396 -[B<-ssl3>] |
|
397 [B<-tls1>] |
|
398 [B<cipherlist>] |
|
399 |
|
400 @@ -26,26 +24,14 @@ |
|
401 |
|
402 =item B<-v> |
|
403 |
|
404 -Verbose option. List ciphers with a complete description of |
|
405 -protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, |
|
406 -authentication, encryption and mac algorithms used along with any key size |
|
407 -restrictions and whether the algorithm is classed as an "export" cipher. |
|
408 -Note that without the B<-v> option, ciphers may seem to appear twice |
|
409 -in a cipher list; this is when similar ciphers are available for |
|
410 -SSL v2 and for SSL v3/TLS v1. |
|
411 +Verbose option. List ciphers with a complete description of protocol version, |
|
412 +key exchange, authentication, encryption and mac algorithms used along with any |
|
413 +key size restrictions and whether the algorithm is classed as an "export" cipher. |
|
414 |
|
415 =item B<-V> |
|
416 |
|
417 Like B<-v>, but include cipher suite codes in output (hex format). |
|
418 |
|
419 -=item B<-ssl3> |
|
420 - |
|
421 -only include SSL v3 ciphers. |
|
422 - |
|
423 -=item B<-ssl2> |
|
424 - |
|
425 -only include SSL v2 ciphers. |
|
426 - |
|
427 =item B<-tls1> |
|
428 |
|
429 only include TLS v1 ciphers. |
|
430 @@ -246,9 +232,9 @@ |
|
431 ciphers suites using FORTEZZA key exchange, authentication, encryption or all |
|
432 FORTEZZA algorithms. Not implemented. |
|
433 |
|
434 -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2> |
|
435 +=item B<TLSv1.2>, B<TLSv1> |
|
436 |
|
437 -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: |
|
438 +TLS v1.2 or TLS v1.0 cipher suites respectively. Note: |
|
439 there are no ciphersuites specific to TLS v1.1. |
|
440 |
|
441 =item B<AES128>, B<AES256>, B<AES> |
|
442 @@ -569,16 +555,6 @@ |
|
443 TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA |
|
444 TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA |
|
445 |
|
446 -=head2 Deprecated SSL v2.0 cipher suites. |
|
447 - |
|
448 - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 |
|
449 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 |
|
450 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 |
|
451 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 |
|
452 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 |
|
453 - SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 |
|
454 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 |
|
455 - |
|
456 =head1 NOTES |
|
457 |
|
458 The non-ephemeral DH modes are currently unimplemented in OpenSSL |
|
459 --- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015 |
|
460 +++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015 |
|
461 @@ -31,12 +31,12 @@ |
|
462 [B<-ign_eof>] |
|
463 [B<-no_ign_eof>] |
|
464 [B<-quiet>] |
|
465 -[B<-ssl2>] |
|
466 -[B<-ssl3>] |
|
467 [B<-tls1>] |
|
468 -[B<-no_ssl2>] |
|
469 -[B<-no_ssl3>] |
|
470 +[B<-tls1_1>] |
|
471 +[B<-tls1_2>] |
|
472 [B<-no_tls1>] |
|
473 +[B<-no_tls1_1>] |
|
474 +[B<-no_tls1_2>] |
|
475 [B<-bugs>] |
|
476 [B<-cipher cipherlist>] |
|
477 [B<-serverpref>] |
|
478 @@ -196,11 +196,11 @@ |
|
479 given as a hexadecimal number without leading 0x, for example -psk |
|
480 1a2b3c4d. |
|
481 |
|
482 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> |
|
483 +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
484 |
|
485 -these options disable the use of certain SSL or TLS protocols. By default |
|
486 +these options disable the use of certain TLS protocols. By default |
|
487 the initial handshake uses a method which should be compatible with all |
|
488 -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
|
489 +servers. |
|
490 |
|
491 Unfortunately there are a lot of ancient and broken servers in use which |
|
492 cannot handle this technique and will fail to connect. Some servers only |
|
493 @@ -219,10 +219,6 @@ |
|
494 supported cipher in the list sent by the client. See the B<ciphers> |
|
495 command for more information. |
|
496 |
|
497 -=item B<-serverpref> |
|
498 - |
|
499 -use the server's cipher preferences; only used for SSLV2. |
|
500 - |
|
501 =item B<-starttls protocol> |
|
502 |
|
503 send the protocol-specific message(s) to switch to TLS for communication. |
|
504 @@ -299,8 +295,8 @@ |
|
505 then an HTTP command can be given such as "GET /" to retrieve a web page. |
|
506 |
|
507 If the handshake fails then there are several possible causes, if it is |
|
508 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
509 -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried |
|
510 +nothing obvious like no client certificate then the B<-bugs>, B<-tls1>, B<-tls1_1>, |
|
511 +B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> options can be tried |
|
512 in case it is a buggy server. In particular you should play with these |
|
513 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
514 |
|
515 @@ -322,10 +318,6 @@ |
|
516 If there are problems verifying a server certificate then the |
|
517 B<-showcerts> option can be used to show the whole chain. |
|
518 |
|
519 -Since the SSLv23 client hello cannot include compression methods or extensions |
|
520 -these will only be supported if its use is disabled, for example by using the |
|
521 -B<-no_sslv2> option. |
|
522 - |
|
523 The B<s_client> utility is a test tool and is designed to continue the |
|
524 handshake after any certificate verification errors. As a result it will |
|
525 accept any certificate chain (trusted or not) sent by the peer. None test |
|
526 --- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015 |
|
527 +++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015 |
|
528 @@ -38,12 +38,12 @@ |
|
529 [B<-serverpref>] |
|
530 [B<-quiet>] |
|
531 [B<-no_tmp_rsa>] |
|
532 -[B<-ssl2>] |
|
533 -[B<-ssl3>] |
|
534 [B<-tls1>] |
|
535 -[B<-no_ssl2>] |
|
536 -[B<-no_ssl3>] |
|
537 +[B<-tls1_1>] |
|
538 +[B<-tls1_2>] |
|
539 [B<-no_tls1>] |
|
540 +[B<-no_tls1_1>] |
|
541 +[B<-no_tls1_2>] |
|
542 [B<-no_dhe>] |
|
543 [B<-no_ecdhe>] |
|
544 [B<-bugs>] |
|
545 @@ -216,11 +216,11 @@ |
|
546 given as a hexadecimal number without leading 0x, for example -psk |
|
547 1a2b3c4d. |
|
548 |
|
549 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> |
|
550 +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
551 |
|
552 these options disable the use of certain SSL or TLS protocols. By default |
|
553 the initial handshake uses a method which should be compatible with all |
|
554 -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
|
555 +servers. |
|
556 |
|
557 =item B<-bugs> |
|
558 |
|
559 --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 |
|
560 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 |
|
561 @@ -19,8 +19,6 @@ |
|
562 [B<-verify depth>] |
|
563 [B<-nbio>] |
|
564 [B<-time seconds>] |
|
565 -[B<-ssl2>] |
|
566 -[B<-ssl3>] |
|
567 [B<-bugs>] |
|
568 [B<-cipher cipherlist>] |
|
569 |
|
570 @@ -92,19 +90,6 @@ |
|
571 |
|
572 turns on non-blocking I/O. |
|
573 |
|
574 -=item B<-ssl2>, B<-ssl3> |
|
575 - |
|
576 -these options disable the use of certain SSL or TLS protocols. By default |
|
577 -the initial handshake uses a method which should be compatible with all |
|
578 -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
|
579 -The timing program is not as rich in options to turn protocols on and off as |
|
580 -the L<s_client(1)|s_client(1)> program and may not connect to all servers. |
|
581 - |
|
582 -Unfortunately there are a lot of ancient and broken servers in use which |
|
583 -cannot handle this technique and will fail to connect. Some servers only |
|
584 -work if TLS is turned off with the B<-ssl3> option; others |
|
585 -will only support SSL v2 and may need the B<-ssl2> option. |
|
586 - |
|
587 =item B<-bugs> |
|
588 |
|
589 there are several known bug in SSL and TLS implementations. Adding this |
|
590 @@ -137,8 +122,7 @@ |
|
591 for details. |
|
592 |
|
593 If the handshake fails then there are several possible causes, if it is |
|
594 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
595 -B<-ssl3> options can be tried |
|
596 +nothing obvious like no client certificate then the B<-bugs> option can be tried |
|
597 in case it is a buggy server. In particular you should play with these |
|
598 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
599 |
|
600 --- openssl-1.0.1/doc/apps/sess_id.pod Thu Jan 15 06:43:49 2015 |
|
601 +++ openssl-1.0.1/doc/apps/sess_id.pod.new Tue May 26 12:21:07 2015 |
|
602 @@ -91,7 +91,7 @@ |
|
603 |
|
604 =item B<Protocol> |
|
605 |
|
606 -this is the protocol in use TLSv1, SSLv3 or SSLv2. |
|
607 +this is the protocol in use. |
|
608 |
|
609 =item B<Cipher> |
|
610 |
|
611 @@ -110,10 +110,6 @@ |
|
612 |
|
613 this is the SSL session master key. |
|
614 |
|
615 -=item B<Key-Arg> |
|
616 - |
|
617 -the key argument, this is only used in SSL v2. |
|
618 - |
|
619 =item B<Start Time> |
|
620 |
|
621 this is the session start time represented as an integer in standard Unix format. |