|
1 # |
|
2 # This was developed in house. Not applicable to the upstream. |
|
3 # |
|
4 --- openssl-1.0.1/ssl/ssl.h Tue May 26 11:13:15 2015 |
|
5 +++ openssl-1.0.1/ssl/ssl.h.new Tue May 26 11:32:09 2015 |
|
6 @@ -2345,10 +2345,23 @@ |
|
7 /* This sets the 'default' SSL version that SSL_new() will create */ |
|
8 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); |
|
9 |
|
10 +#ifndef __has_attribute |
|
11 +# define __has_attribute(x) 0 |
|
12 +#endif |
|
13 + |
|
14 +/* Mark SSLv2_* functions deprecated */ |
|
15 +#if __has_attribute(deprecated) \ |
|
16 + || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \ |
|
17 + || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130)) |
|
18 +# define DEPRECATED __attribute__((deprecated)) |
|
19 +#else |
|
20 +# define DEPRECATED |
|
21 +#endif |
|
22 + |
|
23 # ifndef OPENSSL_NO_SSL2_METHOD |
|
24 -const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
25 -const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
26 -const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
27 +DEPRECATED const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
28 +DEPRECATED const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
29 +DEPRECATED const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
30 # endif |
|
31 |
|
32 # ifndef OPENSSL_NO_SSL3_METHOD |
|
33 --- openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod Tue May 26 11:13:15 2015 |
|
34 +++ openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod.new Tue May 26 11:32:09 2015 |
|
35 @@ -25,7 +25,7 @@ |
|
36 |
|
37 SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol |
|
38 version that first defined the cipher. |
|
39 -This is currently B<SSLv2> or B<TLSv1/SSLv3>. |
|
40 +This is currently B<TLSv1/SSLv3>. |
|
41 In some cases it should possibly return "TLSv1.2" but does not; |
|
42 use SSL_CIPHER_description() instead. |
|
43 If B<cipher> is NULL, "(NONE)" is returned. |
|
44 @@ -56,7 +56,7 @@ |
|
45 |
|
46 =item <protocol version> |
|
47 |
|
48 -Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
49 +Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
50 flagged with SSLv3. No new ciphers were added by TLSv1.1. |
|
51 |
|
52 =item Kx=<key exchange> |
|
53 --- openssl-1.x/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 |
|
54 +++ openssl-1.x/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 |
|
55 @@ -8,7 +8,6 @@ |
|
56 TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, |
|
57 TLSv1_method, TLSv1_server_method, TLSv1_client_method, |
|
58 SSLv3_method, SSLv3_server_method, SSLv3_client_method, |
|
59 -SSLv2_method, SSLv2_server_method, SSLv2_client_method, |
|
60 DTLS_method, DTLS_server_method, DTLS_client_method, |
|
61 DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method, |
|
62 DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method - |
|
63 @@ -70,7 +69,7 @@ |
|
64 These are the general-purpose I<version-flexible> SSL/TLS methods. |
|
65 The actual protocol version used will be negotiated to the highest version |
|
66 mutually supported by the client and the server. |
|
67 -The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. |
|
68 +The supported protocols are TLSv1, TLSv1.1 and TLSv1.2. |
|
69 Most applications should use these method, and avoid the version specific |
|
70 methods described below. |
|
71 |
|
72 @@ -116,20 +115,11 @@ |
|
73 =item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method() |
|
74 |
|
75 A TLS/SSL connection established with these methods will only understand the |
|
76 -SSLv3 protocol. A client will send out SSLv3 client hello messages and will |
|
77 -indicate that it only understands SSLv3. A server will only understand SSLv3 |
|
78 -client hello messages. The SSLv3 protocol is deprecated and should not be |
|
79 -used. |
|
80 +SSLv3 protocol. However, SSLv3 is not supported by this relese of OpenSSL. |
|
81 |
|
82 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method() |
|
83 |
|
84 -A TLS/SSL connection established with these methods will only understand the |
|
85 -SSLv2 protocol. A client will send out SSLv2 client hello messages and will |
|
86 -also indicate that it only understand SSLv2. A server will only understand |
|
87 -SSLv2 client hello messages. The SSLv2 protocol offers little to no security |
|
88 -and should not be used. |
|
89 -As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available |
|
90 -with SSLv2. |
|
91 +These functions are deprecated. |
|
92 |
|
93 =item DTLS_method(), DTLS_server_method(), DTLS_client_method() |
|
94 |
|
95 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 |
|
96 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 |
|
97 @@ -54,10 +54,6 @@ |
|
98 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated |
|
99 and the handshake will fail. |
|
100 |
|
101 -If the cipher list does not contain any SSLv2 cipher suites (this is the |
|
102 -default) then SSLv2 is effectively disabled and neither clients nor servers |
|
103 -will attempt to use SSLv2. |
|
104 - |
|
105 =head1 RETURN VALUES |
|
106 |
|
107 SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher |
|
108 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod Thu Jan 15 06:43:49 2015 |
|
109 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod.new Tue May 26 11:40:47 2015 |
|
110 @@ -32,9 +32,8 @@ |
|
111 |
|
112 When a new session is established between client and server, the server |
|
113 generates a session id. The session id is an arbitrary sequence of bytes. |
|
114 -The length of the session id is 16 bytes for SSLv2 sessions and between |
|
115 -1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical |
|
116 -but must be unique for the server. Additionally, the session id is |
|
117 +The length of the session id is between 1 and 32 bytes for TLSv1. The session id is not |
|
118 +security critical but must be unique for the server. Additionally, the session id is |
|
119 transmitted in the clear when reusing the session so it must not contain |
|
120 sensitive information. |
|
121 |
|
122 @@ -51,12 +50,6 @@ |
|
123 the callback B<must never> increase B<id_len> or write to the location |
|
124 B<id> exceeding the given limit. |
|
125 |
|
126 -If a SSLv2 session id is generated and B<id_len> is reduced, it will be |
|
127 -restored after the callback has finished and the session id will be padded |
|
128 -with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions. |
|
129 -The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function |
|
130 -to check, whether the session is of type SSLv2. |
|
131 - |
|
132 The location B<id> is filled with 0x00 before the callback is called, so the |
|
133 callback may only fill part of the possible length and leave B<id_len> |
|
134 untouched while maintaining reproducibility. |
|
135 @@ -63,9 +56,8 @@ |
|
136 |
|
137 Since the sessions must be distinguished, session ids must be unique. |
|
138 Without the callback a random number is used, so that the probability |
|
139 -of generating the same session id is extremely small (2^128 possible ids |
|
140 -for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the |
|
141 -uniqueness of the generated session id, the callback must call |
|
142 +of generating the same session id is extremely small (2^256 for TLSv1). |
|
143 +In order to assure the uniqueness of the generated session id, the callback must call |
|
144 SSL_has_matching_session_id() and generate another id if a conflict occurs. |
|
145 If an id conflict is not resolved, the handshake will fail. |
|
146 If the application codes e.g. a unique host id, a unique process number, and |
|
147 @@ -85,10 +77,6 @@ |
|
148 the external cache is not tested with SSL_has_matching_session_id() |
|
149 and the same race condition applies. |
|
150 |
|
151 -When calling SSL_has_matching_session_id() for an SSLv2 session with |
|
152 -reduced B<id_len>, the match operation will be performed using the |
|
153 -fixed length required and with a 0x00 padded id. |
|
154 - |
|
155 The callback must return 0 if it cannot generate a session id for whatever |
|
156 reason and return 1 on success. |
|
157 |
|
158 @@ -104,12 +92,7 @@ |
|
159 unsigned int *id_len) |
|
160 { |
|
161 unsigned int count = 0; |
|
162 - const char *version; |
|
163 |
|
164 - version = SSL_get_version(ssl); |
|
165 - if (!strcmp(version, "SSLv2")) |
|
166 - /* we must not change id_len */; |
|
167 - |
|
168 do { |
|
169 RAND_pseudo_bytes(id, *id_len); |
|
170 /* Prefix the session_id with the required prefix. NB: If our |
|
171 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod Tue Jan 20 04:33:36 2015 |
|
172 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod.new Tue May 26 11:41:47 2015 |
|
173 @@ -63,18 +63,11 @@ |
|
174 |
|
175 =item SSL_OP_MICROSOFT_SESS_ID_BUG |
|
176 |
|
177 -www.microsoft.com - when talking SSLv2, if session-id reuse is |
|
178 -performed, the session-id passed back in the server-finished message |
|
179 -is different from the one decided upon. |
|
180 +As of OpenSSL 1.0.0 this option has no effect. |
|
181 |
|
182 =item SSL_OP_NETSCAPE_CHALLENGE_BUG |
|
183 |
|
184 -Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte |
|
185 -challenge but then appears to only use 16 bytes when generating the |
|
186 -encryption keys. Using 16 bytes is ok but it should be ok to use 32. |
|
187 -According to the SSLv3 spec, one should use 32 bytes for the challenge |
|
188 -when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
|
189 -this breaks this server so 16 bytes is the way to go. |
|
190 +As of OpenSSL 1.0.0 this option has no effect. |
|
191 |
|
192 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
|
193 |
|
194 --- openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod Thu Jan 15 06:43:49 2015 |
|
195 +++ openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod.new Tue May 26 11:42:15 2015 |
|
196 @@ -24,7 +24,7 @@ |
|
197 timeout for the protocol will be used. |
|
198 |
|
199 SSL_get_default_timeout() return this hardcoded value, which is 300 seconds |
|
200 -for all currently supported protocols (SSLv2, SSLv3, and TLSv1). |
|
201 +for all currently supported protocols. |
|
202 |
|
203 =head1 RETURN VALUES |
|
204 |
|
205 --- openssl-1.0.1/doc/ssl/SSL_get_version.pod Thu Jan 15 06:43:49 2015 |
|
206 +++ openssl-1.0.1/doc/ssl/SSL_get_version.pod.new Tue May 26 11:42:45 2015 |
|
207 @@ -21,14 +21,6 @@ |
|
208 |
|
209 =over 4 |
|
210 |
|
211 -=item SSLv2 |
|
212 - |
|
213 -The connection uses the SSLv2 protocol. |
|
214 - |
|
215 -=item SSLv3 |
|
216 - |
|
217 -The connection uses the SSLv3 protocol. |
|
218 - |
|
219 =item TLSv1 |
|
220 |
|
221 The connection uses the TLSv1.0 protocol. |
|
222 --- openssl-1.0.1/doc/ssl/SSL_new.pod Thu Jan 15 06:43:49 2015 |
|
223 +++ openssl-1.0.1/doc/ssl/SSL_new.pod.new Tue May 26 11:43:12 2015 |
|
224 @@ -14,7 +14,7 @@ |
|
225 |
|
226 SSL_new() creates a new B<SSL> structure which is needed to hold the |
|
227 data for a TLS/SSL connection. The new structure inherits the settings |
|
228 -of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1), |
|
229 +of the underlying context B<ctx>: connection method, |
|
230 options, verification settings, timeout settings. |
|
231 |
|
232 =head1 RETURN VALUES |
|
233 --- openssl-1.0.1/doc/ssl/SSL_shutdown.pod Thu Mar 19 06:37:10 2015 |
|
234 +++ openssl-1.0.1/doc/ssl/SSL_shutdown.pod.new Tue May 26 11:43:56 2015 |
|
235 @@ -60,9 +60,7 @@ |
|
236 |
|
237 It is therefore recommended, to check the return value of SSL_shutdown() |
|
238 and call SSL_shutdown() again, if the bidirectional shutdown is not yet |
|
239 -complete (return value of the first call is 0). As the shutdown is not |
|
240 -specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on |
|
241 -the first call. |
|
242 +complete (return value of the first call is 0). |
|
243 |
|
244 The behaviour of SSL_shutdown() additionally depends on the underlying BIO. |
|
245 |
|
246 --- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015 |
|
247 +++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015 |
|
248 @@ -9,9 +9,8 @@ |
|
249 |
|
250 =head1 DESCRIPTION |
|
251 |
|
252 -The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and |
|
253 -Transport Layer Security (TLS v1) protocols. It provides a rich API which is |
|
254 -documented here. |
|
255 +The OpenSSL B<ssl> library implements the Transport Layer Security (TLS v1) |
|
256 +protocols. It provides a rich API which is documented here. |
|
257 |
|
258 At first the library must be initialized; see |
|
259 L<SSL_library_init(3)|SSL_library_init(3)>. |
|
260 @@ -45,8 +44,8 @@ |
|
261 =item B<SSL_METHOD> (SSL Method) |
|
262 |
|
263 That's a dispatch structure describing the internal B<ssl> library |
|
264 -methods/functions which implement the various protocol versions (SSLv1, SSLv2 |
|
265 -and TLSv1). It's needed to create an B<SSL_CTX>. |
|
266 +methods/functions which implement the various protocol versions (TLSv1, ...). |
|
267 +It's needed to create an B<SSL_CTX>. |
|
268 |
|
269 =item B<SSL_CIPHER> (SSL Cipher) |
|
270 |
|
271 @@ -105,8 +104,8 @@ |
|
272 |
|
273 =item B<ssl23.h> |
|
274 |
|
275 -That's the sub header file dealing with the combined use of the SSLv2 and |
|
276 -SSLv3 protocols. |
|
277 +That's the sub header file dealing with the combined use of different |
|
278 +protocol version. |
|
279 I<Usually you don't have to include it explicitly because |
|
280 it's already included by ssl.h>. |
|
281 |
|
282 @@ -201,15 +200,15 @@ |
|
283 =item const SSL_METHOD *B<SSLv2_method>(void); |
|
284 |
|
285 Constructor for the SSLv2 SSL_METHOD structure for clients, servers |
|
286 -or both. |
|
287 +or both. (deprecated) |
|
288 |
|
289 =item const SSL_METHOD *B<SSLv2_client_method>(void); |
|
290 |
|
291 -Constructor for the SSLv2 SSL_METHOD structure for clients. |
|
292 +Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated) |
|
293 |
|
294 =item const SSL_METHOD *B<SSLv2_server_method>(void); |
|
295 |
|
296 -Constructor for the SSLv2 SSL_METHOD structure for servers. |
|
297 +Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated) |
|
298 |
|
299 =back |
|
300 |
|
301 @@ -234,12 +233,12 @@ |
|
302 =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher); |
|
303 |
|
304 Return the internal name of I<cipher> as a string. These are the various |
|
305 -strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
306 +strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
307 definitions in the header files. |
|
308 |
|
309 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); |
|
310 |
|
311 -Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the |
|
312 +Returns a string like "C<TLSv1/SSLv3>" which indicates the |
|
313 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined |
|
314 in the specification the first time). |
|
315 |
|
316 --- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015 |
|
317 +++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015 |
|
318 @@ -26,26 +24,18 @@ |
|
319 |
|
320 =item B<-v> |
|
321 |
|
322 -Verbose option. List ciphers with a complete description of |
|
323 -protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, |
|
324 -authentication, encryption and mac algorithms used along with any key size |
|
325 -restrictions and whether the algorithm is classed as an "export" cipher. |
|
326 -Note that without the B<-v> option, ciphers may seem to appear twice |
|
327 -in a cipher list; this is when similar ciphers are available for |
|
328 -SSL v2 and for SSL v3/TLS v1. |
|
329 +Verbose option. List ciphers with a complete description of protocol version, |
|
330 +key exchange, authentication, encryption and mac algorithms used along with any |
|
331 +key size restrictions and whether the algorithm is classed as an "export" cipher. |
|
332 |
|
333 =item B<-V> |
|
334 |
|
335 Like B<-v>, but include cipher suite codes in output (hex format). |
|
336 |
|
337 -=item B<-ssl3>, B<-tls1> |
|
338 +=item B<-tls1> |
|
339 |
|
340 -This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. |
|
341 +This lists ciphers compatible with any of TLSv1, TLSv1.1 or TLSv1.2. |
|
342 |
|
343 -=item B<-ssl2> |
|
344 - |
|
345 -Only include SSLv2 ciphers. |
|
346 - |
|
347 =item B<-h>, B<-?> |
|
348 |
|
349 Print a brief usage message. |
|
350 @@ -588,16 +580,6 @@ |
|
351 TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA |
|
352 TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA |
|
353 |
|
354 -=head2 Deprecated SSL v2.0 cipher suites. |
|
355 - |
|
356 - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 |
|
357 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. |
|
358 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 |
|
359 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. |
|
360 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 |
|
361 - SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. |
|
362 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 |
|
363 - |
|
364 =head1 NOTES |
|
365 |
|
366 Some compiled versions of OpenSSL may not include all the ciphers |
|
367 --- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015 |
|
368 +++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015 |
|
369 @@ -32,11 +32,9 @@ |
|
370 [B<-ign_eof>] |
|
371 [B<-no_ign_eof>] |
|
372 [B<-quiet>] |
|
373 -[B<-ssl2>] |
|
374 -[B<-ssl3>] |
|
375 [B<-tls1>] |
|
376 +[B<-tls1_1>] |
|
377 +[B<-tls1_2>] |
|
378 -[B<-no_ssl2>] |
|
379 -[B<-no_ssl3>] |
|
380 [B<-no_tls1>] |
|
381 [B<-no_tls1_1>] |
|
382 [B<-no_tls1_2>] |
|
383 @@ -201,9 +199,9 @@ |
|
384 given as a hexadecimal number without leading 0x, for example -psk |
|
385 1a2b3c4d. |
|
386 |
|
387 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
388 +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
389 |
|
390 -These options require or disable the use of the specified SSL or TLS protocols. |
|
391 +These options require or disable the use of the specified TLS protocols. |
|
392 By default the initial handshake uses a I<version-flexible> method which will |
|
393 negotiate the highest mutually supported protocol version. |
|
394 |
|
395 @@ -227,10 +225,6 @@ |
|
396 supported cipher in the list sent by the client. See the B<ciphers> |
|
397 command for more information. |
|
398 |
|
399 -=item B<-serverpref> |
|
400 - |
|
401 -use the server's cipher preferences; only used for SSLV2. |
|
402 - |
|
403 =item B<-starttls protocol> |
|
404 |
|
405 send the protocol-specific message(s) to switch to TLS for communication. |
|
406 @@ -314,8 +308,8 @@ |
|
407 then an HTTP command can be given such as "GET /" to retrieve a web page. |
|
408 |
|
409 If the handshake fails then there are several possible causes, if it is |
|
410 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
411 -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried |
|
412 +nothing obvious like no client certificate then the B<-bugs>, B<-tls1>, B<-tls1_1>, |
|
413 +B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> options can be tried |
|
414 in case it is a buggy server. In particular you should play with these |
|
415 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
416 |
|
417 @@ -337,10 +331,6 @@ |
|
418 If there are problems verifying a server certificate then the |
|
419 B<-showcerts> option can be used to show the whole chain. |
|
420 |
|
421 -Since the SSLv23 client hello cannot include compression methods or extensions |
|
422 -these will only be supported if its use is disabled, for example by using the |
|
423 -B<-no_sslv2> option. |
|
424 - |
|
425 The B<s_client> utility is a test tool and is designed to continue the |
|
426 handshake after any certificate verification errors. As a result it will |
|
427 accept any certificate chain (trusted or not) sent by the peer. None test |
|
428 --- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015 |
|
429 +++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015 |
|
430 @@ -39,12 +39,12 @@ |
|
431 [B<-serverpref>] |
|
432 [B<-quiet>] |
|
433 [B<-no_tmp_rsa>] |
|
434 -[B<-ssl2>] |
|
435 -[B<-ssl3>] |
|
436 [B<-tls1>] |
|
437 -[B<-no_ssl2>] |
|
438 -[B<-no_ssl3>] |
|
439 +[B<-tls1_1>] |
|
440 +[B<-tls1_2>] |
|
441 [B<-no_tls1>] |
|
442 +[B<-no_tls1_1>] |
|
443 +[B<-no_tls1_2>] |
|
444 [B<-no_dhe>] |
|
445 [B<-bugs>] |
|
446 [B<-hack>] |
|
447 @@ -217,9 +217,9 @@ |
|
448 given as a hexadecimal number without leading 0x, for example -psk |
|
449 1a2b3c4d. |
|
450 |
|
451 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
452 +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
453 |
|
454 -These options require or disable the use of the specified SSL or TLS protocols. |
|
455 +These options require or disable the use of the specified TLS protocols. |
|
456 By default the initial handshake uses a I<version-flexible> method which will |
|
457 negotiate the highest mutually supported protocol version. |
|
458 |
|
459 --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 |
|
460 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 |
|
461 @@ -19,8 +19,6 @@ |
|
462 [B<-verify depth>] |
|
463 [B<-nbio>] |
|
464 [B<-time seconds>] |
|
465 -[B<-ssl2>] |
|
466 -[B<-ssl3>] |
|
467 [B<-bugs>] |
|
468 [B<-cipher cipherlist>] |
|
469 |
|
470 @@ -92,19 +90,6 @@ |
|
471 |
|
472 turns on non-blocking I/O. |
|
473 |
|
474 -=item B<-ssl2>, B<-ssl3> |
|
475 - |
|
476 -these options disable the use of certain SSL or TLS protocols. By default |
|
477 -the initial handshake uses a method which should be compatible with all |
|
478 -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
|
479 -The timing program is not as rich in options to turn protocols on and off as |
|
480 -the L<s_client(1)|s_client(1)> program and may not connect to all servers. |
|
481 - |
|
482 -Unfortunately there are a lot of ancient and broken servers in use which |
|
483 -cannot handle this technique and will fail to connect. Some servers only |
|
484 -work if TLS is turned off with the B<-ssl3> option; others |
|
485 -will only support SSL v2 and may need the B<-ssl2> option. |
|
486 - |
|
487 =item B<-bugs> |
|
488 |
|
489 there are several known bug in SSL and TLS implementations. Adding this |
|
490 @@ -137,8 +122,7 @@ |
|
491 for details. |
|
492 |
|
493 If the handshake fails then there are several possible causes, if it is |
|
494 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
495 -B<-ssl3> options can be tried |
|
496 +nothing obvious like no client certificate then the B<-bugs> option can be tried |
|
497 in case it is a buggy server. In particular you should play with these |
|
498 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
499 |
|
500 --- openssl-1.0.1/doc/apps/sess_id.pod Thu Jan 15 06:43:49 2015 |
|
501 +++ openssl-1.0.1/doc/apps/sess_id.pod.new Tue May 26 12:21:07 2015 |
|
502 @@ -91,7 +91,7 @@ |
|
503 |
|
504 =item B<Protocol> |
|
505 |
|
506 -this is the protocol in use TLSv1, SSLv3 or SSLv2. |
|
507 +this is the protocol in use. |
|
508 |
|
509 =item B<Cipher> |
|
510 |
|
511 @@ -110,10 +110,6 @@ |
|
512 |
|
513 this is the SSL session master key. |
|
514 |
|
515 -=item B<Key-Arg> |
|
516 - |
|
517 -the key argument, this is only used in SSL v2. |
|
518 - |
|
519 =item B<Start Time> |
|
520 |
|
521 this is the session start time represented as an integer in standard Unix format. |