1 # |
|
2 # This was developed in house. Not applicable to the upstream. |
|
3 # |
|
4 --- openssl-1.0.1/ssl/ssl.h Tue May 26 11:13:15 2015 |
|
5 +++ openssl-1.0.1/ssl/ssl.h.new Tue May 26 11:32:09 2015 |
|
6 @@ -2016,12 +2016,28 @@ |
|
7 /* This sets the 'default' SSL version that SSL_new() will create */ |
|
8 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); |
|
9 |
|
10 -# ifndef OPENSSL_NO_SSL2_METHOD |
|
11 -const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
12 -const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
13 -const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
14 -# endif |
|
15 |
|
16 +#ifndef __has_attribute |
|
17 +# define __has_attribute(x) 0 |
|
18 +#endif |
|
19 + |
|
20 +/* Mark SSLv2_* functions deprecated */ |
|
21 +#if __has_attribute(deprecated) \ |
|
22 + || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \ |
|
23 + || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130)) |
|
24 +# define DEPRECATED __attribute__((deprecated)) |
|
25 +#else |
|
26 +# define DEPRECATED |
|
27 +#endif |
|
28 + |
|
29 +# ifndef OPENSSL_NO_SSL2 |
|
30 +# ifndef OPENSSL_NO_SSL2_METHOD |
|
31 +DEPRECATED const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ |
|
32 +DEPRECATED const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ |
|
33 +DEPRECATED const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ |
|
34 +# endif |
|
35 +# endif |
|
36 + |
|
37 # ifndef OPENSSL_NO_SSL3_METHOD |
|
38 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ |
|
39 const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ |
|
40 --- openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod Tue May 26 11:13:15 2015 |
|
41 +++ openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod.new Tue May 26 11:32:09 2015 |
|
42 @@ -25,7 +25,7 @@ |
|
43 |
|
44 SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol |
|
45 version that first defined the cipher. |
|
46 -This is currently B<SSLv2> or B<TLSv1/SSLv3>. |
|
47 +This is currently B<TLSv1/SSLv3>. |
|
48 In some cases it should possibly return "TLSv1.2" but does not; |
|
49 use SSL_CIPHER_description() instead. |
|
50 If B<cipher> is NULL, "(NONE)" is returned. |
|
51 @@ -56,7 +56,7 @@ |
|
52 |
|
53 =item <protocol version> |
|
54 |
|
55 -Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
56 +Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are |
|
57 flagged with SSLv3. No new ciphers were added by TLSv1.1. |
|
58 |
|
59 =item Kx=<key exchange> |
|
60 --- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Mar 1 14:02:53 2016 |
|
61 +++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue Mar 1 14:35:59 2016 |
|
62 @@ -62,12 +62,12 @@ |
|
63 These are the general-purpose I<version-flexible> SSL/TLS methods. |
|
64 The actual protocol version used will be negotiated to the highest version |
|
65 mutually supported by the client and the server. |
|
66 -The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. |
|
67 +The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. |
|
68 Most applications should use these method, and avoid the version specific |
|
69 methods described below. |
|
70 |
|
71 The list of protocols available can be further limited using the |
|
72 -B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, |
|
73 +B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, |
|
74 B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the |
|
75 L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions. |
|
76 Clients should avoid creating "holes" in the set of protocols they support, |
|
77 @@ -81,8 +81,6 @@ |
|
78 Applications should typically use L<SSL_CTX_set_options(3)> in combination with |
|
79 the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above |
|
80 I<version-flexible> SSL/TLS methods. |
|
81 -The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared |
|
82 -via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2. |
|
83 |
|
84 =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() |
|
85 |
|
86 @@ -115,13 +113,7 @@ |
|
87 |
|
88 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method() |
|
89 |
|
90 -A TLS/SSL connection established with these methods will only understand the |
|
91 -SSLv2 protocol. A client will send out SSLv2 client hello messages and will |
|
92 -also indicate that it only understand SSLv2. A server will only understand |
|
93 -SSLv2 client hello messages. The SSLv2 protocol offers little to no security |
|
94 -and should not be used. |
|
95 -As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available |
|
96 -with SSLv2. |
|
97 +The SSLv2 protocol offers little to no security and has been deprecated. |
|
98 |
|
99 =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() |
|
100 |
|
101 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 |
|
102 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 |
|
103 @@ -54,10 +54,6 @@ |
|
104 keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated |
|
105 and the handshake will fail. |
|
106 |
|
107 -If the cipher list does not contain any SSLv2 cipher suites (this is the |
|
108 -default) then SSLv2 is effectively disabled and neither clients nor servers |
|
109 -will attempt to use SSLv2. |
|
110 - |
|
111 =head1 RETURN VALUES |
|
112 |
|
113 SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher |
|
114 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod Thu Jan 15 06:43:49 2015 |
|
115 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod.new Tue May 26 11:40:47 2015 |
|
116 @@ -32,9 +32,8 @@ |
|
117 |
|
118 When a new session is established between client and server, the server |
|
119 generates a session id. The session id is an arbitrary sequence of bytes. |
|
120 -The length of the session id is 16 bytes for SSLv2 sessions and between |
|
121 -1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical |
|
122 -but must be unique for the server. Additionally, the session id is |
|
123 +The length of the session id is between 1 and 32 bytes. The session id is not |
|
124 +security critical but must be unique for the server. Additionally, the session id is |
|
125 transmitted in the clear when reusing the session so it must not contain |
|
126 sensitive information. |
|
127 |
|
128 @@ -51,12 +50,6 @@ |
|
129 the callback B<must never> increase B<id_len> or write to the location |
|
130 B<id> exceeding the given limit. |
|
131 |
|
132 -If a SSLv2 session id is generated and B<id_len> is reduced, it will be |
|
133 -restored after the callback has finished and the session id will be padded |
|
134 -with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions. |
|
135 -The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function |
|
136 -to check, whether the session is of type SSLv2. |
|
137 - |
|
138 The location B<id> is filled with 0x00 before the callback is called, so the |
|
139 callback may only fill part of the possible length and leave B<id_len> |
|
140 untouched while maintaining reproducibility. |
|
141 @@ -63,9 +56,8 @@ |
|
142 |
|
143 Since the sessions must be distinguished, session ids must be unique. |
|
144 Without the callback a random number is used, so that the probability |
|
145 -of generating the same session id is extremely small (2^128 possible ids |
|
146 -for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the |
|
147 -uniqueness of the generated session id, the callback must call |
|
148 +of generating the same session id is extremely small (2^256 for SSLv3/TLSv1). |
|
149 +In order to assure the uniqueness of the generated session id, the callback must call |
|
150 SSL_has_matching_session_id() and generate another id if a conflict occurs. |
|
151 If an id conflict is not resolved, the handshake will fail. |
|
152 If the application codes e.g. a unique host id, a unique process number, and |
|
153 @@ -85,10 +77,6 @@ |
|
154 the external cache is not tested with SSL_has_matching_session_id() |
|
155 and the same race condition applies. |
|
156 |
|
157 -When calling SSL_has_matching_session_id() for an SSLv2 session with |
|
158 -reduced B<id_len>, the match operation will be performed using the |
|
159 -fixed length required and with a 0x00 padded id. |
|
160 - |
|
161 The callback must return 0 if it cannot generate a session id for whatever |
|
162 reason and return 1 on success. |
|
163 |
|
164 @@ -104,12 +92,7 @@ |
|
165 unsigned int *id_len) |
|
166 { |
|
167 unsigned int count = 0; |
|
168 - const char *version; |
|
169 |
|
170 - version = SSL_get_version(ssl); |
|
171 - if (!strcmp(version, "SSLv2")) |
|
172 - /* we must not change id_len */; |
|
173 - |
|
174 do { |
|
175 RAND_pseudo_bytes(id, *id_len); |
|
176 /* Prefix the session_id with the required prefix. NB: If our |
|
177 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod Tue Jan 20 04:33:36 2015 |
|
178 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod.new Tue May 26 11:41:47 2015 |
|
179 @@ -63,18 +63,11 @@ |
|
180 |
|
181 =item SSL_OP_MICROSOFT_SESS_ID_BUG |
|
182 |
|
183 -www.microsoft.com - when talking SSLv2, if session-id reuse is |
|
184 -performed, the session-id passed back in the server-finished message |
|
185 -is different from the one decided upon. |
|
186 +As of OpenSSL 1.0.0 this option has no effect. |
|
187 |
|
188 =item SSL_OP_NETSCAPE_CHALLENGE_BUG |
|
189 |
|
190 -Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte |
|
191 -challenge but then appears to only use 16 bytes when generating the |
|
192 -encryption keys. Using 16 bytes is ok but it should be ok to use 32. |
|
193 -According to the SSLv3 spec, one should use 32 bytes for the challenge |
|
194 -when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
|
195 -this breaks this server so 16 bytes is the way to go. |
|
196 +As of OpenSSL 1.0.0 this option has no effect. |
|
197 |
|
198 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
|
199 |
|
200 --- openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod Thu Jan 15 06:43:49 2015 |
|
201 +++ openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod.new Tue May 26 11:42:15 2015 |
|
202 @@ -24,7 +24,7 @@ |
|
203 timeout for the protocol will be used. |
|
204 |
|
205 SSL_get_default_timeout() return this hardcoded value, which is 300 seconds |
|
206 -for all currently supported protocols (SSLv2, SSLv3, and TLSv1). |
|
207 +for all currently supported protocols. |
|
208 |
|
209 =head1 RETURN VALUES |
|
210 |
|
211 --- openssl-1.0.1/doc/ssl/SSL_get_version.pod Thu Jan 15 06:43:49 2015 |
|
212 +++ openssl-1.0.1/doc/ssl/SSL_get_version.pod.new Tue May 26 11:42:45 2015 |
|
213 @@ -21,9 +21,6 @@ |
|
214 |
|
215 =over 4 |
|
216 |
|
217 -=item SSLv2 |
|
218 - |
|
219 -The connection uses the SSLv2 protocol. |
|
220 |
|
221 =item SSLv3 |
|
222 |
|
223 --- openssl-1.0.1/doc/ssl/SSL_new.pod Thu Jan 15 06:43:49 2015 |
|
224 +++ openssl-1.0.1/doc/ssl/SSL_new.pod.new Tue May 26 11:43:12 2015 |
|
225 @@ -14,7 +14,7 @@ |
|
226 |
|
227 SSL_new() creates a new B<SSL> structure which is needed to hold the |
|
228 data for a TLS/SSL connection. The new structure inherits the settings |
|
229 -of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1), |
|
230 +of the underlying context B<ctx>: connection method, |
|
231 options, verification settings, timeout settings. |
|
232 |
|
233 =head1 RETURN VALUES |
|
234 --- openssl-1.0.1/doc/ssl/SSL_shutdown.pod Thu Mar 19 06:37:10 2015 |
|
235 +++ openssl-1.0.1/doc/ssl/SSL_shutdown.pod.new Tue May 26 11:43:56 2015 |
|
236 @@ -60,9 +60,7 @@ |
|
237 |
|
238 It is therefore recommended, to check the return value of SSL_shutdown() |
|
239 and call SSL_shutdown() again, if the bidirectional shutdown is not yet |
|
240 -complete (return value of the first call is 0). As the shutdown is not |
|
241 -specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on |
|
242 -the first call. |
|
243 +complete (return value of the first call is 0). |
|
244 |
|
245 The behaviour of SSL_shutdown() additionally depends on the underlying BIO. |
|
246 |
|
247 --- openssl-1.0.1/doc/ssl/ssl.pod Tue Mar 1 05:40:03 2016 |
|
248 +++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue Mar 1 15:42:46 2016 |
|
249 @@ -9,7 +9,7 @@ |
|
250 |
|
251 =head1 DESCRIPTION |
|
252 |
|
253 -The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and |
|
254 +The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v3) and |
|
255 Transport Layer Security (TLS v1) protocols. It provides a rich API which is |
|
256 documented here. |
|
257 |
|
258 @@ -45,8 +45,8 @@ |
|
259 =item B<SSL_METHOD> (SSL Method) |
|
260 |
|
261 That's a dispatch structure describing the internal B<ssl> library |
|
262 -methods/functions which implement the various protocol versions (SSLv1, SSLv2 |
|
263 -and TLSv1). It's needed to create an B<SSL_CTX>. |
|
264 +methods/functions which implement the various protocol versions (SSLv3, |
|
265 +TLSv1, ...). It's needed to create an B<SSL_CTX>. |
|
266 |
|
267 =item B<SSL_CIPHER> (SSL Cipher) |
|
268 |
|
269 @@ -93,7 +93,7 @@ |
|
270 |
|
271 =item B<ssl2.h> |
|
272 |
|
273 -That's the sub header file dealing with the SSLv2 protocol only. |
|
274 +That's the sub header file dealing with the deprecated SSLv2 protocol only. |
|
275 I<Usually you don't have to include it explicitly because |
|
276 it's already included by ssl.h>. |
|
277 |
|
278 @@ -105,8 +105,8 @@ |
|
279 |
|
280 =item B<ssl23.h> |
|
281 |
|
282 -That's the sub header file dealing with the combined use of the SSLv2 and |
|
283 -SSLv3 protocols. |
|
284 +That's the sub header file dealing with the combined use of the different |
|
285 +protocol versions. |
|
286 I<Usually you don't have to include it explicitly because |
|
287 it's already included by ssl.h>. |
|
288 |
|
289 @@ -201,15 +201,15 @@ |
|
290 =item const SSL_METHOD *B<SSLv2_method>(void); |
|
291 |
|
292 Constructor for the SSLv2 SSL_METHOD structure for clients, servers |
|
293 -or both. |
|
294 +or both. (deprecated) |
|
295 |
|
296 =item const SSL_METHOD *B<SSLv2_client_method>(void); |
|
297 |
|
298 -Constructor for the SSLv2 SSL_METHOD structure for clients. |
|
299 +Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated) |
|
300 |
|
301 =item const SSL_METHOD *B<SSLv2_server_method>(void); |
|
302 |
|
303 -Constructor for the SSLv2 SSL_METHOD structure for servers. |
|
304 +Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated) |
|
305 |
|
306 =back |
|
307 |
|
308 @@ -234,12 +234,12 @@ |
|
309 =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher); |
|
310 |
|
311 Return the internal name of I<cipher> as a string. These are the various |
|
312 -strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
313 +strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> |
|
314 definitions in the header files. |
|
315 |
|
316 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); |
|
317 |
|
318 -Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the |
|
319 +Returns a string like "C<TLSv1/SSLv3>" which indicates the |
|
320 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined |
|
321 in the specification the first time). |
|
322 |
|
323 --- openssl-1.0.1/doc/apps/ciphers.pod Tue Mar 1 05:40:03 2016 |
|
324 +++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue Mar 1 15:28:28 2016 |
|
325 @@ -9,7 +9,6 @@ |
|
326 B<openssl> B<ciphers> |
|
327 [B<-v>] |
|
328 [B<-V>] |
|
329 -[B<-ssl2>] |
|
330 [B<-ssl3>] |
|
331 [B<-tls1>] |
|
332 [B<cipherlist>] |
|
333 @@ -27,12 +26,9 @@ |
|
334 =item B<-v> |
|
335 |
|
336 Verbose option. List ciphers with a complete description of |
|
337 -protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, |
|
338 +protocol version, key exchange, |
|
339 authentication, encryption and mac algorithms used along with any key size |
|
340 restrictions and whether the algorithm is classed as an "export" cipher. |
|
341 -Note that without the B<-v> option, ciphers may seem to appear twice |
|
342 -in a cipher list; this is when similar ciphers are available for |
|
343 -SSL v2 and for SSL v3/TLS v1. |
|
344 |
|
345 =item B<-V> |
|
346 |
|
347 @@ -42,10 +38,6 @@ |
|
348 |
|
349 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. |
|
350 |
|
351 -=item B<-ssl2> |
|
352 - |
|
353 -Only include SSLv2 ciphers. |
|
354 - |
|
355 =item B<-h>, B<-?> |
|
356 |
|
357 Print a brief usage message. |
|
358 @@ -255,9 +247,9 @@ |
|
359 ciphers suites using FORTEZZA key exchange, authentication, encryption or all |
|
360 FORTEZZA algorithms. Not implemented. |
|
361 |
|
362 -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2> |
|
363 +=item B<TLSv1.2>, B<TLSv1>, B<SSLv3> |
|
364 |
|
365 -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: |
|
366 +TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note: |
|
367 there are no ciphersuites specific to TLS v1.1. |
|
368 |
|
369 =item B<AES128>, B<AES256>, B<AES> |
|
370 @@ -578,16 +570,6 @@ |
|
371 TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA |
|
372 TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA |
|
373 |
|
374 -=head2 Deprecated SSL v2.0 cipher suites. |
|
375 - |
|
376 - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 |
|
377 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. |
|
378 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 |
|
379 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. |
|
380 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 |
|
381 - SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. |
|
382 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 |
|
383 - |
|
384 =head1 NOTES |
|
385 |
|
386 The non-ephemeral DH modes are currently unimplemented in OpenSSL |
|
387 --- openssl-1.0.1/doc/apps/s_client.pod Tue Mar 1 05:40:03 2016 |
|
388 +++ openssl-1.0.1/doc/apps/s_client.pod.new Tue Mar 1 15:37:40 2016 |
|
389 @@ -32,10 +32,8 @@ |
|
390 [B<-ign_eof>] |
|
391 [B<-no_ign_eof>] |
|
392 [B<-quiet>] |
|
393 -[B<-ssl2>] |
|
394 [B<-ssl3>] |
|
395 [B<-tls1>] |
|
396 -[B<-no_ssl2>] |
|
397 [B<-no_ssl3>] |
|
398 [B<-no_tls1>] |
|
399 [B<-bugs>] |
|
400 @@ -197,7 +195,7 @@ |
|
401 given as a hexadecimal number without leading 0x, for example -psk |
|
402 1a2b3c4d. |
|
403 |
|
404 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
405 +=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
406 |
|
407 These options require or disable the use of the specified SSL or TLS protocols. |
|
408 By default the initial handshake uses a I<version-flexible> method which will |
|
409 @@ -215,10 +213,6 @@ |
|
410 supported cipher in the list sent by the client. See the B<ciphers> |
|
411 command for more information. |
|
412 |
|
413 -=item B<-serverpref> |
|
414 - |
|
415 -use the server's cipher preferences; only used for SSLV2. |
|
416 - |
|
417 =item B<-starttls protocol> |
|
418 |
|
419 send the protocol-specific message(s) to switch to TLS for communication. |
|
420 @@ -295,8 +289,8 @@ |
|
421 then an HTTP command can be given such as "GET /" to retrieve a web page. |
|
422 |
|
423 If the handshake fails then there are several possible causes, if it is |
|
424 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
425 -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried |
|
426 +nothing obvious like no client certificate then the B<-bugs>, |
|
427 +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried |
|
428 in case it is a buggy server. In particular you should play with these |
|
429 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
430 |
|
431 @@ -318,10 +312,6 @@ |
|
432 If there are problems verifying a server certificate then the |
|
433 B<-showcerts> option can be used to show the whole chain. |
|
434 |
|
435 -Since the SSLv23 client hello cannot include compression methods or extensions |
|
436 -these will only be supported if its use is disabled, for example by using the |
|
437 -B<-no_sslv2> option. |
|
438 - |
|
439 The B<s_client> utility is a test tool and is designed to continue the |
|
440 handshake after any certificate verification errors. As a result it will |
|
441 accept any certificate chain (trusted or not) sent by the peer. None test |
|
442 --- openssl-1.0.1/doc/apps/s_server.pod Tue Mar 1 05:40:03 2016 |
|
443 +++ openssl-1.0.1/doc/apps/s_server.pod.new Tue Mar 1 15:38:50 2016 |
|
444 @@ -39,10 +39,8 @@ |
|
445 [B<-serverpref>] |
|
446 [B<-quiet>] |
|
447 [B<-no_tmp_rsa>] |
|
448 -[B<-ssl2>] |
|
449 [B<-ssl3>] |
|
450 [B<-tls1>] |
|
451 -[B<-no_ssl2>] |
|
452 [B<-no_ssl3>] |
|
453 [B<-no_tls1>] |
|
454 [B<-no_dhe>] |
|
455 @@ -221,7 +219,7 @@ |
|
456 given as a hexadecimal number without leading 0x, for example -psk |
|
457 1a2b3c4d. |
|
458 |
|
459 -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
460 +=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> |
|
461 |
|
462 These options require or disable the use of the specified SSL or TLS protocols. |
|
463 By default the initial handshake uses a I<version-flexible> method which will |
|
464 --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 |
|
465 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 |
|
466 @@ -19,7 +19,6 @@ |
|
467 [B<-verify depth>] |
|
468 [B<-nbio>] |
|
469 [B<-time seconds>] |
|
470 -[B<-ssl2>] |
|
471 [B<-ssl3>] |
|
472 [B<-bugs>] |
|
473 [B<-cipher cipherlist>] |
|
474 @@ -92,18 +90,17 @@ |
|
475 |
|
476 turns on non-blocking I/O. |
|
477 |
|
478 -=item B<-ssl2>, B<-ssl3> |
|
479 +=item B<-ssl3> |
|
480 |
|
481 these options disable the use of certain SSL or TLS protocols. By default |
|
482 the initial handshake uses a method which should be compatible with all |
|
483 -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. |
|
484 +servers and permit them to use SSL v3 or TLS as appropriate. |
|
485 The timing program is not as rich in options to turn protocols on and off as |
|
486 the L<s_client(1)|s_client(1)> program and may not connect to all servers. |
|
487 |
|
488 Unfortunately there are a lot of ancient and broken servers in use which |
|
489 cannot handle this technique and will fail to connect. Some servers only |
|
490 -work if TLS is turned off with the B<-ssl3> option; others |
|
491 -will only support SSL v2 and may need the B<-ssl2> option. |
|
492 +work if TLS is turned off with the B<-ssl3> option. |
|
493 |
|
494 =item B<-bugs> |
|
495 |
|
496 @@ -137,7 +122,7 @@ |
|
497 for details. |
|
498 |
|
499 If the handshake fails then there are several possible causes, if it is |
|
500 -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, |
|
501 +nothing obvious like no client certificate then the B<-bugs>, |
|
502 B<-ssl3> options can be tried |
|
503 in case it is a buggy server. In particular you should play with these |
|
504 options B<before> submitting a bug report to an OpenSSL mailing list. |
|
505 --- openssl-1.0.1/doc/apps/sess_id.pod Thu Jan 15 06:43:49 2015 |
|
506 +++ openssl-1.0.1/doc/apps/sess_id.pod.new Tue May 26 12:21:07 2015 |
|
507 @@ -91,7 +91,7 @@ |
|
508 |
|
509 =item B<Protocol> |
|
510 |
|
511 -this is the protocol in use TLSv1, SSLv3 or SSLv2. |
|
512 +this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3. |
|
513 |
|
514 =item B<Cipher> |
|
515 |
|
516 @@ -110,10 +110,6 @@ |
|
517 |
|
518 this is the SSL session master key. |
|
519 |
|
520 -=item B<Key-Arg> |
|
521 - |
|
522 -the key argument, this is only used in SSL v2. |
|
523 - |
|
524 =item B<Start Time> |
|
525 |
|
526 this is the session start time represented as an integer in standard Unix format. |
|