--- a/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch Fri Mar 04 13:32:34 2016 -0800
+++ b/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch Fri Mar 04 16:04:58 2016 -0800
@@ -103,58 +103,47 @@
flagged with SSLv3. No new ciphers were added by TLSv1.1.
=item Kx=<key exchange>
---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015
-+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015
-@@ -25,10 +25,7 @@
-
- =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
-
--A TLS/SSL connection established with these methods will only understand
--the SSLv2 protocol. A client will send out SSLv2 client hello messages
--and will also indicate that it only understand SSLv2. A server will only
--understand SSLv2 client hello messages.
-+These functions are deprecated.
-
- =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
-
-@@ -51,33 +48,25 @@ SSLv3 client hello messages.
-
- =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
-
--A TLS/SSL connection established with these methods may understand the SSLv2,
-+A TLS/SSL connection established with these methods may understand the
- SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Mar 1 14:02:53 2016
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue Mar 1 14:35:59 2016
+@@ -62,12 +62,12 @@
+ These are the general-purpose I<version-flexible> SSL/TLS methods.
+ The actual protocol version used will be negotiated to the highest version
+ mutually supported by the client and the server.
+-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
+ Most applications should use these method, and avoid the version specific
+ methods described below.
--If the cipher list does not contain any SSLv2 ciphersuites (the default
--cipher list does not) or extensions are required (for example server name)
-+If extensions are required (for example server name)
- a client will send out TLSv1 client hello messages including extensions and
- will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
- fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
- protocols. This is the best choice when compatibility is a concern.
+ The list of protocols available can be further limited using the
+-B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
++B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+ B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the
+ L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions.
+ Clients should avoid creating "holes" in the set of protocols they support,
+@@ -81,8 +81,6 @@
+ Applications should typically use L<SSL_CTX_set_options(3)> in combination with
+ the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above
+ I<version-flexible> SSL/TLS methods.
+-The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared
+-via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2.
+
+ =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
--If any SSLv2 ciphersuites are included in the cipher list and no extensions
--are required then SSLv2 compatible client hellos will be used by clients and
--SSLv2 will be accepted by servers. This is B<not> recommended due to the
--insecurity of SSLv2 and the limited nature of the SSLv2 client hello
--prohibiting the use of extensions.
--
- =back
+@@ -115,13 +113,7 @@
+
+ =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
--The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-+The list of protocols available can later be limited using the
- SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
- options of the SSL_CTX_set_options() or SSL_set_options() functions.
- Using these options it is possible to choose e.g. SSLv23_server_method() and
- be able to negotiate with all possible clients, but to only allow newer
- protocols like TLSv1, TLSv1.1 or TLS v1.2.
+-A TLS/SSL connection established with these methods will only understand the
+-SSLv2 protocol. A client will send out SSLv2 client hello messages and will
+-also indicate that it only understand SSLv2. A server will only understand
+-SSLv2 client hello messages. The SSLv2 protocol offers little to no security
+-and should not be used.
+-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available
+-with SSLv2.
++The SSLv2 protocol offers little to no security and has been deprecated.
--Applications which never want to support SSLv2 (even is the cipher string
--is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
-+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
+ =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
- SSL_CTX_new() initializes the list of ciphers, the session cache setting,
- the callbacks, the keys and certificates and the options to its default
--- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015
+++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015
@@ -54,10 +54,6 @@
@@ -301,8 +290,8 @@
The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
---- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015
+--- openssl-1.0.1/doc/ssl/ssl.pod Tue Mar 1 05:40:03 2016
++++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue Mar 1 15:42:46 2016
@@ -9,7 +9,7 @@
=head1 DESCRIPTION
@@ -318,42 +307,51 @@
That's a dispatch structure describing the internal B<ssl> library
-methods/functions which implement the various protocol versions (SSLv1, SSLv2
-and TLSv1). It's needed to create an B<SSL_CTX>.
-+methods/functions which implement the various protocol versions (SSLv3
++methods/functions which implement the various protocol versions (SSLv3,
+TLSv1, ...). It's needed to create an B<SSL_CTX>.
=item B<SSL_CIPHER> (SSL Cipher)
-@@ -105,8 +104,8 @@
+@@ -93,7 +93,7 @@
+
+ =item B<ssl2.h>
+
+-That's the sub header file dealing with the SSLv2 protocol only.
++That's the sub header file dealing with the deprecated SSLv2 protocol only.
+ I<Usually you don't have to include it explicitly because
+ it's already included by ssl.h>.
+
+@@ -105,8 +105,8 @@
=item B<ssl23.h>
-That's the sub header file dealing with the combined use of the SSLv2 and
-SSLv3 protocols.
-+That's the sub header file dealing with the combined use of different
-+protocol version.
++That's the sub header file dealing with the combined use of the different
++protocol versions.
I<Usually you don't have to include it explicitly because
it's already included by ssl.h>.
-@@ -132,15 +131,15 @@
+@@ -201,15 +201,15 @@
+ =item const SSL_METHOD *B<SSLv2_method>(void);
+
+ Constructor for the SSLv2 SSL_METHOD structure for clients, servers
+-or both.
++or both. (deprecated)
=item const SSL_METHOD *B<SSLv2_client_method>(void);
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
+-Constructor for the SSLv2 SSL_METHOD structure for clients.
++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated)
=item const SSL_METHOD *B<SSLv2_server_method>(void);
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
-
- =item const SSL_METHOD *B<SSLv2_method>(void);
+-Constructor for the SSLv2 SSL_METHOD structure for servers.
++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated)
--Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
-+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
+ =back
- =item const SSL_METHOD *B<SSLv3_client_method>(void);
-
-@@ -189,12 +188,12 @@
+@@ -234,12 +234,12 @@
=item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
Return the internal name of I<cipher> as a string. These are the various
@@ -368,8 +366,8 @@
SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
in the specification the first time).
---- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015
+--- openssl-1.0.1/doc/apps/ciphers.pod Tue Mar 1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue Mar 1 15:28:28 2016
@@ -9,7 +9,6 @@
B<openssl> B<ciphers>
[B<-v>]
@@ -394,47 +392,47 @@
@@ -42,10 +38,6 @@
- only include SSL v3 ciphers.
+ This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
-=item B<-ssl2>
-
--only include SSL v2 ciphers.
+-Only include SSLv2 ciphers.
-
- =item B<-tls1>
+ =item B<-h>, B<-?>
- only include TLS v1 ciphers.
-@@ -246,9 +232,9 @@
+ Print a brief usage message.
+@@ -255,9 +247,9 @@
ciphers suites using FORTEZZA key exchange, authentication, encryption or all
FORTEZZA algorithms. Not implemented.
-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
-+=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
-TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
-+TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note:
there are no ciphersuites specific to TLS v1.1.
=item B<AES128>, B<AES256>, B<AES>
-@@ -569,16 +555,6 @@
+@@ -578,16 +570,6 @@
TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
-=head2 Deprecated SSL v2.0 cipher suites.
-
- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
-- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
-- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
-- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
+- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
- SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
-- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
-
=head1 NOTES
The non-ephemeral DH modes are currently unimplemented in OpenSSL
---- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015
-@@ -31,10 +31,8 @@
+--- openssl-1.0.1/doc/apps/s_client.pod Tue Mar 1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_client.pod.new Tue Mar 1 15:37:40 2016
+@@ -32,10 +32,8 @@
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-quiet>]
@@ -445,21 +443,16 @@
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-bugs>]
-@@ -196,11 +196,11 @@
+@@ -197,7 +195,7 @@
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
-
- Unfortunately there are a lot of ancient and broken servers in use which
- cannot handle this technique and will fail to connect. Some servers only
-@@ -219,10 +219,6 @@
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
+@@ -215,10 +213,6 @@
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
@@ -470,7 +463,7 @@
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
-@@ -299,8 +295,8 @@
+@@ -295,8 +289,8 @@
then an HTTP command can be given such as "GET /" to retrieve a web page.
If the handshake fails then there are several possible causes, if it is
@@ -481,7 +474,7 @@
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
-@@ -322,10 +318,6 @@
+@@ -318,10 +312,6 @@
If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
@@ -492,9 +485,9 @@
The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. None test
---- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015
-@@ -38,10 +38,8 @@
+--- openssl-1.0.1/doc/apps/s_server.pod Tue Mar 1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_server.pod.new Tue Mar 1 15:38:50 2016
+@@ -39,10 +39,8 @@
[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
@@ -505,20 +498,15 @@
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
-@@ -216,11 +216,11 @@
+@@ -221,7 +219,7 @@
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
-
- =item B<-bugs>
-
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
--- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015
+++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015
@@ -19,7 +19,6 @@