# HG changeset patch # User Ronald Jordan # Date 1457136298 28800 # Node ID 0c86123e6de481b030b46b75670457f364f1bbd3 # Parent 4e17dd2a1b16865d83fdc61b752264557c5114b9 22852190 Upgrade OpenSSL version to 1.0.1s 22829389 problem in LIBRARY/OPENSSL 22829403 problem in LIBRARY/OPENSSL 22829414 problem in LIBRARY/OPENSSL 22829419 problem in LIBRARY/OPENSSL 22829425 problem in LIBRARY/OPENSSL diff -r 4e17dd2a1b16 -r 0c86123e6de4 components/openssl/openssl-1.0.1-fips-140/Makefile --- a/components/openssl/openssl-1.0.1-fips-140/Makefile Fri Mar 04 13:32:34 2016 -0800 +++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Fri Mar 04 16:04:58 2016 -0800 @@ -32,18 +32,18 @@ COMPONENT_NAME = openssl-fips-140 # Note that this is the OpenSSL version that is used to build FIPS-140 certified # libraries. However, we use the FIPS canister version for the IPS package. -COMPONENT_VERSION = 1.0.1r +COMPONENT_VERSION = 1.0.1s IPS_COMPONENT_VERSION = 2.0.6 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC_NAME = openssl COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 + sha256:e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 26528 +TPNO= 27087 # OpenSSL FIPS directory OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips diff -r 4e17dd2a1b16 -r 0c86123e6de4 components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch Fri Mar 04 13:32:34 2016 -0800 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch Fri Mar 04 16:04:58 2016 -0800 @@ -103,58 +103,47 @@ flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx= ---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 -+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 -@@ -25,10 +25,7 @@ - - =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void) - --A TLS/SSL connection established with these methods will only understand --the SSLv2 protocol. A client will send out SSLv2 client hello messages --and will also indicate that it only understand SSLv2. A server will only --understand SSLv2 client hello messages. -+These functions are deprecated. - - =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) - -@@ -51,33 +48,25 @@ SSLv3 client hello messages. - - =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) - --A TLS/SSL connection established with these methods may understand the SSLv2, -+A TLS/SSL connection established with these methods may understand the - SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Mar 1 14:02:53 2016 ++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue Mar 1 14:35:59 2016 +@@ -62,12 +62,12 @@ + These are the general-purpose I SSL/TLS methods. + The actual protocol version used will be negotiated to the highest version + mutually supported by the client and the server. +-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. ++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. + Most applications should use these method, and avoid the version specific + methods described below. --If the cipher list does not contain any SSLv2 ciphersuites (the default --cipher list does not) or extensions are required (for example server name) -+If extensions are required (for example server name) - a client will send out TLSv1 client hello messages including extensions and - will indicate that it also understands TLSv1.1, TLSv1.2 and permits a - fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 - protocols. This is the best choice when compatibility is a concern. + The list of protocols available can be further limited using the +-B, B, B, ++B, B, + B and B options of the + L or L functions. + Clients should avoid creating "holes" in the set of protocols they support, +@@ -81,8 +81,6 @@ + Applications should typically use L in combination with + the B flag to disable negotiation of SSLv3 via the above + I SSL/TLS methods. +-The B option is set by default, and would need to be cleared +-via L in order to enable negotiation of SSLv2. + + =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() --If any SSLv2 ciphersuites are included in the cipher list and no extensions --are required then SSLv2 compatible client hellos will be used by clients and --SSLv2 will be accepted by servers. This is B recommended due to the --insecurity of SSLv2 and the limited nature of the SSLv2 client hello --prohibiting the use of extensions. -- - =back +@@ -115,13 +113,7 @@ + + =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method() --The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, -+The list of protocols available can later be limited using the - SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 - options of the SSL_CTX_set_options() or SSL_set_options() functions. - Using these options it is possible to choose e.g. SSLv23_server_method() and - be able to negotiate with all possible clients, but to only allow newer - protocols like TLSv1, TLSv1.1 or TLS v1.2. +-A TLS/SSL connection established with these methods will only understand the +-SSLv2 protocol. A client will send out SSLv2 client hello messages and will +-also indicate that it only understand SSLv2. A server will only understand +-SSLv2 client hello messages. The SSLv2 protocol offers little to no security +-and should not be used. +-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available +-with SSLv2. ++The SSLv2 protocol offers little to no security and has been deprecated. --Applications which never want to support SSLv2 (even is the cipher string --is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. -+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3. + =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() - SSL_CTX_new() initializes the list of ciphers, the session cache setting, - the callbacks, the keys and certificates and the options to its default --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 @@ -54,10 +54,6 @@ @@ -301,8 +290,8 @@ The behaviour of SSL_shutdown() additionally depends on the underlying BIO. ---- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015 +--- openssl-1.0.1/doc/ssl/ssl.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue Mar 1 15:42:46 2016 @@ -9,7 +9,7 @@ =head1 DESCRIPTION @@ -318,42 +307,51 @@ That's a dispatch structure describing the internal B library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B. -+methods/functions which implement the various protocol versions (SSLv3 ++methods/functions which implement the various protocol versions (SSLv3, +TLSv1, ...). It's needed to create an B. =item B (SSL Cipher) -@@ -105,8 +104,8 @@ +@@ -93,7 +93,7 @@ + + =item B + +-That's the sub header file dealing with the SSLv2 protocol only. ++That's the sub header file dealing with the deprecated SSLv2 protocol only. + I. + +@@ -105,8 +105,8 @@ =item B -That's the sub header file dealing with the combined use of the SSLv2 and -SSLv3 protocols. -+That's the sub header file dealing with the combined use of different -+protocol version. ++That's the sub header file dealing with the combined use of the different ++protocol versions. I. -@@ -132,15 +131,15 @@ +@@ -201,15 +201,15 @@ + =item const SSL_METHOD *B(void); + + Constructor for the SSLv2 SSL_METHOD structure for clients, servers +-or both. ++or both. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated) +-Constructor for the SSLv2 SSL_METHOD structure for clients. ++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated) - - =item const SSL_METHOD *B(void); +-Constructor for the SSLv2 SSL_METHOD structure for servers. ++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated) --Constructor for the SSLv2 SSL_METHOD structure for combined client and server. -+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated) + =back - =item const SSL_METHOD *B(void); - -@@ -189,12 +188,12 @@ +@@ -234,12 +234,12 @@ =item const char *B(SSL_CIPHER *cipher); Return the internal name of I as a string. These are the various @@ -368,8 +366,8 @@ SSL/TLS protocol version to which I belongs (i.e. where it was defined in the specification the first time). ---- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015 +--- openssl-1.0.1/doc/apps/ciphers.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue Mar 1 15:28:28 2016 @@ -9,7 +9,6 @@ B B [B<-v>] @@ -394,47 +392,47 @@ @@ -42,10 +38,6 @@ - only include SSL v3 ciphers. + This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. -=item B<-ssl2> - --only include SSL v2 ciphers. +-Only include SSLv2 ciphers. - - =item B<-tls1> + =item B<-h>, B<-?> - only include TLS v1 ciphers. -@@ -246,9 +232,9 @@ + Print a brief usage message. +@@ -255,9 +247,9 @@ ciphers suites using FORTEZZA key exchange, authentication, encryption or all FORTEZZA algorithms. Not implemented. -=item B, B, B, B -+=item B, B, B ++=item B, B, B -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: -+TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note: ++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note: there are no ciphersuites specific to TLS v1.1. =item B, B, B -@@ -569,16 +555,6 @@ +@@ -578,16 +570,6 @@ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA -=head2 Deprecated SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 -- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 -- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 -- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 +- SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 +- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 -- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 +- SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - =head1 NOTES The non-ephemeral DH modes are currently unimplemented in OpenSSL ---- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015 -@@ -31,10 +31,8 @@ +--- openssl-1.0.1/doc/apps/s_client.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/s_client.pod.new Tue Mar 1 15:37:40 2016 +@@ -32,10 +32,8 @@ [B<-ign_eof>] [B<-no_ign_eof>] [B<-quiet>] @@ -445,21 +443,16 @@ [B<-no_ssl3>] [B<-no_tls1>] [B<-bugs>] -@@ -196,11 +196,11 @@ +@@ -197,7 +195,7 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> ++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers and permit them to use SSL v3 or TLS as appropriate. - - Unfortunately there are a lot of ancient and broken servers in use which - cannot handle this technique and will fail to connect. Some servers only -@@ -219,10 +219,6 @@ + These options require or disable the use of the specified SSL or TLS protocols. + By default the initial handshake uses a I method which will +@@ -215,10 +213,6 @@ supported cipher in the list sent by the client. See the B command for more information. @@ -470,7 +463,7 @@ =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. -@@ -299,8 +295,8 @@ +@@ -295,8 +289,8 @@ then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is @@ -481,7 +474,7 @@ in case it is a buggy server. In particular you should play with these options B submitting a bug report to an OpenSSL mailing list. -@@ -322,10 +318,6 @@ +@@ -318,10 +312,6 @@ If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. @@ -492,9 +485,9 @@ The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test ---- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015 -@@ -38,10 +38,8 @@ +--- openssl-1.0.1/doc/apps/s_server.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/s_server.pod.new Tue Mar 1 15:38:50 2016 +@@ -39,10 +39,8 @@ [B<-serverpref>] [B<-quiet>] [B<-no_tmp_rsa>] @@ -505,20 +498,15 @@ [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] -@@ -216,11 +216,11 @@ +@@ -221,7 +219,7 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> ++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers and permit them to use SSL v3 or TLS as appropriate. - - =item B<-bugs> - + These options require or disable the use of the specified SSL or TLS protocols. + By default the initial handshake uses a I method which will --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 @@ -19,7 +19,6 @@ diff -r 4e17dd2a1b16 -r 0c86123e6de4 components/openssl/openssl-1.0.1/Makefile --- a/components/openssl/openssl-1.0.1/Makefile Fri Mar 04 13:32:34 2016 -0800 +++ b/components/openssl/openssl-1.0.1/Makefile Fri Mar 04 16:04:58 2016 -0800 @@ -28,20 +28,20 @@ # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. # For more information about wanboot-openssl testing, please refer to # ../README. -COMPONENT_VERSION = 1.0.1r +COMPONENT_VERSION = 1.0.1s # Version for IPS. It is easier to do it manually than convert the letter to a # number while taking into account that there might be no letter at all. -IPS_COMPONENT_VERSION = 1.0.1.18 +IPS_COMPONENT_VERSION = 1.0.1.19 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 + sha256:e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 26528 +TPNO= 27087 include $(WS_MAKE_RULES)/prep.mk include $(WS_MAKE_RULES)/configure.mk diff -r 4e17dd2a1b16 -r 0c86123e6de4 components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch --- a/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch Fri Mar 04 13:32:34 2016 -0800 +++ b/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch Fri Mar 04 16:04:58 2016 -0800 @@ -103,58 +103,47 @@ flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx= ---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 -+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 -@@ -25,10 +25,7 @@ - - =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void) - --A TLS/SSL connection established with these methods will only understand --the SSLv2 protocol. A client will send out SSLv2 client hello messages --and will also indicate that it only understand SSLv2. A server will only --understand SSLv2 client hello messages. -+These functions are deprecated. - - =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) - -@@ -51,33 +48,25 @@ SSLv3 client hello messages. - - =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) - --A TLS/SSL connection established with these methods may understand the SSLv2, -+A TLS/SSL connection established with these methods may understand the - SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Mar 1 14:02:53 2016 ++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue Mar 1 14:35:59 2016 +@@ -62,12 +62,12 @@ + These are the general-purpose I SSL/TLS methods. + The actual protocol version used will be negotiated to the highest version + mutually supported by the client and the server. +-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. ++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2. + Most applications should use these method, and avoid the version specific + methods described below. --If the cipher list does not contain any SSLv2 ciphersuites (the default --cipher list does not) or extensions are required (for example server name) -+If extensions are required (for example server name) - a client will send out TLSv1 client hello messages including extensions and - will indicate that it also understands TLSv1.1, TLSv1.2 and permits a - fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 - protocols. This is the best choice when compatibility is a concern. + The list of protocols available can be further limited using the +-B, B, B, ++B, B, + B and B options of the + L or L functions. + Clients should avoid creating "holes" in the set of protocols they support, +@@ -81,8 +81,6 @@ + Applications should typically use L in combination with + the B flag to disable negotiation of SSLv3 via the above + I SSL/TLS methods. +-The B option is set by default, and would need to be cleared +-via L in order to enable negotiation of SSLv2. + + =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() --If any SSLv2 ciphersuites are included in the cipher list and no extensions --are required then SSLv2 compatible client hellos will be used by clients and --SSLv2 will be accepted by servers. This is B recommended due to the --insecurity of SSLv2 and the limited nature of the SSLv2 client hello --prohibiting the use of extensions. -- - =back +@@ -115,13 +113,7 @@ + + =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method() --The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, -+The list of protocols available can later be limited using the - SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 - options of the SSL_CTX_set_options() or SSL_set_options() functions. - Using these options it is possible to choose e.g. SSLv23_server_method() and - be able to negotiate with all possible clients, but to only allow newer - protocols like TLSv1, TLSv1.1 or TLS v1.2. +-A TLS/SSL connection established with these methods will only understand the +-SSLv2 protocol. A client will send out SSLv2 client hello messages and will +-also indicate that it only understand SSLv2. A server will only understand +-SSLv2 client hello messages. The SSLv2 protocol offers little to no security +-and should not be used. +-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available +-with SSLv2. ++The SSLv2 protocol offers little to no security and has been deprecated. --Applications which never want to support SSLv2 (even is the cipher string --is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. -+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3. + =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() - SSL_CTX_new() initializes the list of ciphers, the session cache setting, - the callbacks, the keys and certificates and the options to its default --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 @@ -54,10 +54,6 @@ @@ -301,8 +290,8 @@ The behaviour of SSL_shutdown() additionally depends on the underlying BIO. ---- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015 +--- openssl-1.0.1/doc/ssl/ssl.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue Mar 1 15:42:46 2016 @@ -9,7 +9,7 @@ =head1 DESCRIPTION @@ -318,42 +307,51 @@ That's a dispatch structure describing the internal B library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B. -+methods/functions which implement the various protocol versions (SSLv3 ++methods/functions which implement the various protocol versions (SSLv3, +TLSv1, ...). It's needed to create an B. =item B (SSL Cipher) -@@ -105,8 +104,8 @@ +@@ -93,7 +93,7 @@ + + =item B + +-That's the sub header file dealing with the SSLv2 protocol only. ++That's the sub header file dealing with the deprecated SSLv2 protocol only. + I. + +@@ -105,8 +105,8 @@ =item B -That's the sub header file dealing with the combined use of the SSLv2 and -SSLv3 protocols. -+That's the sub header file dealing with the combined use of different -+protocol version. ++That's the sub header file dealing with the combined use of the different ++protocol versions. I. -@@ -132,15 +131,15 @@ +@@ -201,15 +201,15 @@ + =item const SSL_METHOD *B(void); + + Constructor for the SSLv2 SSL_METHOD structure for clients, servers +-or both. ++or both. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated) +-Constructor for the SSLv2 SSL_METHOD structure for clients. ++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated) - - =item const SSL_METHOD *B(void); +-Constructor for the SSLv2 SSL_METHOD structure for servers. ++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated) --Constructor for the SSLv2 SSL_METHOD structure for combined client and server. -+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated) + =back - =item const SSL_METHOD *B(void); - -@@ -189,12 +188,12 @@ +@@ -234,12 +234,12 @@ =item const char *B(SSL_CIPHER *cipher); Return the internal name of I as a string. These are the various @@ -368,8 +366,8 @@ SSL/TLS protocol version to which I belongs (i.e. where it was defined in the specification the first time). ---- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015 +--- openssl-1.0.1/doc/apps/ciphers.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue Mar 1 15:28:28 2016 @@ -9,7 +9,6 @@ B B [B<-v>] @@ -394,47 +392,47 @@ @@ -42,10 +38,6 @@ - only include SSL v3 ciphers. + This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. -=item B<-ssl2> - --only include SSL v2 ciphers. +-Only include SSLv2 ciphers. - - =item B<-tls1> + =item B<-h>, B<-?> - only include TLS v1 ciphers. -@@ -246,9 +232,9 @@ + Print a brief usage message. +@@ -255,9 +247,9 @@ ciphers suites using FORTEZZA key exchange, authentication, encryption or all FORTEZZA algorithms. Not implemented. -=item B, B, B, B -+=item B, B, B ++=item B, B, B -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: -+TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note: ++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note: there are no ciphersuites specific to TLS v1.1. =item B, B, B -@@ -569,16 +555,6 @@ +@@ -578,16 +570,6 @@ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA -=head2 Deprecated SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 -- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 -- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 -- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 +- SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 +- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 -- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 +- SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - =head1 NOTES The non-ephemeral DH modes are currently unimplemented in OpenSSL ---- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015 -@@ -31,10 +31,8 @@ +--- openssl-1.0.1/doc/apps/s_client.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/s_client.pod.new Tue Mar 1 15:37:40 2016 +@@ -32,10 +32,8 @@ [B<-ign_eof>] [B<-no_ign_eof>] [B<-quiet>] @@ -445,21 +443,16 @@ [B<-no_ssl3>] [B<-no_tls1>] [B<-bugs>] -@@ -196,11 +196,11 @@ +@@ -197,7 +195,7 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> ++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers and permit them to use SSL v3 or TLS as appropriate. - - Unfortunately there are a lot of ancient and broken servers in use which - cannot handle this technique and will fail to connect. Some servers only -@@ -219,10 +219,6 @@ + These options require or disable the use of the specified SSL or TLS protocols. + By default the initial handshake uses a I method which will +@@ -215,10 +213,6 @@ supported cipher in the list sent by the client. See the B command for more information. @@ -470,7 +463,7 @@ =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. -@@ -299,8 +295,8 @@ +@@ -295,8 +289,8 @@ then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is @@ -481,7 +474,7 @@ in case it is a buggy server. In particular you should play with these options B submitting a bug report to an OpenSSL mailing list. -@@ -322,10 +318,6 @@ +@@ -318,10 +312,6 @@ If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. @@ -492,9 +485,9 @@ The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test ---- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015 -+++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015 -@@ -38,10 +38,8 @@ +--- openssl-1.0.1/doc/apps/s_server.pod Tue Mar 1 05:40:03 2016 ++++ openssl-1.0.1/doc/apps/s_server.pod.new Tue Mar 1 15:38:50 2016 +@@ -39,10 +39,8 @@ [B<-serverpref>] [B<-quiet>] [B<-no_tmp_rsa>] @@ -505,20 +498,15 @@ [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] -@@ -216,11 +216,11 @@ +@@ -221,7 +219,7 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> ++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers and permit them to use SSL v3 or TLS as appropriate. - - =item B<-bugs> - + These options require or disable the use of the specified SSL or TLS protocols. + By default the initial handshake uses a I method which will --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 @@ -19,7 +19,6 @@