22852190 Upgrade OpenSSL version to 1.0.1s s11u3-sru
authorRonald Jordan <ron.jordan@oracle.com>
Fri, 04 Mar 2016 16:04:58 -0800
branchs11u3-sru
changeset 5557 0c86123e6de4
parent 5552 4e17dd2a1b16
child 5568 d36fc1f41120
22852190 Upgrade OpenSSL version to 1.0.1s 22829389 problem in LIBRARY/OPENSSL 22829403 problem in LIBRARY/OPENSSL 22829414 problem in LIBRARY/OPENSSL 22829419 problem in LIBRARY/OPENSSL 22829425 problem in LIBRARY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Mar 04 13:32:34 2016 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Mar 04 16:04:58 2016 -0800
@@ -32,18 +32,18 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1r
+COMPONENT_VERSION =	1.0.1s
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346
+    sha256:e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			26528
+TPNO=			27087
 
 # OpenSSL FIPS directory
 OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips
--- a/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch	Fri Mar 04 13:32:34 2016 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch	Fri Mar 04 16:04:58 2016 -0800
@@ -103,58 +103,47 @@
  flagged with SSLv3. No new ciphers were added by TLSv1.1.
  
  =item Kx=<key exchange>
---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Jan 20 04:33:36 2015
-+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue May 26 11:37:24 2015
[email protected]@ -25,10 +25,7 @@
- 
- =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
- 
--A TLS/SSL connection established with these methods will only understand
--the SSLv2 protocol. A client will send out SSLv2 client hello messages
--and will also indicate that it only understand SSLv2. A server will only
--understand SSLv2 client hello messages.
-+These functions are deprecated.
- 
- =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
- 
[email protected]@ -51,33 +48,25 @@ SSLv3 client hello messages.
- 
- =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
- 
--A TLS/SSL connection established with these methods may understand the SSLv2,
-+A TLS/SSL connection established with these methods may understand the
- SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Mar  1 14:02:53 2016
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue Mar  1 14:35:59 2016
[email protected]@ -62,12 +62,12 @@
+ These are the general-purpose I<version-flexible> SSL/TLS methods.
+ The actual protocol version used will be negotiated to the highest version
+ mutually supported by the client and the server.
+-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
+ Most applications should use these method, and avoid the version specific
+ methods described below.
  
--If the cipher list does not contain any SSLv2 ciphersuites (the default
--cipher list does not) or extensions are required (for example server name)
-+If extensions are required (for example server name)
- a client will send out TLSv1 client hello messages including extensions and
- will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
- fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
- protocols. This is the best choice when compatibility is a concern.
+ The list of protocols available can be further limited using the
+-B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
++B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+ B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the
+ L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions.
+ Clients should avoid creating "holes" in the set of protocols they support,
[email protected]@ -81,8 +81,6 @@
+ Applications should typically use L<SSL_CTX_set_options(3)> in combination with
+ the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above
+ I<version-flexible> SSL/TLS methods.
+-The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared
+-via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2.
+ 
+ =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
  
--If any SSLv2 ciphersuites are included in the cipher list and no extensions
--are required then SSLv2 compatible client hellos will be used by clients and
--SSLv2 will be accepted by servers. This is B<not> recommended due to the
--insecurity of SSLv2 and the limited nature of the SSLv2 client hello
--prohibiting the use of extensions.
--
- =back
[email protected]@ -115,13 +113,7 @@
+ 
+ =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
  
--The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-+The list of protocols available can later be limited using the
- SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
- options of the SSL_CTX_set_options() or SSL_set_options() functions.
- Using these options it is possible to choose e.g. SSLv23_server_method() and
- be able to negotiate with all possible clients, but to only allow newer
- protocols like TLSv1, TLSv1.1 or TLS v1.2.
+-A TLS/SSL connection established with these methods will only understand the
+-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
+-also indicate that it only understand SSLv2.  A server will only understand
+-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
+-and should not be used.
+-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available
+-with SSLv2.
++The SSLv2 protocol offers little to no security and has been deprecated.
  
--Applications which never want to support SSLv2 (even is the cipher string
--is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
-+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
+ =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
  
- SSL_CTX_new() initializes the list of ciphers, the session cache setting,
- the callbacks, the keys and certificates and the options to its default
 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod	Thu Mar 19 06:37:10 2015
 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new	Tue May 26 11:38:09 2015
 @@ -54,10 +54,6 @@
@@ -301,8 +290,8 @@
  
  The behaviour of SSL_shutdown() additionally depends on the underlying BIO. 
  
---- openssl-1.0.1/doc/ssl/ssl.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue May 26 11:47:38 2015
+--- openssl-1.0.1/doc/ssl/ssl.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue Mar  1 15:42:46 2016
 @@ -9,7 +9,7 @@
  
  =head1 DESCRIPTION
@@ -318,42 +307,51 @@
  That's a dispatch structure describing the internal B<ssl> library
 -methods/functions which implement the various protocol versions (SSLv1, SSLv2
 -and TLSv1). It's needed to create an B<SSL_CTX>.
-+methods/functions which implement the various protocol versions (SSLv3
++methods/functions which implement the various protocol versions (SSLv3,
 +TLSv1, ...). It's needed to create an B<SSL_CTX>.
  
  =item B<SSL_CIPHER> (SSL Cipher)
  
[email protected]@ -105,8 +104,8 @@
[email protected]@ -93,7 +93,7 @@
+ 
+ =item B<ssl2.h>
+ 
+-That's the sub header file dealing with the SSLv2 protocol only.
++That's the sub header file dealing with the deprecated SSLv2 protocol only.
+ I<Usually you don't have to include it explicitly because
+ it's already included by ssl.h>.
+ 
[email protected]@ -105,8 +105,8 @@
  
  =item B<ssl23.h>
  
 -That's the sub header file dealing with the combined use of the SSLv2 and
 -SSLv3 protocols.
-+That's the sub header file dealing with the combined use of different
-+protocol version.
++That's the sub header file dealing with the combined use of the different
++protocol versions.
  I<Usually you don't have to include it explicitly because
  it's already included by ssl.h>.
  
[email protected]@ -132,15 +131,15 @@
[email protected]@ -201,15 +201,15 @@
+ =item const SSL_METHOD *B<SSLv2_method>(void);
+ 
+ Constructor for the SSLv2 SSL_METHOD structure for clients, servers
+-or both.
++or both. (deprecated)
  
  =item const SSL_METHOD *B<SSLv2_client_method>(void);
  
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
+-Constructor for the SSLv2 SSL_METHOD structure for clients.
++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated)
  
  =item const SSL_METHOD *B<SSLv2_server_method>(void);
  
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
- 
- =item const SSL_METHOD *B<SSLv2_method>(void);
+-Constructor for the SSLv2 SSL_METHOD structure for servers.
++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated)
  
--Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
-+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
+ =back
  
- =item const SSL_METHOD *B<SSLv3_client_method>(void);
- 
[email protected]@ -189,12 +188,12 @@
[email protected]@ -234,12 +234,12 @@
  =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
  
  Return the internal name of I<cipher> as a string. These are the various
@@ -368,8 +366,8 @@
  SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
  in the specification the first time).
  
---- openssl-1.0.1/doc/apps/ciphers.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue May 26 12:07:35 2015
+--- openssl-1.0.1/doc/apps/ciphers.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue Mar  1 15:28:28 2016
 @@ -9,7 +9,6 @@
  B<openssl> B<ciphers>
  [B<-v>]
@@ -394,47 +392,47 @@
  
 @@ -42,10 +38,6 @@
  
- only include SSL v3 ciphers.
+ This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
  
 -=item B<-ssl2>
 -
--only include SSL v2 ciphers.
+-Only include SSLv2 ciphers.
 -
- =item B<-tls1>
+ =item B<-h>, B<-?>
  
- only include TLS v1 ciphers.
[email protected]@ -246,9 +232,9 @@
+ Print a brief usage message.
[email protected]@ -255,9 +247,9 @@
  ciphers suites using FORTEZZA key exchange, authentication, encryption or all
  FORTEZZA algorithms. Not implemented.
  
 -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
-+=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
  
 -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
-+TLS v1.2, TLS v1.0 or SSL v3.0  cipher suites respectively. Note:
++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note:
  there are no ciphersuites specific to TLS v1.1.
  
  =item B<AES128>, B<AES256>, B<AES>
[email protected]@ -569,16 +555,6 @@
[email protected]@ -578,16 +570,6 @@
   TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
   TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
  
 -=head2 Deprecated SSL v2.0 cipher suites.
 -
 - SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
-- SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
-- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
-- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5        Not implemented.
+- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-CBC-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    Not implemented.
 - SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
-- SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5              Not implemented.
 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
 -
  =head1 NOTES
  
  The non-ephemeral DH modes are currently unimplemented in OpenSSL
---- openssl-1.0.1/doc/apps/s_client.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue May 26 12:15:40 2015
[email protected]@ -31,10 +31,8 @@
+--- openssl-1.0.1/doc/apps/s_client.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue Mar  1 15:37:40 2016
[email protected]@ -32,10 +32,8 @@
  [B<-ign_eof>]
  [B<-no_ign_eof>]
  [B<-quiet>]
@@ -445,21 +443,16 @@
  [B<-no_ssl3>]
  [B<-no_tls1>]
  [B<-bugs>]
[email protected]@ -196,11 +196,11 @@
[email protected]@ -197,7 +195,7 @@
  given as a hexadecimal number without leading 0x, for example -psk
  1a2b3c4d.
  
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
  
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
- 
- Unfortunately there are a lot of ancient and broken servers in use which
- cannot handle this technique and will fail to connect. Some servers only
[email protected]@ -219,10 +219,6 @@
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
[email protected]@ -215,10 +213,6 @@
  supported cipher in the list sent by the client. See the B<ciphers>
  command for more information.
  
@@ -470,7 +463,7 @@
  =item B<-starttls protocol>
  
  send the protocol-specific message(s) to switch to TLS for communication.
[email protected]@ -299,8 +295,8 @@
[email protected]@ -295,8 +289,8 @@
  then an HTTP command can be given such as "GET /" to retrieve a web page.
  
  If the handshake fails then there are several possible causes, if it is
@@ -481,7 +474,7 @@
  in case it is a buggy server. In particular you should play with these
  options B<before> submitting a bug report to an OpenSSL mailing list.
  
[email protected]@ -322,10 +318,6 @@
[email protected]@ -318,10 +312,6 @@
  If there are problems verifying a server certificate then the
  B<-showcerts> option can be used to show the whole chain.
  
@@ -492,9 +485,9 @@
  The B<s_client> utility is a test tool and is designed to continue the
  handshake after any certificate verification errors. As a result it will
  accept any certificate chain (trusted or not) sent by the peer. None test
---- openssl-1.0.1/doc/apps/s_server.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue May 26 12:15:02 2015
[email protected]@ -38,10 +38,8 @@
+--- openssl-1.0.1/doc/apps/s_server.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue Mar  1 15:38:50 2016
[email protected]@ -39,10 +39,8 @@
  [B<-serverpref>]
  [B<-quiet>]
  [B<-no_tmp_rsa>]
@@ -505,20 +498,15 @@
  [B<-no_ssl3>]
  [B<-no_tls1>]
  [B<-no_dhe>]
[email protected]@ -216,11 +216,11 @@
[email protected]@ -221,7 +219,7 @@
  given as a hexadecimal number without leading 0x, for example -psk
  1a2b3c4d.
  
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
  
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
- 
- =item B<-bugs>
- 
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
 --- openssl-1.0.1/doc/apps/s_time.pod	Thu Jan 15 06:43:49 2015
 +++ openssl-1.0.1/doc/apps/s_time.pod.new	Tue May 26 12:20:09 2015
 @@ -19,7 +19,6 @@
--- a/components/openssl/openssl-1.0.1/Makefile	Fri Mar 04 13:32:34 2016 -0800
+++ b/components/openssl/openssl-1.0.1/Makefile	Fri Mar 04 16:04:58 2016 -0800
@@ -28,20 +28,20 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1r
+COMPONENT_VERSION =	1.0.1s
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.18
+IPS_COMPONENT_VERSION = 1.0.1.19
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346
+    sha256:e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511
 
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			26528
+TPNO=			27087
 
 include $(WS_MAKE_RULES)/prep.mk
 include $(WS_MAKE_RULES)/configure.mk
--- a/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch	Fri Mar 04 13:32:34 2016 -0800
+++ b/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch	Fri Mar 04 16:04:58 2016 -0800
@@ -103,58 +103,47 @@
  flagged with SSLv3. No new ciphers were added by TLSv1.1.
  
  =item Kx=<key exchange>
---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Jan 20 04:33:36 2015
-+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue May 26 11:37:24 2015
[email protected]@ -25,10 +25,7 @@
- 
- =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
- 
--A TLS/SSL connection established with these methods will only understand
--the SSLv2 protocol. A client will send out SSLv2 client hello messages
--and will also indicate that it only understand SSLv2. A server will only
--understand SSLv2 client hello messages.
-+These functions are deprecated.
- 
- =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
- 
[email protected]@ -51,33 +48,25 @@ SSLv3 client hello messages.
- 
- =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
- 
--A TLS/SSL connection established with these methods may understand the SSLv2,
-+A TLS/SSL connection established with these methods may understand the
- SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod	Tue Mar  1 14:02:53 2016
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new	Tue Mar  1 14:35:59 2016
[email protected]@ -62,12 +62,12 @@
+ These are the general-purpose I<version-flexible> SSL/TLS methods.
+ The actual protocol version used will be negotiated to the highest version
+ mutually supported by the client and the server.
+-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
++The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
+ Most applications should use these method, and avoid the version specific
+ methods described below.
  
--If the cipher list does not contain any SSLv2 ciphersuites (the default
--cipher list does not) or extensions are required (for example server name)
-+If extensions are required (for example server name)
- a client will send out TLSv1 client hello messages including extensions and
- will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
- fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
- protocols. This is the best choice when compatibility is a concern.
+ The list of protocols available can be further limited using the
+-B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
++B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+ B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the
+ L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions.
+ Clients should avoid creating "holes" in the set of protocols they support,
[email protected]@ -81,8 +81,6 @@
+ Applications should typically use L<SSL_CTX_set_options(3)> in combination with
+ the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above
+ I<version-flexible> SSL/TLS methods.
+-The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared
+-via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2.
+ 
+ =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
  
--If any SSLv2 ciphersuites are included in the cipher list and no extensions
--are required then SSLv2 compatible client hellos will be used by clients and
--SSLv2 will be accepted by servers. This is B<not> recommended due to the
--insecurity of SSLv2 and the limited nature of the SSLv2 client hello
--prohibiting the use of extensions.
--
- =back
[email protected]@ -115,13 +113,7 @@
+ 
+ =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
  
--The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-+The list of protocols available can later be limited using the
- SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
- options of the SSL_CTX_set_options() or SSL_set_options() functions.
- Using these options it is possible to choose e.g. SSLv23_server_method() and
- be able to negotiate with all possible clients, but to only allow newer
- protocols like TLSv1, TLSv1.1 or TLS v1.2.
+-A TLS/SSL connection established with these methods will only understand the
+-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
+-also indicate that it only understand SSLv2.  A server will only understand
+-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
+-and should not be used.
+-As of OpenSSL 1.0.1s, EXPORT ciphers and 56-bit DES are no longer available
+-with SSLv2.
++The SSLv2 protocol offers little to no security and has been deprecated.
  
--Applications which never want to support SSLv2 (even is the cipher string
--is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
-+Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
+ =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
  
- SSL_CTX_new() initializes the list of ciphers, the session cache setting,
- the callbacks, the keys and certificates and the options to its default
 --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod	Thu Mar 19 06:37:10 2015
 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new	Tue May 26 11:38:09 2015
 @@ -54,10 +54,6 @@
@@ -301,8 +290,8 @@
  
  The behaviour of SSL_shutdown() additionally depends on the underlying BIO. 
  
---- openssl-1.0.1/doc/ssl/ssl.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue May 26 11:47:38 2015
+--- openssl-1.0.1/doc/ssl/ssl.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/ssl/ssl.pod.new	Tue Mar  1 15:42:46 2016
 @@ -9,7 +9,7 @@
  
  =head1 DESCRIPTION
@@ -318,42 +307,51 @@
  That's a dispatch structure describing the internal B<ssl> library
 -methods/functions which implement the various protocol versions (SSLv1, SSLv2
 -and TLSv1). It's needed to create an B<SSL_CTX>.
-+methods/functions which implement the various protocol versions (SSLv3
++methods/functions which implement the various protocol versions (SSLv3,
 +TLSv1, ...). It's needed to create an B<SSL_CTX>.
  
  =item B<SSL_CIPHER> (SSL Cipher)
  
[email protected]@ -105,8 +104,8 @@
[email protected]@ -93,7 +93,7 @@
+ 
+ =item B<ssl2.h>
+ 
+-That's the sub header file dealing with the SSLv2 protocol only.
++That's the sub header file dealing with the deprecated SSLv2 protocol only.
+ I<Usually you don't have to include it explicitly because
+ it's already included by ssl.h>.
+ 
[email protected]@ -105,8 +105,8 @@
  
  =item B<ssl23.h>
  
 -That's the sub header file dealing with the combined use of the SSLv2 and
 -SSLv3 protocols.
-+That's the sub header file dealing with the combined use of different
-+protocol version.
++That's the sub header file dealing with the combined use of the different
++protocol versions.
  I<Usually you don't have to include it explicitly because
  it's already included by ssl.h>.
  
[email protected]@ -132,15 +131,15 @@
[email protected]@ -201,15 +201,15 @@
+ =item const SSL_METHOD *B<SSLv2_method>(void);
+ 
+ Constructor for the SSLv2 SSL_METHOD structure for clients, servers
+-or both.
++or both. (deprecated)
  
  =item const SSL_METHOD *B<SSLv2_client_method>(void);
  
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
+-Constructor for the SSLv2 SSL_METHOD structure for clients.
++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated)
  
  =item const SSL_METHOD *B<SSLv2_server_method>(void);
  
--Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
-+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
- 
- =item const SSL_METHOD *B<SSLv2_method>(void);
+-Constructor for the SSLv2 SSL_METHOD structure for servers.
++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated)
  
--Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
-+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
+ =back
  
- =item const SSL_METHOD *B<SSLv3_client_method>(void);
- 
[email protected]@ -189,12 +188,12 @@
[email protected]@ -234,12 +234,12 @@
  =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
  
  Return the internal name of I<cipher> as a string. These are the various
@@ -368,8 +366,8 @@
  SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
  in the specification the first time).
  
---- openssl-1.0.1/doc/apps/ciphers.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue May 26 12:07:35 2015
+--- openssl-1.0.1/doc/apps/ciphers.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/ciphers.pod.new	Tue Mar  1 15:28:28 2016
 @@ -9,7 +9,6 @@
  B<openssl> B<ciphers>
  [B<-v>]
@@ -394,47 +392,47 @@
  
 @@ -42,10 +38,6 @@
  
- only include SSL v3 ciphers.
+ This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
  
 -=item B<-ssl2>
 -
--only include SSL v2 ciphers.
+-Only include SSLv2 ciphers.
 -
- =item B<-tls1>
+ =item B<-h>, B<-?>
  
- only include TLS v1 ciphers.
[email protected]@ -246,9 +232,9 @@
+ Print a brief usage message.
[email protected]@ -255,9 +247,9 @@
  ciphers suites using FORTEZZA key exchange, authentication, encryption or all
  FORTEZZA algorithms. Not implemented.
  
 -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
-+=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
  
 -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
-+TLS v1.2, TLS v1.0 or SSL v3.0  cipher suites respectively. Note:
++TLS v1.2, TLS v1.0, or SSL v3.0 cipher suites respectively. Note:
  there are no ciphersuites specific to TLS v1.1.
  
  =item B<AES128>, B<AES256>, B<AES>
[email protected]@ -569,16 +555,6 @@
[email protected]@ -578,16 +570,6 @@
   TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
   TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
  
 -=head2 Deprecated SSL v2.0 cipher suites.
 -
 - SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
-- SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
-- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
-- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5        Not implemented.
+- SSL_CK_RC2_128_CBC_WITH_MD5             RC2-CBC-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    Not implemented.
 - SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
-- SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5              Not implemented.
 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
 -
  =head1 NOTES
  
  The non-ephemeral DH modes are currently unimplemented in OpenSSL
---- openssl-1.0.1/doc/apps/s_client.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue May 26 12:15:40 2015
[email protected]@ -31,10 +31,8 @@
+--- openssl-1.0.1/doc/apps/s_client.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_client.pod.new	Tue Mar  1 15:37:40 2016
[email protected]@ -32,10 +32,8 @@
  [B<-ign_eof>]
  [B<-no_ign_eof>]
  [B<-quiet>]
@@ -445,21 +443,16 @@
  [B<-no_ssl3>]
  [B<-no_tls1>]
  [B<-bugs>]
[email protected]@ -196,11 +196,11 @@
[email protected]@ -197,7 +195,7 @@
  given as a hexadecimal number without leading 0x, for example -psk
  1a2b3c4d.
  
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
  
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
- 
- Unfortunately there are a lot of ancient and broken servers in use which
- cannot handle this technique and will fail to connect. Some servers only
[email protected]@ -219,10 +219,6 @@
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
[email protected]@ -215,10 +213,6 @@
  supported cipher in the list sent by the client. See the B<ciphers>
  command for more information.
  
@@ -470,7 +463,7 @@
  =item B<-starttls protocol>
  
  send the protocol-specific message(s) to switch to TLS for communication.
[email protected]@ -299,8 +295,8 @@
[email protected]@ -295,8 +289,8 @@
  then an HTTP command can be given such as "GET /" to retrieve a web page.
  
  If the handshake fails then there are several possible causes, if it is
@@ -481,7 +474,7 @@
  in case it is a buggy server. In particular you should play with these
  options B<before> submitting a bug report to an OpenSSL mailing list.
  
[email protected]@ -322,10 +318,6 @@
[email protected]@ -318,10 +312,6 @@
  If there are problems verifying a server certificate then the
  B<-showcerts> option can be used to show the whole chain.
  
@@ -492,9 +485,9 @@
  The B<s_client> utility is a test tool and is designed to continue the
  handshake after any certificate verification errors. As a result it will
  accept any certificate chain (trusted or not) sent by the peer. None test
---- openssl-1.0.1/doc/apps/s_server.pod	Thu Mar 19 06:37:10 2015
-+++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue May 26 12:15:02 2015
[email protected]@ -38,10 +38,8 @@
+--- openssl-1.0.1/doc/apps/s_server.pod	Tue Mar  1 05:40:03 2016
++++ openssl-1.0.1/doc/apps/s_server.pod.new	Tue Mar  1 15:38:50 2016
[email protected]@ -39,10 +39,8 @@
  [B<-serverpref>]
  [B<-quiet>]
  [B<-no_tmp_rsa>]
@@ -505,20 +498,15 @@
  [B<-no_ssl3>]
  [B<-no_tls1>]
  [B<-no_dhe>]
[email protected]@ -216,11 +216,11 @@
[email protected]@ -221,7 +219,7 @@
  given as a hexadecimal number without leading 0x, for example -psk
  1a2b3c4d.
  
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
++=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
  
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
--servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-+servers and permit them to use SSL v3 or TLS as appropriate.
- 
- =item B<-bugs>
- 
+ These options require or disable the use of the specified SSL or TLS protocols.
+ By default the initial handshake uses a I<version-flexible> method which will
 --- openssl-1.0.1/doc/apps/s_time.pod	Thu Jan 15 06:43:49 2015
 +++ openssl-1.0.1/doc/apps/s_time.pod.new	Tue May 26 12:20:09 2015
 @@ -19,7 +19,6 @@