PSARC/2015/249 EOL of OpenSSL SSLv2/v3 support
20231102 problem in LIBRARY/OPENSSL
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Thu Jun 04 12:13:17 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Thu Jun 04 15:40:26 2015 -0700
@@ -106,6 +106,9 @@
CONFIGURE_OPTIONS += enable-md2
CONFIGURE_OPTIONS += no-seed
+# Disable SSLv2 protocol
+CONFIGURE_OPTIONS += no-ssl2
+
# We define our own compiler and linker option sets for Solaris. See Configure
# for more information.
CONFIGURE_OPTIONS32_i386 = solaris-x86-cc-sunw
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch Thu Jun 04 15:40:26 2015 -0700
@@ -0,0 +1,582 @@
+#
+# This was developed in house. Not applicable to the upstream.
+#
+--- openssl-1.0.1/ssl/s2_meth.c Fri May 8 09:38:33 2015
++++ openssl-1.0.1/ssl/s2_meth.c.new Fri May 8 09:51:53 2015
+@@ -74,6 +74,13 @@
+ ssl2_accept, ssl2_connect, ssl2_get_method)
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/s2_clnt.c Fri May 8 09:37:51 2015
++++ openssl-1.0.1/ssl/ss2_clnt.c.new Fri May 8 09:53:12 2015
+@@ -1087,6 +1087,13 @@
+ }
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_client_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/s2_srvr.c Fri May 8 09:38:02 2015
++++ openssl-1.0.1/ssl/s2_srvr.c.new Fri May 8 09:53:43 2015
+@@ -1150,6 +1150,13 @@
+ }
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_server_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/ssl.h Tue May 26 11:13:15 2015
++++ openssl-1.0.1/ssl/ssl.h.new Tue May 26 11:32:09 2015
+@@ -2016,12 +2016,24 @@
+ /* This sets the 'default' SSL version that SSL_new() will create */
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+
+-# ifndef OPENSSL_NO_SSL2
+-const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
+-const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
+-const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+-# endif
+
++#ifndef __has_attribute
++# define __has_attribute(x) 0
++#endif
++
++/* Mark SSLv2_* functions deprecated */
++#if __has_attribute(deprecated) \
++ || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
++ || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
++# define DEPRECATED __attribute__((deprecated))
++#else
++# define DEPRECATED
++#endif
++
++DEPRECATED const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
++DEPRECATED const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
++DEPRECATED const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
++
+ # ifndef OPENSSL_NO_SSL3_METHOD
+ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
+ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
+--- openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod Tue May 26 11:13:15 2015
++++ openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod.new Tue May 26 11:32:09 2015
+@@ -25,7 +25,7 @@
+
+ SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
+ version that first defined the cipher.
+-This is currently B<SSLv2> or B<TLSv1/SSLv3>.
++This is currently B<TLSv1/SSLv3>.
+ In some cases it should possibly return "TLSv1.2" but does not;
+ use SSL_CIPHER_description() instead.
+ If B<cipher> is NULL, "(NONE)" is returned.
+@@ -56,7 +56,7 @@
+
+ =item <protocol version>
+
+-Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
++Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
+ flagged with SSLv3. No new ciphers were added by TLSv1.1.
+
+ =item Kx=<key exchange>
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015
+@@ -25,10 +25,7 @@
+
+ =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
+
+-A TLS/SSL connection established with these methods will only understand
+-the SSLv2 protocol. A client will send out SSLv2 client hello messages
+-and will also indicate that it only understand SSLv2. A server will only
+-understand SSLv2 client hello messages.
++These functions are deprecated.
+
+ =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
+
+@@ -51,33 +48,25 @@ SSLv3 client hello messages.
+
+ =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+
+-A TLS/SSL connection established with these methods may understand the SSLv2,
++A TLS/SSL connection established with these methods may understand the
+ SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+
+-If the cipher list does not contain any SSLv2 ciphersuites (the default
+-cipher list does not) or extensions are required (for example server name)
++If extensions are required (for example server name)
+ a client will send out TLSv1 client hello messages including extensions and
+ will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+ fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+ protocols. This is the best choice when compatibility is a concern.
+
+-If any SSLv2 ciphersuites are included in the cipher list and no extensions
+-are required then SSLv2 compatible client hellos will be used by clients and
+-SSLv2 will be accepted by servers. This is B<not> recommended due to the
+-insecurity of SSLv2 and the limited nature of the SSLv2 client hello
+-prohibiting the use of extensions.
+-
+ =back
+
+-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
++The list of protocols available can later be limited using the
+ SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
+ options of the SSL_CTX_set_options() or SSL_set_options() functions.
+ Using these options it is possible to choose e.g. SSLv23_server_method() and
+ be able to negotiate with all possible clients, but to only allow newer
+ protocols like TLSv1, TLSv1.1 or TLS v1.2.
+
+-Applications which never want to support SSLv2 (even is the cipher string
+-is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
++Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
+
+ SSL_CTX_new() initializes the list of ciphers, the session cache setting,
+ the callbacks, the keys and certificates and the options to its default
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015
+@@ -54,10 +54,6 @@
+ keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
+ and the handshake will fail.
+
+-If the cipher list does not contain any SSLv2 cipher suites (this is the
+-default) then SSLv2 is effectively disabled and neither clients nor servers
+-will attempt to use SSLv2.
+-
+ =head1 RETURN VALUES
+
+ SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod.new Tue May 26 11:40:47 2015
+@@ -32,9 +32,8 @@
+
+ When a new session is established between client and server, the server
+ generates a session id. The session id is an arbitrary sequence of bytes.
+-The length of the session id is 16 bytes for SSLv2 sessions and between
+-1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
+-but must be unique for the server. Additionally, the session id is
++The length of the session id is between 1 and 32 bytes. The session id is not
++security critical but must be unique for the server. Additionally, the session id is
+ transmitted in the clear when reusing the session so it must not contain
+ sensitive information.
+
+@@ -51,12 +50,6 @@
+ the callback B<must never> increase B<id_len> or write to the location
+ B<id> exceeding the given limit.
+
+-If a SSLv2 session id is generated and B<id_len> is reduced, it will be
+-restored after the callback has finished and the session id will be padded
+-with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions.
+-The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function
+-to check, whether the session is of type SSLv2.
+-
+ The location B<id> is filled with 0x00 before the callback is called, so the
+ callback may only fill part of the possible length and leave B<id_len>
+ untouched while maintaining reproducibility.
+@@ -63,9 +56,8 @@
+
+ Since the sessions must be distinguished, session ids must be unique.
+ Without the callback a random number is used, so that the probability
+-of generating the same session id is extremely small (2^128 possible ids
+-for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
+-uniqueness of the generated session id, the callback must call
++of generating the same session id is extremely small (2^256 for SSLv3/TLSv1).
++In order to assure the uniqueness of the generated session id, the callback must call
+ SSL_has_matching_session_id() and generate another id if a conflict occurs.
+ If an id conflict is not resolved, the handshake will fail.
+ If the application codes e.g. a unique host id, a unique process number, and
+@@ -85,10 +77,6 @@
+ the external cache is not tested with SSL_has_matching_session_id()
+ and the same race condition applies.
+
+-When calling SSL_has_matching_session_id() for an SSLv2 session with
+-reduced B<id_len>, the match operation will be performed using the
+-fixed length required and with a 0x00 padded id.
+-
+ The callback must return 0 if it cannot generate a session id for whatever
+ reason and return 1 on success.
+
+@@ -104,12 +92,7 @@
+ unsigned int *id_len)
+ {
+ unsigned int count = 0;
+- const char *version;
+
+- version = SSL_get_version(ssl);
+- if (!strcmp(version, "SSLv2"))
+- /* we must not change id_len */;
+-
+ do {
+ RAND_pseudo_bytes(id, *id_len);
+ /* Prefix the session_id with the required prefix. NB: If our
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod Tue Jan 20 04:33:36 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod.new Tue May 26 11:41:47 2015
+@@ -63,18 +63,11 @@
+
+ =item SSL_OP_MICROSOFT_SESS_ID_BUG
+
+-www.microsoft.com - when talking SSLv2, if session-id reuse is
+-performed, the session-id passed back in the server-finished message
+-is different from the one decided upon.
++As of OpenSSL 1.0.0 this option has no effect.
+
+ =item SSL_OP_NETSCAPE_CHALLENGE_BUG
+
+-Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+-challenge but then appears to only use 16 bytes when generating the
+-encryption keys. Using 16 bytes is ok but it should be ok to use 32.
+-According to the SSLv3 spec, one should use 32 bytes for the challenge
+-when operating in SSLv2/v3 compatibility mode, but as mentioned above,
+-this breaks this server so 16 bytes is the way to go.
++As of OpenSSL 1.0.0 this option has no effect.
+
+ =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+--- openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod.new Tue May 26 11:42:15 2015
+@@ -24,7 +24,7 @@
+ timeout for the protocol will be used.
+
+ SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
+-for all currently supported protocols (SSLv2, SSLv3, and TLSv1).
++for all currently supported protocols.
+
+ =head1 RETURN VALUES
+
+--- openssl-1.0.1/doc/ssl/SSL_get_version.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_get_version.pod.new Tue May 26 11:42:45 2015
+@@ -21,9 +21,6 @@
+
+ =over 4
+
+-=item SSLv2
+-
+-The connection uses the SSLv2 protocol.
+
+ =item SSLv3
+
+--- openssl-1.0.1/doc/ssl/SSL_new.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_new.pod.new Tue May 26 11:43:12 2015
+@@ -14,7 +14,7 @@
+
+ SSL_new() creates a new B<SSL> structure which is needed to hold the
+ data for a TLS/SSL connection. The new structure inherits the settings
+-of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1),
++of the underlying context B<ctx>: connection method,
+ options, verification settings, timeout settings.
+
+ =head1 RETURN VALUES
+--- openssl-1.0.1/doc/ssl/SSL_shutdown.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/SSL_shutdown.pod.new Tue May 26 11:43:56 2015
+@@ -60,9 +60,7 @@
+
+ It is therefore recommended, to check the return value of SSL_shutdown()
+ and call SSL_shutdown() again, if the bidirectional shutdown is not yet
+-complete (return value of the first call is 0). As the shutdown is not
+-specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on
+-the first call.
++complete (return value of the first call is 0).
+
+ The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
+
+--- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015
+@@ -9,7 +9,7 @@
+
+ =head1 DESCRIPTION
+
+-The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
++The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v3) and
+ Transport Layer Security (TLS v1) protocols. It provides a rich API which is
+ documented here.
+
+@@ -45,8 +45,8 @@
+ =item B<SSL_METHOD> (SSL Method)
+
+ That's a dispatch structure describing the internal B<ssl> library
+-methods/functions which implement the various protocol versions (SSLv1, SSLv2
+-and TLSv1). It's needed to create an B<SSL_CTX>.
++methods/functions which implement the various protocol versions (SSLv3
++TLSv1, ...). It's needed to create an B<SSL_CTX>.
+
+ =item B<SSL_CIPHER> (SSL Cipher)
+
+@@ -105,8 +104,8 @@
+
+ =item B<ssl23.h>
+
+-That's the sub header file dealing with the combined use of the SSLv2 and
+-SSLv3 protocols.
++That's the sub header file dealing with the combined use of different
++protocol version.
+ I<Usually you don't have to include it explicitly because
+ it's already included by ssl.h>.
+
+@@ -132,15 +131,15 @@
+
+ =item const SSL_METHOD *B<SSLv2_client_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
++Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv2_server_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
++Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv2_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
++Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv3_client_method>(void);
+
+@@ -189,12 +188,12 @@
+ =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
+
+ Return the internal name of I<cipher> as a string. These are the various
+-strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
++strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+ definitions in the header files.
+
+ =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+
+-Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
++Returns a string like "C<TLSv1/SSLv3>" which indicates the
+ SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
+ in the specification the first time).
+
+--- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015
+@@ -9,7 +9,6 @@
+ B<openssl> B<ciphers>
+ [B<-v>]
+ [B<-V>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+ [B<cipherlist>]
+@@ -27,12 +26,9 @@
+ =item B<-v>
+
+ Verbose option. List ciphers with a complete description of
+-protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange,
++protocol version, key exchange,
+ authentication, encryption and mac algorithms used along with any key size
+ restrictions and whether the algorithm is classed as an "export" cipher.
+-Note that without the B<-v> option, ciphers may seem to appear twice
+-in a cipher list; this is when similar ciphers are available for
+-SSL v2 and for SSL v3/TLS v1.
+
+ =item B<-V>
+
+@@ -42,10 +38,6 @@
+
+ only include SSL v3 ciphers.
+
+-=item B<-ssl2>
+-
+-only include SSL v2 ciphers.
+-
+ =item B<-tls1>
+
+ only include TLS v1 ciphers.
+@@ -246,9 +232,9 @@
+ ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+ FORTEZZA algorithms. Not implemented.
+
+-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
+
+-TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
++TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
+ there are no ciphersuites specific to TLS v1.1.
+
+ =item B<AES128>, B<AES256>, B<AES>
+@@ -569,16 +555,6 @@
+ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
+ TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
+
+-=head2 Deprecated SSL v2.0 cipher suites.
+-
+- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
+- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
+- SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
+- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
+-
+ =head1 NOTES
+
+ The non-ephemeral DH modes are currently unimplemented in OpenSSL
+--- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015
+@@ -31,10 +31,8 @@
+ [B<-ign_eof>]
+ [B<-no_ign_eof>]
+ [B<-quiet>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-bugs>]
+@@ -196,11 +196,11 @@
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+
+ Unfortunately there are a lot of ancient and broken servers in use which
+ cannot handle this technique and will fail to connect. Some servers only
+@@ -219,10 +219,6 @@
+ supported cipher in the list sent by the client. See the B<ciphers>
+ command for more information.
+
+-=item B<-serverpref>
+-
+-use the server's cipher preferences; only used for SSLV2.
+-
+ =item B<-starttls protocol>
+
+ send the protocol-specific message(s) to switch to TLS for communication.
+@@ -299,8 +295,8 @@
+ then an HTTP command can be given such as "GET /" to retrieve a web page.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
++nothing obvious like no client certificate then the B<-bugs>,
++B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+
+@@ -322,10 +318,6 @@
+ If there are problems verifying a server certificate then the
+ B<-showcerts> option can be used to show the whole chain.
+
+-Since the SSLv23 client hello cannot include compression methods or extensions
+-these will only be supported if its use is disabled, for example by using the
+-B<-no_sslv2> option.
+-
+ The B<s_client> utility is a test tool and is designed to continue the
+ handshake after any certificate verification errors. As a result it will
+ accept any certificate chain (trusted or not) sent by the peer. None test
+--- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015
+@@ -38,10 +38,8 @@
+ [B<-serverpref>]
+ [B<-quiet>]
+ [B<-no_tmp_rsa>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-no_dhe>]
+@@ -216,11 +216,11 @@
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+
+ =item B<-bugs>
+
+--- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015
+@@ -19,7 +19,6 @@
+ [B<-verify depth>]
+ [B<-nbio>]
+ [B<-time seconds>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
+@@ -92,18 +90,17 @@
+
+ turns on non-blocking I/O.
+
+-=item B<-ssl2>, B<-ssl3>
++=item B<-ssl3>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+ The timing program is not as rich in options to turn protocols on and off as
+ the L<s_client(1)|s_client(1)> program and may not connect to all servers.
+
+ Unfortunately there are a lot of ancient and broken servers in use which
+ cannot handle this technique and will fail to connect. Some servers only
+-work if TLS is turned off with the B<-ssl3> option; others
+-will only support SSL v2 and may need the B<-ssl2> option.
++work if TLS is turned off with the B<-ssl3> option.
+
+ =item B<-bugs>
+
+@@ -137,7 +122,7 @@
+ for details.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
++nothing obvious like no client certificate then the B<-bugs>,
+ B<-ssl3> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+--- openssl-1.0.1/doc/apps/sess_id.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/apps/sess_id.pod.new Tue May 26 12:21:07 2015
+@@ -91,7 +91,7 @@
+
+ =item B<Protocol>
+
+-this is the protocol in use TLSv1, SSLv3 or SSLv2.
++this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
+
+ =item B<Cipher>
+
+@@ -110,10 +110,6 @@
+
+ this is the SSL session master key.
+
+-=item B<Key-Arg>
+-
+-the key argument, this is only used in SSL v2.
+-
+ =item B<Start Time>
+
+ this is the session start time represented as an integer in standard Unix format.
--- a/components/openssl/openssl-1.0.1/Makefile Thu Jun 04 12:13:17 2015 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile Thu Jun 04 15:40:26 2015 -0700
@@ -96,6 +96,10 @@
# Userland needs it. One example is nmap.
CONFIGURE_OPTIONS += enable-md2
CONFIGURE_OPTIONS += no-seed
+
+# Disable SSLv2 protocol
+CONFIGURE_OPTIONS += no-ssl2
+
# We use both no-whirlpool and no-whrlpool since there is an inconsistency in
# the OpenSSL code and one needs both to build OpenSSL successfully with
# Whirlpool implementation removed.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch Thu Jun 04 15:40:26 2015 -0700
@@ -0,0 +1,582 @@
+#
+# This was developed in house. Not applicable to the upstream.
+#
+--- openssl-1.0.1/ssl/s2_meth.c Fri May 8 09:38:33 2015
++++ openssl-1.0.1/ssl/s2_meth.c.new Fri May 8 09:51:53 2015
+@@ -74,6 +74,13 @@
+ ssl2_accept, ssl2_connect, ssl2_get_method)
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/s2_clnt.c Fri May 8 09:37:51 2015
++++ openssl-1.0.1/ssl/ss2_clnt.c.new Fri May 8 09:53:12 2015
+@@ -1087,6 +1087,13 @@
+ }
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_client_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/s2_srvr.c Fri May 8 09:38:02 2015
++++ openssl-1.0.1/ssl/s2_srvr.c.new Fri May 8 09:53:43 2015
+@@ -1150,6 +1150,13 @@
+ }
+ #else /* !OPENSSL_NO_SSL2 */
+
++/* stub function */
++const SSL_METHOD *
++SSLv2_server_method(void)
++{
++ return (NULL);
++}
++
+ # if PEDANTIC
+ static void *dummy = &dummy;
+ # endif
+--- openssl-1.0.1/ssl/ssl.h Tue May 26 11:13:15 2015
++++ openssl-1.0.1/ssl/ssl.h.new Tue May 26 11:32:09 2015
+@@ -2016,12 +2016,24 @@
+ /* This sets the 'default' SSL version that SSL_new() will create */
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+
+-# ifndef OPENSSL_NO_SSL2
+-const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
+-const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
+-const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+-# endif
+
++#ifndef __has_attribute
++# define __has_attribute(x) 0
++#endif
++
++/* Mark SSLv2_* functions deprecated */
++#if __has_attribute(deprecated) \
++ || (defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 301)) \
++ || (defined(__SUNPRO_C) && (__SUNPRO_C >= 0x5130))
++# define DEPRECATED __attribute__((deprecated))
++#else
++# define DEPRECATED
++#endif
++
++DEPRECATED const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
++DEPRECATED const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
++DEPRECATED const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
++
+ # ifndef OPENSSL_NO_SSL3_METHOD
+ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
+ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
+--- openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod Tue May 26 11:13:15 2015
++++ openssl-1.0.1/doc/ssl/SSL_CIPHER_get_name.pod.new Tue May 26 11:32:09 2015
+@@ -25,7 +25,7 @@
+
+ SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
+ version that first defined the cipher.
+-This is currently B<SSLv2> or B<TLSv1/SSLv3>.
++This is currently B<TLSv1/SSLv3>.
+ In some cases it should possibly return "TLSv1.2" but does not;
+ use SSL_CIPHER_description() instead.
+ If B<cipher> is NULL, "(NONE)" is returned.
+@@ -56,7 +56,7 @@
+
+ =item <protocol version>
+
+-Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
++Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are
+ flagged with SSLv3. No new ciphers were added by TLSv1.1.
+
+ =item Kx=<key exchange>
+--- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015
+@@ -25,10 +25,7 @@
+
+ =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
+
+-A TLS/SSL connection established with these methods will only understand
+-the SSLv2 protocol. A client will send out SSLv2 client hello messages
+-and will also indicate that it only understand SSLv2. A server will only
+-understand SSLv2 client hello messages.
++These functions are deprecated.
+
+ =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
+
+@@ -51,33 +48,25 @@ SSLv3 client hello messages.
+
+ =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
+
+-A TLS/SSL connection established with these methods may understand the SSLv2,
++A TLS/SSL connection established with these methods may understand the
+ SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+
+-If the cipher list does not contain any SSLv2 ciphersuites (the default
+-cipher list does not) or extensions are required (for example server name)
++If extensions are required (for example server name)
+ a client will send out TLSv1 client hello messages including extensions and
+ will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+ fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+ protocols. This is the best choice when compatibility is a concern.
+
+-If any SSLv2 ciphersuites are included in the cipher list and no extensions
+-are required then SSLv2 compatible client hellos will be used by clients and
+-SSLv2 will be accepted by servers. This is B<not> recommended due to the
+-insecurity of SSLv2 and the limited nature of the SSLv2 client hello
+-prohibiting the use of extensions.
+-
+ =back
+
+-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
++The list of protocols available can later be limited using the
+ SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
+ options of the SSL_CTX_set_options() or SSL_set_options() functions.
+ Using these options it is possible to choose e.g. SSLv23_server_method() and
+ be able to negotiate with all possible clients, but to only allow newer
+ protocols like TLSv1, TLSv1.1 or TLS v1.2.
+
+-Applications which never want to support SSLv2 (even is the cipher string
+-is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
++Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3.
+
+ SSL_CTX_new() initializes the list of ciphers, the session cache setting,
+ the callbacks, the keys and certificates and the options to its default
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015
+@@ -54,10 +54,6 @@
+ keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
+ and the handshake will fail.
+
+-If the cipher list does not contain any SSLv2 cipher suites (this is the
+-default) then SSLv2 is effectively disabled and neither clients nor servers
+-will attempt to use SSLv2.
+-
+ =head1 RETURN VALUES
+
+ SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_generate_session_id.pod.new Tue May 26 11:40:47 2015
+@@ -32,9 +32,8 @@
+
+ When a new session is established between client and server, the server
+ generates a session id. The session id is an arbitrary sequence of bytes.
+-The length of the session id is 16 bytes for SSLv2 sessions and between
+-1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
+-but must be unique for the server. Additionally, the session id is
++The length of the session id is between 1 and 32 bytes. The session id is not
++security critical but must be unique for the server. Additionally, the session id is
+ transmitted in the clear when reusing the session so it must not contain
+ sensitive information.
+
+@@ -51,12 +50,6 @@
+ the callback B<must never> increase B<id_len> or write to the location
+ B<id> exceeding the given limit.
+
+-If a SSLv2 session id is generated and B<id_len> is reduced, it will be
+-restored after the callback has finished and the session id will be padded
+-with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions.
+-The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function
+-to check, whether the session is of type SSLv2.
+-
+ The location B<id> is filled with 0x00 before the callback is called, so the
+ callback may only fill part of the possible length and leave B<id_len>
+ untouched while maintaining reproducibility.
+@@ -63,9 +56,8 @@
+
+ Since the sessions must be distinguished, session ids must be unique.
+ Without the callback a random number is used, so that the probability
+-of generating the same session id is extremely small (2^128 possible ids
+-for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
+-uniqueness of the generated session id, the callback must call
++of generating the same session id is extremely small (2^256 for SSLv3/TLSv1).
++In order to assure the uniqueness of the generated session id, the callback must call
+ SSL_has_matching_session_id() and generate another id if a conflict occurs.
+ If an id conflict is not resolved, the handshake will fail.
+ If the application codes e.g. a unique host id, a unique process number, and
+@@ -85,10 +77,6 @@
+ the external cache is not tested with SSL_has_matching_session_id()
+ and the same race condition applies.
+
+-When calling SSL_has_matching_session_id() for an SSLv2 session with
+-reduced B<id_len>, the match operation will be performed using the
+-fixed length required and with a 0x00 padded id.
+-
+ The callback must return 0 if it cannot generate a session id for whatever
+ reason and return 1 on success.
+
+@@ -104,12 +92,7 @@
+ unsigned int *id_len)
+ {
+ unsigned int count = 0;
+- const char *version;
+
+- version = SSL_get_version(ssl);
+- if (!strcmp(version, "SSLv2"))
+- /* we must not change id_len */;
+-
+ do {
+ RAND_pseudo_bytes(id, *id_len);
+ /* Prefix the session_id with the required prefix. NB: If our
+--- openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod Tue Jan 20 04:33:36 2015
++++ openssl-1.0.1/doc/ssl/SSL_CTX_set_options.pod.new Tue May 26 11:41:47 2015
+@@ -63,18 +63,11 @@
+
+ =item SSL_OP_MICROSOFT_SESS_ID_BUG
+
+-www.microsoft.com - when talking SSLv2, if session-id reuse is
+-performed, the session-id passed back in the server-finished message
+-is different from the one decided upon.
++As of OpenSSL 1.0.0 this option has no effect.
+
+ =item SSL_OP_NETSCAPE_CHALLENGE_BUG
+
+-Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+-challenge but then appears to only use 16 bytes when generating the
+-encryption keys. Using 16 bytes is ok but it should be ok to use 32.
+-According to the SSLv3 spec, one should use 32 bytes for the challenge
+-when operating in SSLv2/v3 compatibility mode, but as mentioned above,
+-this breaks this server so 16 bytes is the way to go.
++As of OpenSSL 1.0.0 this option has no effect.
+
+ =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+--- openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_get_default_timeout.pod.new Tue May 26 11:42:15 2015
+@@ -24,7 +24,7 @@
+ timeout for the protocol will be used.
+
+ SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
+-for all currently supported protocols (SSLv2, SSLv3, and TLSv1).
++for all currently supported protocols.
+
+ =head1 RETURN VALUES
+
+--- openssl-1.0.1/doc/ssl/SSL_get_version.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_get_version.pod.new Tue May 26 11:42:45 2015
+@@ -21,9 +21,6 @@
+
+ =over 4
+
+-=item SSLv2
+-
+-The connection uses the SSLv2 protocol.
+
+ =item SSLv3
+
+--- openssl-1.0.1/doc/ssl/SSL_new.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/ssl/SSL_new.pod.new Tue May 26 11:43:12 2015
+@@ -14,7 +14,7 @@
+
+ SSL_new() creates a new B<SSL> structure which is needed to hold the
+ data for a TLS/SSL connection. The new structure inherits the settings
+-of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1),
++of the underlying context B<ctx>: connection method,
+ options, verification settings, timeout settings.
+
+ =head1 RETURN VALUES
+--- openssl-1.0.1/doc/ssl/SSL_shutdown.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/SSL_shutdown.pod.new Tue May 26 11:43:56 2015
+@@ -60,9 +60,7 @@
+
+ It is therefore recommended, to check the return value of SSL_shutdown()
+ and call SSL_shutdown() again, if the bidirectional shutdown is not yet
+-complete (return value of the first call is 0). As the shutdown is not
+-specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on
+-the first call.
++complete (return value of the first call is 0).
+
+ The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
+
+--- openssl-1.0.1/doc/ssl/ssl.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/ssl/ssl.pod.new Tue May 26 11:47:38 2015
+@@ -9,7 +9,7 @@
+
+ =head1 DESCRIPTION
+
+-The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
++The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v3) and
+ Transport Layer Security (TLS v1) protocols. It provides a rich API which is
+ documented here.
+
+@@ -45,8 +45,8 @@
+ =item B<SSL_METHOD> (SSL Method)
+
+ That's a dispatch structure describing the internal B<ssl> library
+-methods/functions which implement the various protocol versions (SSLv1, SSLv2
+-and TLSv1). It's needed to create an B<SSL_CTX>.
++methods/functions which implement the various protocol versions (SSLv3
++TLSv1, ...). It's needed to create an B<SSL_CTX>.
+
+ =item B<SSL_CIPHER> (SSL Cipher)
+
+@@ -105,8 +104,8 @@
+
+ =item B<ssl23.h>
+
+-That's the sub header file dealing with the combined use of the SSLv2 and
+-SSLv3 protocols.
++That's the sub header file dealing with the combined use of different
++protocol version.
+ I<Usually you don't have to include it explicitly because
+ it's already included by ssl.h>.
+
+@@ -132,15 +131,15 @@
+
+ =item const SSL_METHOD *B<SSLv2_client_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
++Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv2_server_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
++Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv2_method>(void);
+
+-Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
++Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated)
+
+ =item const SSL_METHOD *B<SSLv3_client_method>(void);
+
+@@ -189,12 +188,12 @@
+ =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher);
+
+ Return the internal name of I<cipher> as a string. These are the various
+-strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
++strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx>
+ definitions in the header files.
+
+ =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
+
+-Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
++Returns a string like "C<TLSv1/SSLv3>" which indicates the
+ SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
+ in the specification the first time).
+
+--- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015
+@@ -9,7 +9,6 @@
+ B<openssl> B<ciphers>
+ [B<-v>]
+ [B<-V>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+ [B<cipherlist>]
+@@ -27,12 +26,9 @@
+ =item B<-v>
+
+ Verbose option. List ciphers with a complete description of
+-protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange,
++protocol version, key exchange,
+ authentication, encryption and mac algorithms used along with any key size
+ restrictions and whether the algorithm is classed as an "export" cipher.
+-Note that without the B<-v> option, ciphers may seem to appear twice
+-in a cipher list; this is when similar ciphers are available for
+-SSL v2 and for SSL v3/TLS v1.
+
+ =item B<-V>
+
+@@ -42,10 +38,6 @@
+
+ only include SSL v3 ciphers.
+
+-=item B<-ssl2>
+-
+-only include SSL v2 ciphers.
+-
+ =item B<-tls1>
+
+ only include TLS v1 ciphers.
+@@ -246,9 +232,9 @@
+ ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+ FORTEZZA algorithms. Not implemented.
+
+-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
++=item B<TLSv1.2>, B<TLSv1>, B<SSLV3>
+
+-TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
++TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
+ there are no ciphersuites specific to TLS v1.1.
+
+ =item B<AES128>, B<AES256>, B<AES>
+@@ -569,16 +555,6 @@
+ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
+ TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
+
+-=head2 Deprecated SSL v2.0 cipher suites.
+-
+- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
+- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
+- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
+- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
+- SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
+- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
+- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
+-
+ =head1 NOTES
+
+ The non-ephemeral DH modes are currently unimplemented in OpenSSL
+--- openssl-1.0.1/doc/apps/s_client.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/s_client.pod.new Tue May 26 12:15:40 2015
+@@ -31,10 +31,8 @@
+ [B<-ign_eof>]
+ [B<-no_ign_eof>]
+ [B<-quiet>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-bugs>]
+@@ -196,11 +196,11 @@
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+
+ Unfortunately there are a lot of ancient and broken servers in use which
+ cannot handle this technique and will fail to connect. Some servers only
+@@ -219,10 +219,6 @@
+ supported cipher in the list sent by the client. See the B<ciphers>
+ command for more information.
+
+-=item B<-serverpref>
+-
+-use the server's cipher preferences; only used for SSLV2.
+-
+ =item B<-starttls protocol>
+
+ send the protocol-specific message(s) to switch to TLS for communication.
+@@ -299,8 +295,8 @@
+ then an HTTP command can be given such as "GET /" to retrieve a web page.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
++nothing obvious like no client certificate then the B<-bugs>,
++B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+
+@@ -322,10 +318,6 @@
+ If there are problems verifying a server certificate then the
+ B<-showcerts> option can be used to show the whole chain.
+
+-Since the SSLv23 client hello cannot include compression methods or extensions
+-these will only be supported if its use is disabled, for example by using the
+-B<-no_sslv2> option.
+-
+ The B<s_client> utility is a test tool and is designed to continue the
+ handshake after any certificate verification errors. As a result it will
+ accept any certificate chain (trusted or not) sent by the peer. None test
+--- openssl-1.0.1/doc/apps/s_server.pod Thu Mar 19 06:37:10 2015
++++ openssl-1.0.1/doc/apps/s_server.pod.new Tue May 26 12:15:02 2015
+@@ -38,10 +38,8 @@
+ [B<-serverpref>]
+ [B<-quiet>]
+ [B<-no_tmp_rsa>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-tls1>]
+-[B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
+ [B<-no_dhe>]
+@@ -216,11 +216,11 @@
+ given as a hexadecimal number without leading 0x, for example -psk
+ 1a2b3c4d.
+
+-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
++=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+
+ =item B<-bugs>
+
+--- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015
+@@ -19,7 +19,6 @@
+ [B<-verify depth>]
+ [B<-nbio>]
+ [B<-time seconds>]
+-[B<-ssl2>]
+ [B<-ssl3>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
+@@ -92,18 +90,17 @@
+
+ turns on non-blocking I/O.
+
+-=item B<-ssl2>, B<-ssl3>
++=item B<-ssl3>
+
+ these options disable the use of certain SSL or TLS protocols. By default
+ the initial handshake uses a method which should be compatible with all
+-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
++servers and permit them to use SSL v3 or TLS as appropriate.
+ The timing program is not as rich in options to turn protocols on and off as
+ the L<s_client(1)|s_client(1)> program and may not connect to all servers.
+
+ Unfortunately there are a lot of ancient and broken servers in use which
+ cannot handle this technique and will fail to connect. Some servers only
+-work if TLS is turned off with the B<-ssl3> option; others
+-will only support SSL v2 and may need the B<-ssl2> option.
++work if TLS is turned off with the B<-ssl3> option.
+
+ =item B<-bugs>
+
+@@ -137,7 +122,7 @@
+ for details.
+
+ If the handshake fails then there are several possible causes, if it is
+-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
++nothing obvious like no client certificate then the B<-bugs>,
+ B<-ssl3> options can be tried
+ in case it is a buggy server. In particular you should play with these
+ options B<before> submitting a bug report to an OpenSSL mailing list.
+--- openssl-1.0.1/doc/apps/sess_id.pod Thu Jan 15 06:43:49 2015
++++ openssl-1.0.1/doc/apps/sess_id.pod.new Tue May 26 12:21:07 2015
+@@ -91,7 +91,7 @@
+
+ =item B<Protocol>
+
+-this is the protocol in use TLSv1, SSLv3 or SSLv2.
++this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
+
+ =item B<Cipher>
+
+@@ -110,10 +110,6 @@
+
+ this is the SSL session master key.
+
+-=item B<Key-Arg>
+-
+-the key argument, this is only used in SSL v2.
+-
+ =item B<Start Time>
+
+ this is the session start time represented as an integer in standard Unix format.