strip back openssl ciphers:

- rearrange the descriptions of -V and -v to read more logically
- move the cipherlist text into the cipherlist description
- zap examples

1 files changed, 60 insertions, 106 deletions

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 184da99a49..b8bf67565e 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.35 2016/07/19 20:02:47 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.36 2016/07/20 14:42:03 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: July 19 2016 $
+.Dd $Mdocdate: July 20 2016 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -795,9 +795,6 @@ The default value is
 The same as
 .Fl extensions .
 .El
-.\"
-.\" CIPHERS
-.\"
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hVv
@@ -807,7 +804,7 @@ The same as
 The
 .Nm ciphers
 command converts
-.Nm OpenSSL
+.Nm openssl
 cipher lists into ordered SSL cipher preference lists.
 It can be used as a test tool to determine the appropriate cipherlist.
 .Pp
@@ -818,70 +815,52 @@ Print a brief usage message.
 .It Fl tls1
 Only include TLS v1 ciphers.
 .It Fl V
-Like
-.Fl v ,
-but include cipher suite codes in output (hex format).
-.It Fl v
-Verbose option.
+Verbose.
 List ciphers with a complete description of protocol version,
-key exchange, authentication, encryption and mac algorithms used along with
-any key size restrictions.
-Note that without the
-.Fl v
-option, ciphers may seem to appear twice in a cipher list.
+key exchange, authentication, encryption and mac algorithms,
+any key size restrictions,
+and cipher suite codes (hex format).
+.It Fl v
+Like
+.Fl V ,
+but without cipher suite codes.
 .It Ar cipherlist
 A cipher list to convert to a cipher preference list.
 If it is not included, the default cipher list will be used.
-The format is described below.
-.El
-.Sh CIPHERS LIST FORMAT
-The cipher list consists of one or more
-.Em cipher strings
+.Pp
+The cipher list consists of one or more cipher strings
 separated by colons.
 Commas or spaces are also acceptable separators, but colons are normally used.
 .Pp
-The actual
-.Em cipher string
-can take several different forms:
+The actual cipher string can take several different forms:
 .Pp
-It can consist of a single cipher suite such as
-.Em RC4-SHA .
+It can consist of a single cipher suite, such as RC4-SHA.
 .Pp
 It can represent a list of cipher suites containing a certain algorithm,
 or cipher suites of a certain type.
-For example
-.Em SHA1
-represents all cipher suites using the digest algorithm SHA1.
+For example SHA1 represents all cipher suites using the digest algorithm SHA1.
 .Pp
-Lists of cipher suites can be combined in a single
-.Em cipher string
-using the
+Lists of cipher suites can be combined in a single cipher string using the
 .Sq +
-character.
-This is used as a logical
-.Em and
-operation.
-For example,
-.Em SHA1+DES
-represents all cipher suites containing the SHA1 and the DES algorithms.
+character
+(logical AND operation).
+For example, SHA1+DES represents all cipher suites
+containing the SHA1 and DES algorithms.
 .Pp
 Each cipher string can be optionally preceded by the characters
 .Sq \&! ,
 .Sq - ,
 or
 .Sq + .
-.Pp
 If
 .Sq !\&
 is used, then the ciphers are permanently deleted from the list.
 The ciphers deleted can never reappear in the list even if they are
 explicitly stated.
-.Pp
 If
 .Sq -
 is used, then the ciphers are deleted from the list, but some or
 all of the ciphers can be added again by later options.
-.Pp
 If
 .Sq +
 is used, then the ciphers are moved to the end of the list.
@@ -893,122 +872,97 @@ If the list includes any ciphers already present, they will be ignored;
 that is, they will not be moved to the end of the list.
 .Pp
 Additionally, the cipher string
-.Em @STRENGTH
+.Cm @STRENGTH
 can be used at any point to sort the current cipher list in order of
 encryption algorithm key length.
-.Sh CIPHERS STRINGS
+.El
+.Pp
 The following is a list of all permitted cipher strings and their meanings.
 .Bl -tag -width "XXXX"
-.It Ar DEFAULT
+.It Cm DEFAULT
 The default cipher list.
 This is determined at compile time and is currently
-.Ar ALL:!aNULL:!eNULL:!SSLv2 .
-This must be the first
-.Ar cipher string
-specified.
-.It Ar COMPLEMENTOFDEFAULT
+.Cm ALL:!aNULL:!eNULL:!SSLv2 .
+This must be the first cipher string specified.
+.It Cm COMPLEMENTOFDEFAULT
 The ciphers included in
-.Ar ALL ,
+.Cm ALL ,
 but not enabled by default.
 Currently this is
-.Ar ADH .
+.Cm ADH .
 Note that this rule does not cover
-.Ar eNULL ,
+.Cm eNULL ,
 which is not included by
-.Ar ALL
+.Cm ALL
 (use
-.Ar COMPLEMENTOFALL
+.Cm COMPLEMENTOFALL
 if necessary).
-.It Ar ALL
+.It Cm ALL
 All cipher suites except the
-.Ar eNULL
-ciphers which must be explicitly enabled.
-.It Ar COMPLEMENTOFALL
+.Cm eNULL
+ciphers, which must be explicitly enabled.
+.It Cm COMPLEMENTOFALL
 The cipher suites not enabled by
-.Ar ALL ,
+.Cm ALL ,
 currently being
-.Ar eNULL .
-.It Ar HIGH
+.Cm eNULL .
+.It Cm HIGH
 .Qq High
 encryption cipher suites.
 This currently means those with key lengths larger than 128 bits.
-.It Ar MEDIUM
+.It Cm MEDIUM
 .Qq Medium
 encryption cipher suites, currently those using 128-bit encryption.
-.It Ar LOW
+.It Cm LOW
 .Qq Low
 encryption cipher suites, currently those using 64- or 56-bit encryption
 algorithms.
-.It Ar eNULL , NULL
+.It Cm eNULL , NULL
 The
 .Qq NULL
 ciphers; that is, those offering no encryption.
 Because these offer no encryption at all and are a security risk,
 they are disabled unless explicitly included.
-.It Ar aNULL
+.It Cm aNULL
 The cipher suites offering no authentication.
 This is currently the anonymous DH algorithms.
 These cipher suites are vulnerable to a
 .Qq man in the middle
 attack, so their use is normally discouraged.
-.It Ar kRSA , RSA
+.It Cm kRSA , RSA
 Cipher suites using RSA key exchange.
-.It Ar kEDH
+.It Cm kEDH
 Cipher suites using ephemeral DH key agreement.
-.It Ar aRSA
+.It Cm aRSA
 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
-.It Ar aDSS , DSS
+.It Cm aDSS , DSS
 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1
+.It Cm TLSv1
 TLS v1.0 cipher suites.
-.It Ar DH
+.It Cm DH
 Cipher suites using DH, including anonymous DH.
-.It Ar ADH
+.It Cm ADH
 Anonymous DH cipher suites.
-.It Ar AES
+.It Cm AES
 Cipher suites using AES.
-.It Ar 3DES
+.It Cm 3DES
 Cipher suites using triple DES.
-.It Ar DES
+.It Cm DES
 Cipher suites using DES
 .Pq not triple DES .
-.It Ar RC4
+.It Cm RC4
 Cipher suites using RC4.
-.It Ar CAMELLIA
+.It Cm CAMELLIA
 Cipher suites using Camellia.
-.It Ar CHACHA20
+.It Cm CHACHA20
 Cipher suites using ChaCha20.
-.It Ar IDEA
+.It Cm IDEA
 Cipher suites using IDEA.
-.It Ar MD5
+.It Cm MD5
 Cipher suites using MD5.
-.It Ar SHA1 , SHA
+.It Cm SHA1 , SHA
 Cipher suites using SHA1.
 .El
-.Sh CIPHERS EXAMPLES
-Verbose listing of all
-.Nm OpenSSL
-ciphers including NULL ciphers:
-.Pp
-.Dl $ openssl ciphers -v 'ALL:eNULL'
-.Pp
-Include all ciphers except NULL and anonymous DH then sort by
-strength:
-.Pp
-.Dl $ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
-.Pp
-Include only 3DES ciphers and then place RSA ciphers last:
-.Pp
-.Dl $ openssl ciphers -v '3DES:+RSA'
-.Pp
-Include all RC4 ciphers but leave out those without authentication:
-.Pp
-.Dl $ openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
-.Pp
-Include all ciphers with RSA authentication but leave out ciphers without
-encryption:
-.Pp
-.Dl $ openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
 .\"
 .\" CRL
 .\"