author | schwarze <> | 2020-04-25 14:03:38 +0000 |
---|---|---|
committer | schwarze <> | 2020-04-25 14:03:38 +0000 |
commit | 83c3bd364e37a6de8475559eadfef31c0a78a60e (patch) | |
tree | bfb1b05b2c98de5fc90d38458ce3987756154349 | |
parent | 78413dbef75b1037aa326cbf091c87a9227ca398 (diff) | |
Move unsupported, obsolete ciphers and deprecated aliases out of
the main list of words to make it more readable, even though it
remains long.
Avoid using deprecated aliases in explanations of what other words mean.
Stop documenting aDSS because it is *both* a deprecated alias *and*
no longer matches anything at all.
General direction discussed with jsing@ some time ago.
-rw-r--r-- | src/lib/libssl/man/SSL_CTX_set_cipher_list.3 | 60 |
1 files changed, 29 insertions, 31 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 index c88388fb6f..95f22b1d64 100644 --- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 +++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.14 2020/04/25 13:50:05 schwarze Exp $ | 1 | .\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.15 2020/04/25 14:03:38 schwarze Exp $ |
2 | .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 | 2 | .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 |
3 | .\" | 3 | .\" |
4 | .\" This file is a derived work. | 4 | .\" This file is a derived work. |
@@ -157,17 +157,14 @@ is selected. | |||
157 | Cipher suites using ephemeral DH for key exchange | 157 | Cipher suites using ephemeral DH for key exchange |
158 | without doing any server authentication. | 158 | without doing any server authentication. |
159 | Equivalent to | 159 | Equivalent to |
160 | .Cm kEDH Ns + Ns Cm aNULL . | 160 | .Cm DH Ns + Ns Cm aNULL . |
161 | .It Cm aDSS | ||
162 | Cipher suites using DSS server authentication. | ||
163 | LibreSSL no longer provides any such cipher suites. | ||
164 | .It Cm AEAD | 161 | .It Cm AEAD |
165 | Cipher suites using Authenticated Encryption with Additional Data. | 162 | Cipher suites using Authenticated Encryption with Additional Data. |
166 | .It Cm AECDH | 163 | .It Cm AECDH |
167 | Cipher suites using ephemeral ECDH for key exchange | 164 | Cipher suites using ephemeral ECDH for key exchange |
168 | without doing any server authentication. | 165 | without doing any server authentication. |
169 | Equivalent to | 166 | Equivalent to |
170 | .Cm kEECDH Ns + Ns Cm aNULL . | 167 | .Cm ECDH Ns + Ns Cm aNULL . |
171 | .It Cm aECDSA | 168 | .It Cm aECDSA |
172 | Cipher suites using ECDSA server authentication. | 169 | Cipher suites using ECDSA server authentication. |
173 | .It Cm AES | 170 | .It Cm AES |
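Review bot: Dropping the aDSS entry in this hunk removes the word from the page entirely, while DSS is kept further down in the new list of words that match nothing. The commit message says aDSS is still a deprecated alias, so a reader who finds it in an existing cipher string has nowhere to look it up, and because unknown words are silently ignored they get no diagnostic either. Consider mentioning it beside DSS in the new list, or as one more row in the deprecated aliases table.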
@@ -216,45 +213,31 @@ Currently similar to | |||
216 | except for the order of the cipher suites which are | 213 | except for the order of the cipher suites which are |
217 | .Em not | 214 | .Em not |
218 | selected. | 215 | selected. |
219 | .It Cm DES | ||
220 | Cipher suites using single DES for symmetric encryption. | ||
221 | LibreSSL no longer provides any such cipher suites. | ||
222 | .It Cm 3DES | 216 | .It Cm 3DES |
223 | Cipher suites using triple DES for symmetric encryption. | 217 | Cipher suites using triple DES for symmetric encryption. |
224 | .It Cm DH | 218 | .It Cm DH |
225 | An alias for | 219 | Cipher suites using ephemeral DH for key exchange. |
226 | .Cm kEDH . | ||
227 | .It Cm DHE | 220 | .It Cm DHE |
228 | Cipher suites using ephemeral DH for key exchange, | 221 | Cipher suites using ephemeral DH for key exchange, |
229 | but excluding those that don't do any server authentication. | 222 | but excluding those that don't do any server authentication. |
230 | Similar to | 223 | Similar to |
231 | .Cm kEDH Ns :! Ns Cm aNULL | 224 | .Cm DH Ns :! Ns Cm aNULL |
232 | except for the order of the cipher suites which are | 225 | except for the order of the cipher suites which are |
233 | .Em not | 226 | .Em not |
234 | selected. | 227 | selected. |
235 | .It Cm DSS | ||
236 | An alias for | ||
237 | .Cm aDSS . | ||
238 | .It Cm ECDH | 228 | .It Cm ECDH |
239 | An alias for | 229 | Cipher suites using ephemeral ECDH for key exchange. |
240 | .Cm kEECDH . | ||
241 | .It Cm ECDHE | 230 | .It Cm ECDHE |
242 | Cipher suites using ephemeral ECDH for key exchange, | 231 | Cipher suites using ephemeral ECDH for key exchange, |
243 | but excluding those that don't do any server authentication. | 232 | but excluding those that don't do any server authentication. |
244 | Similar to | 233 | Similar to |
245 | .Cm kEECDH Ns :! Ns Cm aNULL | 234 | .Cm ECDH Ns :! Ns Cm aNULL |
246 | except for the order of the cipher suites which are | 235 | except for the order of the cipher suites which are |
247 | .Em not | 236 | .Em not |
248 | selected. | 237 | selected. |
249 | .It Cm ECDSA | 238 | .It Cm ECDSA |
250 | An alias for | 239 | An alias for |
251 | .Cm aECDSA . | 240 | .Cm aECDSA . |
252 | .It Cm EDH | ||
253 | An alias for | ||
254 | .Cm DHE . | ||
255 | .It Cm EECDH | ||
256 | An alias for | ||
257 | .Cm ECDHE . | ||
258 | .It Cm eNULL | 241 | .It Cm eNULL |
259 | Cipher suites that do not use any encryption. | 242 | Cipher suites that do not use any encryption. |
260 | Not enabled by | 243 | Not enabled by |
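Review bot: The new DH and ECDH entries say only "Cipher suites using ephemeral DH for key exchange." and "Cipher suites using ephemeral ECDH for key exchange.", which hides the one difference from DHE and ECDHE that matters to someone writing a cipher string: DH and ECDH also cover the suites without server authentication, as the ADH and AECDH entries ("Equivalent to DH+aNULL", "Equivalent to ECDH+aNULL") imply. With the old "An alias for kEDH" wording the reader was at least sent to a separate definition; now the two pairs of entries read almost identically. I would spell it out in the DH and ECDH entries, for example "including those that don't do any server authentication", so nobody picks DH where DHE was meant.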
@@ -269,13 +252,6 @@ Cipher suites using HMAC based on GOST R 34.11-94 | |||
269 | for message authentication. | 252 | for message authentication. |
270 | .It Cm HIGH | 253 | .It Cm HIGH |
271 | Cipher suites of high strength. | 254 | Cipher suites of high strength. |
272 | .It Cm IDEA | ||
273 | Cipher suites using IDEA for symmetric encryption. | ||
274 | LibreSSL does not provide any such cipher suites. | ||
275 | .It Cm kEDH | ||
276 | Cipher suites using ephemeral DH for key exchange. | ||
277 | .It Cm kEECDH | ||
278 | Cipher suites using ephemeral ECDH for key exchange. | ||
279 | .It Cm kGOST | 255 | .It Cm kGOST |
280 | Cipher suites using VKO 34.10 key exchange, specified in RFC 4357. | 256 | Cipher suites using VKO 34.10 key exchange, specified in RFC 4357. |
281 | .It Cm kRSA | 257 | .It Cm kRSA |
@@ -329,6 +305,28 @@ The full words returned by the | |||
329 | .Cm ciphers | 305 | .Cm ciphers |
330 | command can be used to select individual cipher suites. | 306 | command can be used to select individual cipher suites. |
331 | .Pp | 307 | .Pp |
308 | The following words do not match anything because | ||
309 | LibreSSL no longer provides any such cipher suites: | ||
310 | .Pp | ||
311 | .Bl -tag -width Ds -compact | ||
312 | .It Cm DES | ||
313 | Cipher suites using single DES for symmetric encryption. | ||
314 | .It Cm DSS | ||
315 | Cipher suites using DSS server authentication. | ||
316 | .It Cm IDEA | ||
317 | Cipher suites using IDEA for symmetric encryption. | ||
318 | .El | ||
319 | .Pp | ||
320 | The following are deprecated aliases: | ||
321 | .Pp | ||
322 | .Bl -column kEECDH ECDHE -compact -offset indent | ||
323 | .It avoid: Ta use: | ||
324 | .It Cm EDH Ta Cm DHE | ||
325 | .It Cm EECDH Ta Cm ECDHE | ||
326 | .It Cm kEDH Ta Cm DH | ||
327 | .It Cm kEECDH Ta Cm ECDH | ||
328 | .El | ||
329 | .Pp | ||
332 | Unknown words are silently ignored, selecting no cipher suites. | 330 | Unknown words are silently ignored, selecting no cipher suites. |
333 | Failure is only flagged if the | 331 | Failure is only flagged if the |
334 | .Fa control | 332 | .Fa control |
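Review bot: The introduction to the new list, "LibreSSL no longer provides any such cipher suites", is now applied to IDEA as well, but the IDEA entry removed in the previous hunk said "LibreSSL does not provide any such cipher suites", unlike the DES and DSS texts, which said "no longer provides". If that difference was intentional, the shared sentence changes the statement for IDEA; wording such as "LibreSSL does not provide any such cipher suites" would cover all three. It would also help to say in the aliases table that the rows are not interchangeable: EDH and EECDH map to DHE and ECDHE, while kEDH and kEECDH map to DH and ECDH, which differ in whether suites without server authentication are selected.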