Split the existing TLS cipher suite groups into four:

"secure" (TLSv1.2+AEAD+PFS)
"compat" (HIGH:!aNULL)
"legacy" (HIGH:MEDIUM:!aNULL)
"insecure" (ALL:!aNULL:!eNULL)

This allows for flexibility and finer grained control, rather than having
two extremes (an issue raised by Marko Kreen some time ago).

ok beck@ tedu@

1 files changed, 11 insertions, 6 deletions

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index cd1f00af23..b4c6a7cc3a 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.61 2016/05/27 11:25:57 sthen Exp $
+.\" $OpenBSD: tls_init.3,v 1.62 2016/07/13 16:30:48 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 27 2016 $
+.Dd $Mdocdate: July 13 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -322,13 +322,18 @@ sets the list of ciphers that may be used.
 Lists of ciphers are specified by name, and the
 permitted names are:
 .Pp
-.Bl -tag -width "default" -offset indent -compact
-.It Dv "secure"
-.It Dv "default" (an alias for secure)
+.Bl -tag -width "insecure" -offset indent -compact
+.It Dv "secure" (or alias "default")
+.It Dv "compat"
 .It Dv "legacy"
-.It Dv "compat" (an alias for legacy)
+.It Dv "insecure" (or alias "all")
 .El
 .Pp
+Alternatively, libssl cipher strings can be specified.
+See the CIPHERS section of
+.Xr openssl 1
+for further information.
+.Pp
 .Em (Client and server)
 .It
 .Fn tls_config_set_key_file