remove (hopefully) all traces of sslv2; ok sthen

author: jmc <> 2012-07-12 21:33:12 +0000
committer: jmc <> 2012-07-12 21:33:12 +0000
commit: 1fb06e1accc33ae0bf2f979c7b2f9912c060b844 (patch)
tree: 7867e05667a485853962d5de595debfebd1850f0 /src
parent: e7c356166f940680e7860f17ed3e4e03ea5f474b (diff)
download: openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.tar.gz
openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.tar.bz2
openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.zip
1 files changed, 23 insertions, 55 deletions
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index 6d6204261d..80a22c6403 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.87 2011/09/29 17:57:09 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.88 2012/07/12 21:33:12 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: September 29 2011 $
+.Dd $Mdocdate: July 12 2012 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -138,7 +138,7 @@
 .Sh DESCRIPTION
 .Nm OpenSSL
 is a cryptography toolkit implementing the Secure Sockets Layer
-.Pq SSL v2/v3
+.Pq SSL v3
 and Transport Layer Security
 .Pq TLS v1
 network protocols and related cryptography standards required by them.
@@ -1411,7 +1411,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hVv
-.Op Fl ssl2 | ssl3 | tls1
+.Op Fl ssl3 | tls1
 .Op Ar cipherlist
 .Pp
 The
@@ -1425,8 +1425,6 @@ The options are as follows:
 .Bl -tag -width Ds
 .It Fl h , \&?
 Print a brief usage message.
-.It Fl ssl2
-Only include SSL v2 ciphers.
 .It Fl ssl3
 Only include SSL v3 ciphers.
 .It Fl tls1
@@ -1438,7 +1436,7 @@ but include cipher suite codes in output (hex format).
 .It Fl v
 Verbose option.
 List ciphers with a complete description of protocol version
-.Pq SSLv2 or SSLv3; the latter includes TLS ,
+.Pq SSLv3, which includes TLS ,
 key exchange, authentication, encryption and mac algorithms used along with
 any key size restrictions and whether the algorithm is classed as an
 .Em export
@@ -1446,8 +1444,7 @@ cipher.
 Note that without the
 .Fl v
 option, ciphers may seem to appear twice in a cipher list;
-this is when similar ciphers are available for
+this is when similar ciphers are available for SSL v3/TLS v1.
-SSL v2 and for SSL v3/TLS v1.
 .It Ar cipherlist
 A cipher list to convert to a cipher preference list.
 If it is not included, the default cipher list will be used.
@@ -1585,8 +1582,8 @@ Cipher suites using ephemeral DH key agreement.
 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
 .It Ar aDSS , DSS
 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1 , SSLv3 , SSLv2
+.It Ar TLSv1 , SSLv3
-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively.
+TLS v1.0 or SSL v3.0 cipher suites, respectively.
 .It Ar DH
 Cipher suites using DH, including anonymous DH.
 .It Ar ADH
@@ -1723,16 +1720,6 @@ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
 TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
 .Ed
-.Ss SSL v2.0 cipher suites
-.Bd -unfilled -offset indent
-SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
-SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
-SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
-SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
-SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
-SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
-.Ed
 .Sh CIPHERS NOTES
 The non-ephemeral DH modes are currently unimplemented in
 .Nm OpenSSL
@@ -5357,8 +5344,8 @@ Acceptable values for
 are
 .Cm pkcs1
 for PKCS#1 padding;
-.Cm sslv23
+.Cm sslv3
-for SSLv23 padding;
+for SSLv3 padding;
 .Cm none
 for no padding;
 .Cm oaep
@@ -6575,8 +6562,7 @@ Default is
 The padding to use:
 PKCS#1 OAEP, PKCS#1 v1.5
 .Pq the default ,
-no padding,
+or no padding, respectively.
-or special padding used in SSL v2 backwards compatible handshakes, respectively.
 For signatures, only
 .Fl pkcs
 and
@@ -6724,7 +6710,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl msg
 .Op Fl nbio
 .Op Fl nbio_test
-.Op Fl no_ssl2
 .Op Fl no_ssl3
 .Op Fl no_ticket
 .Op Fl no_tls1
@@ -6736,9 +6721,7 @@ which it can be seen agrees with the recovered value above.
 .Op Fl quiet
 .Op Fl rand Ar
 .Op Fl reconnect
-.Op Fl serverpref
 .Op Fl showcerts
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl starttls Ar protocol
 .Op Fl state
@@ -6849,19 +6832,17 @@ Turns on non-blocking I/O.
 .It Fl nbio_test
 Tests non-blocking I/O.
 .It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
+.Fl no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl ssl3 | tls1
 .Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
 .Pp
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect.
 Some servers only work if TLS is turned off with the
 .Fl no_tls
-option, others will only support SSL v2 and may need the
-.Fl ssl2
 option.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
@@ -6902,9 +6883,6 @@ Multiple files can be specified separated by a
 .It Fl reconnect
 Reconnects to the same server 5 times using the same session ID; this can
 be used as a test that session caching is working.
-.It Fl serverpref
-Use server's cipher preferences
-.Pq SSLv2 only .
 .It Fl showcerts
 Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
@@ -6962,8 +6940,7 @@ to retrieve a web page.
 .Pp
 If the handshake fails, there are several possible causes; if it is
 nothing obvious like no client certificate, then the
-.Fl bugs , ssl2 , ssl3 , tls1 ,
+.Fl bugs , ssl3 , tls1 , no_ssl3 ,
-.Fl no_ssl2 , no_ssl3 ,
 and
 .Fl no_tls1
 options can be tried in case it is a buggy server.
@@ -7047,7 +7024,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl nbio
 .Op Fl nbio_test
 .Op Fl no_dhe
-.Op Fl no_ssl2
 .Op Fl no_ssl3
 .Op Fl no_tls1
 .Op Fl no_tmp_rsa
@@ -7057,7 +7033,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl quiet
 .Op Fl rand Ar
 .Op Fl serverpref
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl state
 .Op Fl tls1
@@ -7200,12 +7175,12 @@ Tests non-blocking I/O.
 If this option is set, no DH parameters will be loaded, effectively
 disabling the ephemeral DH cipher suites.
 .It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
+.Fl no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl ssl3 | tls1
 .Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
 .It Fl no_tmp_rsa
 Certain export cipher suites sometimes use a temporary RSA key; this option
 disables temporary RSA key generation.
@@ -7343,7 +7318,6 @@ unknown cipher suites a client says it supports.
 .Op Fl nbio
 .Op Fl new
 .Op Fl reuse
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl time Ar seconds
 .Op Fl verify Ar depth
@@ -7414,11 +7388,11 @@ nor
 .Fl reuse
 are specified,
 they are both on by default and executed in sequence.
-.It Fl ssl2 | ssl3
+.It Fl ssl3
-These options disable the use of certain SSL or TLS protocols.
+This option disables the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method
 which should be compatible with all servers and permit them to use
-SSL v3, SSL v2, or TLS as appropriate.
+SSL v3 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
 the
 .Nm s_client
@@ -7428,9 +7402,6 @@ Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect.
 Some servers only work if TLS is turned off with the
 .Fl ssl3
-option;
-others will only support SSL v2 and may need the
-.Fl ssl2
 option.
 .It Fl time Ar seconds
 Specifies how long
@@ -7480,7 +7451,7 @@ command for details.
 .Pp
 If the handshake fails, there are several possible causes:
 if it is nothing obvious like no client certificate, the
-.Fl bugs , ssl2 ,
+.Fl bugs
 and
 .Fl ssl3
 options can be tried in case it is a buggy server.
@@ -7605,7 +7576,6 @@ SSL-Session:
    Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
    Session-ID-ctx: 01000000
    Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
-    Key-Arg   : None
    Start Time: 948459261
    Timeout   : 300 (sec)
    Verify return code 0 (ok)
@@ -7615,7 +7585,7 @@ These are described below in more detail.
 .Pp
 .Bl -tag -width "Verify return code " -compact
 .It Ar Protocol
-This is the protocol in use: TLSv1, SSLv3, or SSLv2.
+This is the protocol in use: TLSv1 or SSLv3.
 .It Ar Cipher
 The cipher used is the actual raw SSL or TLS cipher code;
 see the SSL or TLS specifications for more information.
@@ -7625,8 +7595,6 @@ The SSL session ID in hex format.
 The session ID context in hex format.
 .It Ar Master-Key
 This is the SSL session master key.
-.It Ar Key-Arg
-The key argument; this is only used in SSL v2.
 .It Ar Start Time
 This is the session start time, represented as an integer in standard
 .Ux
author	jmc <>	2012-07-12 21:33:12 +0000
committer	jmc <>	2012-07-12 21:33:12 +0000
commit	1fb06e1accc33ae0bf2f979c7b2f9912c060b844 (patch)
tree	7867e05667a485853962d5de595debfebd1850f0 /src
parent	e7c356166f940680e7860f17ed3e4e03ea5f474b (diff)
download	openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.tar.gz openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.tar.bz2 openbsd-1fb06e1accc33ae0bf2f979c7b2f9912c060b844.zip

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index 6d6204261d..80a22c6403 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.87 2011/09/29 17:57:09 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.88 2012/07/12 21:33:12 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: September 29 2011 $	115	.Dd $Mdocdate: July 12 2012 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -138,7 +138,7 @@
138	.Sh DESCRIPTION	138	.Sh DESCRIPTION
139	.Nm OpenSSL	139	.Nm OpenSSL
140	is a cryptography toolkit implementing the Secure Sockets Layer	140	is a cryptography toolkit implementing the Secure Sockets Layer
141	.Pq SSL v2/v3	141	.Pq SSL v3
142	and Transport Layer Security	142	and Transport Layer Security
143	.Pq TLS v1	143	.Pq TLS v1
144	network protocols and related cryptography standards required by them.	144	network protocols and related cryptography standards required by them.
@@ -1411,7 +1411,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
1411	.Sh CIPHERS	1411	.Sh CIPHERS
1412	.Nm openssl ciphers	1412	.Nm openssl ciphers
1413	.Op Fl hVv	1413	.Op Fl hVv
1414	.Op Fl ssl2 \| ssl3 \| tls1	1414	.Op Fl ssl3 \| tls1
1415	.Op Ar cipherlist	1415	.Op Ar cipherlist
1416	.Pp	1416	.Pp
1417	The	1417	The
@@ -1425,8 +1425,6 @@ The options are as follows:
1425	.Bl -tag -width Ds	1425	.Bl -tag -width Ds
1426	.It Fl h , \&?	1426	.It Fl h , \&?
1427	Print a brief usage message.	1427	Print a brief usage message.
1428	.It Fl ssl2
1429	Only include SSL v2 ciphers.
1430	.It Fl ssl3	1428	.It Fl ssl3
1431	Only include SSL v3 ciphers.	1429	Only include SSL v3 ciphers.
1432	.It Fl tls1	1430	.It Fl tls1
@@ -1438,7 +1436,7 @@ but include cipher suite codes in output (hex format).
1438	.It Fl v	1436	.It Fl v
1439	Verbose option.	1437	Verbose option.
1440	List ciphers with a complete description of protocol version	1438	List ciphers with a complete description of protocol version
1441	.Pq SSLv2 or SSLv3; the latter includes TLS ,	1439	.Pq SSLv3, which includes TLS ,
1442	key exchange, authentication, encryption and mac algorithms used along with	1440	key exchange, authentication, encryption and mac algorithms used along with
1443	any key size restrictions and whether the algorithm is classed as an	1441	any key size restrictions and whether the algorithm is classed as an
1444	.Em export	1442	.Em export
@@ -1446,8 +1444,7 @@ cipher.
1446	Note that without the	1444	Note that without the
1447	.Fl v	1445	.Fl v
1448	option, ciphers may seem to appear twice in a cipher list;	1446	option, ciphers may seem to appear twice in a cipher list;
1449	this is when similar ciphers are available for	1447	this is when similar ciphers are available for SSL v3/TLS v1.
1450	SSL v2 and for SSL v3/TLS v1.
1451	.It Ar cipherlist	1448	.It Ar cipherlist
1452	A cipher list to convert to a cipher preference list.	1449	A cipher list to convert to a cipher preference list.
1453	If it is not included, the default cipher list will be used.	1450	If it is not included, the default cipher list will be used.
@@ -1585,8 +1582,8 @@ Cipher suites using ephemeral DH key agreement.
1585	Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.	1582	Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
1586	.It Ar aDSS , DSS	1583	.It Ar aDSS , DSS
1587	Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.	1584	Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
1588	.It Ar TLSv1 , SSLv3 , SSLv2	1585	.It Ar TLSv1 , SSLv3
1589	TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively.	1586	TLS v1.0 or SSL v3.0 cipher suites, respectively.
1590	.It Ar DH	1587	.It Ar DH
1591	Cipher suites using DH, including anonymous DH.	1588	Cipher suites using DH, including anonymous DH.
1592	.It Ar ADH	1589	.It Ar ADH
@@ -1723,16 +1720,6 @@ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
1723	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA	1720	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
1724	TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA	1721	TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
1725	.Ed	1722	.Ed
1726	.Ss SSL v2.0 cipher suites
1727	.Bd -unfilled -offset indent
1728	SSL_CK_RC4_128_WITH_MD5 RC4-MD5
1729	SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
1730	SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
1731	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
1732	SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
1733	SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
1734	SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
1735	.Ed
1736	.Sh CIPHERS NOTES	1723	.Sh CIPHERS NOTES
1737	The non-ephemeral DH modes are currently unimplemented in	1724	The non-ephemeral DH modes are currently unimplemented in
1738	.Nm OpenSSL	1725	.Nm OpenSSL
@@ -5357,8 +5344,8 @@ Acceptable values for
5357	are	5344	are
5358	.Cm pkcs1	5345	.Cm pkcs1
5359	for PKCS#1 padding;	5346	for PKCS#1 padding;
5360	.Cm sslv23	5347	.Cm sslv3
5361	for SSLv23 padding;	5348	for SSLv3 padding;
5362	.Cm none	5349	.Cm none
5363	for no padding;	5350	for no padding;
5364	.Cm oaep	5351	.Cm oaep
@@ -6575,8 +6562,7 @@ Default is
6575	The padding to use:	6562	The padding to use:
6576	PKCS#1 OAEP, PKCS#1 v1.5	6563	PKCS#1 OAEP, PKCS#1 v1.5
6577	.Pq the default ,	6564	.Pq the default ,
6578	no padding,	6565	or no padding, respectively.
6579	or special padding used in SSL v2 backwards compatible handshakes, respectively.
6580	For signatures, only	6566	For signatures, only
6581	.Fl pkcs	6567	.Fl pkcs
6582	and	6568	and
@@ -6724,7 +6710,6 @@ which it can be seen agrees with the recovered value above.
6724	.Op Fl msg	6710	.Op Fl msg
6725	.Op Fl nbio	6711	.Op Fl nbio
6726	.Op Fl nbio_test	6712	.Op Fl nbio_test
6727	.Op Fl no_ssl2
6728	.Op Fl no_ssl3	6713	.Op Fl no_ssl3
6729	.Op Fl no_ticket	6714	.Op Fl no_ticket
6730	.Op Fl no_tls1	6715	.Op Fl no_tls1
@@ -6736,9 +6721,7 @@ which it can be seen agrees with the recovered value above.
6736	.Op Fl quiet	6721	.Op Fl quiet
6737	.Op Fl rand Ar	6722	.Op Fl rand Ar
6738	.Op Fl reconnect	6723	.Op Fl reconnect
6739	.Op Fl serverpref
6740	.Op Fl showcerts	6724	.Op Fl showcerts
6741	.Op Fl ssl2
6742	.Op Fl ssl3	6725	.Op Fl ssl3
6743	.Op Fl starttls Ar protocol	6726	.Op Fl starttls Ar protocol
6744	.Op Fl state	6727	.Op Fl state
@@ -6849,19 +6832,17 @@ Turns on non-blocking I/O.
6849	.It Fl nbio_test	6832	.It Fl nbio_test
6850	Tests non-blocking I/O.	6833	Tests non-blocking I/O.
6851	.It Xo	6834	.It Xo
6852	.Fl no_ssl2 \| no_ssl3 \| no_tls1 \|	6835	.Fl no_ssl3 \| no_tls1 \|
6853	.Fl ssl2 \| ssl3 \| tls1	6836	.Fl ssl3 \| tls1
6854	.Xc	6837	.Xc
6855	These options disable the use of certain SSL or TLS protocols.	6838	These options disable the use of certain SSL or TLS protocols.
6856	By default, the initial handshake uses a method which should be compatible	6839	By default, the initial handshake uses a method which should be compatible
6857	with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.	6840	with all servers and permit them to use SSL v3 or TLS as appropriate.
6858	.Pp	6841	.Pp
6859	Unfortunately there are a lot of ancient and broken servers in use which	6842	Unfortunately there are a lot of ancient and broken servers in use which
6860	cannot handle this technique and will fail to connect.	6843	cannot handle this technique and will fail to connect.
6861	Some servers only work if TLS is turned off with the	6844	Some servers only work if TLS is turned off with the
6862	.Fl no_tls	6845	.Fl no_tls
6863	option, others will only support SSL v2 and may need the
6864	.Fl ssl2
6865	option.	6846	option.
6866	.It Fl no_ticket	6847	.It Fl no_ticket
6867	Disable RFC 4507 session ticket support.	6848	Disable RFC 4507 session ticket support.
@@ -6902,9 +6883,6 @@ Multiple files can be specified separated by a
6902	.It Fl reconnect	6883	.It Fl reconnect
6903	Reconnects to the same server 5 times using the same session ID; this can	6884	Reconnects to the same server 5 times using the same session ID; this can
6904	be used as a test that session caching is working.	6885	be used as a test that session caching is working.
6905	.It Fl serverpref
6906	Use server's cipher preferences
6907	.Pq SSLv2 only .
6908	.It Fl showcerts	6886	.It Fl showcerts
6909	Display the whole server certificate chain: normally only the server	6887	Display the whole server certificate chain: normally only the server
6910	certificate itself is displayed.	6888	certificate itself is displayed.
@@ -6962,8 +6940,7 @@ to retrieve a web page.
6962	.Pp	6940	.Pp
6963	If the handshake fails, there are several possible causes; if it is	6941	If the handshake fails, there are several possible causes; if it is
6964	nothing obvious like no client certificate, then the	6942	nothing obvious like no client certificate, then the
6965	.Fl bugs , ssl2 , ssl3 , tls1 ,	6943	.Fl bugs , ssl3 , tls1 , no_ssl3 ,
6966	.Fl no_ssl2 , no_ssl3 ,
6967	and	6944	and
6968	.Fl no_tls1	6945	.Fl no_tls1
6969	options can be tried in case it is a buggy server.	6946	options can be tried in case it is a buggy server.
@@ -7047,7 +7024,6 @@ We should really report information whenever a session is renegotiated.
7047	.Op Fl nbio	7024	.Op Fl nbio
7048	.Op Fl nbio_test	7025	.Op Fl nbio_test
7049	.Op Fl no_dhe	7026	.Op Fl no_dhe
7050	.Op Fl no_ssl2
7051	.Op Fl no_ssl3	7027	.Op Fl no_ssl3
7052	.Op Fl no_tls1	7028	.Op Fl no_tls1
7053	.Op Fl no_tmp_rsa	7029	.Op Fl no_tmp_rsa
@@ -7057,7 +7033,6 @@ We should really report information whenever a session is renegotiated.
7057	.Op Fl quiet	7033	.Op Fl quiet
7058	.Op Fl rand Ar	7034	.Op Fl rand Ar
7059	.Op Fl serverpref	7035	.Op Fl serverpref
7060	.Op Fl ssl2
7061	.Op Fl ssl3	7036	.Op Fl ssl3
7062	.Op Fl state	7037	.Op Fl state
7063	.Op Fl tls1	7038	.Op Fl tls1
@@ -7200,12 +7175,12 @@ Tests non-blocking I/O.
7200	If this option is set, no DH parameters will be loaded, effectively	7175	If this option is set, no DH parameters will be loaded, effectively
7201	disabling the ephemeral DH cipher suites.	7176	disabling the ephemeral DH cipher suites.
7202	.It Xo	7177	.It Xo
7203	.Fl no_ssl2 \| no_ssl3 \| no_tls1 \|	7178	.Fl no_ssl3 \| no_tls1 \|
7204	.Fl ssl2 \| ssl3 \| tls1	7179	.Fl ssl3 \| tls1
7205	.Xc	7180	.Xc
7206	These options disable the use of certain SSL or TLS protocols.	7181	These options disable the use of certain SSL or TLS protocols.
7207	By default, the initial handshake uses a method which should be compatible	7182	By default, the initial handshake uses a method which should be compatible
7208	with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.	7183	with all servers and permit them to use SSL v3 or TLS as appropriate.
7209	.It Fl no_tmp_rsa	7184	.It Fl no_tmp_rsa
7210	Certain export cipher suites sometimes use a temporary RSA key; this option	7185	Certain export cipher suites sometimes use a temporary RSA key; this option
7211	disables temporary RSA key generation.	7186	disables temporary RSA key generation.
@@ -7343,7 +7318,6 @@ unknown cipher suites a client says it supports.
7343	.Op Fl nbio	7318	.Op Fl nbio
7344	.Op Fl new	7319	.Op Fl new
7345	.Op Fl reuse	7320	.Op Fl reuse
7346	.Op Fl ssl2
7347	.Op Fl ssl3	7321	.Op Fl ssl3
7348	.Op Fl time Ar seconds	7322	.Op Fl time Ar seconds
7349	.Op Fl verify Ar depth	7323	.Op Fl verify Ar depth
@@ -7414,11 +7388,11 @@ nor
7414	.Fl reuse	7388	.Fl reuse
7415	are specified,	7389	are specified,
7416	they are both on by default and executed in sequence.	7390	they are both on by default and executed in sequence.
7417	.It Fl ssl2 \| ssl3	7391	.It Fl ssl3
7418	These options disable the use of certain SSL or TLS protocols.	7392	This option disables the use of certain SSL or TLS protocols.
7419	By default, the initial handshake uses a method	7393	By default, the initial handshake uses a method
7420	which should be compatible with all servers and permit them to use	7394	which should be compatible with all servers and permit them to use
7421	SSL v3, SSL v2, or TLS as appropriate.	7395	SSL v3 or TLS as appropriate.
7422	The timing program is not as rich in options to turn protocols on and off as	7396	The timing program is not as rich in options to turn protocols on and off as
7423	the	7397	the
7424	.Nm s_client	7398	.Nm s_client
@@ -7428,9 +7402,6 @@ Unfortunately there are a lot of ancient and broken servers in use which
7428	cannot handle this technique and will fail to connect.	7402	cannot handle this technique and will fail to connect.
7429	Some servers only work if TLS is turned off with the	7403	Some servers only work if TLS is turned off with the
7430	.Fl ssl3	7404	.Fl ssl3
7431	option;
7432	others will only support SSL v2 and may need the
7433	.Fl ssl2
7434	option.	7405	option.
7435	.It Fl time Ar seconds	7406	.It Fl time Ar seconds
7436	Specifies how long	7407	Specifies how long
@@ -7480,7 +7451,7 @@ command for details.
7480	.Pp	7451	.Pp
7481	If the handshake fails, there are several possible causes:	7452	If the handshake fails, there are several possible causes:
7482	if it is nothing obvious like no client certificate, the	7453	if it is nothing obvious like no client certificate, the
7483	.Fl bugs , ssl2 ,	7454	.Fl bugs
7484	and	7455	and
7485	.Fl ssl3	7456	.Fl ssl3
7486	options can be tried in case it is a buggy server.	7457	options can be tried in case it is a buggy server.
@@ -7605,7 +7576,6 @@ SSL-Session:
7605	Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED	7576	Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
7606	Session-ID-ctx: 01000000	7577	Session-ID-ctx: 01000000
7607	Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD	7578	Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
7608	Key-Arg : None
7609	Start Time: 948459261	7579	Start Time: 948459261
7610	Timeout : 300 (sec)	7580	Timeout : 300 (sec)
7611	Verify return code 0 (ok)	7581	Verify return code 0 (ok)
@@ -7615,7 +7585,7 @@ These are described below in more detail.
7615	.Pp	7585	.Pp
7616	.Bl -tag -width "Verify return code " -compact	7586	.Bl -tag -width "Verify return code " -compact
7617	.It Ar Protocol	7587	.It Ar Protocol
7618	This is the protocol in use: TLSv1, SSLv3, or SSLv2.	7588	This is the protocol in use: TLSv1 or SSLv3.
7619	.It Ar Cipher	7589	.It Ar Cipher
7620	The cipher used is the actual raw SSL or TLS cipher code;	7590	The cipher used is the actual raw SSL or TLS cipher code;
7621	see the SSL or TLS specifications for more information.	7591	see the SSL or TLS specifications for more information.
@@ -7625,8 +7595,6 @@ The SSL session ID in hex format.
7625	The session ID context in hex format.	7595	The session ID context in hex format.
7626	.It Ar Master-Key	7596	.It Ar Master-Key
7627	This is the SSL session master key.	7597	This is the SSL session master key.
7628	.It Ar Key-Arg
7629	The key argument; this is only used in SSL v2.
7630	.It Ar Start Time	7598	.It Ar Start Time
7631	This is the session start time, represented as an integer in standard	7599	This is the session start time, represented as an integer in standard
7632	.Ux	7600	.Ux