Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit

ok tb@

3 files changed, 20 insertions, 159 deletions

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 45ae95fa5b..9868955691 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.149 2023/07/03 06:22:07 beck Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: June 8 2023 $
+.Dd $Mdocdate: July 3 2023 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -911,8 +911,6 @@ Specify the directories to process.
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hsVv
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Ar control
@@ -936,7 +934,7 @@ The options are as follows:
 Print a brief usage message.
 .It Fl s
 Only list ciphers that are supported by the TLS method.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+.It Fl  tls1_2 | tls1_3
 In combination with the
 .Fl s
 option, list the ciphers which could be used
@@ -4265,7 +4263,6 @@ Verify the input data and output the recovered data.
 .Op Fl crlf
 .Op Fl debug
 .Op Fl dtls
-.Op Fl dtls1
 .Op Fl dtls1_2
 .Op Fl extended_crl
 .Op Fl groups Ar list
@@ -4286,8 +4283,6 @@ Verify the input data and output the recovered data.
 .Op Fl no_ign_eof
 .Op Fl no_legacy_server_connect
 .Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
 .Op Fl no_tls1_2
 .Op Fl no_tls1_3
 .Op Fl pass Ar arg
@@ -4307,8 +4302,6 @@ Verify the input data and output the recovered data.
 .Op Fl state
 .Op Fl status
 .Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Fl tlsextdebug
@@ -4412,8 +4405,6 @@ as required by some servers.
 Print extensive debugging information, including a hex dump of all traffic.
 .It Fl dtls
 Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
 .It Fl dtls1_2
 Permit only DTLS1.2.
 .It Fl groups Ar list
@@ -4455,8 +4446,8 @@ Can be used to override the implicit
 .Fl ign_eof
 after
 .Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2 and 1.3 respectively.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
 .It Fl pass Ar arg
@@ -4529,8 +4520,8 @@ Send a certificate status request to the server (OCSP stapling).
 The server response (if any) is printed out.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2 or 1.3 respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
@@ -4599,8 +4590,6 @@ will be used.
 .Op Fl no_dhe
 .Op Fl no_ecdhe
 .Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
 .Op Fl no_tls1_2
 .Op Fl no_tls1_3
 .Op Fl no_tmp_rsa
@@ -4616,8 +4605,6 @@ will be used.
 .Op Fl status_url Ar url
 .Op Fl status_verbose
 .Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Fl tlsextdebug
@@ -4749,8 +4736,6 @@ If this fails, a static set of parameters hard coded into the
 program will be used.
 .It Fl dtls
 Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
 .It Fl dtls1_2
 Permit only DTLS1.2.
 .It Fl groups Ar list
@@ -4813,8 +4798,8 @@ Disable ephemeral DH cipher suites.
 Disable ephemeral ECDH cipher suites.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2, and 1.3, respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2, and 1.3, respectively.
 .It Fl no_tmp_rsa
 Disable temporary RSA key generation.
 .It Fl nocert
@@ -4849,8 +4834,8 @@ Enables certificate status request support (OCSP stapling) and gives a verbose
 printout of the OCSP response.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2, or 1.3, respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2, or 1.3, respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 82a8128243..21bb632810 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.60 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_client.c,v 1.61 2023/07/03 06:22:07 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -296,18 +296,6 @@ s_client_opt_protocol_version_dtls(void)
 }
 #endif
 
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_client_opt_protocol_version_dtls1(void)
-{
-        cfg.meth = DTLS_client_method();
-        cfg.min_version = DTLS1_VERSION;
-        cfg.max_version = DTLS1_VERSION;
-        cfg.socket_type = SOCK_DGRAM;
-        return (0);
-}
-#endif
-
 #ifndef OPENSSL_NO_DTLS1_2
 static int
 s_client_opt_protocol_version_dtls1_2(void)
@@ -321,22 +309,6 @@ s_client_opt_protocol_version_dtls1_2(void)
 #endif
 
 static int
-s_client_opt_protocol_version_tls1(void)
-{
-        cfg.min_version = TLS1_VERSION;
-        cfg.max_version = TLS1_VERSION;
-        return (0);
-}
-
-static int
-s_client_opt_protocol_version_tls1_1(void)
-{
-        cfg.min_version = TLS1_1_VERSION;
-        cfg.max_version = TLS1_1_VERSION;
-        return (0);
-}
-
-static int
 s_client_opt_protocol_version_tls1_2(void)
 {
         cfg.min_version = TLS1_2_VERSION;
@@ -505,14 +477,6 @@ static const struct option s_client_options[] = {
                 .opt.func = s_client_opt_protocol_version_dtls,
         },
 #endif
-#ifndef OPENSSL_NO_DTLS1
-        {
-                .name = "dtls1",
-                .desc = "Just use DTLSv1",
-                .type = OPTION_FUNC,
-                .opt.func = s_client_opt_protocol_version_dtls1,
-        },
-#endif
 #ifndef OPENSSL_NO_DTLS1_2
         {
                 .name = "dtls1_2",
@@ -660,20 +624,6 @@ static const struct option s_client_options[] = {
                 .value = SSL_OP_NO_TICKET,
         },
         {
-                .name = "no_tls1",
-                .desc = "Disable the use of TLSv1",
-                .type = OPTION_VALUE_OR,
-                .opt.value = &cfg.off,
-                .value = SSL_OP_NO_TLSv1,
-        },
-        {
-                .name = "no_tls1_1",
-                .desc = "Disable the use of TLSv1.1",
-                .type = OPTION_VALUE_OR,
-                .opt.value = &cfg.off,
-                .value = SSL_OP_NO_TLSv1_1,
-        },
-        {
                 .name = "no_tls1_2",
                 .desc = "Disable the use of TLSv1.2",
                 .type = OPTION_VALUE_OR,
@@ -806,18 +756,6 @@ static const struct option s_client_options[] = {
         },
 #endif
         {
-                .name = "tls1",
-                .desc = "Just use TLSv1",
-                .type = OPTION_FUNC,
-                .opt.func = s_client_opt_protocol_version_tls1,
-        },
-        {
-                .name = "tls1_1",
-                .desc = "Just use TLSv1.1",
-                .type = OPTION_FUNC,
-                .opt.func = s_client_opt_protocol_version_tls1_1,
-        },
-        {
                 .name = "tls1_2",
                 .desc = "Just use TLSv1.2",
                 .type = OPTION_FUNC,
@@ -880,17 +818,17 @@ sc_usage(void)
             "[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
             "    [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n"
             "    [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
-            "    [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
+            "    [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1_2] [-extended_crl]\n"
             "    [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
             "    [-issuer_checks] [-key keyfile] [-keyform der | pem]\n"
             "    [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
             "    [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
-            "    [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
+            "    [-no_legacy_server_connect] [-no_ticket] \n"
             "    [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
             "    [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
             "    [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
             "    [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
-            "    [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
+            "    [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
             "    [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
             "    [-x509_strict] [-xmpphost host]\n");
         fprintf(stderr, "\n");
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index a7f6146c4c..12eb90699e 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.56 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_server.c,v 1.57 2023/07/03 06:22:07 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -341,18 +341,6 @@ s_server_opt_protocol_version_dtls(void)
 }
 #endif
 
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_server_opt_protocol_version_dtls1(void)
-{
-        cfg.meth = DTLS_server_method();
-        cfg.min_version = DTLS1_VERSION;
-        cfg.max_version = DTLS1_VERSION;
-        cfg.socket_type = SOCK_DGRAM;
-        return (0);
-}
-#endif
-
 #ifndef OPENSSL_NO_DTLS1_2
 static int
 s_server_opt_protocol_version_dtls1_2(void)
@@ -366,22 +354,6 @@ s_server_opt_protocol_version_dtls1_2(void)
 #endif
 
 static int
-s_server_opt_protocol_version_tls1(void)
-{
-        cfg.min_version = TLS1_VERSION;
-        cfg.max_version = TLS1_VERSION;
-        return (0);
-}
-
-static int
-s_server_opt_protocol_version_tls1_1(void)
-{
-        cfg.min_version = TLS1_1_VERSION;
-        cfg.max_version = TLS1_1_VERSION;
-        return (0);
-}
-
-static int
 s_server_opt_protocol_version_tls1_2(void)
 {
         cfg.min_version = TLS1_2_VERSION;
@@ -648,14 +620,6 @@ static const struct option s_server_options[] = {
                 .opt.func = s_server_opt_protocol_version_dtls,
         },
 #endif
-#ifndef OPENSSL_NO_DTLS1
-        {
-                .name = "dtls1",
-                .desc = "Just use DTLSv1",
-                .type = OPTION_FUNC,
-                .opt.func = s_server_opt_protocol_version_dtls1,
-        },
-#endif
 #ifndef OPENSSL_NO_DTLS1_2
         {
                 .name = "dtls1_2",
@@ -817,20 +781,6 @@ static const struct option s_server_options[] = {
                 .value = SSL_OP_NO_SSLv3,
         },
         {
-                .name = "no_tls1",
-                .desc = "Just disable TLSv1",
-                .type = OPTION_VALUE_OR,
-                .opt.value = &cfg.off,
-                .value = SSL_OP_NO_TLSv1,
-        },
-        {
-                .name = "no_tls1_1",
-                .desc = "Just disable TLSv1.1",
-                .type = OPTION_VALUE_OR,
-                .opt.value = &cfg.off,
-                .value = SSL_OP_NO_TLSv1_1,
-        },
-        {
                 .name = "no_tls1_2",
                 .desc = "Just disable TLSv1.2",
                 .type = OPTION_VALUE_OR,
@@ -935,18 +885,6 @@ static const struct option s_server_options[] = {
         },
 #endif
         {
-                .name = "tls1",
-                .desc = "Just talk TLSv1",
-                .type = OPTION_FUNC,
-                .opt.func = s_server_opt_protocol_version_tls1,
-        },
-        {
-                .name = "tls1_1",
-                .desc = "Just talk TLSv1.1",
-                .type = OPTION_FUNC,
-                .opt.func = s_server_opt_protocol_version_tls1_1,
-        },
-        {
                 .name = "tls1_2",
                 .desc = "Just talk TLSv1.2",
                 .type = OPTION_FUNC,
@@ -1050,17 +988,17 @@ sv_usage(void)
             "    [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
             "    [-dcert file] [-dcertform der | pem] [-debug]\n"
             "    [-dhparam file] [-dkey file] [-dkeyform der | pem]\n"
-            "    [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
+            "    [-dpass arg] [-dtls] [-dtls1_2] [-groups list] [-HTTP]\n"
             "    [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
             "    [-keyform der | pem] [-keymatexport label]\n"
             "    [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
             "    [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
-            "    [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
-            "    [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
+            "    [-no_dhe] [-no_ecdhe] [-no_ticket] \n"
+            "    [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
             "    [-nocert] [-pass arg] [-quiet] [-servername name]\n"
             "    [-servername_fatal] [-serverpref] [-state] [-status]\n"
             "    [-status_timeout nsec] [-status_url url]\n"
-            "    [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
+            "    [-status_verbose] [-timeout] \n"
             "    [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
             "    [-Verify depth] [-verify depth] [-verify_return_error]\n"
             "    [-WWW] [-www]\n");