sslv3 has been removed;

prompted by a mail from jiri navratil help/ok sthen
author: jmc <> 2016-02-08 19:29:57 +0000
committer: jmc <> 2016-02-08 19:29:57 +0000
commit: 6b65bd37575cc6f797493de817a5500962f066b3 (patch)
tree: cb486b6654083ce68f49f4048b70f8a69e723b0f /src
parent: 9c4b29d018ab17000d3e1fb3265a4ea9505d0bac (diff)
download: openbsd-6b65bd37575cc6f797493de817a5500962f066b3.tar.gz
openbsd-6b65bd37575cc6f797493de817a5500962f066b3.tar.bz2
openbsd-6b65bd37575cc6f797493de817a5500962f066b3.zip
1 files changed, 21 insertions, 16 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index c6cca39cd7..6d3775181c 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.30 2015/12/24 16:54:37 mmcc Exp $
+.\" $OpenBSD: openssl.1,v 1.31 2016/02/08 19:29:57 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: December 24 2015 $
+.Dd $Mdocdate: February 8 2016 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -137,11 +137,11 @@
 .Op Ar arbitrary options
 .Sh DESCRIPTION
 .Nm OpenSSL
-is a cryptography toolkit implementing the Secure Sockets Layer
+is a cryptography toolkit implementing the
-.Pq SSL v3
+Transport Layer Security
-and Transport Layer Security
 .Pq TLS v1
-network protocols and related cryptography standards required by them.
+network protocol,
+as well as related cryptography standards.
 .Pp
 The
 .Nm
@@ -6215,6 +6215,8 @@ which it can be seen agrees with the recovered value above.
 .Op Fl starttls Ar protocol
 .Op Fl state
 .Op Fl tls1
+.Op Fl tls1_1
+.Op Fl tls1_2
 .Op Fl tlsextdebug
 .Op Fl verify Ar depth
 .Op Fl x509_strict
@@ -6313,16 +6315,13 @@ Show all protocol messages with hex dump.
 Turns on non-blocking I/O.
 .It Fl nbio_test
 Tests non-blocking I/O.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2
-These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3 or TLS as appropriate.
+with servers supporting any version of TLS.
+These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
 .Pp
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect.
-Some servers only work if TLS is turned off with the
-.Fl no_tls
-option.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
 .It Fl pause
@@ -6387,6 +6386,8 @@ and
 .Qq xmpp .
 .It Fl state
 Prints out the SSL session states.
+.It Fl tls1 | tls1_1 | tls1_2
+Permit only TLS1.0, 1.1, or 1.2, respectively.
 .It Fl tlsextdebug
 Print out a hex dump of any TLS extensions received from the server.
 .It Fl verify Ar depth
@@ -6435,7 +6436,7 @@ to retrieve a web page.
 .Pp
 If the handshake fails, there are several possible causes; if it is
 nothing obvious like no client certificate, then the
-.Fl bugs , tls1 , no_tls1 , no_tls1_1 ,
+.Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 ,
 and
 .Fl no_tls1_2
 options can be tried in case it is a buggy server.
@@ -6524,6 +6525,8 @@ We should really report information whenever a session is renegotiated.
 .Op Fl serverpref
 .Op Fl state
 .Op Fl tls1
+.Op Fl tls1_1
+.Op Fl tls1_2
 .Op Fl Verify Ar depth
 .Op Fl verify Ar depth
 .Op Fl WWW
@@ -6654,10 +6657,10 @@ Tests non-blocking I/O.
 .It Fl no_dhe
 If this option is set, no DH parameters will be loaded, effectively
 disabling the ephemeral DH cipher suites.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2
-These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3 or TLS as appropriate.
+with servers supporting any version of TLS.
+These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
 .It Fl no_tmp_rsa
 Certain export cipher suites sometimes use a temporary RSA key; this option
 disables temporary RSA key generation.
@@ -6681,6 +6684,8 @@ Inhibit printing of session and certificate information.
 Use server's cipher preferences.
 .It Fl state
 Prints out the SSL session states.
+.It Fl tls1 | tls1_1 | tls1_2
+Permit only TLS1.0, 1.1, or 1.2, respectively.
 .It Fl WWW
 Emulates a simple web server.
 Pages will be resolved relative to the current directory;
author	jmc <>	2016-02-08 19:29:57 +0000
committer	jmc <>	2016-02-08 19:29:57 +0000
commit	6b65bd37575cc6f797493de817a5500962f066b3 (patch)
tree	cb486b6654083ce68f49f4048b70f8a69e723b0f /src
parent	9c4b29d018ab17000d3e1fb3265a4ea9505d0bac (diff)
download	openbsd-6b65bd37575cc6f797493de817a5500962f066b3.tar.gz openbsd-6b65bd37575cc6f797493de817a5500962f066b3.tar.bz2 openbsd-6b65bd37575cc6f797493de817a5500962f066b3.zip

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index c6cca39cd7..6d3775181c 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.30 2015/12/24 16:54:37 mmcc Exp $	1	.\" $OpenBSD: openssl.1,v 1.31 2016/02/08 19:29:57 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: December 24 2015 $	115	.Dd $Mdocdate: February 8 2016 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -137,11 +137,11 @@
137	.Op Ar arbitrary options	137	.Op Ar arbitrary options
138	.Sh DESCRIPTION	138	.Sh DESCRIPTION
139	.Nm OpenSSL	139	.Nm OpenSSL
140	is a cryptography toolkit implementing the Secure Sockets Layer	140	is a cryptography toolkit implementing the
141	.Pq SSL v3	141	Transport Layer Security
142	and Transport Layer Security
143	.Pq TLS v1	142	.Pq TLS v1
144	network protocols and related cryptography standards required by them.	143	network protocol,
		144	as well as related cryptography standards.
145	.Pp	145	.Pp
146	The	146	The
147	.Nm	147	.Nm
@@ -6215,6 +6215,8 @@ which it can be seen agrees with the recovered value above.
6215	.Op Fl starttls Ar protocol	6215	.Op Fl starttls Ar protocol
6216	.Op Fl state	6216	.Op Fl state
6217	.Op Fl tls1	6217	.Op Fl tls1
		6218	.Op Fl tls1_1
		6219	.Op Fl tls1_2
6218	.Op Fl tlsextdebug	6220	.Op Fl tlsextdebug
6219	.Op Fl verify Ar depth	6221	.Op Fl verify Ar depth
6220	.Op Fl x509_strict	6222	.Op Fl x509_strict
@@ -6313,16 +6315,13 @@ Show all protocol messages with hex dump.
6313	Turns on non-blocking I/O.	6315	Turns on non-blocking I/O.
6314	.It Fl nbio_test	6316	.It Fl nbio_test
6315	Tests non-blocking I/O.	6317	Tests non-blocking I/O.
6316	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2 \| tls1	6318	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2
6317	These options disable the use of certain SSL or TLS protocols.
6318	By default, the initial handshake uses a method which should be compatible	6319	By default, the initial handshake uses a method which should be compatible
6319	with all servers and permit them to use SSL v3 or TLS as appropriate.	6320	with servers supporting any version of TLS.
		6321	These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
6320	.Pp	6322	.Pp
6321	Unfortunately there are a lot of ancient and broken servers in use which	6323	Unfortunately there are a lot of ancient and broken servers in use which
6322	cannot handle this technique and will fail to connect.	6324	cannot handle this technique and will fail to connect.
6323	Some servers only work if TLS is turned off with the
6324	.Fl no_tls
6325	option.
6326	.It Fl no_ticket	6325	.It Fl no_ticket
6327	Disable RFC 4507 session ticket support.	6326	Disable RFC 4507 session ticket support.
6328	.It Fl pause	6327	.It Fl pause
@@ -6387,6 +6386,8 @@ and
6387	.Qq xmpp .	6386	.Qq xmpp .
6388	.It Fl state	6387	.It Fl state
6389	Prints out the SSL session states.	6388	Prints out the SSL session states.
		6389	.It Fl tls1 \| tls1_1 \| tls1_2
		6390	Permit only TLS1.0, 1.1, or 1.2, respectively.
6390	.It Fl tlsextdebug	6391	.It Fl tlsextdebug
6391	Print out a hex dump of any TLS extensions received from the server.	6392	Print out a hex dump of any TLS extensions received from the server.
6392	.It Fl verify Ar depth	6393	.It Fl verify Ar depth
@@ -6435,7 +6436,7 @@ to retrieve a web page.
6435	.Pp	6436	.Pp
6436	If the handshake fails, there are several possible causes; if it is	6437	If the handshake fails, there are several possible causes; if it is
6437	nothing obvious like no client certificate, then the	6438	nothing obvious like no client certificate, then the
6438	.Fl bugs , tls1 , no_tls1 , no_tls1_1 ,	6439	.Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 ,
6439	and	6440	and
6440	.Fl no_tls1_2	6441	.Fl no_tls1_2
6441	options can be tried in case it is a buggy server.	6442	options can be tried in case it is a buggy server.
@@ -6524,6 +6525,8 @@ We should really report information whenever a session is renegotiated.
6524	.Op Fl serverpref	6525	.Op Fl serverpref
6525	.Op Fl state	6526	.Op Fl state
6526	.Op Fl tls1	6527	.Op Fl tls1
		6528	.Op Fl tls1_1
		6529	.Op Fl tls1_2
6527	.Op Fl Verify Ar depth	6530	.Op Fl Verify Ar depth
6528	.Op Fl verify Ar depth	6531	.Op Fl verify Ar depth
6529	.Op Fl WWW	6532	.Op Fl WWW
@@ -6654,10 +6657,10 @@ Tests non-blocking I/O.
6654	.It Fl no_dhe	6657	.It Fl no_dhe
6655	If this option is set, no DH parameters will be loaded, effectively	6658	If this option is set, no DH parameters will be loaded, effectively
6656	disabling the ephemeral DH cipher suites.	6659	disabling the ephemeral DH cipher suites.
6657	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2 \| tls1	6660	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2
6658	These options disable the use of certain SSL or TLS protocols.
6659	By default, the initial handshake uses a method which should be compatible	6661	By default, the initial handshake uses a method which should be compatible
6660	with all servers and permit them to use SSL v3 or TLS as appropriate.	6662	with servers supporting any version of TLS.
		6663	These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
6661	.It Fl no_tmp_rsa	6664	.It Fl no_tmp_rsa
6662	Certain export cipher suites sometimes use a temporary RSA key; this option	6665	Certain export cipher suites sometimes use a temporary RSA key; this option
6663	disables temporary RSA key generation.	6666	disables temporary RSA key generation.
@@ -6681,6 +6684,8 @@ Inhibit printing of session and certificate information.
6681	Use server's cipher preferences.	6684	Use server's cipher preferences.
6682	.It Fl state	6685	.It Fl state
6683	Prints out the SSL session states.	6686	Prints out the SSL session states.
		6687	.It Fl tls1 \| tls1_1 \| tls1_2
		6688	Permit only TLS1.0, 1.1, or 1.2, respectively.
6684	.It Fl WWW	6689	.It Fl WWW
6685	Emulates a simple web server.	6690	Emulates a simple web server.
6686	Pages will be resolved relative to the current directory;	6691	Pages will be resolved relative to the current directory;