Mention that SSL_OP_TLSEXT_PADDING no longer has any effect,

and correct the description of SSL_OP_ALL. Found by inspecting <openssl/ssl.h>.
author: schwarze <> 2018-02-27 17:08:20 +0000
committer: schwarze <> 2018-02-27 17:08:20 +0000
commit: fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe (patch)
tree: bc67fe2e6ab56778265d3c8edd0d69012a79095a /src
parent: fefe4861e4c1cadad558991fb9fe3dea2642edef (diff)
download: openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.tar.gz
openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.tar.bz2
openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.zip
1 files changed, 10 insertions, 12 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index 98c1a6d365..f7445ad7c4 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,5 +1,6 @@
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2018/02/27 17:08:20 schwarze Exp $
-.\"     OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100
+.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
+.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
 .\" Bodo Moeller <bodo@openssl.org>, and
@@ -51,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: February 27 2018 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -154,12 +155,9 @@ Disables a countermeasure against a TLS 1.0 protocol vulnerability
 affecting CBC ciphers, which cannot be handled by some broken SSL
 implementations.
 This option has no effect for connections using other ciphers.
-.It Dv SSL_OP_TLSEXT_PADDING
-Adds a padding extension to ensure the ClientHello size is never between 256
-and 511 bytes in length.
-This is needed as a workaround for some implementations.
 .It Dv SSL_OP_ALL
-All of the above bug workarounds.
+This is currently an alias for
+.Dv SSL_OP_LEGACY_SERVER_CONNECT .
 .El
 .Pp
 It is usually safe to use
@@ -237,7 +235,8 @@ and no longer have any effect:
 .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG ,
 .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ,
 .Dv SSL_OP_TLS_BLOCK_PADDING_BUG ,
-.Dv SSL_OP_TLS_D5_BUG .
+.Dv SSL_OP_TLS_D5_BUG ,
+.Dv SSL_OP_TLSEXT_PADDING .
 .Sh SECURE RENEGOTIATION
 OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
 described in RFC5746.
@@ -268,9 +267,8 @@ alert is sent.
 This is because the server code may be unaware of the unpatched nature of the
 client.
 .Pp
-.Em N.B.:
+Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which
-a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will
+are unpatched) will result in the connection hanging if it receives a
-result in the connection hanging if it receives a
 .Em no_renegotiation
 alert.
 OpenSSL versions 0.9.8m and later will regard a
author	schwarze <>	2018-02-27 17:08:20 +0000
committer	schwarze <>	2018-02-27 17:08:20 +0000
commit	fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe (patch)
tree	bc67fe2e6ab56778265d3c8edd0d69012a79095a /src
parent	fefe4861e4c1cadad558991fb9fe3dea2642edef (diff)
download	openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.tar.gz openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.tar.bz2 openbsd-fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe.zip