1 files changed, 13 insertions, 145 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index f371a8b178..39fdf8bb27 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.92 2018/03/31 12:46:12 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.93 2018/04/10 22:07:30 schwarze Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: March 31 2018 $
+.Dd $Mdocdate: April 10 2018 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -837,14 +837,20 @@ The same as
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hVv
-.Op Ar cipherlist
+.Op Ar control
 .Pp
 The
 .Nm ciphers
-command converts
+command converts the
-.Nm openssl
+.Ar control
-cipher lists into ordered SSL cipher preference lists.
+string from the format documented in
-It can be used as a way to determine the appropriate cipher list.
+.Xr SSL_CTX_set_cipher_list 3
+into an ordered SSL cipher suite preference list.
+If no
+.Ar control
+string is specified, the
+.Cm DEFAULT
+list is printed.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -859,144 +865,6 @@ key exchange, authentication, encryption, and mac algorithms.
 Like
 .Fl V ,
 but without cipher suite codes.
-.It Ar cipherlist
-A cipher list to convert to a cipher preference list.
-If it is not included, the default cipher list will be used.
-.Pp
-The cipher list consists of one or more cipher strings
-separated by colons.
-Commas or spaces are also acceptable separators, but colons are normally used.
-.Pp
-The actual cipher string can take several different forms:
-.Pp
-It can consist of a single cipher suite, such as RC4-SHA.
-.Pp
-It can represent a list of cipher suites containing a certain algorithm,
-or cipher suites of a certain type.
-For example SHA1 represents all cipher suites using the digest algorithm SHA1.
-.Pp
-Lists of cipher suites can be combined in a single cipher string using the
-.Sq +
-character
-(logical AND operation).
-For example, SHA1+DES represents all cipher suites
-containing the SHA1 and DES algorithms.
-.Pp
-Each cipher string can be optionally preceded by the characters
-.Sq \&! ,
-.Sq - ,
-or
-.Sq + .
-If
-.Sq !\&
-is used, then the ciphers are permanently deleted from the list.
-The ciphers deleted can never reappear in the list even if they are
-explicitly stated.
-If
-.Sq -
-is used, then the ciphers are deleted from the list, but some or
-all of the ciphers can be added again by later options.
-If
-.Sq +
-is used, then the ciphers are moved to the end of the list.
-This option doesn't add any new ciphers, it just moves matching existing ones.
-.Pp
-If none of these characters is present, the string is just interpreted
-as a list of ciphers to be appended to the current preference list.
-If the list includes any ciphers already present, they will be ignored;
-that is, they will not be moved to the end of the list.
-.Pp
-Additionally, the cipher string
-.Cm @STRENGTH
-can be used at any point to sort the current cipher list in order of
-encryption algorithm key length.
-.El
-.Pp
-The following is a list of all permitted cipher strings and their meanings.
-.Bl -tag -width "XXXX"
-.It Cm DEFAULT
-The default cipher list.
-This is determined at compile time and is currently
-.Cm ALL:!aNULL:!eNULL:!SSLv2 .
-This must be the first cipher string specified.
-.It Cm COMPLEMENTOFDEFAULT
-The ciphers included in
-.Cm ALL ,
-but not enabled by default.
-Currently this is
-.Cm ADH .
-Note that this rule does not cover
-.Cm eNULL ,
-which is not included by
-.Cm ALL
-(use
-.Cm COMPLEMENTOFALL
-if necessary).
-.It Cm ALL
-All cipher suites except the
-.Cm eNULL
-ciphers, which must be explicitly enabled.
-.It Cm COMPLEMENTOFALL
-The cipher suites not enabled by
-.Cm ALL ,
-currently being
-.Cm eNULL .
-.It Cm HIGH
-.Qq High
-encryption cipher suites.
-This currently means those with key lengths larger than 128 bits.
-.It Cm MEDIUM
-.Qq Medium
-encryption cipher suites, currently those using 128-bit encryption.
-.It Cm LOW
-.Qq Low
-encryption cipher suites, currently those using 64- or 56-bit encryption
-algorithms.
-.It Cm eNULL , NULL
-The
-.Qq NULL
-ciphers; that is, those offering no encryption.
-Because these offer no encryption at all and are a security risk,
-they are disabled unless explicitly included.
-.It Cm aNULL
-The cipher suites offering no authentication.
-This is currently the anonymous DH algorithms.
-These cipher suites are vulnerable to a
-.Qq man in the middle
-attack, so their use is normally discouraged.
-.It Cm kRSA , RSA
-Cipher suites using RSA key exchange.
-.It Cm kEDH
-Cipher suites using ephemeral DH key agreement.
-.It Cm aRSA
-Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
-.It Cm aDSS , DSS
-Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Cm TLSv1
-TLS v1.0 cipher suites.
-.It Cm DH
-Cipher suites using DH, including anonymous DH.
-.It Cm ADH
-Anonymous DH cipher suites.
-.It Cm AES
-Cipher suites using AES.
-.It Cm 3DES
-Cipher suites using triple DES.
-.It Cm DES
-Cipher suites using DES
-.Pq not triple DES .
-.It Cm RC4
-Cipher suites using RC4.
-.It Cm CAMELLIA
-Cipher suites using Camellia.
-.It Cm CHACHA20
-Cipher suites using ChaCha20.
-.It Cm IDEA
-Cipher suites using IDEA.
-.It Cm MD5
-Cipher suites using MD5.
-.It Cm SHA1 , SHA
-Cipher suites using SHA1.
 .El
 .Sh CRL
 .nr nS 1

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index f371a8b178..39fdf8bb27 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.92 2018/03/31 12:46:12 schwarze Exp $	1	.\" $OpenBSD: openssl.1,v 1.93 2018/04/10 22:07:30 schwarze Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: March 31 2018 $	113	.Dd $Mdocdate: April 10 2018 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -837,14 +837,20 @@ The same as
837	.Sh CIPHERS	837	.Sh CIPHERS
838	.Nm openssl ciphers	838	.Nm openssl ciphers
839	.Op Fl hVv	839	.Op Fl hVv
840	.Op Ar cipherlist	840	.Op Ar control
841	.Pp	841	.Pp
842	The	842	The
843	.Nm ciphers	843	.Nm ciphers
844	command converts	844	command converts the
845	.Nm openssl	845	.Ar control
846	cipher lists into ordered SSL cipher preference lists.	846	string from the format documented in
847	It can be used as a way to determine the appropriate cipher list.	847	.Xr SSL_CTX_set_cipher_list 3
		848	into an ordered SSL cipher suite preference list.
		849	If no
		850	.Ar control
		851	string is specified, the
		852	.Cm DEFAULT
		853	list is printed.
848	.Pp	854	.Pp
849	The options are as follows:	855	The options are as follows:
850	.Bl -tag -width Ds	856	.Bl -tag -width Ds
@@ -859,144 +865,6 @@ key exchange, authentication, encryption, and mac algorithms.
859	Like	865	Like
860	.Fl V ,	866	.Fl V ,
861	but without cipher suite codes.	867	but without cipher suite codes.
862	.It Ar cipherlist
863	A cipher list to convert to a cipher preference list.
864	If it is not included, the default cipher list will be used.
865	.Pp
866	The cipher list consists of one or more cipher strings
867	separated by colons.
868	Commas or spaces are also acceptable separators, but colons are normally used.
869	.Pp
870	The actual cipher string can take several different forms:
871	.Pp
872	It can consist of a single cipher suite, such as RC4-SHA.
873	.Pp
874	It can represent a list of cipher suites containing a certain algorithm,
875	or cipher suites of a certain type.
876	For example SHA1 represents all cipher suites using the digest algorithm SHA1.
877	.Pp
878	Lists of cipher suites can be combined in a single cipher string using the
879	.Sq +
880	character
881	(logical AND operation).
882	For example, SHA1+DES represents all cipher suites
883	containing the SHA1 and DES algorithms.
884	.Pp
885	Each cipher string can be optionally preceded by the characters
886	.Sq \&! ,
887	.Sq - ,
888	or
889	.Sq + .
890	If
891	.Sq !\&
892	is used, then the ciphers are permanently deleted from the list.
893	The ciphers deleted can never reappear in the list even if they are
894	explicitly stated.
895	If
896	.Sq -
897	is used, then the ciphers are deleted from the list, but some or
898	all of the ciphers can be added again by later options.
899	If
900	.Sq +
901	is used, then the ciphers are moved to the end of the list.
902	This option doesn't add any new ciphers, it just moves matching existing ones.
903	.Pp
904	If none of these characters is present, the string is just interpreted
905	as a list of ciphers to be appended to the current preference list.
906	If the list includes any ciphers already present, they will be ignored;
907	that is, they will not be moved to the end of the list.
908	.Pp
909	Additionally, the cipher string
910	.Cm @STRENGTH
911	can be used at any point to sort the current cipher list in order of
912	encryption algorithm key length.
913	.El
914	.Pp
915	The following is a list of all permitted cipher strings and their meanings.
916	.Bl -tag -width "XXXX"
917	.It Cm DEFAULT
918	The default cipher list.
919	This is determined at compile time and is currently
920	.Cm ALL:!aNULL:!eNULL:!SSLv2 .
921	This must be the first cipher string specified.
922	.It Cm COMPLEMENTOFDEFAULT
923	The ciphers included in
924	.Cm ALL ,
925	but not enabled by default.
926	Currently this is
927	.Cm ADH .
928	Note that this rule does not cover
929	.Cm eNULL ,
930	which is not included by
931	.Cm ALL
932	(use
933	.Cm COMPLEMENTOFALL
934	if necessary).
935	.It Cm ALL
936	All cipher suites except the
937	.Cm eNULL
938	ciphers, which must be explicitly enabled.
939	.It Cm COMPLEMENTOFALL
940	The cipher suites not enabled by
941	.Cm ALL ,
942	currently being
943	.Cm eNULL .
944	.It Cm HIGH
945	.Qq High
946	encryption cipher suites.
947	This currently means those with key lengths larger than 128 bits.
948	.It Cm MEDIUM
949	.Qq Medium
950	encryption cipher suites, currently those using 128-bit encryption.
951	.It Cm LOW
952	.Qq Low
953	encryption cipher suites, currently those using 64- or 56-bit encryption
954	algorithms.
955	.It Cm eNULL , NULL
956	The
957	.Qq NULL
958	ciphers; that is, those offering no encryption.
959	Because these offer no encryption at all and are a security risk,
960	they are disabled unless explicitly included.
961	.It Cm aNULL
962	The cipher suites offering no authentication.
963	This is currently the anonymous DH algorithms.
964	These cipher suites are vulnerable to a
965	.Qq man in the middle
966	attack, so their use is normally discouraged.
967	.It Cm kRSA , RSA
968	Cipher suites using RSA key exchange.
969	.It Cm kEDH
970	Cipher suites using ephemeral DH key agreement.
971	.It Cm aRSA
972	Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
973	.It Cm aDSS , DSS
974	Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
975	.It Cm TLSv1
976	TLS v1.0 cipher suites.
977	.It Cm DH
978	Cipher suites using DH, including anonymous DH.
979	.It Cm ADH
980	Anonymous DH cipher suites.
981	.It Cm AES
982	Cipher suites using AES.
983	.It Cm 3DES
984	Cipher suites using triple DES.
985	.It Cm DES
986	Cipher suites using DES
987	.Pq not triple DES .
988	.It Cm RC4
989	Cipher suites using RC4.
990	.It Cm CAMELLIA
991	Cipher suites using Camellia.
992	.It Cm CHACHA20
993	Cipher suites using ChaCha20.
994	.It Cm IDEA
995	Cipher suites using IDEA.
996	.It Cm MD5
997	Cipher suites using MD5.
998	.It Cm SHA1 , SHA
999	Cipher suites using SHA1.
1000	.El	868	.El
1001	.Sh CRL	869	.Sh CRL
1002	.nr nS 1	870	.nr nS 1