1 files changed, 14 insertions, 38 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 6ceb53ef5c..40defdc38b 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.162 2025/01/19 10:24:17 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.167 2025/06/07 08:29:20 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: January 19 2025 $
+.Dd $Mdocdate: June 7 2025 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -325,7 +325,6 @@ into a nested structure.
 .Op Fl keyfile Ar file
 .Op Fl keyform Cm pem | der
 .Op Fl md Ar alg
-.Op Fl msie_hack
 .Op Fl multivalue-rdn
 .Op Fl name Ar section
 .Op Fl noemailDN
@@ -422,17 +421,6 @@ Possible values include
 and
 .Ar sha1 .
 This option also applies to CRLs.
-.It Fl msie_hack
-This is a legacy option to make
-.Nm ca
-work with very old versions of the IE certificate enrollment control
-.Qq certenr3 .
-It used UniversalStrings for almost everything.
-Since the old control has various security bugs,
-its use is strongly discouraged.
-The newer control
-.Qq Xenroll
-does not need this option.
 .It Fl multivalue-rdn
 This option causes the
 .Fl subj
@@ -629,11 +617,9 @@ specified using
 .Cm default_ca
 or
 .Fl name .
-The options
+The
 .Cm preserve
-and
+option is read directly from the
-.Cm msie_hack
-are read directly from the
 .Cm ca
 section.
 .Pp
@@ -746,9 +732,6 @@ simply set this to
 .Qq no .
 If not present, the default is to allow for the EMAIL field in the
 certificate's DN.
-.It Cm msie_hack
-The same as
-.Fl msie_hack .
 .It Cm name_opt , cert_opt
 These options allow the format used to display the certificate details
 when asking the user to confirm signing.
@@ -1108,7 +1091,7 @@ The encryption algorithm to use.
 128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
 DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, triple DES is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt
@@ -2990,9 +2973,6 @@ command processes private keys
 (both encrypted and unencrypted)
 in PKCS#8 format
 with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
-The default encryption is only 56 bits;
-keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
-are more secure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3038,16 +3018,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
 .El
 .It Fl v2 Ar alg
 Use PKCS#5 v2.0 algorithms.
-Supports algorithms such as 168-bit triple DES or 128-bit RC2,
+These are block ciphers used in CBC mode.
-however not many implementations support PKCS#5 v2.0 yet
+The default is AES-256-CBC.
-(if using private keys with
+With the exception of AES, the choices available in RFC 8018
-.Nm openssl
+are considered decrepit.
-this doesn't matter).
+They can be enabled with des, des3, and rc2
-.Pp
+(rc5 is no longer supported).
-.Ar alg
-is the encryption algorithm to use;
-valid values include des, des3, and rc2.
-It is recommended that des3 is used.
 .El
 .Tg pkcs12
 .Sh PKCS12
@@ -5122,7 +5098,7 @@ The remaining options are as follows:
 The encryption algorithm to use.
 128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, 40-bit RC2 is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt .
@@ -6165,7 +6141,7 @@ either using a list of comma-separated options or by specifying
 .Fl nameopt
 multiple times.
 The default behaviour is to use the
-.Cm oneline
+.Cm compat
 format.
 The options,
 which can be preceded by a dash to turn them off,
@@ -6247,7 +6223,7 @@ A one line format which is more readable than
 .Cm RFC2253 .
 Equivalent to
 .Cm esc_2253 , esc_ctrl , esc_msb , utf8 ,
-.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
+.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_space ,
 .Cm space_eq ,
 and
 .Cm sname .

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 6ceb53ef5c..40defdc38b 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.162 2025/01/19 10:24:17 tb Exp $	1	.\" $OpenBSD: openssl.1,v 1.167 2025/06/07 08:29:20 tb Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: January 19 2025 $	113	.Dd $Mdocdate: June 7 2025 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -325,7 +325,6 @@ into a nested structure.
325	.Op Fl keyfile Ar file	325	.Op Fl keyfile Ar file
326	.Op Fl keyform Cm pem \| der	326	.Op Fl keyform Cm pem \| der
327	.Op Fl md Ar alg	327	.Op Fl md Ar alg
328	.Op Fl msie_hack
329	.Op Fl multivalue-rdn	328	.Op Fl multivalue-rdn
330	.Op Fl name Ar section	329	.Op Fl name Ar section
331	.Op Fl noemailDN	330	.Op Fl noemailDN
@@ -422,17 +421,6 @@ Possible values include
422	and	421	and
423	.Ar sha1 .	422	.Ar sha1 .
424	This option also applies to CRLs.	423	This option also applies to CRLs.
425	.It Fl msie_hack
426	This is a legacy option to make
427	.Nm ca
428	work with very old versions of the IE certificate enrollment control
429	.Qq certenr3 .
430	It used UniversalStrings for almost everything.
431	Since the old control has various security bugs,
432	its use is strongly discouraged.
433	The newer control
434	.Qq Xenroll
435	does not need this option.
436	.It Fl multivalue-rdn	424	.It Fl multivalue-rdn
437	This option causes the	425	This option causes the
438	.Fl subj	426	.Fl subj
@@ -629,11 +617,9 @@ specified using
629	.Cm default_ca	617	.Cm default_ca
630	or	618	or
631	.Fl name .	619	.Fl name .
632	The options	620	The
633	.Cm preserve	621	.Cm preserve
634	and	622	option is read directly from the
635	.Cm msie_hack
636	are read directly from the
637	.Cm ca	623	.Cm ca
638	section.	624	section.
639	.Pp	625	.Pp
@@ -746,9 +732,6 @@ simply set this to
746	.Qq no .	732	.Qq no .
747	If not present, the default is to allow for the EMAIL field in the	733	If not present, the default is to allow for the EMAIL field in the
748	certificate's DN.	734	certificate's DN.
749	.It Cm msie_hack
750	The same as
751	.Fl msie_hack .
752	.It Cm name_opt , cert_opt	735	.It Cm name_opt , cert_opt
753	These options allow the format used to display the certificate details	736	These options allow the format used to display the certificate details
754	when asking the user to confirm signing.	737	when asking the user to confirm signing.
@@ -1108,7 +1091,7 @@ The encryption algorithm to use.
1108	128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,	1091	128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
1109	DES (56 bits), triple DES (168 bits),	1092	DES (56 bits), triple DES (168 bits),
1110	or 40-, 64-, or 128-bit RC2, respectively;	1093	or 40-, 64-, or 128-bit RC2, respectively;
1111	if not specified, triple DES is	1094	if not specified, 256-bit AES is
1112	used.	1095	used.
1113	Only used with	1096	Only used with
1114	.Fl encrypt	1097	.Fl encrypt
@@ -2990,9 +2973,6 @@ command processes private keys
2990	(both encrypted and unencrypted)	2973	(both encrypted and unencrypted)
2991	in PKCS#8 format	2974	in PKCS#8 format
2992	with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.	2975	with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
2993	The default encryption is only 56 bits;
2994	keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
2995	are more secure.
2996	.Pp	2976	.Pp
2997	The options are as follows:	2977	The options are as follows:
2998	.Bl -tag -width Ds	2978	.Bl -tag -width Ds
@@ -3038,16 +3018,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
3038	.El	3018	.El
3039	.It Fl v2 Ar alg	3019	.It Fl v2 Ar alg
3040	Use PKCS#5 v2.0 algorithms.	3020	Use PKCS#5 v2.0 algorithms.
3041	Supports algorithms such as 168-bit triple DES or 128-bit RC2,	3021	These are block ciphers used in CBC mode.
3042	however not many implementations support PKCS#5 v2.0 yet	3022	The default is AES-256-CBC.
3043	(if using private keys with	3023	With the exception of AES, the choices available in RFC 8018
3044	.Nm openssl	3024	are considered decrepit.
3045	this doesn't matter).	3025	They can be enabled with des, des3, and rc2
3046	.Pp	3026	(rc5 is no longer supported).
3047	.Ar alg
3048	is the encryption algorithm to use;
3049	valid values include des, des3, and rc2.
3050	It is recommended that des3 is used.
3051	.El	3027	.El
3052	.Tg pkcs12	3028	.Tg pkcs12
3053	.Sh PKCS12	3029	.Sh PKCS12
@@ -5122,7 +5098,7 @@ The remaining options are as follows:
5122	The encryption algorithm to use.	5098	The encryption algorithm to use.
5123	128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),	5099	128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
5124	or 40-, 64-, or 128-bit RC2, respectively;	5100	or 40-, 64-, or 128-bit RC2, respectively;
5125	if not specified, 40-bit RC2 is	5101	if not specified, 256-bit AES is
5126	used.	5102	used.
5127	Only used with	5103	Only used with
5128	.Fl encrypt .	5104	.Fl encrypt .
@@ -6165,7 +6141,7 @@ either using a list of comma-separated options or by specifying
6165	.Fl nameopt	6141	.Fl nameopt
6166	multiple times.	6142	multiple times.
6167	The default behaviour is to use the	6143	The default behaviour is to use the
6168	.Cm oneline	6144	.Cm compat
6169	format.	6145	format.
6170	The options,	6146	The options,
6171	which can be preceded by a dash to turn them off,	6147	which can be preceded by a dash to turn them off,
@@ -6247,7 +6223,7 @@ A one line format which is more readable than
6247	.Cm RFC2253 .	6223	.Cm RFC2253 .
6248	Equivalent to	6224	Equivalent to
6249	.Cm esc_2253 , esc_ctrl , esc_msb , utf8 ,	6225	.Cm esc_2253 , esc_ctrl , esc_msb , utf8 ,
6250	.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,	6226	.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_space ,
6251	.Cm space_eq ,	6227	.Cm space_eq ,
6252	and	6228	and
6253	.Cm sname .	6229	.Cm sname .