1 files changed, 11 insertions, 27 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index d27b504ce3..f3e0be15ed 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.164 2025/04/19 17:20:24 kn Exp $
+.\" $OpenBSD: openssl.1,v 1.168 2025/12/20 07:02:37 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: April 19 2025 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -931,7 +931,6 @@ but without cipher suite codes.
 .Op Fl certfile Ar file
 .Op Fl certsout Ar file
 .Op Fl cmsout
-.Op Fl compress
 .Op Fl content Ar file
 .Op Fl crlfeol
 .Op Fl data_create
@@ -985,7 +984,6 @@ but without cipher suite codes.
 .Op Fl subject Ar s
 .Op Fl text
 .Op Fl to Ar addr
-.Op Fl uncompress
 .Op Fl verify
 .Op Fl verify_receipt Ar file
 .Op Fl verify_retcode
@@ -996,8 +994,7 @@ but without cipher suite codes.
 The
 .Nm cms
 command handles S/MIME v3.1 mail.
-It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME
+It can encrypt, decrypt, sign and verify S/MIME messages.
-messages.
 .Pp
 The MIME message must be sent without any blank lines between the headers and
 the output.
@@ -1053,12 +1050,6 @@ Output a content from the input CMS Data type.
 Create a CMS DigestedData type.
 .It Fl digest_verify
 Verify a CMS DigestedData type and output the content.
-.It Fl compress
-Create a CMS CompressedData type.
-Must be compiled with zlib support for this option to work.
-.It Fl uncompress
-Uncompress a CMS CompressedData type and output the content.
-Must be compiled with zlib support for this option to work.
 .It Fl EncryptedData_encrypt
 Encrypt a content using supplied symmetric key and algorithm using a
 CMS EncryptedData type.
@@ -1091,7 +1082,7 @@ The encryption algorithm to use.
 128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
 DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, triple DES is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt
@@ -2973,9 +2964,6 @@ command processes private keys
 (both encrypted and unencrypted)
 in PKCS#8 format
 with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
-The default encryption is only 56 bits;
-keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
-are more secure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3021,16 +3009,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
 .El
 .It Fl v2 Ar alg
 Use PKCS#5 v2.0 algorithms.
-Supports algorithms such as 168-bit triple DES or 128-bit RC2,
+These are block ciphers used in CBC mode.
-however not many implementations support PKCS#5 v2.0 yet
+The default is AES-256-CBC.
-(if using private keys with
+With the exception of AES, the choices available in RFC 8018
-.Nm openssl
+are considered decrepit.
-this doesn't matter).
+They can be enabled with des, des3, and rc2
-.Pp
+(rc5 is no longer supported).
-.Ar alg
-is the encryption algorithm to use;
-valid values include des, des3, and rc2.
-It is recommended that des3 is used.
 .El
 .Tg pkcs12
 .Sh PKCS12
@@ -5105,7 +5089,7 @@ The remaining options are as follows:
 The encryption algorithm to use.
 128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, 40-bit RC2 is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt .

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index d27b504ce3..f3e0be15ed 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.164 2025/04/19 17:20:24 kn Exp $	1	.\" $OpenBSD: openssl.1,v 1.168 2025/12/20 07:02:37 tb Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: April 19 2025 $	113	.Dd $Mdocdate: December 20 2025 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -931,7 +931,6 @@ but without cipher suite codes.
931	.Op Fl certfile Ar file	931	.Op Fl certfile Ar file
932	.Op Fl certsout Ar file	932	.Op Fl certsout Ar file
933	.Op Fl cmsout	933	.Op Fl cmsout
934	.Op Fl compress
935	.Op Fl content Ar file	934	.Op Fl content Ar file
936	.Op Fl crlfeol	935	.Op Fl crlfeol
937	.Op Fl data_create	936	.Op Fl data_create
@@ -985,7 +984,6 @@ but without cipher suite codes.
985	.Op Fl subject Ar s	984	.Op Fl subject Ar s
986	.Op Fl text	985	.Op Fl text
987	.Op Fl to Ar addr	986	.Op Fl to Ar addr
988	.Op Fl uncompress
989	.Op Fl verify	987	.Op Fl verify
990	.Op Fl verify_receipt Ar file	988	.Op Fl verify_receipt Ar file
991	.Op Fl verify_retcode	989	.Op Fl verify_retcode
@@ -996,8 +994,7 @@ but without cipher suite codes.
996	The	994	The
997	.Nm cms	995	.Nm cms
998	command handles S/MIME v3.1 mail.	996	command handles S/MIME v3.1 mail.
999	It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME	997	It can encrypt, decrypt, sign and verify S/MIME messages.
1000	messages.
1001	.Pp	998	.Pp
1002	The MIME message must be sent without any blank lines between the headers and	999	The MIME message must be sent without any blank lines between the headers and
1003	the output.	1000	the output.
@@ -1053,12 +1050,6 @@ Output a content from the input CMS Data type.
1053	Create a CMS DigestedData type.	1050	Create a CMS DigestedData type.
1054	.It Fl digest_verify	1051	.It Fl digest_verify
1055	Verify a CMS DigestedData type and output the content.	1052	Verify a CMS DigestedData type and output the content.
1056	.It Fl compress
1057	Create a CMS CompressedData type.
1058	Must be compiled with zlib support for this option to work.
1059	.It Fl uncompress
1060	Uncompress a CMS CompressedData type and output the content.
1061	Must be compiled with zlib support for this option to work.
1062	.It Fl EncryptedData_encrypt	1053	.It Fl EncryptedData_encrypt
1063	Encrypt a content using supplied symmetric key and algorithm using a	1054	Encrypt a content using supplied symmetric key and algorithm using a
1064	CMS EncryptedData type.	1055	CMS EncryptedData type.
@@ -1091,7 +1082,7 @@ The encryption algorithm to use.
1091	128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,	1082	128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
1092	DES (56 bits), triple DES (168 bits),	1083	DES (56 bits), triple DES (168 bits),
1093	or 40-, 64-, or 128-bit RC2, respectively;	1084	or 40-, 64-, or 128-bit RC2, respectively;
1094	if not specified, triple DES is	1085	if not specified, 256-bit AES is
1095	used.	1086	used.
1096	Only used with	1087	Only used with
1097	.Fl encrypt	1088	.Fl encrypt
@@ -2973,9 +2964,6 @@ command processes private keys
2973	(both encrypted and unencrypted)	2964	(both encrypted and unencrypted)
2974	in PKCS#8 format	2965	in PKCS#8 format
2975	with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.	2966	with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
2976	The default encryption is only 56 bits;
2977	keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
2978	are more secure.
2979	.Pp	2967	.Pp
2980	The options are as follows:	2968	The options are as follows:
2981	.Bl -tag -width Ds	2969	.Bl -tag -width Ds
@@ -3021,16 +3009,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
3021	.El	3009	.El
3022	.It Fl v2 Ar alg	3010	.It Fl v2 Ar alg
3023	Use PKCS#5 v2.0 algorithms.	3011	Use PKCS#5 v2.0 algorithms.
3024	Supports algorithms such as 168-bit triple DES or 128-bit RC2,	3012	These are block ciphers used in CBC mode.
3025	however not many implementations support PKCS#5 v2.0 yet	3013	The default is AES-256-CBC.
3026	(if using private keys with	3014	With the exception of AES, the choices available in RFC 8018
3027	.Nm openssl	3015	are considered decrepit.
3028	this doesn't matter).	3016	They can be enabled with des, des3, and rc2
3029	.Pp	3017	(rc5 is no longer supported).
3030	.Ar alg
3031	is the encryption algorithm to use;
3032	valid values include des, des3, and rc2.
3033	It is recommended that des3 is used.
3034	.El	3018	.El
3035	.Tg pkcs12	3019	.Tg pkcs12
3036	.Sh PKCS12	3020	.Sh PKCS12
@@ -5105,7 +5089,7 @@ The remaining options are as follows:
5105	The encryption algorithm to use.	5089	The encryption algorithm to use.
5106	128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),	5090	128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
5107	or 40-, 64-, or 128-bit RC2, respectively;	5091	or 40-, 64-, or 128-bit RC2, respectively;
5108	if not specified, 40-bit RC2 is	5092	if not specified, 256-bit AES is
5109	used.	5093	used.
5110	Only used with	5094	Only used with
5111	.Fl encrypt .	5095	.Fl encrypt .