1 files changed, 14 insertions, 58 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 5f849d7a30..8d49bf7b36 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.17 2015/07/27 17:28:39 sobrado Exp $
+.\" $OpenBSD: openssl.1,v 1.18 2015/08/02 12:43:44 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: July 27 2015 $
+.Dd $Mdocdate: August 2 2015 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -1414,7 +1414,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hVv
-.Op Fl ssl3 | tls1
+.Op Fl tls1
 .Op Ar cipherlist
 .Pp
 The
@@ -1428,8 +1428,6 @@ The options are as follows:
 .Bl -tag -width Ds
 .It Fl h , \&?
 Print a brief usage message.
-.It Fl ssl3
-Only include SSL v3 ciphers.
 .It Fl tls1
 Only include TLS v1 ciphers.
 .It Fl V
@@ -1438,14 +1436,12 @@ Like
 but include cipher suite codes in output (hex format).
 .It Fl v
 Verbose option.
-List ciphers with a complete description of protocol version
+List ciphers with a complete description of protocol version,
-.Pq SSLv3, which includes TLS ,
 key exchange, authentication, encryption and mac algorithms used along with
 any key size restrictions.
 Note that without the
 .Fl v
-option, ciphers may seem to appear twice in a cipher list;
+option, ciphers may seem to appear twice in a cipher list.
-this is when similar ciphers are available for SSL v3/TLS v1.
 .It Ar cipherlist
 A cipher list to convert to a cipher preference list.
 If it is not included, the default cipher list will be used.
@@ -1468,9 +1464,7 @@ It can represent a list of cipher suites containing a certain algorithm,
 or cipher suites of a certain type.
 For example
 .Em SHA1
-represents all cipher suites using the digest algorithm SHA1, and
+represents all cipher suites using the digest algorithm SHA1.
-.Em SSLv3
-represents all SSL v3 algorithms.
 .Pp
 Lists of cipher suites can be combined in a single
 .Em cipher string
@@ -1578,8 +1572,8 @@ Cipher suites using ephemeral DH key agreement.
 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
 .It Ar aDSS , DSS
 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1 , SSLv3
+.It Ar TLSv1
-TLS v1.0 or SSL v3.0 cipher suites, respectively.
+TLS v1.0 cipher suites.
 .It Ar DH
 Cipher suites using DH, including anonymous DH.
 .It Ar ADH
@@ -5148,8 +5142,6 @@ Acceptable values for
 are
 .Cm pkcs1
 for PKCS#1 padding;
-.Cm sslv3
-for SSLv3 padding;
 .Cm none
 for no padding;
 .Cm oaep
@@ -6475,7 +6467,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl msg
 .Op Fl nbio
 .Op Fl nbio_test
-.Op Fl no_ssl3
 .Op Fl no_ticket
 .Op Fl no_tls1
 .Op Fl no_tls1_1
@@ -6490,7 +6481,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl reconnect
 .Op Fl servername Ar name
 .Op Fl showcerts
-.Op Fl ssl3
 .Op Fl starttls Ar protocol
 .Op Fl state
 .Op Fl tls1
@@ -6599,10 +6589,7 @@ Show all protocol messages with hex dump.
 Turns on non-blocking I/O.
 .It Fl nbio_test
 Tests non-blocking I/O.
-.It Xo
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
-.Fl no_ssl3 | no_tls1 | no_tls1_1 | no_tls1_2 |
-.Fl ssl3 | tls1
-.Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
 with all servers and permit them to use SSL v3 or TLS as appropriate.
@@ -6717,15 +6704,10 @@ to retrieve a web page.
 .Pp
 If the handshake fails, there are several possible causes; if it is
 nothing obvious like no client certificate, then the
-.Fl bugs , ssl3 , tls1 , no_ssl3 , no_tls1 , no_tls1_1 ,
+.Fl bugs , tls1 , no_tls1 , no_tls1_1 ,
 and
 .Fl no_tls1_2
 options can be tried in case it is a buggy server.
-In particular these options should be tried
-.Em before
-submitting a bug report to an
-.Nm OpenSSL
-mailing list.
 .Pp
 A frequent problem when attempting to get client certificates working
 is that a web client complains it has no certificates or gives an empty
@@ -6801,7 +6783,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl nbio
 .Op Fl nbio_test
 .Op Fl no_dhe
-.Op Fl no_ssl3
 .Op Fl no_tls1
 .Op Fl no_tls1_1
 .Op Fl no_tls1_2
@@ -6811,7 +6792,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl psk_hint Ar hint
 .Op Fl quiet
 .Op Fl serverpref
-.Op Fl ssl3
 .Op Fl state
 .Op Fl tls1
 .Op Fl Verify Ar depth
@@ -6952,10 +6932,7 @@ Tests non-blocking I/O.
 .It Fl no_dhe
 If this option is set, no DH parameters will be loaded, effectively
 disabling the ephemeral DH cipher suites.
-.It Xo
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
-.Fl no_ssl3 | no_tls1 | no_tls1_1 | no_tls1_2 |
-.Fl ssl3 | tls1
-.Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
 with all servers and permit them to use SSL v3 or TLS as appropriate.
@@ -7090,7 +7067,6 @@ unknown cipher suites a client says it supports.
 .Op Fl nbio
 .Op Fl new
 .Op Fl reuse
-.Op Fl ssl3
 .Op Fl time Ar seconds
 .Op Fl verify Ar depth
 .Op Fl www Ar page
@@ -7160,21 +7136,6 @@ nor
 .Fl reuse
 are specified,
 they are both on by default and executed in sequence.
-.It Fl ssl3
-This option disables the use of certain SSL or TLS protocols.
-By default, the initial handshake uses a method
-which should be compatible with all servers and permit them to use
-SSL v3 or TLS as appropriate.
-The timing program is not as rich in options to turn protocols on and off as
-the
-.Nm s_client
-program and may not connect to all servers.
-.Pp
-Unfortunately there are a lot of ancient and broken servers in use which
-cannot handle this technique and will fail to connect.
-Some servers only work if TLS is turned off with the
-.Fl ssl3
-option.
 .It Fl time Ar seconds
 Specifies how long
 .Pq in seconds
@@ -7210,7 +7171,7 @@ can be used to measure the performance of an SSL connection.
 To connect to an SSL HTTP server and get the default page the command
 .Bd -literal -offset indent
 $ openssl s_time -connect servername:443 -www / -CApath yourdir \e
-        -CAfile yourfile.pem -cipher commoncipher [-ssl3]
+        -CAfile yourfile.pem -cipher commoncipher
 .Ed
 .Pp
 would typically be used
@@ -7224,12 +7185,7 @@ command for details.
 If the handshake fails, there are several possible causes:
 if it is nothing obvious like no client certificate, the
 .Fl bugs
-and
+option can be tried in case it is a buggy server.
-.Fl ssl3
-options can be tried in case it is a buggy server.
-In particular you should play with these options
-.Em before
-submitting a bug report to an OpenSSL mailing list.
 .Pp
 A frequent problem when attempting to get client certificates working
 is that a web client complains it has no certificates or gives an empty
@@ -7358,7 +7314,7 @@ These are described below in more detail.
 .Pp
 .Bl -tag -width "Verify return code " -compact
 .It Ar Protocol
-This is the protocol in use: TLSv1 or SSLv3.
+This is the protocol in use.
 .It Ar Cipher
 The cipher used is the actual raw SSL or TLS cipher code;
 see the SSL or TLS specifications for more information.

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index 5f849d7a30..8d49bf7b36 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.17 2015/07/27 17:28:39 sobrado Exp $	1	.\" $OpenBSD: openssl.1,v 1.18 2015/08/02 12:43:44 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: July 27 2015 $	115	.Dd $Mdocdate: August 2 2015 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -1414,7 +1414,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
1414	.Sh CIPHERS	1414	.Sh CIPHERS
1415	.Nm openssl ciphers	1415	.Nm openssl ciphers
1416	.Op Fl hVv	1416	.Op Fl hVv
1417	.Op Fl ssl3 \| tls1	1417	.Op Fl tls1
1418	.Op Ar cipherlist	1418	.Op Ar cipherlist
1419	.Pp	1419	.Pp
1420	The	1420	The
@@ -1428,8 +1428,6 @@ The options are as follows:
1428	.Bl -tag -width Ds	1428	.Bl -tag -width Ds
1429	.It Fl h , \&?	1429	.It Fl h , \&?
1430	Print a brief usage message.	1430	Print a brief usage message.
1431	.It Fl ssl3
1432	Only include SSL v3 ciphers.
1433	.It Fl tls1	1431	.It Fl tls1
1434	Only include TLS v1 ciphers.	1432	Only include TLS v1 ciphers.
1435	.It Fl V	1433	.It Fl V
@@ -1438,14 +1436,12 @@ Like
1438	but include cipher suite codes in output (hex format).	1436	but include cipher suite codes in output (hex format).
1439	.It Fl v	1437	.It Fl v
1440	Verbose option.	1438	Verbose option.
1441	List ciphers with a complete description of protocol version	1439	List ciphers with a complete description of protocol version,
1442	.Pq SSLv3, which includes TLS ,
1443	key exchange, authentication, encryption and mac algorithms used along with	1440	key exchange, authentication, encryption and mac algorithms used along with
1444	any key size restrictions.	1441	any key size restrictions.
1445	Note that without the	1442	Note that without the
1446	.Fl v	1443	.Fl v
1447	option, ciphers may seem to appear twice in a cipher list;	1444	option, ciphers may seem to appear twice in a cipher list.
1448	this is when similar ciphers are available for SSL v3/TLS v1.
1449	.It Ar cipherlist	1445	.It Ar cipherlist
1450	A cipher list to convert to a cipher preference list.	1446	A cipher list to convert to a cipher preference list.
1451	If it is not included, the default cipher list will be used.	1447	If it is not included, the default cipher list will be used.
@@ -1468,9 +1464,7 @@ It can represent a list of cipher suites containing a certain algorithm,
1468	or cipher suites of a certain type.	1464	or cipher suites of a certain type.
1469	For example	1465	For example
1470	.Em SHA1	1466	.Em SHA1
1471	represents all cipher suites using the digest algorithm SHA1, and	1467	represents all cipher suites using the digest algorithm SHA1.
1472	.Em SSLv3
1473	represents all SSL v3 algorithms.
1474	.Pp	1468	.Pp
1475	Lists of cipher suites can be combined in a single	1469	Lists of cipher suites can be combined in a single
1476	.Em cipher string	1470	.Em cipher string
@@ -1578,8 +1572,8 @@ Cipher suites using ephemeral DH key agreement.
1578	Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.	1572	Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
1579	.It Ar aDSS , DSS	1573	.It Ar aDSS , DSS
1580	Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.	1574	Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
1581	.It Ar TLSv1 , SSLv3	1575	.It Ar TLSv1
1582	TLS v1.0 or SSL v3.0 cipher suites, respectively.	1576	TLS v1.0 cipher suites.
1583	.It Ar DH	1577	.It Ar DH
1584	Cipher suites using DH, including anonymous DH.	1578	Cipher suites using DH, including anonymous DH.
1585	.It Ar ADH	1579	.It Ar ADH
@@ -5148,8 +5142,6 @@ Acceptable values for
5148	are	5142	are
5149	.Cm pkcs1	5143	.Cm pkcs1
5150	for PKCS#1 padding;	5144	for PKCS#1 padding;
5151	.Cm sslv3
5152	for SSLv3 padding;
5153	.Cm none	5145	.Cm none
5154	for no padding;	5146	for no padding;
5155	.Cm oaep	5147	.Cm oaep
@@ -6475,7 +6467,6 @@ which it can be seen agrees with the recovered value above.
6475	.Op Fl msg	6467	.Op Fl msg
6476	.Op Fl nbio	6468	.Op Fl nbio
6477	.Op Fl nbio_test	6469	.Op Fl nbio_test
6478	.Op Fl no_ssl3
6479	.Op Fl no_ticket	6470	.Op Fl no_ticket
6480	.Op Fl no_tls1	6471	.Op Fl no_tls1
6481	.Op Fl no_tls1_1	6472	.Op Fl no_tls1_1
@@ -6490,7 +6481,6 @@ which it can be seen agrees with the recovered value above.
6490	.Op Fl reconnect	6481	.Op Fl reconnect
6491	.Op Fl servername Ar name	6482	.Op Fl servername Ar name
6492	.Op Fl showcerts	6483	.Op Fl showcerts
6493	.Op Fl ssl3
6494	.Op Fl starttls Ar protocol	6484	.Op Fl starttls Ar protocol
6495	.Op Fl state	6485	.Op Fl state
6496	.Op Fl tls1	6486	.Op Fl tls1
@@ -6599,10 +6589,7 @@ Show all protocol messages with hex dump.
6599	Turns on non-blocking I/O.	6589	Turns on non-blocking I/O.
6600	.It Fl nbio_test	6590	.It Fl nbio_test
6601	Tests non-blocking I/O.	6591	Tests non-blocking I/O.
6602	.It Xo	6592	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2 \| tls1
6603	.Fl no_ssl3 \| no_tls1 \| no_tls1_1 \| no_tls1_2 \|
6604	.Fl ssl3 \| tls1
6605	.Xc
6606	These options disable the use of certain SSL or TLS protocols.	6593	These options disable the use of certain SSL or TLS protocols.
6607	By default, the initial handshake uses a method which should be compatible	6594	By default, the initial handshake uses a method which should be compatible
6608	with all servers and permit them to use SSL v3 or TLS as appropriate.	6595	with all servers and permit them to use SSL v3 or TLS as appropriate.
@@ -6717,15 +6704,10 @@ to retrieve a web page.
6717	.Pp	6704	.Pp
6718	If the handshake fails, there are several possible causes; if it is	6705	If the handshake fails, there are several possible causes; if it is
6719	nothing obvious like no client certificate, then the	6706	nothing obvious like no client certificate, then the
6720	.Fl bugs , ssl3 , tls1 , no_ssl3 , no_tls1 , no_tls1_1 ,	6707	.Fl bugs , tls1 , no_tls1 , no_tls1_1 ,
6721	and	6708	and
6722	.Fl no_tls1_2	6709	.Fl no_tls1_2
6723	options can be tried in case it is a buggy server.	6710	options can be tried in case it is a buggy server.
6724	In particular these options should be tried
6725	.Em before
6726	submitting a bug report to an
6727	.Nm OpenSSL
6728	mailing list.
6729	.Pp	6711	.Pp
6730	A frequent problem when attempting to get client certificates working	6712	A frequent problem when attempting to get client certificates working
6731	is that a web client complains it has no certificates or gives an empty	6713	is that a web client complains it has no certificates or gives an empty
@@ -6801,7 +6783,6 @@ We should really report information whenever a session is renegotiated.
6801	.Op Fl nbio	6783	.Op Fl nbio
6802	.Op Fl nbio_test	6784	.Op Fl nbio_test
6803	.Op Fl no_dhe	6785	.Op Fl no_dhe
6804	.Op Fl no_ssl3
6805	.Op Fl no_tls1	6786	.Op Fl no_tls1
6806	.Op Fl no_tls1_1	6787	.Op Fl no_tls1_1
6807	.Op Fl no_tls1_2	6788	.Op Fl no_tls1_2
@@ -6811,7 +6792,6 @@ We should really report information whenever a session is renegotiated.
6811	.Op Fl psk_hint Ar hint	6792	.Op Fl psk_hint Ar hint
6812	.Op Fl quiet	6793	.Op Fl quiet
6813	.Op Fl serverpref	6794	.Op Fl serverpref
6814	.Op Fl ssl3
6815	.Op Fl state	6795	.Op Fl state
6816	.Op Fl tls1	6796	.Op Fl tls1
6817	.Op Fl Verify Ar depth	6797	.Op Fl Verify Ar depth
@@ -6952,10 +6932,7 @@ Tests non-blocking I/O.
6952	.It Fl no_dhe	6932	.It Fl no_dhe
6953	If this option is set, no DH parameters will be loaded, effectively	6933	If this option is set, no DH parameters will be loaded, effectively
6954	disabling the ephemeral DH cipher suites.	6934	disabling the ephemeral DH cipher suites.
6955	.It Xo	6935	.It Fl no_tls1 \| no_tls1_1 \| no_tls1_2 \| tls1
6956	.Fl no_ssl3 \| no_tls1 \| no_tls1_1 \| no_tls1_2 \|
6957	.Fl ssl3 \| tls1
6958	.Xc
6959	These options disable the use of certain SSL or TLS protocols.	6936	These options disable the use of certain SSL or TLS protocols.
6960	By default, the initial handshake uses a method which should be compatible	6937	By default, the initial handshake uses a method which should be compatible
6961	with all servers and permit them to use SSL v3 or TLS as appropriate.	6938	with all servers and permit them to use SSL v3 or TLS as appropriate.
@@ -7090,7 +7067,6 @@ unknown cipher suites a client says it supports.
7090	.Op Fl nbio	7067	.Op Fl nbio
7091	.Op Fl new	7068	.Op Fl new
7092	.Op Fl reuse	7069	.Op Fl reuse
7093	.Op Fl ssl3
7094	.Op Fl time Ar seconds	7070	.Op Fl time Ar seconds
7095	.Op Fl verify Ar depth	7071	.Op Fl verify Ar depth
7096	.Op Fl www Ar page	7072	.Op Fl www Ar page
@@ -7160,21 +7136,6 @@ nor
7160	.Fl reuse	7136	.Fl reuse
7161	are specified,	7137	are specified,
7162	they are both on by default and executed in sequence.	7138	they are both on by default and executed in sequence.
7163	.It Fl ssl3
7164	This option disables the use of certain SSL or TLS protocols.
7165	By default, the initial handshake uses a method
7166	which should be compatible with all servers and permit them to use
7167	SSL v3 or TLS as appropriate.
7168	The timing program is not as rich in options to turn protocols on and off as
7169	the
7170	.Nm s_client
7171	program and may not connect to all servers.
7172	.Pp
7173	Unfortunately there are a lot of ancient and broken servers in use which
7174	cannot handle this technique and will fail to connect.
7175	Some servers only work if TLS is turned off with the
7176	.Fl ssl3
7177	option.
7178	.It Fl time Ar seconds	7139	.It Fl time Ar seconds
7179	Specifies how long	7140	Specifies how long
7180	.Pq in seconds	7141	.Pq in seconds
@@ -7210,7 +7171,7 @@ can be used to measure the performance of an SSL connection.
7210	To connect to an SSL HTTP server and get the default page the command	7171	To connect to an SSL HTTP server and get the default page the command
7211	.Bd -literal -offset indent	7172	.Bd -literal -offset indent
7212	$ openssl s_time -connect servername:443 -www / -CApath yourdir \e	7173	$ openssl s_time -connect servername:443 -www / -CApath yourdir \e
7213	-CAfile yourfile.pem -cipher commoncipher [-ssl3]	7174	-CAfile yourfile.pem -cipher commoncipher
7214	.Ed	7175	.Ed
7215	.Pp	7176	.Pp
7216	would typically be used	7177	would typically be used
@@ -7224,12 +7185,7 @@ command for details.
7224	If the handshake fails, there are several possible causes:	7185	If the handshake fails, there are several possible causes:
7225	if it is nothing obvious like no client certificate, the	7186	if it is nothing obvious like no client certificate, the
7226	.Fl bugs	7187	.Fl bugs
7227	and	7188	option can be tried in case it is a buggy server.
7228	.Fl ssl3
7229	options can be tried in case it is a buggy server.
7230	In particular you should play with these options
7231	.Em before
7232	submitting a bug report to an OpenSSL mailing list.
7233	.Pp	7189	.Pp
7234	A frequent problem when attempting to get client certificates working	7190	A frequent problem when attempting to get client certificates working
7235	is that a web client complains it has no certificates or gives an empty	7191	is that a web client complains it has no certificates or gives an empty
@@ -7358,7 +7314,7 @@ These are described below in more detail.
7358	.Pp	7314	.Pp
7359	.Bl -tag -width "Verify return code " -compact	7315	.Bl -tag -width "Verify return code " -compact
7360	.It Ar Protocol	7316	.It Ar Protocol
7361	This is the protocol in use: TLSv1 or SSLv3.	7317	This is the protocol in use.
7362	.It Ar Cipher	7318	.It Ar Cipher
7363	The cipher used is the actual raw SSL or TLS cipher code;	7319	The cipher used is the actual raw SSL or TLS cipher code;
7364	see the SSL or TLS specifications for more information.	7320	see the SSL or TLS specifications for more information.