1 files changed, 164 insertions, 54 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index 872d302b24..ee60f2a9f8 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,34 +1,127 @@
+.\"     $OpenBSD: SSL_CTX_new.3,v 1.2 2016/11/30 15:48:53 schwarze Exp $
+.\"     OpenSSL 21cd6e00 Aug 17 15:21:33 2015 -0400
 .\"
-.\"     $OpenBSD: SSL_CTX_new.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
+.\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project.
+.\" All rights reserved.
 .\"
-.Dd $Mdocdate: November 5 2016 $
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_new ,
-.Nm SSLv3_method ,
+.Nm TLS_method ,
-.Nm SSLv3_server_method ,
+.Nm TLS_server_method ,
-.Nm SSLv3_client_method ,
+.Nm TLS_client_method ,
+.Nm SSLv23_method ,
+.Nm SSLv23_server_method ,
+.Nm SSLv23_client_method ,
 .Nm TLSv1_method ,
 .Nm TLSv1_server_method ,
 .Nm TLSv1_client_method ,
 .Nm TLSv1_1_method ,
 .Nm TLSv1_1_server_method ,
 .Nm TLSv1_1_client_method ,
-.Nm SSLv23_method ,
+.Nm TLSv1_2_method ,
-.Nm SSLv23_server_method ,
+.Nm TLSv1_2_server_method ,
-.Nm SSLv23_client_method
+.Nm TLSv1_2_client_method ,
+.Nm DTLSv1_method ,
+.Nm DTLSv1_server_method ,
+.Nm DTLSv1_client_method
 .Nd create a new SSL_CTX object as framework for TLS/SSL enabled functions
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_CTX_new "const SSL_METHOD *method"
+.Ft const SSL_METHOD *
+.Fn TLS_method void
+.Ft const SSL_METHOD *
+.Fn TLS_server_method void
+.Ft const SSL_METHOD *
+.Fn TLS_client_method void
+.Ft const SSL_METHOD *
+.Fn SSLv23_method void
+.Ft const SSL_METHOD *
+.Fn SSLv23_server_method void
+.Ft const SSL_METHOD *
+.Fn SSLv23_client_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_server_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_client_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_1_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_1_server_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_1_client_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_2_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_2_server_method void
+.Ft const SSL_METHOD *
+.Fn TLSv1_2_client_method void
+.Ft const SSL_METHOD *
+.Fn DTLSv1_method void
+.Ft const SSL_METHOD *
+.Fn DTLSv1_server_method void
+.Ft const SSL_METHOD *
+.Fn DTLSv1_client_method void
 .Sh DESCRIPTION
 .Fn SSL_CTX_new
 creates a new
 .Vt SSL_CTX
-object as framework to establish TLS/SSL enabled connections.
+object as framework to establish TLS/SSL or DTLS enabled connections.
-.Sh NOTES
+It initializes the list of ciphers, the session cache setting, the
+callbacks, the keys and certificates, and the options to its default
+values.
+.Pp
 The
 .Vt SSL_CTX
 object uses
@@ -39,58 +132,75 @@ a server only type, and a client only type.
 .Fa method
 can be of the following types:
 .Bl -tag -width Ds
-.It Fn SSLv3_method void , Fn SSLv3_server_method void , \
+.It Xo
-Fn SSLv3_client_method void
+.Fn TLS_method ,
-A TLS/SSL connection established with these methods will only understand the
+.Fn TLS_server_method ,
-SSLv3 protocol.
+.Fn TLS_client_method
-A client will send out SSLv3 client hello messages and will indicate that it
+.Xc
-only understands SSLv3.
+These are the general-purpose version-flexible SSL/TLS methods.
-A server will only understand SSLv3 client hello messages.
+The actual protocol version used will be negotiated to the highest
-Importantly, this means that it will not understand SSLv2 client hello messages
+version mutually supported by the client and the server.
-which are widely used for compatibility reasons; see
+The supported protocols are TLSv1, TLSv1.1 and TLSv1.2.
-.Fn SSLv23_*_method .
+Applications should use these methods and avoid the version-specific
-.It Fn TLSv1_method void , Fn TLSv1_server_method void , \
+methods described below.
-Fn TLSv1_client_method void
+.It Xo
-A TLS/SSL connection established with these methods will only understand the
+.Fn SSLv23_method ,
-TLSv1 protocol.
+.Fn SSLv23_server_method ,
-A client will send out TLSv1 client hello messages and will indicate that it
+.Fn SSLv23_client_method
-only understands TLSv1.
+.Xc
-A server will only understand TLSv1 client hello messages.
+Use of these functions is deprecated.
-Importantly, this means that it will not understand SSLv2 client hello messages
+They have been replaced with the above
-which are widely used for compatibility reasons; see
+.Fn TLS_method ,
-.Fn SSLv23_*_method .
+.Fn TLS_server_method ,
-It will also not understand SSLv3 client hello messages.
+and
-.It Fn SSLv23_method void , Fn SSLv23_server_method void , \
+.Fn TLS_client_method ,
-Fn SSLv23_client_method void
+respectively.
-A TLS/SSL connection established with these methods may understand the SSLv3,
+New code should use those functions instead.
-TLSv1, TLSv1.1 and TLSv1.2 protocols.
+.It Xo
-.Pp
+.Fn TLSv1_method ,
-A client will send out TLSv1 client hello messages including extensions and
+.Fn TLSv1_server_method ,
-will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback
+.Fn TLSv1_client_method
-to SSLv3.
+.Xc
-A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+A TLS/SSL connection established with these methods will only
-This is the best choice when compatibility is a concern.
+understand the TLSv1 protocol.
+.It Xo
+.Fn TLSv1_1_method ,
+.Fn TLSv1_1_server_method ,
+.Fn TLSv1_1_client_method
+.Xc
+A TLS/SSL connection established with these methods will only
+understand the TLSv1.1 protocol.
+.It Xo
+.Fn TLSv1_2_method ,
+.Fn TLSv1_2_server_method ,
+.Fn TLSv1_2_client_method
+.Xc
+A TLS/SSL connection established with these methods will only
+understand the TLSv1.2 protocol.
+.It Xo
+.Fn DTLSv1_method ,
+.Fn DTLSv1_server_method ,
+.Fn DTLSv1_client_method
+.Xc
+These are the version-specific methods for DTLSv1.
 .El
 .Pp
-The list of protocols available can later be limited using the
+The list of protocols available can also be limited using the
-.Dv SSL_OP_NO_SSLv3 ,
 .Dv SSL_OP_NO_TLSv1 ,
 .Dv SSL_OP_NO_TLSv1_1 ,
 and
 .Dv SSL_OP_NO_TLSv1_2
 options of the
-.Fn SSL_CTX_set_options
+.Xr SSL_CTX_set_options 3
 or
-.Fn SSL_set_options
+.Xr SSL_set_options 3
-functions.
+functions, but this approach is not recommended.
-Using these options it is possible to choose, for example,
+Clients should avoid creating "holes" in the set of protocols they support.
-.Fn SSLv23_server_method
+When disabling a protocol, make sure that you also disable either
-and be able to negotiate with all possible clients,
+all previous or all subsequent protocol versions.
-but to only allow newer protocols like TLSv1, TLSv1.1 or TLS v1.2.
+In clients, when a protocol version is disabled without disabling
-.Pp
+all previous protocol versions, the effect is to also disable all
-.Fn SSL_CTX_new
+subsequent protocol versions.
-initializes the list of ciphers, the session cache setting, the callbacks,
-the keys and certificates, and the options to its default values.
 .Sh RETURN VALUES
 The following return values can occur:
 .Bl -tag -width Ds

diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3 index 872d302b24..ee60f2a9f8 100644 --- a/src/lib/libssl/man/SSL_CTX_new.3 +++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,34 +1,127 @@
		1	.\" $OpenBSD: SSL_CTX_new.3,v 1.2 2016/11/30 15:48:53 schwarze Exp $
		2	.\" OpenSSL 21cd6e00 Aug 17 15:21:33 2015 -0400
1	.\"	3	.\"
2	.\" $OpenBSD: SSL_CTX_new.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
		5	.\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project.
		6	.\" All rights reserved.
3	.\"	7	.\"
4	.Dd $Mdocdate: November 5 2016 $	8	.\" Redistribution and use in source and binary forms, with or without
		9	.\" modification, are permitted provided that the following conditions
		10	.\" are met:
		11	.\"
		12	.\" 1. Redistributions of source code must retain the above copyright
		13	.\" notice, this list of conditions and the following disclaimer.
		14	.\"
		15	.\" 2. Redistributions in binary form must reproduce the above copyright
		16	.\" notice, this list of conditions and the following disclaimer in
		17	.\" the documentation and/or other materials provided with the
		18	.\" distribution.
		19	.\"
		20	.\" 3. All advertising materials mentioning features or use of this
		21	.\" software must display the following acknowledgment:
		22	.\" "This product includes software developed by the OpenSSL Project
		23	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		24	.\"
		25	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		26	.\" endorse or promote products derived from this software without
		27	.\" prior written permission. For written permission, please contact
		28	.\" openssl-core@openssl.org.
		29	.\"
		30	.\" 5. Products derived from this software may not be called "OpenSSL"
		31	.\" nor may "OpenSSL" appear in their names without prior written
		32	.\" permission of the OpenSSL Project.
		33	.\"
		34	.\" 6. Redistributions of any form whatsoever must retain the following
		35	.\" acknowledgment:
		36	.\" "This product includes software developed by the OpenSSL Project
		37	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		38	.\"
		39	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		40	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		41	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		42	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		43	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		44	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		45	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		46	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		47	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		48	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		51	.\"
		52	.Dd $Mdocdate: November 30 2016 $
5	.Dt SSL_CTX_NEW 3	53	.Dt SSL_CTX_NEW 3
6	.Os	54	.Os
7	.Sh NAME	55	.Sh NAME
8	.Nm SSL_CTX_new ,	56	.Nm SSL_CTX_new ,
9	.Nm SSLv3_method ,	57	.Nm TLS_method ,
10	.Nm SSLv3_server_method ,	58	.Nm TLS_server_method ,
11	.Nm SSLv3_client_method ,	59	.Nm TLS_client_method ,
		60	.Nm SSLv23_method ,
		61	.Nm SSLv23_server_method ,
		62	.Nm SSLv23_client_method ,
12	.Nm TLSv1_method ,	63	.Nm TLSv1_method ,
13	.Nm TLSv1_server_method ,	64	.Nm TLSv1_server_method ,
14	.Nm TLSv1_client_method ,	65	.Nm TLSv1_client_method ,
15	.Nm TLSv1_1_method ,	66	.Nm TLSv1_1_method ,
16	.Nm TLSv1_1_server_method ,	67	.Nm TLSv1_1_server_method ,
17	.Nm TLSv1_1_client_method ,	68	.Nm TLSv1_1_client_method ,
18	.Nm SSLv23_method ,	69	.Nm TLSv1_2_method ,
19	.Nm SSLv23_server_method ,	70	.Nm TLSv1_2_server_method ,
20	.Nm SSLv23_client_method	71	.Nm TLSv1_2_client_method ,
		72	.Nm DTLSv1_method ,
		73	.Nm DTLSv1_server_method ,
		74	.Nm DTLSv1_client_method
21	.Nd create a new SSL_CTX object as framework for TLS/SSL enabled functions	75	.Nd create a new SSL_CTX object as framework for TLS/SSL enabled functions
22	.Sh SYNOPSIS	76	.Sh SYNOPSIS
23	.In openssl/ssl.h	77	.In openssl/ssl.h
24	.Ft SSL_CTX *	78	.Ft SSL_CTX *
25	.Fn SSL_CTX_new "const SSL_METHOD *method"	79	.Fn SSL_CTX_new "const SSL_METHOD *method"
		80	.Ft const SSL_METHOD *
		81	.Fn TLS_method void
		82	.Ft const SSL_METHOD *
		83	.Fn TLS_server_method void
		84	.Ft const SSL_METHOD *
		85	.Fn TLS_client_method void
		86	.Ft const SSL_METHOD *
		87	.Fn SSLv23_method void
		88	.Ft const SSL_METHOD *
		89	.Fn SSLv23_server_method void
		90	.Ft const SSL_METHOD *
		91	.Fn SSLv23_client_method void
		92	.Ft const SSL_METHOD *
		93	.Fn TLSv1_method void
		94	.Ft const SSL_METHOD *
		95	.Fn TLSv1_server_method void
		96	.Ft const SSL_METHOD *
		97	.Fn TLSv1_client_method void
		98	.Ft const SSL_METHOD *
		99	.Fn TLSv1_1_method void
		100	.Ft const SSL_METHOD *
		101	.Fn TLSv1_1_server_method void
		102	.Ft const SSL_METHOD *
		103	.Fn TLSv1_1_client_method void
		104	.Ft const SSL_METHOD *
		105	.Fn TLSv1_2_method void
		106	.Ft const SSL_METHOD *
		107	.Fn TLSv1_2_server_method void
		108	.Ft const SSL_METHOD *
		109	.Fn TLSv1_2_client_method void
		110	.Ft const SSL_METHOD *
		111	.Fn DTLSv1_method void
		112	.Ft const SSL_METHOD *
		113	.Fn DTLSv1_server_method void
		114	.Ft const SSL_METHOD *
		115	.Fn DTLSv1_client_method void
26	.Sh DESCRIPTION	116	.Sh DESCRIPTION
27	.Fn SSL_CTX_new	117	.Fn SSL_CTX_new
28	creates a new	118	creates a new
29	.Vt SSL_CTX	119	.Vt SSL_CTX
30	object as framework to establish TLS/SSL enabled connections.	120	object as framework to establish TLS/SSL or DTLS enabled connections.
31	.Sh NOTES	121	It initializes the list of ciphers, the session cache setting, the
		122	callbacks, the keys and certificates, and the options to its default
		123	values.
		124	.Pp
32	The	125	The
33	.Vt SSL_CTX	126	.Vt SSL_CTX
34	object uses	127	object uses
@@ -39,58 +132,75 @@ a server only type, and a client only type.
39	.Fa method	132	.Fa method
40	can be of the following types:	133	can be of the following types:
41	.Bl -tag -width Ds	134	.Bl -tag -width Ds
42	.It Fn SSLv3_method void , Fn SSLv3_server_method void , \	135	.It Xo
43	Fn SSLv3_client_method void	136	.Fn TLS_method ,
44	A TLS/SSL connection established with these methods will only understand the	137	.Fn TLS_server_method ,
45	SSLv3 protocol.	138	.Fn TLS_client_method
46	A client will send out SSLv3 client hello messages and will indicate that it	139	.Xc
47	only understands SSLv3.	140	These are the general-purpose version-flexible SSL/TLS methods.
48	A server will only understand SSLv3 client hello messages.	141	The actual protocol version used will be negotiated to the highest
49	Importantly, this means that it will not understand SSLv2 client hello messages	142	version mutually supported by the client and the server.
50	which are widely used for compatibility reasons; see	143	The supported protocols are TLSv1, TLSv1.1 and TLSv1.2.
51	.Fn SSLv23_*_method .	144	Applications should use these methods and avoid the version-specific
52	.It Fn TLSv1_method void , Fn TLSv1_server_method void , \	145	methods described below.
53	Fn TLSv1_client_method void	146	.It Xo
54	A TLS/SSL connection established with these methods will only understand the	147	.Fn SSLv23_method ,
55	TLSv1 protocol.	148	.Fn SSLv23_server_method ,
56	A client will send out TLSv1 client hello messages and will indicate that it	149	.Fn SSLv23_client_method
57	only understands TLSv1.	150	.Xc
58	A server will only understand TLSv1 client hello messages.	151	Use of these functions is deprecated.
59	Importantly, this means that it will not understand SSLv2 client hello messages	152	They have been replaced with the above
60	which are widely used for compatibility reasons; see	153	.Fn TLS_method ,
61	.Fn SSLv23_*_method .	154	.Fn TLS_server_method ,
62	It will also not understand SSLv3 client hello messages.	155	and
63	.It Fn SSLv23_method void , Fn SSLv23_server_method void , \	156	.Fn TLS_client_method ,
64	Fn SSLv23_client_method void	157	respectively.
65	A TLS/SSL connection established with these methods may understand the SSLv3,	158	New code should use those functions instead.
66	TLSv1, TLSv1.1 and TLSv1.2 protocols.	159	.It Xo
67	.Pp	160	.Fn TLSv1_method ,
68	A client will send out TLSv1 client hello messages including extensions and	161	.Fn TLSv1_server_method ,
69	will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback	162	.Fn TLSv1_client_method
70	to SSLv3.	163	.Xc
71	A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.	164	A TLS/SSL connection established with these methods will only
72	This is the best choice when compatibility is a concern.	165	understand the TLSv1 protocol.
		166	.It Xo
		167	.Fn TLSv1_1_method ,
		168	.Fn TLSv1_1_server_method ,
		169	.Fn TLSv1_1_client_method
		170	.Xc
		171	A TLS/SSL connection established with these methods will only
		172	understand the TLSv1.1 protocol.
		173	.It Xo
		174	.Fn TLSv1_2_method ,
		175	.Fn TLSv1_2_server_method ,
		176	.Fn TLSv1_2_client_method
		177	.Xc
		178	A TLS/SSL connection established with these methods will only
		179	understand the TLSv1.2 protocol.
		180	.It Xo
		181	.Fn DTLSv1_method ,
		182	.Fn DTLSv1_server_method ,
		183	.Fn DTLSv1_client_method
		184	.Xc
		185	These are the version-specific methods for DTLSv1.
73	.El	186	.El
74	.Pp	187	.Pp
75	The list of protocols available can later be limited using the	188	The list of protocols available can also be limited using the
76	.Dv SSL_OP_NO_SSLv3 ,
77	.Dv SSL_OP_NO_TLSv1 ,	189	.Dv SSL_OP_NO_TLSv1 ,
78	.Dv SSL_OP_NO_TLSv1_1 ,	190	.Dv SSL_OP_NO_TLSv1_1 ,
79	and	191	and
80	.Dv SSL_OP_NO_TLSv1_2	192	.Dv SSL_OP_NO_TLSv1_2
81	options of the	193	options of the
82	.Fn SSL_CTX_set_options	194	.Xr SSL_CTX_set_options 3
83	or	195	or
84	.Fn SSL_set_options	196	.Xr SSL_set_options 3
85	functions.	197	functions, but this approach is not recommended.
86	Using these options it is possible to choose, for example,	198	Clients should avoid creating "holes" in the set of protocols they support.
87	.Fn SSLv23_server_method	199	When disabling a protocol, make sure that you also disable either
88	and be able to negotiate with all possible clients,	200	all previous or all subsequent protocol versions.
89	but to only allow newer protocols like TLSv1, TLSv1.1 or TLS v1.2.	201	In clients, when a protocol version is disabled without disabling
90	.Pp	202	all previous protocol versions, the effect is to also disable all
91	.Fn SSL_CTX_new	203	subsequent protocol versions.
92	initializes the list of ciphers, the session cache setting, the callbacks,
93	the keys and certificates, and the options to its default values.
94	.Sh RETURN VALUES	204	.Sh RETURN VALUES
95	The following return values can occur:	205	The following return values can occur:
96	.Bl -tag -width Ds	206	.Bl -tag -width Ds