From b2bc17032b7c138b1775ced5dafe9635bc29b99c Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 18 Jan 2025 10:45:12 +0000
Subject: Stop mentioning DSA/DSS

Support for this went away in 2017, but a few things still mentioned DSA in various contexts. Replace DSA with ECDSA where appropriate and otherwise delete this. It won't work.

ok jsing
---
 src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 | 6 +++---
 src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 | 6 +++---
 src/lib/libssl/man/SSL_CTX_set_cipher_list.3 | 10 ++--------
 src/lib/libssl/man/SSL_CTX_set_security_level.3 | 6 +++---
 src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 | 5 ++---
 src/lib/libssl/man/SSL_CTX_use_certificate.3 | 6 +++---
 6 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
index 1f60bad142..86eb27a523 100644
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 5 2019 $
+.Dd $Mdocdate: January 18 2025 $
 .Dt SSL_CTX_ADD1_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -203,7 +203,7 @@ in the parent
 .Vt SSL_CTX .
 .Pp
 One chain can be set for each key type supported by a server.
-So, for example, an RSA and a DSA certificate can (and often will) have
+So, for example, an RSA and an ECDSA certificate can have
 different chains.
 .Pp
 If any certificates are added using these functions, no certificates
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index 4c731309e4..b9694b0cbc 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.7 2020/01/02 09:09:16 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 2 2020 $
+.Dd $Mdocdate: January 18 2025 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -152,7 +152,7 @@ Only one set of extra chain certificates can be specified per
 structure using
 .Fn SSL_CTX_add_extra_chain_cert .
 Different chains for different certificates (for example if both
-RSA and DSA certificates are specified by the same server) or
+RSA and ECDSA certificates are specified by the same server) or
 different SSL structures with the same parent
 .Vt SSL_CTX
 require using the functions documented in
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index 9d24e00880..0d89bdc919 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.16 2022/12/11 20:53:27 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.17 2025/01/18 10:45:12 tb Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 11 2022 $
+.Dd $Mdocdate: January 18 2025 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -317,8 +317,6 @@ LibreSSL no longer provides any such cipher suites: .Bl -tag -width Ds -compact .It Cm DES Cipher suites using single DES for symmetric encryption. -.It Cm DSS -Cipher suites using DSS server authentication. .It Cm IDEA Cipher suites using IDEA for symmetric encryption. .El @@ -350,10 +348,6 @@ RSA ciphers using DHE need a certificate and key and additional DH-parameters (see .Xr SSL_CTX_set_tmp_dh_callback 3 ) . .Pp -A DSA cipher can only be chosen when a DSA certificate is available. -DSA ciphers always use DH key exchange and therefore need DH-parameters (see -.Xr SSL_CTX_set_tmp_dh_callback 3 ) . -.Pp When these conditions are not met for any cipher suite in the list (for example, a client only supports export RSA ciphers with an asymmetric key length of 512 diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3 index 529352cf0f..89adb3d65d 100644 --- a/src/lib/libssl/man/SSL_CTX_set_security_level.3 +++ b/src/lib/libssl/man/SSL_CTX_set_security_level.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.1 2022/07/13 20:52:36 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $ .\" .\" Copyright (c) 2022 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 13 2022 $ +.Dd $Mdocdate: January 18 2025 $ .Dt SSL_CTX_SET_SECURITY_LEVEL 3 .Os .Sh NAME @@ -78,7 +78,7 @@ See SP800-57 below .Sx SEE ALSO for details on individual algorithms. .It RSA -The minimum key length in bits for the RSA, DSA, and DH algorithms. +The minimum key length in bits for the RSA and DH algorithms. .It ECC The minimum key length in bits for ECC algorithms. .It TLS diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 index 8be504d3b3..c6f5253431 100644 
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.10 2022/03/31 17:27:18 naddy Exp $ +.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $ .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file was written by Lutz Jaenicke . @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 31 2022 $ +.Dd $Mdocdate: January 18 2025 $ .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3 .Os .Sh NAME @@ -104,7 +104,6 @@ These functions apply to SSL/TLS servers only. .Pp When using a cipher with RSA authentication, an ephemeral DH key exchange can take place. -Ciphers with DSA keys always use ephemeral DH keys as well. In these cases, the session data are negotiated using the ephemeral/temporary DH key and the key supplied and certified by the certificate chain is only used for signing. diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3 index fac1245f1c..c88a6971b2 100644 --- a/src/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.16 2021/03/31 16:53:30 tb Exp $ +.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $ .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100 .\" @@ -50,7 +50,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 31 2021 $ +.Dd $Mdocdate: January 18 2025 $ .Dt SSL_CTX_USE_CERTIFICATE 3 .Os .Sh NAME 
@@ -315,7 +315,7 @@ It compares the key components and parameters of an OpenSSL private key with the corresponding certificate loaded into .Fa ctx . -If more than one key/certificate pair (RSA/DSA) is installed, +If more than one key/certificate pair (RSA/ECDSA) is installed, the last item installed will be compared. If, e.g., the last item was an RSA certificate or key, the RSA key/certificate pair will be checked. -- cgit v1.2.3-55-g6feb