From eb8dd9dca1228af0cd132f515509051ecfabf6f6 Mon Sep 17 00:00:00 2001
From: cvs2svn <admin@example.com>
Date: Mon, 14 Apr 2025 17:32:06 +0000
Subject: This commit was manufactured by cvs2git to create tag 'tb_20250414'.

---
 src/lib/libssl/man/SSL_CTX_set_options.3 | 374 -------------------------------
 1 file changed, 374 deletions(-)
 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_options.3

(limited to 'src/lib/libssl/man/SSL_CTX_set_options.3')

diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
deleted file mode 100644
index 5df0b07785..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ /dev/null
@@ -1,374 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
-.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
-.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
-.\" Bodo Moeller <bodo@openssl.org>, and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2001-2003, 2005, 2007, 2009, 2010, 2013-2015
-.\" The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt SSL_CTX_SET_OPTIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_options ,
-.Nm SSL_set_options ,
-.Nm SSL_CTX_clear_options ,
-.Nm SSL_clear_options ,
-.Nm SSL_CTX_get_options ,
-.Nm SSL_get_options ,
-.Nm SSL_get_secure_renegotiation_support
-.Nd manipulate SSL options
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_set_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_clear_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_get_options "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_options "SSL *ssl"
-.Ft long
-.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_CTX_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-.Pp
-.Fn SSL_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_options
-returns the options set for
-.Fa ctx .
-.Pp
-.Fn SSL_get_options
-returns the options set for
-.Fa ssl .
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-indicates whether the peer supports secure renegotiation.
-.Pp
-All these functions are implemented using macros.
-.Pp
-The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise OR
-operation (|).
-.Pp
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-affect the (external) protocol behaviour of the SSL library.
-The (internal) behaviour of the API can be changed by using the similar
-.Xr SSL_CTX_set_mode 3
-and
-.Xr SSL_set_mode 3
-functions.
-.Pp
-During a handshake, the option settings of the SSL object are used.
-When a new SSL object is created from a context using
-.Xr SSL_new 3 ,
-the current option setting is copied.
-Changes to
-.Fa ctx
-do not affect already created
-.Vt SSL
-objects.
-.Fn SSL_clear
-does not affect the settings.
-.Pp
-The following
-.Em bug workaround
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-Disables a countermeasure against a TLS 1.0 protocol vulnerability
-affecting CBC ciphers, which cannot be handled by some broken SSL
-implementations.
-This option has no effect for connections using other ciphers.
-.It Dv SSL_OP_ALL
-This is currently an alias for
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.El
-.Pp
-It is usually safe to use
-.Dv SSL_OP_ALL
-to enable the bug workaround options if compatibility with somewhat broken
-implementations is desired.
-.Pp
-The following
-.Em modifying
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
-When choosing a cipher, use the server's preferences instead of the client
-preferences.
-When not set, the server will always follow the client's preferences.
-When set, the server will choose following its own preferences.
-.It Dv SSL_OP_COOKIE_EXCHANGE
-Turn on Cookie Exchange as described in RFC 4347 Section 4.2.1.
-Only affects DTLS connections.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
-.It Dv SSL_OP_NO_DTLSv1
-Do not use the DTLSv1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_DTLSv1_2
-Do not use the DTLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_QUERY_MTU
-Do not query the MTU.
-Only affects DTLS connections.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers using TLSv1.2 and earlier will, where possible,
-transparently make use of
-RFC 5077 tickets for stateless session resumption.
-.Pp
-If this option is set, this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_NO_TLSv1
-Do not use the TLSv1.0 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_1
-Do not use the TLSv1.1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_2
-Do not use the TLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_max_proto_version 3
-instead.
-.El
-.Pp
-The following options used to be supported at some point in the past
-and no longer have any effect:
-.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
-.Dv SSL_OP_EPHEMERAL_RSA ,
-.Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ,
-.Dv SSL_OP_MICROSOFT_SESS_ID_BUG ,
-.Dv SSL_OP_NETSCAPE_CA_DN_BUG ,
-.Dv SSL_OP_NETSCAPE_CHALLENGE_BUG ,
-.Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NO_COMPRESSION ,
-.Dv SSL_OP_NO_SSLv2 ,
-.Dv SSL_OP_NO_SSLv3 ,
-.Dv SSL_OP_PKCS1_CHECK_1 ,
-.Dv SSL_OP_PKCS1_CHECK_2 ,
-.Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG ,
-.Dv SSL_OP_SINGLE_DH_USE ,
-.Dv SSL_OP_SINGLE_ECDH_USE ,
-.Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG ,
-.Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ,
-.Dv SSL_OP_TLS_BLOCK_PADDING_BUG ,
-.Dv SSL_OP_TLS_D5_BUG ,
-.Dv SSL_OP_TLS_ROLLBACK_BUG ,
-.Dv SSL_OP_TLSEXT_PADDING .
-.Sh SECURE RENEGOTIATION
-OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in RFC 5746.
-This counters the prefix attack described in CVE-2009-3555 and elsewhere.
-.Pp
-This attack has far-reaching consequences which application writers should be
-aware of.
-In the description below an implementation supporting secure renegotiation is
-referred to as
-.Dq patched .
-A server not supporting secure
-renegotiation is referred to as
-.Dq unpatched .
-.Pp
-The following sections describe the operations permitted by OpenSSL's secure
-renegotiation implementation.
-.Ss Patched client and server
-Connections and renegotiation are always permitted by OpenSSL implementations.
-.Ss Unpatched client and patched OpenSSL server
-The initial connection succeeds but client renegotiation is denied by the
-server with a
-.Em no_renegotiation
-warning alert.
-.Pp
-If the patched OpenSSL server attempts to renegotiate, a fatal
-.Em handshake_failure
-alert is sent.
-This is because the server code may be unaware of the unpatched nature of the
-client.
-.Pp
-Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which
-are unpatched) will result in the connection hanging if it receives a
-.Em no_renegotiation
-alert.
-OpenSSL versions 0.9.8m and later will regard a
-.Em no_renegotiation
-alert as fatal and respond with a fatal
-.Em handshake_failure
-alert.
-This is because the OpenSSL API currently has no provision to indicate to an
-application that a renegotiation attempt was refused.
-.Ss Patched OpenSSL client and unpatched server
-If the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is set then initial connections and renegotiation between patched OpenSSL
-clients and unpatched servers succeeds.
-If neither option is set then initial connections to unpatched servers will
-fail.
-.Pp
-The option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is currently set by default even though it has security implications:
-otherwise it would be impossible to connect to unpatched servers (i.e., all of
-them initially) and this is clearly not acceptable.
-Renegotiation is permitted because this does not add any additional security
-issues: during an attack clients do not see any renegotiations anyway.
-.Pp
-As more servers become patched, the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-will
-.Em not
-be set by default in a future version of OpenSSL.
-.Pp
-OpenSSL client applications wishing to ensure they can connect to unpatched
-servers should always
-.Em set
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.Pp
-OpenSSL client applications that want to ensure they can
-.Em not
-connect to unpatched servers (and thus avoid any security issues) should always
-.Em clear
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-using
-.Fn SSL_CTX_clear_options
-or
-.Fn SSL_clear_options .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-return the new options bitmask after adding
-.Fa options .
-.Pp
-.Fn SSL_CTX_clear_options
-and
-.Fn SSL_clear_options
-return the new options bitmask after clearing
-.Fa options .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-return the current bitmask.
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-returns 1 is the peer supports secure renegotiation and 0 if it does not.
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_clear_options ,
-.Fn SSL_clear_options ,
-and
-.Fn SSL_get_secure_renegotiation_support
-first appeared in OpenSSL 0.9.8m and have been available since
-.Ox 4.9 .
-- 
cgit v1.2.3-55-g6feb