From fcbddf4e7f38e5e64ebf1df1b6b2c505ba2564fe Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Tue, 27 Feb 2018 17:08:20 +0000 Subject: Mention that SSL_OP_TLSEXT_PADDING no longer has any effect, and correct the description of SSL_OP_ALL. Found by inspecting <openssl/ssl.h>. --- src/lib/libssl/man/SSL_CTX_set_options.3 | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3 index 98c1a6d365..f7445ad7c4 100644 --- a/src/lib/libssl/man/SSL_CTX_set_options.3 +++ b/src/lib/libssl/man/SSL_CTX_set_options.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $ -.\" OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100 +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2018/02/27 17:08:20 schwarze Exp $ +.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100 +.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000 .\" .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>, .\" Bodo Moeller <bodo@openssl.org>, and @@ -51,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: February 27 2018 $ .Dt SSL_CTX_SET_OPTIONS 3 .Os .Sh NAME @@ -154,12 +155,9 @@ Disables a countermeasure against a TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. -.It Dv SSL_OP_TLSEXT_PADDING -Adds a padding extension to ensure the ClientHello size is never between 256 -and 511 bytes in length. -This is needed as a workaround for some implementations. .It Dv SSL_OP_ALL -All of the above bug workarounds. +This is currently an alias for +.Dv SSL_OP_LEGACY_SERVER_CONNECT . .El .Pp It is usually safe to use @@ -237,7 +235,8 @@ and no longer have any effect: .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG , .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG , .Dv SSL_OP_TLS_BLOCK_PADDING_BUG , -.Dv SSL_OP_TLS_D5_BUG . +.Dv SSL_OP_TLS_D5_BUG , +.Dv SSL_OP_TLSEXT_PADDING . .Sh SECURE RENEGOTIATION OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. @@ -268,9 +267,8 @@ alert is sent. This is because the server code may be unaware of the unpatched nature of the client. .Pp -.Em N.B.: -a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will -result in the connection hanging if it receives a +Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which +are unpatched) will result in the connection hanging if it receives a .Em no_renegotiation alert. OpenSSL versions 0.9.8m and later will regard a -- cgit v1.2.3-55-g6feb