author Ingo Schwarze <schwarze@cvs.openbsd.org> 2020-04-11 14:02:00 +0000
committer Ingo Schwarze <schwarze@cvs.openbsd.org> 2020-04-11 14:02:00 +0000
commit 25e270af9d46c868c807cbf1ac8ad20c29de58b6
tree ee374639339915514cef041a3196cd75c154b33f
parent e898bd847ecd67ee129cfc1680cde0141bd604e1
Document the TLSv1.3 control word, update the description of the
TLSv1 control word, and explain how TLSv1.3 cipher suites can be configured in LibreSSL and in OpenSSL. While here, also mention how users can inspect the DEFAULT list of cipher suites. Stimulus, feedback and OK from jsing@.
-rw-r--r-- lib/libssl/man/SSL_CTX_set_cipher_list.3 34
1 files changed, 30 insertions, 4 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/lib/libssl/man/SSL_CTX_set_cipher_list.3
index bf1cb5ed509..a41b680c23d 100644
--- a/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.10 2019/12/19 20:23:25 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.11 2020/04/11 14:01:59 schwarze Exp $
.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 19 2019 $
+.Dd $Mdocdate: April 11 2020 $
.Dt SSL_CTX_SET_CIPHER_LIST 3
.Os
.Sh NAME
@@ -134,6 +134,12 @@ An alias for
.Cm ALL No :! Cm aNULL No :! Cm eNULL .
.Sm on
It can only be used as the first word.
+The
+.Cm DEFAULT
+cipher list can be displayed with the
+.Xr openssl 1
+.Cm ciphers
+command.
.It Cm @STRENGTH
Sort the list by decreasing encryption strength,
preserving the order of cipher suites that have the same strength.
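Review bot: The sentence added after "It can only be used as the first word." names the openssl(1) ciphers command but not how to use it for this purpose. Consider saying that the word DEFAULT is given to that command as the cipher list to expand, or pointing to the relevant part of openssl(1), so that a reader auditing which suites a DEFAULT-based control string enables does not have to guess at the invocation.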
@@ -316,9 +322,18 @@ An alias for
.It Cm STREEBOG256
Cipher suites using STREEBOG256 for message authentication.
.It Cm TLSv1
-Cipher suites usable with any TLS protocol.
+Cipher suites usable with the TLSv1.0, TLSv1.1, and TLSv1.2 protocols.
.It Cm TLSv1.2
Cipher suites for the TLSv1.2 protocol.
+.It Cm TLSv1.3
+Cipher suites for the TLSv1.3 protocol.
+If the
+.Fa control
+string neither contains the word
+.Cm TLSv1.3
+nor specifically includes nor excludes any TLSv1.3 cipher suites, all the
+.Cm TLSv1.3
+cipher suites are made available.
.El
.Pp
The full words returned by the
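Review bot: In the new TLSv1.3 entry, "neither contains the word TLSv1.3 nor specifically includes nor excludes any TLSv1.3 cipher suites" chains three negated conditions and only describes the fallback case. Suggest splitting it into two sentences: first what happens when the control string does name TLSv1.3 or individual TLSv1.3 suites, then the fallback that all TLSv1.3 suites are made available. The fallback is the part worth stating plainly, because a control string written only to restrict older protocols leaves every TLSv1.3 suite enabled.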
@@ -371,3 +386,14 @@ and
.Fn SSL_set_cipher_list
first appeared in SSLeay 0.5.2 and have been available since
.Ox 2.4 .
+.Sh CAVEATS
+In LibreSSL,
+.Fn SSL_CTX_set_cipher_list
+and
+.Fn SSL_set_cipher_list
+can be used to configure the list of available cipher suites for
+all versions of the TLS protocol, whereas in OpenSSL, they only
+control cipher suites for protocols up to TLSv1.2.
+If compatibility with OpenSSL is required, the list of
+available TLSv1.3 cipher suites can only be changed with
+.Fn SSL_set_ciphersuites .
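Review bot: The last sentence of the new CAVEATS section names only SSL_set_ciphersuites, while the paragraph opens with both SSL_CTX_set_cipher_list and SSL_set_cipher_list. If a context-level counterpart is meant as well, name it here; if not, say why only the per-connection function applies. It would also help to state explicitly what a control string containing TLSv1.3 words does under OpenSSL, since "they only control cipher suites for protocols up to TLSv1.2" leaves open whether such words are ignored or rejected, and portable callers need to know which.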