author    Jason McIntyre <jmc@cvs.openbsd.org>  2016-02-08 19:29:59 +0000
committer Jason McIntyre <jmc@cvs.openbsd.org>  2016-02-08 19:29:59 +0000
commit    37a4f4cbbf19316f52aaf8e1902760ed995c2a86 (patch)
tree      7afaaaa7d229e168b647ba77f3896199c0623271
parent    15f2988e12abedee671ca5274a44333e8c672ab8 (diff)
sslv3 has been removed;
prompted by a mail from jiri navratil help/ok sthen
-rw-r--r--  share/man/man8/ssl.8        | 11
-rw-r--r--  usr.bin/openssl/openssl.1   | 37
2 files changed, 26 insertions, 22 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8
index fb08857d611..c3af58157ed 100644
--- a/share/man/man8/ssl.8
+++ b/share/man/man8/ssl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.8,v 1.62 2014/11/22 18:06:35 deraadt Exp $
+.\" $OpenBSD: ssl.8,v 1.63 2016/02/08 19:29:58 jmc Exp $
.\"
.\" Copyright (c) 1999 Theo de Raadt, Bob Beck
.\" All rights reserved.
@@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 22 2014 $
+.Dd $Mdocdate: February 8 2016 $
.Dt SSL 8
.Os
.Sh NAME
@@ -35,9 +35,8 @@ the OpenSSL libssl and libcrypto libraries.
This document is intended as an overview of what the libraries do,
and what uses them.
.Pp
-The SSL libraries (libssl and libcrypto) implement the SSL version 3
-and TLS version 1 protocols.
-SSL and TLS are most commonly used by the HTTPS protocol for encrypted
+The libssl and libcrypto libraries implement the TLS version 1 protocol.
+It is most commonly used by the HTTPS protocol for encrypted
web transactions, as can be done with
.Xr httpd 8 .
The libcrypto library is also used by various programs such as
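Review bot: "the TLS version 1 protocol" on the added line is ambiguous now that the openssl.1 part of this same commit documents TLS 1.0, 1.1 and 1.2 as separately selectable (-tls1, -tls1_1, -tls1_2); suggest "the TLS protocol (versions 1.0 through 1.2)" or simply "the TLS protocol". The following "It is most commonly used" also reads better as "TLS is most commonly used", since the old sentence named the protocols explicitly.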
@@ -46,7 +45,7 @@ The libcrypto library is also used by various programs such as
and
.Xr isakmpd 8 .
.Sh SERVER CERTIFICATES
-The most common uses of SSL/TLS will require you to generate a server
+The most common uses of TLS will require you to generate a server
certificate, which is provided by your host as evidence of its identity
when clients make new connections.
The certificates reside in the
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index c6cca39cd76..6d3775181cf 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.30 2015/12/24 16:54:37 mmcc Exp $
+.\" $OpenBSD: openssl.1,v 1.31 2016/02/08 19:29:57 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -112,7 +112,7 @@
.\"
.\" OPENSSL
.\"
-.Dd $Mdocdate: December 24 2015 $
+.Dd $Mdocdate: February 8 2016 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -137,11 +137,11 @@
.Op Ar arbitrary options
.Sh DESCRIPTION
.Nm OpenSSL
-is a cryptography toolkit implementing the Secure Sockets Layer
-.Pq SSL v3
-and Transport Layer Security
+is a cryptography toolkit implementing the
+Transport Layer Security
.Pq TLS v1
-network protocols and related cryptography standards required by them.
+network protocol,
+as well as related cryptography standards.
.Pp
The
.Nm
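Review bot: the parenthetical ".Pq TLS v1" kept here has the same ambiguity as the ssl.8 change: s_client and s_server in this file now distinguish TLS 1.0, 1.1 and 1.2, so "TLS v1" suggests only the first of them. Suggest ".Pq TLS versions 1.0 through 1.2" or dropping the parenthetical altogether.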
@@ -6215,6 +6215,8 @@ which it can be seen agrees with the recovered value above.
.Op Fl starttls Ar protocol
.Op Fl state
.Op Fl tls1
+.Op Fl tls1_1
+.Op Fl tls1_2
.Op Fl tlsextdebug
.Op Fl verify Ar depth
.Op Fl x509_strict
@@ -6313,16 +6315,13 @@ Show all protocol messages with hex dump.
Turns on non-blocking I/O.
.It Fl nbio_test
Tests non-blocking I/O.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
-These options disable the use of certain SSL or TLS protocols.
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2
By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3 or TLS as appropriate.
+with servers supporting any version of TLS.
+These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
.Pp
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect.
-Some servers only work if TLS is turned off with the
-.Fl no_tls
-option.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
.It Fl pause
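Review bot: with the "Some servers only work if TLS is turned off with the -no_tls option" sentence removed, the retained paragraph "Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect." now states a problem without any remedy; either drop that paragraph as well or end it by pointing at the -tls1, -tls1_1 and -tls1_2 options this commit adds below, which are the remaining way to pin a single version for such a server. Minor: the new line writes "TLS1.0, 1.1, and 1.2"; "TLS 1.0, 1.1, and 1.2" with a space is the usual spelling and should be used consistently in the s_server copy of this text too.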
@@ -6387,6 +6386,8 @@ and
.Qq xmpp .
.It Fl state
Prints out the SSL session states.
+.It Fl tls1 | tls1_1 | tls1_2
+Permit only TLS1.0, 1.1, or 1.2, respectively.
.It Fl tlsextdebug
Print out a hex dump of any TLS extensions received from the server.
.It Fl verify Ar depth
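Review bot: the new "-tls1 | tls1_1 | tls1_2" entry should cross-reference the "-no_tls1 | no_tls1_1 | no_tls1_2" entry above, since the two are the positive and negative forms of the same version selection and a reader landing on one will want the other; the same "TLS1.0" spacing nit applies here ("TLS 1.0, 1.1, or 1.2").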
@@ -6435,7 +6436,7 @@ to retrieve a web page.
.Pp
If the handshake fails, there are several possible causes; if it is
nothing obvious like no client certificate, then the
-.Fl bugs , tls1 , no_tls1 , no_tls1_1 ,
+.Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 ,
and
.Fl no_tls1_2
options can be tried in case it is a buggy server.
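Review bot: missing space before the comma in "tls1_1," on the added line. The other arguments are written "tls1 ," and "tls1_2 ," so that mdoc treats the comma as trailing punctuation instead of part of the flag name; as written the comma will be rendered as part of "-tls1_1". Should read ".Fl bugs , tls1 , tls1_1 , tls1_2 , no_tls1 , no_tls1_1 ,".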
@@ -6524,6 +6525,8 @@ We should really report information whenever a session is renegotiated.
.Op Fl serverpref
.Op Fl state
.Op Fl tls1
+.Op Fl tls1_1
+.Op Fl tls1_2
.Op Fl Verify Ar depth
.Op Fl verify Ar depth
.Op Fl WWW
@@ -6654,10 +6657,10 @@ Tests non-blocking I/O.
.It Fl no_dhe
If this option is set, no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1
-These options disable the use of certain SSL or TLS protocols.
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2
By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3 or TLS as appropriate.
+with servers supporting any version of TLS.
+These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
.It Fl no_tmp_rsa
Certain export cipher suites sometimes use a temporary RSA key; this option
disables temporary RSA key generation.
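Review bot: this is the s_server section, yet the rewritten line says the default handshake method is "compatible with servers supporting any version of TLS"; for a server the peers are clients. The old text had the same slip ("all servers"), but since the line is being rewritten anyway, suggest "with clients supporting any version of TLS" here, and the "TLS 1.0, 1.1, and 1.2" spacing as in the s_client copy.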
@@ -6681,6 +6684,8 @@ Inhibit printing of session and certificate information.
Use server's cipher preferences.
.It Fl state
Prints out the SSL session states.
+.It Fl tls1 | tls1_1 | tls1_2
+Permit only TLS1.0, 1.1, or 1.2, respectively.
.It Fl WWW
Emulates a simple web server.
Pages will be resolved relative to the current directory;