author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2020-04-25 14:03:39 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2020-04-25 14:03:39 +0000 |
commit | 25e33b4bf343347caf28913e07798c39396200a5 (patch) | |
tree | e0dd8f057131385d8c27a443c805bb0f6f4aa16b | |
parent | bdc038f935db8e43e14875e7ec36e4e15289cb87 (diff) |
Move unsupported, obsolete ciphers and deprecated aliases out of
the main list of words to make it more readable, even though it
remains long.
Avoid using deprecated aliases in explanations of what other words mean.
Stop documenting aDSS because it is *both* a deprecated alias *and*
no longer matches anything at all.
General direction discussed with jsing@ some time ago.
-rw-r--r-- | lib/libssl/man/SSL_CTX_set_cipher_list.3 | 60 |
1 files changed, 29 insertions, 31 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/lib/libssl/man/SSL_CTX_set_cipher_list.3 index c88388fb6f3..95f22b1d64e 100644 --- a/lib/libssl/man/SSL_CTX_set_cipher_list.3 +++ b/lib/libssl/man/SSL_CTX_set_cipher_list.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.14 2020/04/25 13:50:05 schwarze Exp $ +.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.15 2020/04/25 14:03:38 schwarze Exp $ .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 .\" .\" This file is a derived work. @@ -157,17 +157,14 @@ is selected. Cipher suites using ephemeral DH for key exchange without doing any server authentication. Equivalent to -.Cm kEDH Ns + Ns Cm aNULL . -.It Cm aDSS -Cipher suites using DSS server authentication. -LibreSSL no longer provides any such cipher suites. +.Cm DH Ns + Ns Cm aNULL . .It Cm AEAD Cipher suites using Authenticated Encryption with Additional Data. .It Cm AECDH Cipher suites using ephemeral ECDH for key exchange without doing any server authentication. Equivalent to -.Cm kEECDH Ns + Ns Cm aNULL . +.Cm ECDH Ns + Ns Cm aNULL . .It Cm aECDSA Cipher suites using ECDSA server authentication. .It Cm AES 
@@ -216,45 +213,31 @@ Currently similar to except for the order of the cipher suites which are .Em not selected. -.It Cm DES -Cipher suites using single DES for symmetric encryption. -LibreSSL no longer provides any such cipher suites. .It Cm 3DES Cipher suites using triple DES for symmetric encryption. .It Cm DH -An alias for -.Cm kEDH . +Cipher suites using ephemeral DH for key exchange. .It Cm DHE Cipher suites using ephemeral DH for key exchange, but excluding those that don't do any server authentication. Similar to -.Cm kEDH Ns :! Ns Cm aNULL +.Cm DH Ns :! Ns Cm aNULL except for the order of the cipher suites which are .Em not selected. -.It Cm DSS -An alias for -.Cm aDSS . .It Cm ECDH -An alias for -.Cm kEECDH . +Cipher suites using ephemeral ECDH for key exchange. .It Cm ECDHE Cipher suites using ephemeral ECDH for key exchange, but excluding those that don't do any server authentication. Similar to -.Cm kEECDH Ns :! Ns Cm aNULL +.Cm ECDH Ns :! Ns Cm aNULL except for the order of the cipher suites which are .Em not selected. .It Cm ECDSA An alias for .Cm aECDSA . -.It Cm EDH -An alias for -.Cm DHE . -.It Cm EECDH -An alias for -.Cm ECDHE . .It Cm eNULL Cipher suites that do not use any encryption. Not enabled by @@ -269,13 +252,6 @@ Cipher suites using HMAC based on GOST R 34.11-94 for message authentication. .It Cm HIGH Cipher suites of high strength. -.It Cm IDEA -Cipher suites using IDEA for symmetric encryption. -LibreSSL does not provide any such cipher suites. -.It Cm kEDH -Cipher suites using ephemeral DH for key exchange. -.It Cm kEECDH -Cipher suites using ephemeral ECDH for key exchange. .It Cm kGOST Cipher suites using VKO 34.10 key exchange, specified in RFC 4357. .It Cm kRSA 
@@ -329,6 +305,28 @@ The full words returned by the .Cm ciphers command can be used to select individual cipher suites. .Pp +The following words do not match anything because +LibreSSL no longer provides any such cipher suites: +.Pp +.Bl -tag -width Ds -compact +.It Cm DES +Cipher suites using single DES for symmetric encryption. +.It Cm DSS +Cipher suites using DSS server authentication. +.It Cm IDEA +Cipher suites using IDEA for symmetric encryption. +.El +.Pp +The following are deprecated aliases: +.Pp +.Bl -column kEECDH ECDHE -compact -offset indent +.It avoid: Ta use: +.It Cm EDH Ta Cm DHE +.It Cm EECDH Ta Cm ECDHE +.It Cm kEDH Ta Cm DH +.It Cm kEECDH Ta Cm ECDH +.El +.Pp Unknown words are silently ignored, selecting no cipher suites. Failure is only flagged if the .Fa control |
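Review bot: In the hunk at -157,17 the aDSS entry is deleted outright, and the new list of words that match nothing (hunk at -329,6) documents DES, DSS and IDEA but never mentions aDSS. Someone auditing an existing cipher string that contains aDSS will find no entry for it and cannot tell from the page whether it is a typo or a word that selects nothing. Since the removed text defined DSS as "An alias for aDSS", consider keeping the word searchable with a row in the deprecated aliases table, for example ".It Cm aDSS Ta Cm DSS".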
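Review bot: In the hunk at -216,45 the new DH and ECDH entries say only "Cipher suites using ephemeral DH for key exchange" (and the ECDH equivalent) without stating that this includes suites with no server authentication. That only follows from reading the DHE entry ("Similar to DH:!aNULL") together with the ADH entry ("Equivalent to DH+aNULL"). Now that DH and ECDH are primary words rather than aliases, add a sentence to each saying that the anonymous suites are included and pointing to DHE and ECDHE for the authenticated subset.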
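Review bot: The deprecated aliases table added in the hunk at -329,6 has only "avoid:" and "use:" columns and does not say whether the words in the avoid column are still accepted and select the same cipher suites as their replacements. State that explicitly so a reader migrating a cipher string knows the substitution does not change the result. The list of words that "do not match anything" is also followed directly by "Unknown words are silently ignored, selecting no cipher suites"; a short sentence on how DES, DSS and IDEA differ from unknown words, if at all, would avoid readers treating the two cases as the same.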