summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@cvs.openbsd.org>2020-04-25 14:03:39 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2020-04-25 14:03:39 +0000
commit25e33b4bf343347caf28913e07798c39396200a5 (patch)
treee0dd8f057131385d8c27a443c805bb0f6f4aa16b
parentbdc038f935db8e43e14875e7ec36e4e15289cb87 (diff)
Move unsupported, obsolete ciphers and deprecated aliases out of
the main list of words to make it more readable, even though it remains long. Avoid using deprecated aliases in explanations what other words mean. Stop documenting aDSS because it is *both* a deprecated alias *and* no longer matches anything at all. General direction discussed with jsing@ some time ago.
-rw-r--r--lib/libssl/man/SSL_CTX_set_cipher_list.360
1 files changed, 29 insertions, 31 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/lib/libssl/man/SSL_CTX_set_cipher_list.3
index c88388fb6f3..95f22b1d64e 100644
--- a/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.14 2020/04/25 13:50:05 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.15 2020/04/25 14:03:38 schwarze Exp $
.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file is a derived work.
@@ -157,17 +157,14 @@ is selected.
Cipher suites using ephemeral DH for key exchange
without doing any server authentication.
Equivalent to
-.Cm kEDH Ns + Ns Cm aNULL .
-.It Cm aDSS
-Cipher suites using DSS server authentication.
-LibreSSL no longer provides any such cipher suites.
+.Cm DH Ns + Ns Cm aNULL .
.It Cm AEAD
Cipher suites using Authenticated Encryption with Additional Data.
.It Cm AECDH
Cipher suites using ephemeral ECDH for key exchange
without doing any server authentication.
Equivalent to
-.Cm kEECDH Ns + Ns Cm aNULL .
+.Cm ECDH Ns + Ns Cm aNULL .
.It Cm aECDSA
Cipher suites using ECDSA server authentication.
.It Cm AES
@@ -216,45 +213,31 @@ Currently similar to
except for the order of the cipher suites which are
.Em not
selected.
-.It Cm DES
-Cipher suites using single DES for symmetric encryption.
-LibreSSL no longer provides any such cipher suites.
.It Cm 3DES
Cipher suites using triple DES for symmetric encryption.
.It Cm DH
-An alias for
-.Cm kEDH .
+Cipher suites using ephemeral DH for key exchange.
.It Cm DHE
Cipher suites using ephemeral DH for key exchange,
but excluding those that don't do any server authentication.
Similar to
-.Cm kEDH Ns :! Ns Cm aNULL
+.Cm DH Ns :! Ns Cm aNULL
except for the order of the cipher suites which are
.Em not
selected.
-.It Cm DSS
-An alias for
-.Cm aDSS .
.It Cm ECDH
-An alias for
-.Cm kEECDH .
+Cipher suites using ephemeral ECDH for key exchange.
.It Cm ECDHE
Cipher suites using ephemeral ECDH for key exchange,
but excluding those that don't do any server authentication.
Similar to
-.Cm kEECDH Ns :! Ns Cm aNULL
+.Cm ECDH Ns :! Ns Cm aNULL
except for the order of the cipher suites which are
.Em not
selected.
.It Cm ECDSA
An alias for
.Cm aECDSA .
-.It Cm EDH
-An alias for
-.Cm DHE .
-.It Cm EECDH
-An alias for
-.Cm ECDHE .
.It Cm eNULL
Cipher suites that do not use any encryption.
Not enabled by
@@ -269,13 +252,6 @@ Cipher suites using HMAC based on GOST R 34.11-94
for message authentication.
.It Cm HIGH
Cipher suites of high strength.
-.It Cm IDEA
-Cipher suites using IDEA for symmetric encryption.
-LibreSSL does not provide any such cipher suites.
-.It Cm kEDH
-Cipher suites using ephemeral DH for key exchange.
-.It Cm kEECDH
-Cipher suites using ephemeral ECDH for key exchange.
.It Cm kGOST
Cipher suites using VKO 34.10 key exchange, specified in RFC 4357.
.It Cm kRSA
@@ -329,6 +305,28 @@ The full words returned by the
.Cm ciphers
command can be used to select individual cipher suites.
.Pp
+The following words do not match anything because
+LibreSSL no longer provides any such cipher suites:
+.Pp
+.Bl -tag -width Ds -compact
+.It Cm DES
+Cipher suites using single DES for symmetric encryption.
+.It Cm DSS
+Cipher suites using DSS server authentication.
+.It Cm IDEA
+Cipher suites using IDEA for symmetric encryption.
+.El
+.Pp
+The following are deprecated aliases:
+.Pp
+.Bl -column kEECDH ECDHE -compact -offset indent
+.It avoid: Ta use:
+.It Cm EDH Ta Cm DHE
+.It Cm EECDH Ta Cm ECDHE
+.It Cm kEDH Ta Cm DH
+.It Cm kEECDH Ta Cm ECDH
+.El
+.Pp
Unknown words are silently ignored, selecting no cipher suites.
Failure is only flagged if the
.Fa control