remove (hopefully) all traces of sslv2; ok sthen

1 files changed, 23 insertions, 55 deletions

diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1
index 6d6204261d3..80a22c64033 100644
--- a/usr.sbin/openssl/openssl.1
+++ b/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.87 2011/09/29 17:57:09 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.88 2012/07/12 21:33:12 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: September 29 2011 $
+.Dd $Mdocdate: July 12 2012 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -138,7 +138,7 @@
 .Sh DESCRIPTION
 .Nm OpenSSL
 is a cryptography toolkit implementing the Secure Sockets Layer
-.Pq SSL v2/v3
+.Pq SSL v3
 and Transport Layer Security
 .Pq TLS v1
 network protocols and related cryptography standards required by them.
@@ -1411,7 +1411,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hVv
-.Op Fl ssl2 | ssl3 | tls1
+.Op Fl ssl3 | tls1
 .Op Ar cipherlist
 .Pp
 The
@@ -1425,8 +1425,6 @@ The options are as follows:
 .Bl -tag -width Ds
 .It Fl h , \&?
 Print a brief usage message.
-.It Fl ssl2
-Only include SSL v2 ciphers.
 .It Fl ssl3
 Only include SSL v3 ciphers.
 .It Fl tls1
@@ -1438,7 +1436,7 @@ but include cipher suite codes in output (hex format).
 .It Fl v
 Verbose option.
 List ciphers with a complete description of protocol version
-.Pq SSLv2 or SSLv3; the latter includes TLS ,
+.Pq SSLv3, which includes TLS ,
 key exchange, authentication, encryption and mac algorithms used along with
 any key size restrictions and whether the algorithm is classed as an
 .Em export
@@ -1446,8 +1444,7 @@ cipher.
 Note that without the
 .Fl v
 option, ciphers may seem to appear twice in a cipher list;
-this is when similar ciphers are available for
-SSL v2 and for SSL v3/TLS v1.
+this is when similar ciphers are available for SSL v3/TLS v1.
 .It Ar cipherlist
 A cipher list to convert to a cipher preference list.
 If it is not included, the default cipher list will be used.
@@ -1585,8 +1582,8 @@ Cipher suites using ephemeral DH key agreement.
 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
 .It Ar aDSS , DSS
 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1 , SSLv3 , SSLv2
-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively.
+.It Ar TLSv1 , SSLv3
+TLS v1.0 or SSL v3.0 cipher suites, respectively.
 .It Ar DH
 Cipher suites using DH, including anonymous DH.
 .It Ar ADH
@@ -1723,16 +1720,6 @@ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
 TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
 TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
 .Ed
-.Ss SSL v2.0 cipher suites
-.Bd -unfilled -offset indent
-SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
-SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
-SSL_CK_RC2_128_CBC_WITH_MD5             RC2-MD5
-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP-RC2-MD5
-SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA-CBC-MD5
-SSL_CK_DES_64_CBC_WITH_MD5              DES-CBC-MD5
-SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES-CBC3-MD5
-.Ed
 .Sh CIPHERS NOTES
 The non-ephemeral DH modes are currently unimplemented in
 .Nm OpenSSL
@@ -5357,8 +5344,8 @@ Acceptable values for
 are
 .Cm pkcs1
 for PKCS#1 padding;
-.Cm sslv23
-for SSLv23 padding;
+.Cm sslv3
+for SSLv3 padding;
 .Cm none
 for no padding;
 .Cm oaep
@@ -6575,8 +6562,7 @@ Default is
 The padding to use:
 PKCS#1 OAEP, PKCS#1 v1.5
 .Pq the default ,
-no padding,
-or special padding used in SSL v2 backwards compatible handshakes, respectively.
+or no padding, respectively.
 For signatures, only
 .Fl pkcs
 and
@@ -6724,7 +6710,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl msg
 .Op Fl nbio
 .Op Fl nbio_test
-.Op Fl no_ssl2
 .Op Fl no_ssl3
 .Op Fl no_ticket
 .Op Fl no_tls1
@@ -6736,9 +6721,7 @@ which it can be seen agrees with the recovered value above.
 .Op Fl quiet
 .Op Fl rand Ar
 .Op Fl reconnect
-.Op Fl serverpref
 .Op Fl showcerts
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl starttls Ar protocol
 .Op Fl state
@@ -6849,19 +6832,17 @@ Turns on non-blocking I/O.
 .It Fl nbio_test
 Tests non-blocking I/O.
 .It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl no_ssl3 | no_tls1 |
+.Fl ssl3 | tls1
 .Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
 .Pp
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect.
 Some servers only work if TLS is turned off with the
 .Fl no_tls
-option, others will only support SSL v2 and may need the
-.Fl ssl2
 option.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
@@ -6902,9 +6883,6 @@ Multiple files can be specified separated by a
 .It Fl reconnect
 Reconnects to the same server 5 times using the same session ID; this can
 be used as a test that session caching is working.
-.It Fl serverpref
-Use server's cipher preferences
-.Pq SSLv2 only .
 .It Fl showcerts
 Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
@@ -6962,8 +6940,7 @@ to retrieve a web page.
 .Pp
 If the handshake fails, there are several possible causes; if it is
 nothing obvious like no client certificate, then the
-.Fl bugs , ssl2 , ssl3 , tls1 ,
-.Fl no_ssl2 , no_ssl3 ,
+.Fl bugs , ssl3 , tls1 , no_ssl3 ,
 and
 .Fl no_tls1
 options can be tried in case it is a buggy server.
@@ -7047,7 +7024,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl nbio
 .Op Fl nbio_test
 .Op Fl no_dhe
-.Op Fl no_ssl2
 .Op Fl no_ssl3
 .Op Fl no_tls1
 .Op Fl no_tmp_rsa
@@ -7057,7 +7033,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl quiet
 .Op Fl rand Ar
 .Op Fl serverpref
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl state
 .Op Fl tls1
@@ -7200,12 +7175,12 @@ Tests non-blocking I/O.
 If this option is set, no DH parameters will be loaded, effectively
 disabling the ephemeral DH cipher suites.
 .It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl no_ssl3 | no_tls1 |
+.Fl ssl3 | tls1
 .Xc
 These options disable the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
 .It Fl no_tmp_rsa
 Certain export cipher suites sometimes use a temporary RSA key; this option
 disables temporary RSA key generation.
@@ -7343,7 +7318,6 @@ unknown cipher suites a client says it supports.
 .Op Fl nbio
 .Op Fl new
 .Op Fl reuse
-.Op Fl ssl2
 .Op Fl ssl3
 .Op Fl time Ar seconds
 .Op Fl verify Ar depth
@@ -7414,11 +7388,11 @@ nor
 .Fl reuse
 are specified,
 they are both on by default and executed in sequence.
-.It Fl ssl2 | ssl3
-These options disable the use of certain SSL or TLS protocols.
+.It Fl ssl3
+This option disables the use of certain SSL or TLS protocols.
 By default, the initial handshake uses a method
 which should be compatible with all servers and permit them to use
-SSL v3, SSL v2, or TLS as appropriate.
+SSL v3 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
 the
 .Nm s_client
@@ -7428,9 +7402,6 @@ Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect.
 Some servers only work if TLS is turned off with the
 .Fl ssl3
-option;
-others will only support SSL v2 and may need the
-.Fl ssl2
 option.
 .It Fl time Ar seconds
 Specifies how long
@@ -7480,7 +7451,7 @@ command for details.
 .Pp
 If the handshake fails, there are several possible causes:
 if it is nothing obvious like no client certificate, the
-.Fl bugs , ssl2 ,
+.Fl bugs
 and
 .Fl ssl3
 options can be tried in case it is a buggy server.
@@ -7605,7 +7576,6 @@ SSL-Session:
     Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
     Session-ID-ctx: 01000000
     Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
-    Key-Arg   : None
     Start Time: 948459261
     Timeout   : 300 (sec)
     Verify return code 0 (ok)
@@ -7615,7 +7585,7 @@ These are described below in more detail.
 .Pp
 .Bl -tag -width "Verify return code " -compact
 .It Ar Protocol
-This is the protocol in use: TLSv1, SSLv3, or SSLv2.
+This is the protocol in use: TLSv1 or SSLv3.
 .It Ar Cipher
 The cipher used is the actual raw SSL or TLS cipher code;
 see the SSL or TLS specifications for more information.
@@ -7625,8 +7595,6 @@ The SSL session ID in hex format.
 The session ID context in hex format.
 .It Ar Master-Key
 This is the SSL session master key.
-.It Ar Key-Arg
-The key argument; this is only used in SSL v2.
 .It Ar Start Time
 This is the session start time, represented as an integer in standard
 .Ux