summaryrefslogtreecommitdiff
path: root/usr.bin/openssl
diff options
context:
space:
mode:
authorBob Beck <beck@cvs.openbsd.org>2023-07-03 06:22:08 +0000
committerBob Beck <beck@cvs.openbsd.org>2023-07-03 06:22:08 +0000
commitaf704f6436b692e431e2625ac256c6bec2949c5c (patch)
treef0c79bd76c6113b4d266cdd3e0b5e8b784a308f7 /usr.bin/openssl
parent24290980cce460bc7b083ea28d45793f42c6a204 (diff)
Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit
ok tb@
Diffstat (limited to 'usr.bin/openssl')
-rw-r--r--usr.bin/openssl/openssl.137
-rw-r--r--usr.bin/openssl/s_client.c70
-rw-r--r--usr.bin/openssl/s_server.c72
3 files changed, 20 insertions, 159 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 45ae95fa5b4..9868955691b 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.149 2023/07/03 06:22:07 beck Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -110,7 +110,7 @@
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
-.Dd $Mdocdate: June 8 2023 $
+.Dd $Mdocdate: July 3 2023 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -911,8 +911,6 @@ Specify the directories to process.
.Sh CIPHERS
.Nm openssl ciphers
.Op Fl hsVv
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Ar control
@@ -936,7 +934,7 @@ The options are as follows:
Print a brief usage message.
.It Fl s
Only list ciphers that are supported by the TLS method.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+.It Fl tls1_2 | tls1_3
In combination with the
.Fl s
option, list the ciphers which could be used
@@ -4265,7 +4263,6 @@ Verify the input data and output the recovered data.
.Op Fl crlf
.Op Fl debug
.Op Fl dtls
-.Op Fl dtls1
.Op Fl dtls1_2
.Op Fl extended_crl
.Op Fl groups Ar list
@@ -4286,8 +4283,6 @@ Verify the input data and output the recovered data.
.Op Fl no_ign_eof
.Op Fl no_legacy_server_connect
.Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
.Op Fl no_tls1_2
.Op Fl no_tls1_3
.Op Fl pass Ar arg
@@ -4307,8 +4302,6 @@ Verify the input data and output the recovered data.
.Op Fl state
.Op Fl status
.Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Fl tlsextdebug
@@ -4412,8 +4405,6 @@ as required by some servers.
Print extensive debugging information, including a hex dump of all traffic.
.It Fl dtls
Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
.It Fl dtls1_2
Permit only DTLS1.2.
.It Fl groups Ar list
@@ -4455,8 +4446,8 @@ Can be used to override the implicit
.Fl ign_eof
after
.Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2 and 1.3 respectively.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
.It Fl pass Ar arg
@@ -4529,8 +4520,8 @@ Send a certificate status request to the server (OCSP stapling).
The server response (if any) is printed out.
.It Fl timeout
Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2 or 1.3 respectively.
.It Fl tlsextdebug
Print a hex dump of any TLS extensions received from the server.
.It Fl use_srtp Ar profiles
@@ -4599,8 +4590,6 @@ will be used.
.Op Fl no_dhe
.Op Fl no_ecdhe
.Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
.Op Fl no_tls1_2
.Op Fl no_tls1_3
.Op Fl no_tmp_rsa
@@ -4616,8 +4605,6 @@ will be used.
.Op Fl status_url Ar url
.Op Fl status_verbose
.Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Fl tlsextdebug
@@ -4749,8 +4736,6 @@ If this fails, a static set of parameters hard coded into the
program will be used.
.It Fl dtls
Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
.It Fl dtls1_2
Permit only DTLS1.2.
.It Fl groups Ar list
@@ -4813,8 +4798,8 @@ Disable ephemeral DH cipher suites.
Disable ephemeral ECDH cipher suites.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2, and 1.3, respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2, and 1.3, respectively.
.It Fl no_tmp_rsa
Disable temporary RSA key generation.
.It Fl nocert
@@ -4849,8 +4834,8 @@ Enables certificate status request support (OCSP stapling) and gives a verbose
printout of the OCSP response.
.It Fl timeout
Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2, or 1.3, respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2, or 1.3, respectively.
.It Fl tlsextdebug
Print a hex dump of any TLS extensions received from the server.
.It Fl use_srtp Ar profiles
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index 82a8128243c..21bb632810e 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.60 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_client.c,v 1.61 2023/07/03 06:22:07 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -296,18 +296,6 @@ s_client_opt_protocol_version_dtls(void)
}
#endif
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_client_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_client_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
#ifndef OPENSSL_NO_DTLS1_2
static int
s_client_opt_protocol_version_dtls1_2(void)
@@ -321,22 +309,6 @@ s_client_opt_protocol_version_dtls1_2(void)
#endif
static int
-s_client_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_client_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
-static int
s_client_opt_protocol_version_tls1_2(void)
{
cfg.min_version = TLS1_2_VERSION;
@@ -505,14 +477,6 @@ static const struct option s_client_options[] = {
.opt.func = s_client_opt_protocol_version_dtls,
},
#endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_dtls1,
- },
-#endif
#ifndef OPENSSL_NO_DTLS1_2
{
.name = "dtls1_2",
@@ -660,20 +624,6 @@ static const struct option s_client_options[] = {
.value = SSL_OP_NO_TICKET,
},
{
- .name = "no_tls1",
- .desc = "Disable the use of TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Disable the use of TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
- {
.name = "no_tls1_2",
.desc = "Disable the use of TLSv1.2",
.type = OPTION_VALUE_OR,
@@ -806,18 +756,6 @@ static const struct option s_client_options[] = {
},
#endif
{
- .name = "tls1",
- .desc = "Just use TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just use TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1_1,
- },
- {
.name = "tls1_2",
.desc = "Just use TLSv1.2",
.type = OPTION_FUNC,
@@ -880,17 +818,17 @@ sc_usage(void)
"[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
" [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n"
" [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
- " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
+ " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1_2] [-extended_crl]\n"
" [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
" [-issuer_checks] [-key keyfile] [-keyform der | pem]\n"
" [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
" [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
- " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
+ " [-no_legacy_server_connect] [-no_ticket] \n"
" [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
" [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
" [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
" [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
- " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
+ " [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
" [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
" [-x509_strict] [-xmpphost host]\n");
fprintf(stderr, "\n");
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index a7f6146c4c3..12eb90699e7 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.56 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_server.c,v 1.57 2023/07/03 06:22:07 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -341,18 +341,6 @@ s_server_opt_protocol_version_dtls(void)
}
#endif
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_server_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_server_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
#ifndef OPENSSL_NO_DTLS1_2
static int
s_server_opt_protocol_version_dtls1_2(void)
@@ -366,22 +354,6 @@ s_server_opt_protocol_version_dtls1_2(void)
#endif
static int
-s_server_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_server_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
-static int
s_server_opt_protocol_version_tls1_2(void)
{
cfg.min_version = TLS1_2_VERSION;
@@ -648,14 +620,6 @@ static const struct option s_server_options[] = {
.opt.func = s_server_opt_protocol_version_dtls,
},
#endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_dtls1,
- },
-#endif
#ifndef OPENSSL_NO_DTLS1_2
{
.name = "dtls1_2",
@@ -817,20 +781,6 @@ static const struct option s_server_options[] = {
.value = SSL_OP_NO_SSLv3,
},
{
- .name = "no_tls1",
- .desc = "Just disable TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Just disable TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
- {
.name = "no_tls1_2",
.desc = "Just disable TLSv1.2",
.type = OPTION_VALUE_OR,
@@ -935,18 +885,6 @@ static const struct option s_server_options[] = {
},
#endif
{
- .name = "tls1",
- .desc = "Just talk TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just talk TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1_1,
- },
- {
.name = "tls1_2",
.desc = "Just talk TLSv1.2",
.type = OPTION_FUNC,
@@ -1050,17 +988,17 @@ sv_usage(void)
" [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
" [-dcert file] [-dcertform der | pem] [-debug]\n"
" [-dhparam file] [-dkey file] [-dkeyform der | pem]\n"
- " [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
+ " [-dpass arg] [-dtls] [-dtls1_2] [-groups list] [-HTTP]\n"
" [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
" [-keyform der | pem] [-keymatexport label]\n"
" [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
" [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
- " [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
- " [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
+ " [-no_dhe] [-no_ecdhe] [-no_ticket] \n"
+ " [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
" [-nocert] [-pass arg] [-quiet] [-servername name]\n"
" [-servername_fatal] [-serverpref] [-state] [-status]\n"
" [-status_timeout nsec] [-status_url url]\n"
- " [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
+ " [-status_verbose] [-timeout] \n"
" [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
" [-Verify depth] [-verify depth] [-verify_return_error]\n"
" [-WWW] [-www]\n");