summaryrefslogtreecommitdiff
path: root/usr.sbin/openssl
diff options
context:
space:
mode:
authorJason McIntyre <jmc@cvs.openbsd.org>2012-07-12 21:33:13 +0000
committerJason McIntyre <jmc@cvs.openbsd.org>2012-07-12 21:33:13 +0000
commit60856b4aea8a60f5af37e079038da97007e59807 (patch)
tree4f251d063b698548e5078163e37c48a25ef17561 /usr.sbin/openssl
parent7e30c6b1850e4268ff0d9425c363e1f804cfdaca (diff)
remove (hopefully) all traces of sslv2; ok sthen
Diffstat (limited to 'usr.sbin/openssl')
-rw-r--r--usr.sbin/openssl/openssl.178
1 files changed, 23 insertions, 55 deletions
diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1
index 6d6204261d3..80a22c64033 100644
--- a/usr.sbin/openssl/openssl.1
+++ b/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.87 2011/09/29 17:57:09 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.88 2012/07/12 21:33:12 jmc Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -112,7 +112,7 @@
.\"
.\" OPENSSL
.\"
-.Dd $Mdocdate: September 29 2011 $
+.Dd $Mdocdate: July 12 2012 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -138,7 +138,7 @@
.Sh DESCRIPTION
.Nm OpenSSL
is a cryptography toolkit implementing the Secure Sockets Layer
-.Pq SSL v2/v3
+.Pq SSL v3
and Transport Layer Security
.Pq TLS v1
network protocols and related cryptography standards required by them.
@@ -1411,7 +1411,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
.Sh CIPHERS
.Nm openssl ciphers
.Op Fl hVv
-.Op Fl ssl2 | ssl3 | tls1
+.Op Fl ssl3 | tls1
.Op Ar cipherlist
.Pp
The
@@ -1425,8 +1425,6 @@ The options are as follows:
.Bl -tag -width Ds
.It Fl h , \&?
Print a brief usage message.
-.It Fl ssl2
-Only include SSL v2 ciphers.
.It Fl ssl3
Only include SSL v3 ciphers.
.It Fl tls1
@@ -1438,7 +1436,7 @@ but include cipher suite codes in output (hex format).
.It Fl v
Verbose option.
List ciphers with a complete description of protocol version
-.Pq SSLv2 or SSLv3; the latter includes TLS ,
+.Pq SSLv3, which includes TLS ,
key exchange, authentication, encryption and mac algorithms used along with
any key size restrictions and whether the algorithm is classed as an
.Em export
@@ -1446,8 +1444,7 @@ cipher.
Note that without the
.Fl v
option, ciphers may seem to appear twice in a cipher list;
-this is when similar ciphers are available for
-SSL v2 and for SSL v3/TLS v1.
+this is when similar ciphers are available for SSL v3/TLS v1.
.It Ar cipherlist
A cipher list to convert to a cipher preference list.
If it is not included, the default cipher list will be used.
@@ -1585,8 +1582,8 @@ Cipher suites using ephemeral DH key agreement.
Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
.It Ar aDSS , DSS
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
-.It Ar TLSv1 , SSLv3 , SSLv2
-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively.
+.It Ar TLSv1 , SSLv3
+TLS v1.0 or SSL v3.0 cipher suites, respectively.
.It Ar DH
Cipher suites using DH, including anonymous DH.
.It Ar ADH
@@ -1723,16 +1720,6 @@ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
.Ed
-.Ss SSL v2.0 cipher suites
-.Bd -unfilled -offset indent
-SSL_CK_RC4_128_WITH_MD5 RC4-MD5
-SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
-SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
-SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
-SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
-SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
-.Ed
.Sh CIPHERS NOTES
The non-ephemeral DH modes are currently unimplemented in
.Nm OpenSSL
@@ -5357,8 +5344,8 @@ Acceptable values for
are
.Cm pkcs1
for PKCS#1 padding;
-.Cm sslv23
-for SSLv23 padding;
+.Cm sslv3
+for SSLv3 padding;
.Cm none
for no padding;
.Cm oaep
@@ -6575,8 +6562,7 @@ Default is
The padding to use:
PKCS#1 OAEP, PKCS#1 v1.5
.Pq the default ,
-no padding,
-or special padding used in SSL v2 backwards compatible handshakes, respectively.
+or no padding, respectively.
For signatures, only
.Fl pkcs
and
@@ -6724,7 +6710,6 @@ which it can be seen agrees with the recovered value above.
.Op Fl msg
.Op Fl nbio
.Op Fl nbio_test
-.Op Fl no_ssl2
.Op Fl no_ssl3
.Op Fl no_ticket
.Op Fl no_tls1
@@ -6736,9 +6721,7 @@ which it can be seen agrees with the recovered value above.
.Op Fl quiet
.Op Fl rand Ar
.Op Fl reconnect
-.Op Fl serverpref
.Op Fl showcerts
-.Op Fl ssl2
.Op Fl ssl3
.Op Fl starttls Ar protocol
.Op Fl state
@@ -6849,19 +6832,17 @@ Turns on non-blocking I/O.
.It Fl nbio_test
Tests non-blocking I/O.
.It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl no_ssl3 | no_tls1 |
+.Fl ssl3 | tls1
.Xc
These options disable the use of certain SSL or TLS protocols.
By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
.Pp
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect.
Some servers only work if TLS is turned off with the
.Fl no_tls
-option, others will only support SSL v2 and may need the
-.Fl ssl2
option.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
@@ -6902,9 +6883,6 @@ Multiple files can be specified separated by a
.It Fl reconnect
Reconnects to the same server 5 times using the same session ID; this can
be used as a test that session caching is working.
-.It Fl serverpref
-Use server's cipher preferences
-.Pq SSLv2 only .
.It Fl showcerts
Display the whole server certificate chain: normally only the server
certificate itself is displayed.
@@ -6962,8 +6940,7 @@ to retrieve a web page.
.Pp
If the handshake fails, there are several possible causes; if it is
nothing obvious like no client certificate, then the
-.Fl bugs , ssl2 , ssl3 , tls1 ,
-.Fl no_ssl2 , no_ssl3 ,
+.Fl bugs , ssl3 , tls1 , no_ssl3 ,
and
.Fl no_tls1
options can be tried in case it is a buggy server.
@@ -7047,7 +7024,6 @@ We should really report information whenever a session is renegotiated.
.Op Fl nbio
.Op Fl nbio_test
.Op Fl no_dhe
-.Op Fl no_ssl2
.Op Fl no_ssl3
.Op Fl no_tls1
.Op Fl no_tmp_rsa
@@ -7057,7 +7033,6 @@ We should really report information whenever a session is renegotiated.
.Op Fl quiet
.Op Fl rand Ar
.Op Fl serverpref
-.Op Fl ssl2
.Op Fl ssl3
.Op Fl state
.Op Fl tls1
@@ -7200,12 +7175,12 @@ Tests non-blocking I/O.
If this option is set, no DH parameters will be loaded, effectively
disabling the ephemeral DH cipher suites.
.It Xo
-.Fl no_ssl2 | no_ssl3 | no_tls1 |
-.Fl ssl2 | ssl3 | tls1
+.Fl no_ssl3 | no_tls1 |
+.Fl ssl3 | tls1
.Xc
These options disable the use of certain SSL or TLS protocols.
By default, the initial handshake uses a method which should be compatible
-with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate.
+with all servers and permit them to use SSL v3 or TLS as appropriate.
.It Fl no_tmp_rsa
Certain export cipher suites sometimes use a temporary RSA key; this option
disables temporary RSA key generation.
@@ -7343,7 +7318,6 @@ unknown cipher suites a client says it supports.
.Op Fl nbio
.Op Fl new
.Op Fl reuse
-.Op Fl ssl2
.Op Fl ssl3
.Op Fl time Ar seconds
.Op Fl verify Ar depth
@@ -7414,11 +7388,11 @@ nor
.Fl reuse
are specified,
they are both on by default and executed in sequence.
-.It Fl ssl2 | ssl3
-These options disable the use of certain SSL or TLS protocols.
+.It Fl ssl3
+This option disables the use of certain SSL or TLS protocols.
By default, the initial handshake uses a method
which should be compatible with all servers and permit them to use
-SSL v3, SSL v2, or TLS as appropriate.
+SSL v3 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
the
.Nm s_client
@@ -7428,9 +7402,6 @@ Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect.
Some servers only work if TLS is turned off with the
.Fl ssl3
-option;
-others will only support SSL v2 and may need the
-.Fl ssl2
option.
.It Fl time Ar seconds
Specifies how long
@@ -7480,7 +7451,7 @@ command for details.
.Pp
If the handshake fails, there are several possible causes:
if it is nothing obvious like no client certificate, the
-.Fl bugs , ssl2 ,
+.Fl bugs
and
.Fl ssl3
options can be tried in case it is a buggy server.
@@ -7605,7 +7576,6 @@ SSL-Session:
Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
Session-ID-ctx: 01000000
Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
- Key-Arg : None
Start Time: 948459261
Timeout : 300 (sec)
Verify return code 0 (ok)
@@ -7615,7 +7585,7 @@ These are described below in more detail.
.Pp
.Bl -tag -width "Verify return code " -compact
.It Ar Protocol
-This is the protocol in use: TLSv1, SSLv3, or SSLv2.
+This is the protocol in use: TLSv1 or SSLv3.
.It Ar Cipher
The cipher used is the actual raw SSL or TLS cipher code;
see the SSL or TLS specifications for more information.
@@ -7625,8 +7595,6 @@ The SSL session ID in hex format.
The session ID context in hex format.
.It Ar Master-Key
This is the SSL session master key.
-.It Ar Key-Arg
-The key argument; this is only used in SSL v2.
.It Ar Start Time
This is the session start time, represented as an integer in standard
.Ux