-rw-r--r-- | usr.sbin/openssl/openssl.1 | 78 |
1 files changed, 23 insertions, 55 deletions
diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1 index 6d6204261d3..80a22c64033 100644 --- a/usr.sbin/openssl/openssl.1 +++ b/usr.sbin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.87 2011/09/29 17:57:09 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.88 2012/07/12 21:33:12 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: September 29 2011 $ +.Dd $Mdocdate: July 12 2012 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -138,7 +138,7 @@ .Sh DESCRIPTION .Nm OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer -.Pq SSL v2/v3 +.Pq SSL v3 and Transport Layer Security .Pq TLS v1 network protocols and related cryptography standards required by them. @@ -1411,7 +1411,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid. .Sh CIPHERS .Nm openssl ciphers .Op Fl hVv -.Op Fl ssl2 | ssl3 | tls1 +.Op Fl ssl3 | tls1 .Op Ar cipherlist .Pp The @@ -1425,8 +1425,6 @@ The options are as follows: .Bl -tag -width Ds .It Fl h , \&? Print a brief usage message. -.It Fl ssl2 -Only include SSL v2 ciphers. .It Fl ssl3 Only include SSL v3 ciphers. .It Fl tls1 @@ -1438,7 +1436,7 @@ but include cipher suite codes in output (hex format). .It Fl v Verbose option. List ciphers with a complete description of protocol version -.Pq SSLv2 or SSLv3; the latter includes TLS , +.Pq SSLv3, which includes TLS , key exchange, authentication, encryption and mac algorithms used along with any key size restrictions and whether the algorithm is classed as an .Em export 
@@ -1446,8 +1444,7 @@ cipher. Note that without the .Fl v option, ciphers may seem to appear twice in a cipher list; -this is when similar ciphers are available for -SSL v2 and for SSL v3/TLS v1. +this is when similar ciphers are available for SSL v3/TLS v1. .It Ar cipherlist A cipher list to convert to a cipher preference list. If it is not included, the default cipher list will be used. @@ -1585,8 +1582,8 @@ Cipher suites using ephemeral DH key agreement. Cipher suites using RSA authentication, i.e. the certificates carry RSA keys. .It Ar aDSS , DSS Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. -.It Ar TLSv1 , SSLv3 , SSLv2 -TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites, respectively. +.It Ar TLSv1 , SSLv3 +TLS v1.0 or SSL v3.0 cipher suites, respectively. .It Ar DH Cipher suites using DH, including anonymous DH. .It Ar ADH @@ -1723,16 +1720,6 @@ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA .Ed -.Ss SSL v2.0 cipher suites -.Bd -unfilled -offset indent -SSL_CK_RC4_128_WITH_MD5 RC4-MD5 -SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 -SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 -SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 -SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 -SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 -SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 -.Ed .Sh CIPHERS NOTES The non-ephemeral DH modes are currently unimplemented in .Nm OpenSSL @@ -5357,8 +5344,8 @@ Acceptable values for are .Cm pkcs1 for PKCS#1 padding; -.Cm sslv23 -for SSLv23 padding; +.Cm sslv3 +for SSLv3 padding; .Cm none for no padding; .Cm oaep @@ -6575,8 +6562,7 @@ Default is The padding to use: PKCS#1 OAEP, PKCS#1 v1.5 .Pq the default , -no padding, -or special padding used in SSL v2 backwards compatible handshakes, respectively. +or no padding, respectively. For signatures, only .Fl pkcs and 
@@ -6724,7 +6710,6 @@ which it can be seen agrees with the recovered value above. .Op Fl msg .Op Fl nbio .Op Fl nbio_test -.Op Fl no_ssl2 .Op Fl no_ssl3 .Op Fl no_ticket .Op Fl no_tls1 @@ -6736,9 +6721,7 @@ which it can be seen agrees with the recovered value above. .Op Fl quiet .Op Fl rand Ar .Op Fl reconnect -.Op Fl serverpref .Op Fl showcerts -.Op Fl ssl2 .Op Fl ssl3 .Op Fl starttls Ar protocol .Op Fl state @@ -6849,19 +6832,17 @@ Turns on non-blocking I/O. .It Fl nbio_test Tests non-blocking I/O. .It Xo -.Fl no_ssl2 | no_ssl3 | no_tls1 | -.Fl ssl2 | ssl3 | tls1 +.Fl no_ssl3 | no_tls1 | +.Fl ssl3 | tls1 .Xc These options disable the use of certain SSL or TLS protocols. By default, the initial handshake uses a method which should be compatible -with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate. +with all servers and permit them to use SSL v3 or TLS as appropriate. .Pp Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only work if TLS is turned off with the .Fl no_tls -option, others will only support SSL v2 and may need the -.Fl ssl2 option. .It Fl no_ticket Disable RFC 4507 session ticket support. @@ -6902,9 +6883,6 @@ Multiple files can be specified separated by a .It Fl reconnect Reconnects to the same server 5 times using the same session ID; this can be used as a test that session caching is working. -.It Fl serverpref -Use server's cipher preferences -.Pq SSLv2 only . .It Fl showcerts Display the whole server certificate chain: normally only the server certificate itself is displayed. @@ -6962,8 +6940,7 @@ to retrieve a web page. .Pp If the handshake fails, there are several possible causes; if it is nothing obvious like no client certificate, then the -.Fl bugs , ssl2 , ssl3 , tls1 , -.Fl no_ssl2 , no_ssl3 , +.Fl bugs , ssl3 , tls1 , no_ssl3 , and .Fl no_tls1 options can be tried in case it is a buggy server. 
@@ -7047,7 +7024,6 @@ We should really report information whenever a session is renegotiated. .Op Fl nbio .Op Fl nbio_test .Op Fl no_dhe -.Op Fl no_ssl2 .Op Fl no_ssl3 .Op Fl no_tls1 .Op Fl no_tmp_rsa @@ -7057,7 +7033,6 @@ We should really report information whenever a session is renegotiated. .Op Fl quiet .Op Fl rand Ar .Op Fl serverpref -.Op Fl ssl2 .Op Fl ssl3 .Op Fl state .Op Fl tls1 @@ -7200,12 +7175,12 @@ Tests non-blocking I/O. If this option is set, no DH parameters will be loaded, effectively disabling the ephemeral DH cipher suites. .It Xo -.Fl no_ssl2 | no_ssl3 | no_tls1 | -.Fl ssl2 | ssl3 | tls1 +.Fl no_ssl3 | no_tls1 | +.Fl ssl3 | tls1 .Xc These options disable the use of certain SSL or TLS protocols. By default, the initial handshake uses a method which should be compatible -with all servers and permit them to use SSL v3, SSL v2, or TLS as appropriate. +with all servers and permit them to use SSL v3 or TLS as appropriate. .It Fl no_tmp_rsa Certain export cipher suites sometimes use a temporary RSA key; this option disables temporary RSA key generation. @@ -7343,7 +7318,6 @@ unknown cipher suites a client says it supports. .Op Fl nbio .Op Fl new .Op Fl reuse -.Op Fl ssl2 .Op Fl ssl3 .Op Fl time Ar seconds .Op Fl verify Ar depth @@ -7414,11 +7388,11 @@ nor .Fl reuse are specified, they are both on by default and executed in sequence. -.It Fl ssl2 | ssl3 -These options disable the use of certain SSL or TLS protocols. +.It Fl ssl3 +This option disables the use of certain SSL or TLS protocols. By default, the initial handshake uses a method which should be compatible with all servers and permit them to use -SSL v3, SSL v2, or TLS as appropriate. +SSL v3 or TLS as appropriate. The timing program is not as rich in options to turn protocols on and off as the .Nm s_client 
@@ -7428,9 +7402,6 @@ Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only work if TLS is turned off with the .Fl ssl3 -option; -others will only support SSL v2 and may need the -.Fl ssl2 option. .It Fl time Ar seconds Specifies how long @@ -7480,7 +7451,7 @@ command for details. .Pp If the handshake fails, there are several possible causes: if it is nothing obvious like no client certificate, the -.Fl bugs , ssl2 , +.Fl bugs and .Fl ssl3 options can be tried in case it is a buggy server. @@ -7605,7 +7576,6 @@ SSL-Session: Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED Session-ID-ctx: 01000000 Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD - Key-Arg : None Start Time: 948459261 Timeout : 300 (sec) Verify return code 0 (ok) @@ -7615,7 +7585,7 @@ These are described below in more detail. .Pp .Bl -tag -width "Verify return code " -compact .It Ar Protocol -This is the protocol in use: TLSv1, SSLv3, or SSLv2. +This is the protocol in use: TLSv1 or SSLv3. .It Ar Cipher The cipher used is the actual raw SSL or TLS cipher code; see the SSL or TLS specifications for more information. @@ -7625,8 +7595,6 @@ The SSL session ID in hex format. The session ID context in hex format. .It Ar Master-Key This is the SSL session master key. -.It Ar Key-Arg -The key argument; this is only used in SSL v2. .It Ar Start Time This is the session start time, represented as an integer in standard .Ux |
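Review bot: in the hunk at @@ -1446,8 +1444,7 @@, the note that ciphers "may seem to appear twice" loses its explanation. The old text attributed the duplicates to similar ciphers existing both for SSL v2 and for SSL v3/TLS v1, while the new line "this is when similar ciphers are available for SSL v3/TLS v1." names a single group and so no longer says why a name would show up twice. Either drop the note together with the SSL v2 text, or reword it to state what still produces duplicate entries.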
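Review bot: in the hunk at @@ -5357,8 +5344,8 @@, `.Cm sslv23` is renamed to `.Cm sslv3` "for SSLv3 padding", but this is a value the user types in a list of accepted padding modes, not a protocol name. The diffstat shows only openssl.1 changing, so nothing in this commit makes the tool accept `sslv3`. Unless the parser is changed elsewhere, keep `.Cm sslv23`, or remove the entry outright if the mode is being retired, so the page does not document a value that would be rejected.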
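Review bot: in the hunk at @@ -6575,8 +6562,7 @@, the sentence still ends in "respectively" but now describes three padding choices, and the flag list it maps onto is not part of the hunk. If that list still carries a fourth flag for the SSL v2 compatible padding, the descriptions are now off by one and the flag remains documented without an explanation. Remove the flag from the item header and the synopsis in the same change, or keep a fourth description.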
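Review bot: in the hunk at @@ -6849,19 +6832,17 @@, the surviving context line tells the reader to turn TLS off with `.Fl no_tls`, while the option list at the top of the same item reads `.Fl no_ssl3 | no_tls1 |`. Since the paragraph is being edited here anyway, change the reference to `.Fl no_tls1` so the troubleshooting advice names an option the item actually documents.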