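diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2 2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/apps/ciphers.c 2017-03-01 14:18:28.058046372 +0100
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
 "usage: ciphers args\n",
 " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
 " -V - even more verbose\n",
+#ifndef OPENSSL_NO_SSL2
 " -ssl2 - SSL2 mode\n",
+#endif
 " -ssl3 - SSL3 mode\n",
 " -tls1 - TLS1 mode\n",
 NULL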
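Review bot: Guarding only the usage string with `#ifndef OPENSSL_NO_SSL2` leaves the help text and the documentation in this same patch inconsistent: doc/apps/ciphers.pod drops `-ssl2` unconditionally, while the binary still advertises the option in any build that keeps SSLv2 compiled in. If SSLv2 is meant to be absent from every build, as the SSL_CTX_new.pod hunk states, the guarded lines are dead code and could be deleted outright; otherwise the pod should keep a conditional mention of the option. The same pattern applies to the `-ssl2` usage lines in the s_client.c and s_time.c hunks. The `ciphers_usage` array continues outside the hunk, and the branch that parses `-ssl2` is not visible here, so whether it carries a matching guard cannot be confirmed from this diff.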
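diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
--- openssl-1.0.2k/apps/s_client.c.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/apps/s_client.c 2017-03-01 14:17:42.368974209 +0100
@@ -380,7 +380,9 @@ static void sc_usage(void)
 " -srp_strength int - minimal length in bits for N (default %d).\n",
 SRP_MINIMAL_N);
 #endif
+#ifndef OPENSSL_NO_SSL2
 BIO_printf(bio_err, " -ssl2 - just use SSLv2\n");
+#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
 #endif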
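diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
--- openssl-1.0.2k/apps/s_server.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_server.c 2017-03-01 14:13:54.154618822 +0100
@@ -598,7 +598,9 @@ static void sv_usage(void)
 BIO_printf(bio_err,
 " -srpuserseed string - A seed string for a default user salt.\n");
 #endif
+#ifndef OPENSSL_NO_SSL2
 BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
+#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
 #endif
@@ -610,7 +612,7 @@ static void sv_usage(void)
 BIO_printf(bio_err, " -timeout - Enable timeouts\n");
 BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
 BIO_printf(bio_err, " -chain - Read a certificate chain\n");
- BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
+ BIO_printf(bio_err, " -no_ssl2 - No-op, SSLv2 is always disabled\n");
 BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");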
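Review bot: The rewritten `-no_ssl2` help line in the second hunk asserts unconditionally that SSLv2 is always disabled, while the `-ssl2` line in the first hunk of the same function is guarded by `#ifndef OPENSSL_NO_SSL2`; a build that keeps SSLv2 would therefore print a statement the binary does not honour, and an operator relying on it could believe SSLv2 is off when the `-ssl2` option above it still enables it. The two lines should follow the same guard, keeping the original wording in the SSLv2-enabled branch. Whether the `-no_ssl2` parser branch still accepts the flag (which the "No-op" wording implies) is outside this hunk and cannot be confirmed here; `sv_usage` continues beyond the hunk on both sides.
```c
// … unchanged: -timeout, -mtu and -chain help lines …
#ifndef OPENSSL_NO_SSL2
    BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
#else
    BIO_printf(bio_err, " -no_ssl2 - No-op, SSLv2 is always disabled\n");
#endif
// … unchanged: -no_ssl3 and later help lines …
```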
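diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
--- openssl-1.0.2k/apps/s_time.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_time.c 2017-03-01 14:20:15.708572549 +0100
@@ -191,7 +191,9 @@ static void s_time_usage(void)
 SSL_CONNECT_NAME);
 #ifdef FIONBIO
 printf("-nbio - Run with non-blocking IO\n");
+#ifndef OPENSSL_NO_SSL2
 printf("-ssl2 - Just use SSLv2\n");
+#endif
 printf("-ssl3 - Just use SSLv3\n");
 printf("-bugs - Turn on SSL bug compatibility\n");
 printf("-new - Just time new connections\n");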
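diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/apps/ciphers.pod 2017-03-01 14:02:51.275041593 +0100
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
 B<openssl> B<ciphers>
 [B<-v>]
 [B<-V>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<cipherlist>]
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
 
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
 
-=item B<-ssl2>
-
-Only include SSLv2 ciphers.
-
 =item B<-h>, B<-?>
 
 Print a brief usage message.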
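diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-01 14:06:28.389146669 +0100
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-quiet>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
 [B<-dtls1>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_tls1_1>]
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default the initial handshake uses a I<version-flexible> method which will
@@ -326,8 +324,8 @@ would typically be used (https uses port
 then an HTTP command can be given such as "GET /" to retrieve a web page.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
+nothing obvious like no client certificate then the B<-bugs>,
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
 
@@ -349,10 +347,6 @@ on the command line is no guarantee that
 If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show the whole chain.
 
-Since the SSLv23 client hello cannot include compression methods or extensions
-these will only be supported if its use is disabled, for example by using the
-B<-no_sslv2> option.
-
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
 accept any certificate chain (trusted or not) sent by the peer. None test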
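diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_server.pod 2017-03-01 14:04:17.871077754 +0100
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
 [B<-keytab filename>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default the initial handshake uses a I<version-flexible> method which will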
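diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_time.pod 2017-03-01 14:03:50.440432769 +0100
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
 [B<-verify depth>]
 [B<-nbio>]
 [B<-time seconds>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
@@ -99,9 +98,9 @@ specified, they are both on by default a
 
 turns on non-blocking I/O.
 
-=item B<-ssl2>, B<-ssl3>
+=item B<-ssl3>
 
-these options disable the use of certain SSL or TLS protocols. By default
+this option disables the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
 
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option; others
-will only support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off with the B<-ssl3> option.
 
 =item B<-bugs>
 
@@ -144,7 +142,7 @@ which both client and server can agree,
 for details.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+nothing obvious like no client certificate then the B<-bugs>,
 B<-ssl3> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.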
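diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod 2017-03-01 14:09:12.981016773 +0100
@@ -123,13 +123,8 @@ used.
 
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
 
-A TLS/SSL connection established with these methods will only understand the
-SSLv2 protocol. A client will send out SSLv2 client hello messages and will
-also indicate that it only understand SSLv2. A server will only understand
-SSLv2 client hello messages. The SSLv2 protocol offers little to no security
-and should not be used.
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
-with SSLv2.
+These calls are provided only as stubs for keeping ABI compatibility. There
+is no support for SSLv2 built in the library.
 
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
 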