|
|
cfec1a |
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
|
|
|
cfec1a |
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2 2017-01-26 14:22:03.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/apps/ciphers.c 2017-03-01 14:18:28.058046372 +0100
|
|
|
cfec1a |
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
|
|
|
cfec1a |
"usage: ciphers args\n",
|
|
|
cfec1a |
" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
|
|
|
cfec1a |
" -V - even more verbose\n",
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_SSL2
|
|
|
cfec1a |
" -ssl2 - SSL2 mode\n",
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
" -ssl3 - SSL3 mode\n",
|
|
|
cfec1a |
" -tls1 - TLS1 mode\n",
|
|
|
cfec1a |
NULL
|
|
|
cfec1a |
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
|
|
|
cfec1a |
--- openssl-1.0.2k/apps/s_client.c.no-ssl2 2017-03-01 14:04:57.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/apps/s_client.c 2017-03-01 14:17:42.368974209 +0100
|
|
|
cfec1a |
@@ -380,7 +380,9 @@ static void sc_usage(void)
|
|
|
cfec1a |
" -srp_strength int - minimal length in bits for N (default %d).\n",
|
|
|
cfec1a |
SRP_MINIMAL_N);
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_SSL2
|
|
|
cfec1a |
BIO_printf(bio_err, " -ssl2 - just use SSLv2\n");
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
#ifndef OPENSSL_NO_SSL3_METHOD
|
|
|
cfec1a |
BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
|
|
|
cfec1a |
--- openssl-1.0.2k/apps/s_server.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/apps/s_server.c 2017-03-01 14:13:54.154618822 +0100
|
|
|
cfec1a |
@@ -598,7 +598,9 @@ static void sv_usage(void)
|
|
|
cfec1a |
BIO_printf(bio_err,
|
|
|
cfec1a |
" -srpuserseed string - A seed string for a default user salt.\n");
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_SSL2
|
|
|
cfec1a |
BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
#ifndef OPENSSL_NO_SSL3_METHOD
|
|
|
cfec1a |
BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
|
|
|
cfec1a |
#endif
|
|
|
cfec1a |
@@ -610,7 +612,7 @@ static void sv_usage(void)
|
|
|
cfec1a |
BIO_printf(bio_err, " -timeout - Enable timeouts\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -chain - Read a certificate chain\n");
|
|
|
cfec1a |
- BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
|
|
|
cfec1a |
+ BIO_printf(bio_err, " -no_ssl2 - No-op, SSLv2 is always disabled\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
|
|
|
cfec1a |
BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
|
|
|
cfec1a |
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
|
|
|
cfec1a |
--- openssl-1.0.2k/apps/s_time.c.no-ssl2 2017-02-15 11:33:38.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/apps/s_time.c 2017-03-01 14:20:15.708572549 +0100
|
|
|
cfec1a |
@@ -191,7 +191,9 @@ static void s_time_usage(void)
|
|
|
cfec1a |
SSL_CONNECT_NAME);
|
|
|
cfec1a |
#ifdef FIONBIO
|
|
|
cfec1a |
printf("-nbio - Run with non-blocking IO\n");
|
|
|
cfec1a |
+#ifndef OPENSSL_NO_SSL2
|
|
|
cfec1a |
printf("-ssl2 - Just use SSLv2\n");
|
|
|
cfec1a |
+#endif
|
|
|
cfec1a |
printf("-ssl3 - Just use SSLv3\n");
|
|
|
cfec1a |
printf("-bugs - Turn on SSL bug compatibility\n");
|
|
|
cfec1a |
printf("-new - Just time new connections\n");
|
|
|
cfec1a |
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
|
|
|
cfec1a |
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/doc/apps/ciphers.pod 2017-03-01 14:02:51.275041593 +0100
|
|
|
cfec1a |
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
|
|
|
cfec1a |
B<openssl> B<ciphers>
|
|
|
cfec1a |
[B<-v>]
|
|
|
cfec1a |
[B<-V>]
|
|
|
cfec1a |
-[B<-ssl2>]
|
|
|
cfec1a |
[B<-ssl3>]
|
|
|
cfec1a |
[B<-tls1>]
|
|
|
cfec1a |
[B<cipherlist>]
|
|
|
cfec1a |
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
|
|
|
cfec1a |
|
|
|
cfec1a |
This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
|
|
|
cfec1a |
|
|
|
cfec1a |
-=item B<-ssl2>
|
|
|
cfec1a |
-
|
|
|
cfec1a |
-Only include SSLv2 ciphers.
|
|
|
cfec1a |
-
|
|
|
cfec1a |
=item B<-h>, B<-?>
|
|
|
cfec1a |
|
|
|
cfec1a |
Print a brief usage message.
|
|
|
cfec1a |
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
|
|
|
cfec1a |
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/doc/apps/s_client.pod 2017-03-01 14:06:28.389146669 +0100
|
|
|
cfec1a |
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
|
|
|
cfec1a |
[B<-ign_eof>]
|
|
|
cfec1a |
[B<-no_ign_eof>]
|
|
|
cfec1a |
[B<-quiet>]
|
|
|
cfec1a |
-[B<-ssl2>]
|
|
|
cfec1a |
[B<-ssl3>]
|
|
|
cfec1a |
[B<-tls1>]
|
|
|
cfec1a |
[B<-tls1_1>]
|
|
|
cfec1a |
[B<-tls1_2>]
|
|
|
cfec1a |
[B<-dtls1>]
|
|
|
cfec1a |
-[B<-no_ssl2>]
|
|
|
cfec1a |
[B<-no_ssl3>]
|
|
|
cfec1a |
[B<-no_tls1>]
|
|
|
cfec1a |
[B<-no_tls1_1>]
|
|
|
cfec1a |
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
|
|
|
cfec1a |
given as a hexadecimal number without leading 0x, for example -psk
|
|
|
cfec1a |
1a2b3c4d.
|
|
|
cfec1a |
|
|
|
cfec1a |
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
|
cfec1a |
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
|
cfec1a |
|
|
|
cfec1a |
These options require or disable the use of the specified SSL or TLS protocols.
|
|
|
cfec1a |
By default the initial handshake uses a I<version-flexible> method which will
|
|
|
cfec1a |
@@ -326,8 +324,8 @@ would typically be used (https uses port
|
|
|
cfec1a |
then an HTTP command can be given such as "GET /" to retrieve a web page.
|
|
|
cfec1a |
|
|
|
cfec1a |
If the handshake fails then there are several possible causes, if it is
|
|
|
cfec1a |
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
|
|
|
cfec1a |
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
|
|
|
cfec1a |
+nothing obvious like no client certificate then the B<-bugs>,
|
|
|
cfec1a |
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
|
|
|
cfec1a |
in case it is a buggy server. In particular you should play with these
|
|
|
cfec1a |
options B<before> submitting a bug report to an OpenSSL mailing list.
|
|
|
cfec1a |
|
|
|
cfec1a |
@@ -349,10 +347,6 @@ on the command line is no guarantee that
|
|
|
cfec1a |
If there are problems verifying a server certificate then the
|
|
|
cfec1a |
B<-showcerts> option can be used to show the whole chain.
|
|
|
cfec1a |
|
|
|
cfec1a |
-Since the SSLv23 client hello cannot include compression methods or extensions
|
|
|
cfec1a |
-these will only be supported if its use is disabled, for example by using the
|
|
|
cfec1a |
-B<-no_sslv2> option.
|
|
|
cfec1a |
-
|
|
|
cfec1a |
The B<s_client> utility is a test tool and is designed to continue the
|
|
|
cfec1a |
handshake after any certificate verification errors. As a result it will
|
|
|
cfec1a |
accept any certificate chain (trusted or not) sent by the peer. None test
|
|
|
cfec1a |
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
|
|
|
cfec1a |
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 2017-03-01 14:04:57.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/doc/apps/s_server.pod 2017-03-01 14:04:17.871077754 +0100
|
|
|
cfec1a |
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
|
|
|
cfec1a |
[B<-keytab filename>]
|
|
|
cfec1a |
[B<-quiet>]
|
|
|
cfec1a |
[B<-no_tmp_rsa>]
|
|
|
cfec1a |
-[B<-ssl2>]
|
|
|
cfec1a |
[B<-ssl3>]
|
|
|
cfec1a |
[B<-tls1>]
|
|
|
cfec1a |
[B<-tls1_1>]
|
|
|
cfec1a |
[B<-tls1_2>]
|
|
|
cfec1a |
-[B<-no_ssl2>]
|
|
|
cfec1a |
[B<-no_ssl3>]
|
|
|
cfec1a |
[B<-no_tls1>]
|
|
|
cfec1a |
[B<-no_dhe>]
|
|
|
cfec1a |
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
|
|
|
cfec1a |
given as a hexadecimal number without leading 0x, for example -psk
|
|
|
cfec1a |
1a2b3c4d.
|
|
|
cfec1a |
|
|
|
cfec1a |
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
|
cfec1a |
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
|
|
|
cfec1a |
|
|
|
cfec1a |
These options require or disable the use of the specified SSL or TLS protocols.
|
|
|
cfec1a |
By default the initial handshake uses a I<version-flexible> method which will
|
|
|
cfec1a |
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
|
|
|
cfec1a |
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 2017-02-15 11:33:38.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/doc/apps/s_time.pod 2017-03-01 14:03:50.440432769 +0100
|
|
|
cfec1a |
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
|
|
|
cfec1a |
[B<-verify depth>]
|
|
|
cfec1a |
[B<-nbio>]
|
|
|
cfec1a |
[B<-time seconds>]
|
|
|
cfec1a |
-[B<-ssl2>]
|
|
|
cfec1a |
[B<-ssl3>]
|
|
|
cfec1a |
[B<-bugs>]
|
|
|
cfec1a |
[B<-cipher cipherlist>]
|
|
|
cfec1a |
@@ -99,9 +98,9 @@ specified, they are both on by default a
|
|
|
cfec1a |
|
|
|
cfec1a |
turns on non-blocking I/O.
|
|
|
cfec1a |
|
|
|
cfec1a |
-=item B<-ssl2>, B<-ssl3>
|
|
|
cfec1a |
+=item B<-ssl3>
|
|
|
cfec1a |
|
|
|
cfec1a |
-these options disable the use of certain SSL or TLS protocols. By default
|
|
|
cfec1a |
+this option disables the use of certain SSL or TLS protocols. By default
|
|
|
cfec1a |
the initial handshake uses a method which should be compatible with all
|
|
|
cfec1a |
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
|
|
|
cfec1a |
The timing program is not as rich in options to turn protocols on and off as
|
|
|
cfec1a |
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
|
|
|
cfec1a |
|
|
|
cfec1a |
Unfortunately there are a lot of ancient and broken servers in use which
|
|
|
cfec1a |
cannot handle this technique and will fail to connect. Some servers only
|
|
|
cfec1a |
-work if TLS is turned off with the B<-ssl3> option; others
|
|
|
cfec1a |
-will only support SSL v2 and may need the B<-ssl2> option.
|
|
|
cfec1a |
+work if TLS is turned off with the B<-ssl3> option.
|
|
|
cfec1a |
|
|
|
cfec1a |
=item B<-bugs>
|
|
|
cfec1a |
|
|
|
cfec1a |
@@ -144,7 +142,7 @@ which both client and server can agree,
|
|
|
cfec1a |
for details.
|
|
|
cfec1a |
|
|
|
cfec1a |
If the handshake fails then there are several possible causes, if it is
|
|
|
cfec1a |
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
|
|
|
cfec1a |
+nothing obvious like no client certificate then the B<-bugs>,
|
|
|
cfec1a |
B<-ssl3> options can be tried
|
|
|
cfec1a |
in case it is a buggy server. In particular you should play with these
|
|
|
cfec1a |
options B<before> submitting a bug report to an OpenSSL mailing list.
|
|
|
cfec1a |
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
|
|
|
cfec1a |
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 2017-01-26 14:22:04.000000000 +0100
|
|
|
cfec1a |
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod 2017-03-01 14:09:12.981016773 +0100
|
|
|
cfec1a |
@@ -123,13 +123,8 @@ used.
|
|
|
cfec1a |
|
|
|
cfec1a |
=item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
|
|
|
cfec1a |
|
|
|
cfec1a |
-A TLS/SSL connection established with these methods will only understand the
|
|
|
cfec1a |
-SSLv2 protocol. A client will send out SSLv2 client hello messages and will
|
|
|
cfec1a |
-also indicate that it only understand SSLv2. A server will only understand
|
|
|
cfec1a |
-SSLv2 client hello messages. The SSLv2 protocol offers little to no security
|
|
|
cfec1a |
-and should not be used.
|
|
|
cfec1a |
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
|
|
|
cfec1a |
-with SSLv2.
|
|
|
cfec1a |
+These calls are provided only as stubs for keeping ABI compatibility. There
|
|
|
cfec1a |
+is no support for SSLv2 built in the library.
|
|
|
cfec1a |
|
|
|
cfec1a |
=item DTLS_method(), DTLS_server_method(), DTLS_client_method()
|
|
|
cfec1a |
|