=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- src/usr.bin/openssl/openssl.1 2015/07/27 17:28:39 1.17 +++ src/usr.bin/openssl/openssl.1 2015/08/02 12:43:44 1.18 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.17 2015/07/27 17:28:39 sobrado Exp $ +.\" $OpenBSD: openssl.1,v 1.18 2015/08/02 12:43:44 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: July 27 2015 $ +.Dd $Mdocdate: August 2 2015 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -1414,7 +1414,7 @@ .Sh CIPHERS .Nm openssl ciphers .Op Fl hVv -.Op Fl ssl3 | tls1 +.Op Fl tls1 .Op Ar cipherlist .Pp The @@ -1428,8 +1428,6 @@ .Bl -tag -width Ds .It Fl h , \&? Print a brief usage message. -.It Fl ssl3 -Only include SSL v3 ciphers. .It Fl tls1 Only include TLS v1 ciphers. .It Fl V @@ -1438,14 +1436,12 @@ but include cipher suite codes in output (hex format). .It Fl v Verbose option. -List ciphers with a complete description of protocol version -.Pq SSLv3, which includes TLS , +List ciphers with a complete description of protocol version, key exchange, authentication, encryption and mac algorithms used along with any key size restrictions. Note that without the .Fl v -option, ciphers may seem to appear twice in a cipher list; -this is when similar ciphers are available for SSL v3/TLS v1. +option, ciphers may seem to appear twice in a cipher list. .It Ar cipherlist A cipher list to convert to a cipher preference list. If it is not included, the default cipher list will be used. 
@@ -1468,9 +1464,7 @@ or cipher suites of a certain type. For example .Em SHA1 -represents all cipher suites using the digest algorithm SHA1, and -.Em SSLv3 -represents all SSL v3 algorithms. +represents all cipher suites using the digest algorithm SHA1. .Pp Lists of cipher suites can be combined in a single .Em cipher string @@ -1578,8 +1572,8 @@ Cipher suites using RSA authentication, i.e. the certificates carry RSA keys. .It Ar aDSS , DSS Cipher suites using DSS authentication, i.e. the certificates carry DSS keys. -.It Ar TLSv1 , SSLv3 -TLS v1.0 or SSL v3.0 cipher suites, respectively. +.It Ar TLSv1 +TLS v1.0 cipher suites. .It Ar DH Cipher suites using DH, including anonymous DH. .It Ar ADH @@ -5148,8 +5142,6 @@ are .Cm pkcs1 for PKCS#1 padding; -.Cm sslv3 -for SSLv3 padding; .Cm none for no padding; .Cm oaep @@ -6475,7 +6467,6 @@ .Op Fl msg .Op Fl nbio .Op Fl nbio_test -.Op Fl no_ssl3 .Op Fl no_ticket .Op Fl no_tls1 .Op Fl no_tls1_1 @@ -6490,7 +6481,6 @@ .Op Fl reconnect .Op Fl servername Ar name .Op Fl showcerts -.Op Fl ssl3 .Op Fl starttls Ar protocol .Op Fl state .Op Fl tls1 @@ -6599,10 +6589,7 @@ Turns on non-blocking I/O. .It Fl nbio_test Tests non-blocking I/O. -.It Xo -.Fl no_ssl3 | no_tls1 | no_tls1_1 | no_tls1_2 | -.Fl ssl3 | tls1 -.Xc +.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1 These options disable the use of certain SSL or TLS protocols. By default, the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3 or TLS as appropriate. 
@@ -6717,15 +6704,10 @@ .Pp If the handshake fails, there are several possible causes; if it is nothing obvious like no client certificate, then the -.Fl bugs , ssl3 , tls1 , no_ssl3 , no_tls1 , no_tls1_1 , +.Fl bugs , tls1 , no_tls1 , no_tls1_1 , and .Fl no_tls1_2 options can be tried in case it is a buggy server. -In particular these options should be tried -.Em before -submitting a bug report to an -.Nm OpenSSL -mailing list. .Pp A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty @@ -6801,7 +6783,6 @@ .Op Fl nbio .Op Fl nbio_test .Op Fl no_dhe -.Op Fl no_ssl3 .Op Fl no_tls1 .Op Fl no_tls1_1 .Op Fl no_tls1_2 @@ -6811,7 +6792,6 @@ .Op Fl psk_hint Ar hint .Op Fl quiet .Op Fl serverpref -.Op Fl ssl3 .Op Fl state .Op Fl tls1 .Op Fl Verify Ar depth @@ -6952,10 +6932,7 @@ .It Fl no_dhe If this option is set, no DH parameters will be loaded, effectively disabling the ephemeral DH cipher suites. -.It Xo -.Fl no_ssl3 | no_tls1 | no_tls1_1 | no_tls1_2 | -.Fl ssl3 | tls1 -.Xc +.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1 These options disable the use of certain SSL or TLS protocols. By default, the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3 or TLS as appropriate. @@ -7090,7 +7067,6 @@ .Op Fl nbio .Op Fl new .Op Fl reuse -.Op Fl ssl3 .Op Fl time Ar seconds .Op Fl verify Ar depth .Op Fl www Ar page 
@@ -7160,21 +7136,6 @@ .Fl reuse are specified, they are both on by default and executed in sequence. -.It Fl ssl3 -This option disables the use of certain SSL or TLS protocols. -By default, the initial handshake uses a method -which should be compatible with all servers and permit them to use -SSL v3 or TLS as appropriate. -The timing program is not as rich in options to turn protocols on and off as -the -.Nm s_client -program and may not connect to all servers. -.Pp -Unfortunately there are a lot of ancient and broken servers in use which -cannot handle this technique and will fail to connect. -Some servers only work if TLS is turned off with the -.Fl ssl3 -option. .It Fl time Ar seconds Specifies how long .Pq in seconds @@ -7210,7 +7171,7 @@ To connect to an SSL HTTP server and get the default page the command .Bd -literal -offset indent $ openssl s_time -connect servername:443 -www / -CApath yourdir \e - -CAfile yourfile.pem -cipher commoncipher [-ssl3] + -CAfile yourfile.pem -cipher commoncipher .Ed .Pp would typically be used @@ -7224,12 +7185,7 @@ If the handshake fails, there are several possible causes: if it is nothing obvious like no client certificate, the .Fl bugs -and -.Fl ssl3 -options can be tried in case it is a buggy server. -In particular you should play with these options -.Em before -submitting a bug report to an OpenSSL mailing list. +option can be tried in case it is a buggy server. .Pp A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty @@ -7358,7 +7314,7 @@ .Pp .Bl -tag -width "Verify return code " -compact .It Ar Protocol -This is the protocol in use: TLSv1 or SSLv3. +This is the protocol in use. .It Ar Cipher The cipher used is the actual raw SSL or TLS cipher code; see the SSL or TLS specifications for more information.
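
Review bot: In the -v description of the ciphers hunk (@@ -1438,14 +1436,12 @@), the shortened sentence "ciphers may seem to appear twice in a cipher list." no longer says why, because the removed clause about SSL v3/TLS v1 was its only explanation. Either drop the "Note that without the -v option" sentence entirely or state the reason that still applies once SSL v3 is gone.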
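
Review bot: The unchanged context under the new ".It Fl no_tls1 | no_tls1_1 | no_tls1_2 | tls1" item in the s_client hunk (@@ -6599,10 +6589,7 @@) still reads "permit them to use SSL v3 or TLS as appropriate", which contradicts removing -ssl3 and -no_ssl3 from that same item. Reword that paragraph as part of this change. The s_server hunk at @@ -6952,10 +6932,7 @@ carries the identical sentence and needs the same fix.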
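
Review bot: The Protocol entry in the final hunk (@@ -7358,7 +7314,7 @@) is cut down to "This is the protocol in use.", which only restates the item name. Keeping a still-valid example value from the removed line, such as TLSv1, would tell the reader what to expect in that field.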