author    Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>    2023-11-24 11:03:32 +0100
committer Matt Caswell <matt@openssl.org>    2024-03-28 08:44:41 +0000
commit    238aa8b2d1ce7c2353db106e08f0b9af8c7e37a5 (patch)
tree      551c26d4d3161503ae991cb0c6ba2ae7a2461d74
parent    4f043807106c29e08860daf7539770ed5ad40688 (diff)
Adds DTLS 1.3 functionality to s_client and s_server documentation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22260)
-rw-r--r--  doc/man1/openssl-s_client.pod.in  25
-rw-r--r--  doc/man1/openssl-s_server.pod.in  41
-rw-r--r--  doc/man1/openssl.pod  6
-rw-r--r--  doc/perlvars.pm  5
4 files changed, 40 insertions, 37 deletions
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 032edb2a36..2ce027a97b 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -543,13 +543,13 @@ This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
-Note that this will only work if TLSv1.3 is negotiated.
+Note that this will only work if (D)TLSv1.3 is negotiated.
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
-conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
-available where OpenSSL has support for SCTP enabled.
+conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option
+is only available where OpenSSL has support for SCTP enabled.
=item B<-sctp_label_bug>
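Review bot: the B<-sctp> entry now names B<-dtls1_3> as a valid companion option, but this commit touches only documentation (the diffstat lists doc/ files only), so please confirm that the s_client option handling actually accepts B<-sctp> together with B<-dtls1_3> before documenting the combination; otherwise the manual promises a pairing the tool rejects.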
@@ -619,11 +619,11 @@ option enables various workarounds.
=item B<-no_tx_cert_comp>
-Disables support for sending TLSv1.3 compressed certificates.
+Disables support for sending (D)TLSv1.3 compressed certificates.
=item B<-no_rx_cert_comp>
-Disables support for receiving TLSv1.3 compressed certificate.
+Disables support for receiving (D)TLSv1.3 compressed certificate.
=item B<-comp>
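Review bot: the B<-no_rx_cert_comp> line is rewritten but keeps the singular "compressed certificate." while the B<-no_tx_cert_comp> line directly above and the matching s_server entry say "compressed certificates."; since the line is already being changed, make it plural here too: `+Disables support for receiving (D)TLSv1.3 compressed certificates.`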
@@ -748,7 +748,8 @@ for example "http/1.1" or "spdy/3".
An empty list of protocols is treated specially and will cause the
client to advertise support for the TLS extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
-The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3> is
+used.
=item B<-ct>, B<-noct>
@@ -778,8 +779,8 @@ data and when the server accepts the early data.
=item B<-enable_pha>
-For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
-happen whether or not a certificate has been provided via B<-cert>.
+For (D)TLSv1.3 only, send the Post-Handshake Authentication extension. This
+will happen whether or not a certificate has been provided via B<-cert>.
=item B<-use_srtp> I<value>
@@ -889,7 +890,7 @@ End the current SSL connection and exit.
=item B<R>
-Renegotiate the SSL session (TLSv1.2 and below only).
+Renegotiate the SSL session ((D)TLSv1.2 and below only).
=item B<C>
@@ -897,11 +898,11 @@ Attempt to reconnect to the server using a resumption handshake.
=item B<k>
-Send a key update message to the server (TLSv1.3 only)
+Send a key update message to the server ((D)TLSv1.3 only)
=item B<K>
-Send a key update message to the server and request one back (TLSv1.3 only)
+Send a key update message to the server and request one back ((D)TLSv1.3 only)
=back
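Review bot: the B<k> and B<K> descriptions are rewritten here without a trailing full stop, whereas the equivalent lines in the s_server hunk of this same patch gain one; pick one style for both files, e.g. `+Send a key update message to the server ((D)TLSv1.3 only).` and `+Send a key update message to the server and request one back ((D)TLSv1.3 only).`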
@@ -942,7 +943,7 @@ Reconnect to the peer and attempt a resumption handshake
=item B<keyup>
-Send a Key Update message. TLSv1.3 only. This command takes an optional
+Send a Key Update message. (D)TLSv1.3 only. This command takes an optional
argument. If the argument "req" is supplied then the peer is also requested to
update its keys. Otherwise if "noreq" is supplied the the peer is not requested
to update its keys. The default is "req".
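Review bot: the unchanged context line `Otherwise if "noreq" is supplied the the peer is not requested` has a duplicated "the"; since this paragraph is already touched by the hunk, fold the fix in: `Otherwise if "noreq" is supplied the peer is not requested`.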
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 268eca066b..8513e44342 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -617,11 +617,11 @@ option enables various workarounds.
=item B<-no_tx_cert_comp>
-Disables support for sending TLSv1.3 compressed certificates.
+Disables support for sending (D)TLSv1.3 compressed certificates.
=item B<-no_rx_cert_comp>
-Disables support for receiving TLSv1.3 compressed certificates.
+Disables support for receiving (D)TLSv1.3 compressed certificates.
=item B<-no_comp>
@@ -642,14 +642,14 @@ more information.
=item B<-no_ticket>
-Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
-is negotiated. See B<-num_tickets>.
+Disable RFC4507bis session ticket support. This option has no effect if
+(D)TLSv1.3 is negotiated. See B<-num_tickets>.
=item B<-num_tickets>
Control the number of tickets that will be sent to the client after a full
-handshake in TLSv1.3. The default number of tickets is 2. This option does not
-affect the number of tickets sent after a resumption handshake.
+handshake in (D)TLSv1.3. The default number of tickets is 2. This option does
+not affect the number of tickets sent after a resumption handshake.
=item B<-serverpref>
@@ -760,8 +760,8 @@ connect to that peer and complete the handshake.
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
-conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
-available where OpenSSL has support for SCTP enabled.
+conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option
+is only available where OpenSSL has support for SCTP enabled.
=item B<-sctp_label_bug>
@@ -789,7 +789,8 @@ The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
-The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3>
+is used.
=item B<-ktls>
@@ -837,16 +838,16 @@ B<-WWW>, B<-HTTP> or B<-rev>.
=item B<-stateless>
-Require TLSv1.3 cookies.
+Require (D)TLSv1.3 cookies.
=item B<-anti_replay>, B<-no_anti_replay>
Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, OpenSSL will
-automatically detect if a session ticket has been used more than once, TLSv1.3
-has been negotiated, and early data is enabled on the server. A full handshake
-is forced if a session ticket is used a second or subsequent time. Any early
-data that was sent will be rejected.
+automatically detect if a session ticket has been used more than once,
+(D)TLSv1.3 has been negotiated, and early data is enabled on the server. A full
+handshake is forced if a session ticket is used a second or subsequent time.
+Any early data that was sent will be rejected.
=item B<-tfo>
@@ -922,12 +923,12 @@ End the current SSL connection and exit.
=item B<r>
-Renegotiate the SSL session (TLSv1.2 and below only).
+Renegotiate the SSL session ((D)TLSv1.2 and below only).
=item B<R>
-Renegotiate the SSL session and request a client certificate (TLSv1.2 and below
-only).
+Renegotiate the SSL session and request a client certificate ((D)TLSv1.2 and
+below only).
=item B<P>
@@ -940,15 +941,15 @@ Print out some session cache status information.
=item B<k>
-Send a key update message to the client (TLSv1.3 only)
+Send a key update message to the client ((D)TLSv1.3 only).
=item B<K>
-Send a key update message to the client and request one back (TLSv1.3 only)
+Send a key update message to the client and request one back ((D)TLSv1.3 only).
=item B<c>
-Send a certificate request to the client (TLSv1.3 only)
+Send a certificate request to the client ((D)TLSv1.3 only).
=back
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index f4274d53b7..66191b1cb8 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -609,12 +609,12 @@ the B<no_> options.
The B<no_*> options do not work with B<s_time> and B<ciphers> commands but work with
B<s_client> and B<s_server> commands.
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
+=item B<-dtls>, B<-dtls1>, B<-dtls1_2>, B<-dtls1_3>
These options specify to use DTLS instead of TLS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
-Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
-respectively.
+Use the B<-dtls1>, B<-dtls1_2> or B<-dtls1_3> options to support only DTLS1.0,
+DTLS1.2 or DTLS1.3 respectively.
=back
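Review bot: the rewritten sentence drops the comma before "respectively" (`+DTLS1.2 or DTLS1.3 respectively.`) that the replaced line had; keep it as `+DTLS1.2 or DTLS1.3, respectively.` so the punctuation matches the original wording.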
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 06dac990cf..92d77a2bf1 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -162,11 +162,12 @@ $OpenSSL::safe::opt_version_synopsis = ""
. "$OpenSSL::safe::opt_versiontls_synopsis\n"
. "[B<-dtls>]\n"
. "[B<-dtls1>]\n"
-. "[B<-dtls1_2>]";
+. "[B<-dtls1_2>]\n"
+. "[B<-dtls1_3>]";
$OpenSSL::safe::opt_version_item = "\n"
. "$OpenSSL::safe::opt_versiontls_item\n"
. "\n"
-. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n"
+. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>, B<-dtls1_3>\n"
. "\n"
. "These specify the use of DTLS instead of TLS.\n"
. "See L<openssl(1)/TLS Version Options>.";