| author | Matt Caswell <matt@openssl.org> | 2015-10-29 14:50:40 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-10-30 09:17:22 +0000 |
| commit | 87d9cafa332bd006086b56dc645c03fe7cfed654 (patch) | |
| tree | 299d281d0ed31067bb9417d5faff2a194950996f /doc | |
| parent | b7fa1f989d0059ad7b992c11797f37f095d61204 (diff) | |
Remove some SSLv2 references
There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 12 |
| -rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 13 |
| -rw-r--r-- | doc/ssl/SSL_read.pod | 5 |
| -rw-r--r-- | doc/ssl/SSL_write.pod | 4 |
| -rw-r--r-- | doc/ssl/ssl.pod | 6 |

5 files changed, 10 insertions, 30 deletions
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index e8eeb15f15..bebd20485c 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -371,16 +371,16 @@ argument. The order of operations is significant. This can be used to set either defaults or values which cannot be overridden. For example if an application calls: - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); SSL_CONF_cmd(ctx, userparam, uservalue); -it will disable SSLv2 support by default but the user can override it. If +it will disable SSLv3 support by default but the user can override it. If however the call sequence is: SSL_CONF_cmd(ctx, userparam, uservalue); - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); -SSLv2 is B<always> disabled and attempt to override this by the user are +SSLv3 is B<always> disabled and attempt to override this by the user are ignored. By checking the return code of SSL_CTX_cmd() it is possible to query if a @@ -416,9 +416,9 @@ Set supported signature algorithms: SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); -Enable all protocols except SSLv3 and SSLv2: +Enable all protocols except SSLv3: - SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); Only enable TLSv1.2: diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 3a75cdab59..7754e75bfb 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod 
@@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op. When choosing a cipher, use the server's preferences instead of the client preferences. When not set, the SSL server will always follow the clients -preferences. When set, the SSLv3/TLSv1 server will choose following its -own preferences. Because of the different protocol, for SSLv2 the server -will send its list of preferences to the client and the client chooses. +preferences. When set, the SSL/TLS server will choose following its +own preferences. =item SSL_OP_PKCS1_CHECK_1 @@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses. ... - -=item SSL_OP_NO_SSLv2 - -Do not use the SSLv2 protocol. - =item SSL_OP_NO_SSLv3 Do not use the SSLv3 protocol. @@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere. -The deprecated and highly broken SSLv2 protocol does not support -renegotiation at all: its use is B<strongly> discouraged. - This attack has far reaching consequences which application writers should be aware of. In the description below an implementation supporting secure renegotiation is referred to as I<patched>. A server not supporting secure diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index 947c8687f4..e0a9bd47bc 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN). -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, whether the closure was initiated by the peer or by something -else. - =item E<lt>0 The read operation was not successful, because either an error occurred 
diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod index a9841ed331..1fff8548c8 100644 --- a/doc/ssl/SSL_write.pod +++ b/doc/ssl/SSL_write.pod @@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN). -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, why the closure happened. - =item E<lt>0 The write operation was not successful, because either an error occurred diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 9413907b02..421d50066d 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -93,9 +93,7 @@ inside this header file. =item B<ssl2.h> -That's the sub header file dealing with the SSLv2 protocol only. -I<Usually you don't have to include it explicitly because -it's already included by ssl.h>. +Unused. Present for backwards compatibility only. =item B<ssl3.h> @@ -175,7 +173,7 @@ definitions in the header files. =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); -Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the +Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined in the specification the first time). |
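Review bot: the rewritten `+` line in the SSL_CONF_cmd.pod hunk at `@@ -371` carries over a grammar slip from the old text: "SSLv3 is B<always> disabled and attempt to override this by the user are ignored" should read "attempts to override this by the user are ignored"; since the line is already being touched, fix it in the same commit. The unchanged context line just below it refers to "SSL_CTX_cmd()", which is not the function this page documents (the file is SSL_CONF_cmd.pod); it presumably means SSL_CONF_cmd() and could be corrected in the same pass.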
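Review bot: in the SSL_CTX_set_options.pod hunk at `@@ -141`, the new `+` line "When set, the SSL/TLS server will choose following its own preferences." reads awkwardly; suggest "When set, the SSL/TLS server will choose the cipher following its own preferences." The context line directly above it also has "the clients preferences", which should be "the client's preferences"; worth fixing while this paragraph is being rewritten.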
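Review bot: the SSL_CTX_set_options.pod hunk at `@@ -154` deletes the `=item SSL_OP_NO_SSLv2` entry outright. If the macro is still defined in the public headers for source compatibility (this same commit keeps ssl2.h "for backwards compatibility only" in the ssl.pod hunk), the manual entry should not simply vanish: keep an `=item` stating that the option is retained for compatibility and is a no-op, following the "This option is no longer implemented and is treated as no op" wording visible in the context at the top of the `@@ -141` hunk. Otherwise a reader cannot tell from the manual whether setting the flag is an error or harmless.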
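Review bot: "Unused. Present for backwards compatibility only." in the ssl.pod hunk at `@@ -93` does not say what kind of compatibility is meant. Suggest "Unused; retained only so that existing code which includes it directly continues to compile." A one-line pointer that SSLv2 support has been removed would also help readers who open this header looking for it.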
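Review bot: in the ssl.pod hunk at `@@ -175`, the example return strings are updated but the unchanged prototype line above them, "char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);", still lacks the const qualifiers on both the return type and the argument; the declaration in ssl.h is "const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)", so consider updating the entry to "const char *B<SSL_CIPHER_get_version>(const SSL_CIPHER *cipher);" while it is being edited.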