author    Matt Caswell <matt@openssl.org>    2016-10-21 17:39:33 +0100
committer Matt Caswell <matt@openssl.org>    2016-11-02 13:08:21 +0000
commit    582a17d662d123eafbb70c9eaaa140a2559b7cdb (patch)
tree      dbdc271e94609b3095b676a93bac0f242692a1e9 /doc
parent    ffd3d0ef34aac46c06379cc50d38c5c0324c3d4c (diff)
Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r--  doc/man1/ciphers.pod                        |  6
-rw-r--r--  doc/man1/s_client.pod                       |  4
-rw-r--r--  doc/man1/s_server.pod                       |  6
-rw-r--r--  doc/man3/SSL_CONF_cmd.pod                   | 11
-rw-r--r--  doc/man3/SSL_CTX_new.pod                    | 12
-rw-r--r--  doc/man3/SSL_CTX_set_min_proto_version.pod  |  4
-rw-r--r--  doc/man3/SSL_CTX_set_options.pod            |  4
7 files changed, 30 insertions, 17 deletions
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index c392077653..30f572139c 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -15,6 +15,7 @@ B<openssl> B<ciphers>
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
+[B<-tls1_3>]
[B<-s>]
[B<-psk>]
[B<-srp>]
@@ -69,6 +70,11 @@ L<SSL_CIPHER_description(3)>.
Like B<-v>, but include the official cipher suite values in hex.
+=item B<-tls1_3>
+
+In combination with the B<-s> option, list the ciphers which would be used if
+TLSv1.3 were negotiated.
+
=item B<-tls1_2>
In combination with the B<-s> option, list the ciphers which would be used if
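Review bot: The new B<-tls1_3> entry promises "the ciphers which would be used if TLSv1.3 were negotiated", but the commit message states that the only TLSv1.3 ciphersuite added so far is a renamed TLSv1.2 one, so the list this option prints is a placeholder until real TLSv1.3 suites land. Either add a short caveat to the entry, or note in the commit message that the ciphers.pod wording is forward-looking, so that readers of the 1.1.1-dev docs do not treat the current output as the final TLSv1.3 suite set.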
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 4a2a28021c..4f21ea4093 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -68,10 +68,12 @@ B<openssl> B<s_client>
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
+[B<-tls1_3>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
+[B<-no_tls1_3>]
[B<-dtls>]
[B<-dtls1>]
[B<-dtls1_2>]
@@ -336,7 +338,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
By default B<s_client> will negotiate the highest mutually supported protocol
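Review bot: The explanatory paragraph under this =item ("These options require or disable the use of the specified SSL or TLS protocols") is left unchanged while the list of flags grows, and it still does not say that the B<-no_*> family is deprecated, which is exactly what the SSL_CONF_cmd.pod hunk in this same patch states for the equivalent commands ("These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>"). Since B<-no_tls1_3> is being introduced already deprecated, add one sentence here pointing users at B<-min_protocol>/B<-max_protocol> so that the two documents agree.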
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index b0d7888730..b6c5659972 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -69,6 +69,9 @@ B<openssl> B<s_server>
[B<-quiet>]
[B<-ssl3>]
[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-tls1_3>]
[B<-dtls>]
[B<-dtls1>]
[B<-dtls1_2>]
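Review bot: B<-tls1_1> and B<-tls1_2> are added to the s_server synopsis here, but neither is mentioned in the commit message, which only speaks of TLSv1.3. This is a pre-existing omission (both flags are already documented in the =item list further down in s_server.pod), so the fix is welcome, but it should be called out in the message, or split into its own commit, so the change is not mistaken for part of the TLSv1.3 work when bisecting.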
@@ -81,6 +84,7 @@ B<openssl> B<s_server>
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
+[B<-no_tls1_3>]
[B<-no_dhe>]
[B<-bugs>]
[B<-comp>]
@@ -295,7 +299,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
By default B<s_server> will negotiate the highest mutually supported protocol
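Review bot: The rewritten =item line still lists B<-ssl2> and B<-no_ssl2>, but SSLv2 support was removed in OpenSSL 1.1.0 (the SSL_CTX_set_options.pod hunk in this patch itself says "As of OpenSSL 1.1.0 ..."), and the matching s_client.pod line in this patch does not list them. Since the line is being touched anyway, drop B<-ssl2> and B<-no_ssl2> so that s_server.pod and s_client.pod document the same protocol flags:

=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>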
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index d8c0e9b95d..60b80d39ee 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -121,12 +121,13 @@ if specified.
To restrict the supported protocol versions use these commands rather
than the deprecated alternative commands below.
-=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-Disables protocol support for SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2 by setting the
-corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>
-and B<SSL_OP_NO_TLSv1_2> respectively.
-These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>.
+Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
+setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
+respectively. These options are deprecated, instead use B<-min_protocol> and
+B<-max_protocol>.
=item B<-bugs>
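Review bot: The reflowed paragraph keeps the comma splice "These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>."; while rewrapping it, change it to "These options are deprecated; use B<-min_protocol> and B<-max_protocol> instead." Also check that the B<-min_protocol>/B<-max_protocol> commands this paragraph refers to (and their B<MinProtocol>/B<MaxProtocol> file equivalents) accept a TLSv1.3 value, since this hunk only updates the deprecated B<-no_*> entries and a user told to migrate away from B<-no_tls1_3> needs a non-deprecated way to express the same restriction.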
diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod
index 29387d343f..512fca8de0 100644
--- a/doc/man3/SSL_CTX_new.pod
+++ b/doc/man3/SSL_CTX_new.pod
@@ -156,12 +156,12 @@ and be able to negotiate with all possible clients, but to only
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
The list of protocols available can also be limited using the
-B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> and
-B<SSL_OP_NO_TLSv1_2> options of the L<SSL_CTX_set_options(3)> or
-L<SSL_set_options(3)> functions, but this approach is not recommended.
-Clients should avoid creating "holes" in the set of protocols they support.
-When disabling a protocol, make sure that you also disable either all previous
-or all subsequent protocol versions.
+B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>,
+B<SSL_OP_NO_TLSv1_3> and B<SSL_OP_NO_TLSv1_2> options of the
+L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions, but this approach
+is not recommended. Clients should avoid creating "holes" in the set of
+protocols they support. When disabling a protocol, make sure that you also
+disable either all previous or all subsequent protocol versions.
In clients, when a protocol version is disabled without disabling I<all>
previous protocol versions, the effect is to also disable all subsequent
protocol versions.
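Review bot: The option list in this hunk is out of version order: "B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_3> and B<SSL_OP_NO_TLSv1_2>" places TLSv1_3 before TLSv1_2. The surrounding text is about not creating "holes" in the ordered set of protocol versions, so the list should be in ascending order to match, i.e. "B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>". While here, the unchanged context line above ("allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2") could also mention TLS 1.3, since this page is the place that recommends the TLS_method()/min-version approach over per-version option flags.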
diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod
index 3e9fe80b70..5996d48fe3 100644
--- a/doc/man3/SSL_CTX_set_min_proto_version.pod
+++ b/doc/man3/SSL_CTX_set_min_proto_version.pod
@@ -29,8 +29,8 @@ versions down to the lowest version, or up to the highest version
supported by the library, respectively.
Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>,
-B<TLS1_1_VERSION>, B<TLS1_2_VERSION> for TLS and B<DTLS1_VERSION>,
-B<DTLS1_2_VERSION> for DTLS.
+B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<TLS1_3_VERSION> for TLS and
+B<DTLS1_VERSION>, B<DTLS1_2_VERSION> for DTLS.
=head1 RETURN VALUES
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index 63609f3a31..921c812ef3 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -155,9 +155,9 @@ own preferences.
=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
-SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
+SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
-These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2 protocol
+These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
respectively.
As of OpenSSL 1.1.0, these options are deprecated, use