69 files changed, 229 insertions, 5569 deletions
@@ -847,7 +847,6 @@ PROCESS_ARGS: { if ($1 eq "ssl") { - $disabled{"ssl2"} = "option(ssl)"; $disabled{"ssl3"} = "option(ssl)"; } elsif ($1 eq "tls") @@ -1062,12 +1061,6 @@ if (defined($disabled{"ec"})) $disabled{"ecdh"} = "forced"; } -# SSL 2.0 requires MD5 and RSA -if (defined($disabled{"md5"}) || defined($disabled{"rsa"})) - { - $disabled{"ssl2"} = "forced"; - } - # SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH if (defined($disabled{"md5"}) || defined($disabled{"sha"}) || (defined($disabled{"rsa"}) diff --git a/INSTALL.VMS b/INSTALL.VMS index e5d43a57ab..6a50e6f4e7 100644 --- a/INSTALL.VMS +++ b/INSTALL.VMS @@ -134,7 +134,7 @@ Currently, the logical names supported are: will not be implemented. Supported algorithms to do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD, SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC, - SSL2. So, for example, having the logical name + SSL3. So, for example, having the logical name OPENSSL_NO_RSA with the value YES means that the LIBCRYPTO.OLB library will not contain an RSA implementation. diff --git a/Netware/do_tests.pl b/Netware/do_tests.pl index ac482dbe2b..f8909a43cc 100644 --- a/Netware/do_tests.pl +++ b/Netware/do_tests.pl 
@@ -270,22 +270,6 @@ sub ssl_tests print( OUT "\n========================================================\n"); print( OUT "SSL TESTS:\n\n"); - system("ssltest -ssl2 (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2:"); - log_output("ssltest -ssl2", $outFile); - - system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with server authentication:"); - log_output("$ssltest -ssl2 -server_auth", $outFile); - - system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with client authentication:"); - log_output("$ssltest -ssl2 -client_auth", $outFile); - - system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with both client and server authentication:"); - log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile); - system("ssltest -ssl3 (CLIB_OPT)/>$outFile"); log_desc("Testing sslv3:"); log_output("ssltest -ssl3", $outFile); 
@@ -318,26 +302,10 @@ sub ssl_tests log_desc("Testing sslv2/sslv3 with both client and server authentication:"); log_output("$ssltest -server_auth -client_auth", $outFile); - system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 via BIO pair:"); - log_output("ssltest -bio_pair -ssl2", $outFile); - system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile"); log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:"); log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile); - system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with server authentication via BIO pair:"); - log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile); - - system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with client authentication via BIO pair:"); - log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile); - - system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile"); - log_desc("Testing sslv2 with both client and server authentication via BIO pair:"); - log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile); - system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile"); log_desc("Testing sslv3 via BIO pair:"); log_output("ssltest -bio_pair -ssl3", $outFile); diff --git a/apps/ciphers.c b/apps/ciphers.c index 85760cd42d..7de7dd3b38 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -73,7 +73,6 @@ static const char *ciphers_usage[]={ "usage: ciphers args\n", " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", " -V - even more verbose\n", -" -ssl2 - SSL2 mode\n", " -ssl3 - SSL3 mode\n", " -tls1 - TLS1 mode\n", NULL 
@@ -130,10 +129,6 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-stdname") == 0) stdname=verbose=1; #endif -#ifndef OPENSSL_NO_SSL2 - else if (strcmp(*argv,"-ssl2") == 0) - meth=SSLv2_client_method(); -#endif #ifndef OPENSSL_NO_SSL3 else if (strcmp(*argv,"-ssl3") == 0) meth=SSLv3_client_method(); @@ -210,9 +205,7 @@ int MAIN(int argc, char **argv) int id2 = (int)((id >> 8) & 0xffL); int id3 = (int)(id & 0xffL); - if ((id & 0xff000000L) == 0x02000000L) - BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */ - else if ((id & 0xff000000L) == 0x03000000L) + if ((id & 0xff000000L) == 0x03000000L) BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */ else BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ diff --git a/apps/s_cb.c b/apps/s_cb.c index 0184125447..f3892f92e6 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -621,8 +621,6 @@ static const char *ssl_version_str(int version) { switch (version) { - case SSL2_VERSION: - return "SSL 2.0"; case SSL3_VERSION: return "SSL 3.0"; case TLS1_VERSION: 
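Review bot: The `-ssl3` branch that survives in the option parser of apps/ciphers.c (hunk at -130,10) is guarded by `#ifndef OPENSSL_NO_SSL3`, while the same branch in apps/s_client.c and apps/s_server.c in this commit is guarded by `#ifndef OPENSSL_NO_SSL3_METHOD`; apps/s_time.c (hunk at -282,10) uses the `OPENSSL_NO_SSL3` guard as well. All four call an SSLv3-only method getter, so a build that defines only OPENSSL_NO_SSL3_METHOD would presumably still reference `SSLv3_client_method()` from ciphers.c and s_time.c. I would switch both to `#ifndef OPENSSL_NO_SSL3_METHOD` so the tools agree on which macro disables the SSLv3-only method. MAIN() and parseArgs() start and end outside these hunks.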
@@ -649,67 +647,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * str_version = ssl_version_str(version); - if (version == SSL2_VERSION) - { - str_details1 = "???"; - - if (len > 0) - { - switch (((const unsigned char*)buf)[0]) - { - case 0: - str_details1 = ", ERROR:"; - str_details2 = " ???"; - if (len >= 3) - { - unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2]; - - switch (err) - { - case 0x0001: - str_details2 = " NO-CIPHER-ERROR"; - break; - case 0x0002: - str_details2 = " NO-CERTIFICATE-ERROR"; - break; - case 0x0004: - str_details2 = " BAD-CERTIFICATE-ERROR"; - break; - case 0x0006: - str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR"; - break; - } - } - - break; - case 1: - str_details1 = ", CLIENT-HELLO"; - break; - case 2: - str_details1 = ", CLIENT-MASTER-KEY"; - break; - case 3: - str_details1 = ", CLIENT-FINISHED"; - break; - case 4: - str_details1 = ", SERVER-HELLO"; - break; - case 5: - str_details1 = ", SERVER-VERIFY"; - break; - case 6: - str_details1 = ", SERVER-FINISHED"; - break; - case 7: - str_details1 = ", REQUEST-CERTIFICATE"; - break; - case 8: - str_details1 = ", CLIENT-CERTIFICATE"; - break; - } - } - } - if (version == SSL3_VERSION || version == TLS1_VERSION || version == TLS1_1_VERSION || @@ -1829,11 +1766,6 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx, case SSL_SECOP_CURVE_CHECK: nm = "Check Curve"; break; - case SSL_SECOP_SSL2_COMPAT: - BIO_puts(sdb->out, "SSLv2 compatible"); - show_bits = 0; - nm = NULL; - break; case SSL_SECOP_VERSION: BIO_printf(sdb->out, "Version=%s", ssl_version_str(nid)); show_bits = 0; diff --git a/apps/s_client.c b/apps/s_client.c index cde7713300..1a30ef2241 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -335,7 +335,6 @@ static void sc_usage(void) BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); #endif - BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); #ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); #endif @@ -345,9 +344,8 @@ static void sc_usage(void) BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); - BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); + BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); - BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); BIO_printf(bio_err," command to see what is available\n"); BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); @@ -912,10 +910,6 @@ static char *jpake_secret = NULL; meth=TLSv1_client_method(); } #endif -#ifndef OPENSSL_NO_SSL2 - else if (strcmp(*argv,"-ssl2") == 0) - meth=SSLv2_client_method(); -#endif #ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) meth=SSLv3_client_method(); @@ -2198,14 +2192,12 @@ end: static void print_stuff(BIO *bio, SSL *s, int full) { X509 *peer=NULL; - char *p; - static const char *space=" "; char buf[BUFSIZ]; STACK_OF(X509) *sk; STACK_OF(X509_NAME) *sk2; const SSL_CIPHER *c; X509_NAME *xn; - int j,i; + int i; #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; #endif 
@@ -2267,34 +2259,6 @@ static void print_stuff(BIO *bio, SSL *s, int full) { BIO_printf(bio,"---\nNo client certificate CA names sent\n"); } - p=SSL_get_shared_ciphers(s,buf,sizeof buf); - if (p != NULL) - { - /* This works only for SSL 2. In later protocol - * versions, the client does not know what other - * ciphers (in addition to the one to be used - * in the current connection) the server supports. */ - - BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n"); - j=i=0; - while (*p) - { - if (*p == ':') - { - BIO_write(bio,space,15-j%25); - i++; - j=0; - BIO_write(bio,((i%3)?" ":"\n"),1); - } - else - { - BIO_write(bio,p,1); - j++; - } - p++; - } - BIO_write(bio,"\n",1); - } ssl_print_sigalgs(bio, s); ssl_print_tmp_key(bio, s); diff --git a/apps/s_server.c b/apps/s_server.c index d7d3ab25d6..504d3d9f07 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -508,7 +508,6 @@ static void sv_usage(void) BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); #endif - BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); #ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); #endif @@ -520,7 +519,6 @@ static void sv_usage(void) BIO_printf(bio_err," -timeout - Enable timeouts\n"); BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); - BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); 
@@ -1406,13 +1404,6 @@ int MAIN(int argc, char *argv[]) { www=2; } else if (strcmp(*argv,"-HTTP") == 0) { www=3; } -#ifndef OPENSSL_NO_SSL2 - else if (strcmp(*argv,"-ssl2") == 0) - { - no_ecdhe=1; - meth=SSLv2_server_method(); - } -#endif #ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) { meth=SSLv3_server_method(); } @@ -1768,9 +1759,6 @@ bad: if(strlen(session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if(strlen(session_id_prefix) >= 16) - BIO_printf(bio_err, -"warning: id_prefix is too long if you use SSLv2\n"); if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) { BIO_printf(bio_err,"error setting 'id_prefix'\n"); @@ -1855,9 +1843,6 @@ bad: if(strlen(session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if(strlen(session_id_prefix) >= 16) - BIO_printf(bio_err, - "warning: id_prefix is too long if you use SSLv2\n"); if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) { BIO_printf(bio_err,"error setting 'id_prefix'\n"); diff --git a/apps/s_time.c b/apps/s_time.c index 81dad53243..6542be2827 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -186,7 +186,6 @@ static void s_time_usage(void) printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME); #ifdef FIONBIO printf("-nbio - Run with non-blocking IO\n"); - printf("-ssl2 - Just use SSLv2\n"); printf("-ssl3 - Just use SSLv3\n"); printf("-bugs - Turn on SSL bug compatibility\n"); printf("-new - Just time new connections\n"); @@ -282,10 +281,6 @@ static int parseArgs(int argc, char **argv) } else if(strcmp(*argv,"-bugs") == 0) st_bugs=1; -#ifndef OPENSSL_NO_SSL2 - else if(strcmp(*argv,"-ssl2") == 0) - s_time_meth=SSLv2_client_method(); -#endif #ifndef OPENSSL_NO_SSL3 else if(strcmp(*argv,"-ssl3") == 0) s_time_meth=SSLv3_client_method(); 
@@ -430,8 +425,6 @@ int MAIN(int argc, char **argv) ver='t'; else if (ver == SSL3_VERSION) ver='3'; - else if (ver == SSL2_VERSION) - ver='2'; else ver='*'; } @@ -523,8 +516,6 @@ next: ver='t'; else if (ver == SSL3_VERSION) ver='3'; - else if (ver == SSL2_VERSION) - ver='2'; else ver='*'; } diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index 547796baa7..33005ccee3 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -51,7 +51,6 @@ F RSAREF_F_RSA_PRIVATE_DECRYPT F RSAREF_F_RSA_PRIVATE_ENCRYPT F RSAREF_F_RSA_PUBLIC_DECRYPT F RSAREF_F_RSA_PUBLIC_ENCRYPT -#F SSL_F_CLIENT_CERTIFICATE R SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 R SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c index 311e1fe2f8..99f9cd568f 100644 --- a/crypto/evp/c_alld.c +++ b/crypto/evp/c_alld.c @@ -69,7 +69,6 @@ void OpenSSL_add_all_digests(void) #endif #ifndef OPENSSL_NO_MD5 EVP_add_digest(EVP_md5()); - EVP_add_digest_alias(SN_md5,"ssl2-md5"); EVP_add_digest_alias(SN_md5,"ssl3-md5"); #endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0) diff --git a/crypto/threads/mttest.c b/crypto/threads/mttest.c index eba7aa8a6e..da2707ef7a 100644 --- a/crypto/threads/mttest.c +++ b/crypto/threads/mttest.c @@ -217,8 +217,6 @@ int main(int argc, char *argv[]) cache_stats=1; else if (strcmp(*argv,"-ssl3") == 0) ssl_method=SSLv3_method(); - else if (strcmp(*argv,"-ssl2") == 0) - ssl_method=SSLv2_method(); else if (strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; diff --git a/demos/ssl/cli.cpp b/demos/ssl/cli.cpp index 5b4406d16f..a5bee1c7b9 100644 --- a/demos/ssl/cli.cpp +++ b/demos/ssl/cli.cpp @@ -38,7 +38,7 @@ void main () SSL_METHOD *meth; SSLeay_add_ssl_algorithms(); - meth = SSLv2_client_method(); + meth = SSLv23_client_method(); SSL_load_error_strings(); ctx = SSL_CTX_new (meth); CHK_NULL(ctx); diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 6bdc07746e..5f8dac4e19 100644 --- a/doc/apps/ciphers.pod 
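Review bot: In demos/ssl/cli.cpp the replacement `SSLv23_client_method()` is version-flexible, so as written the demo can still negotiate SSL 3.0, which is no safer to show in sample code than the protocol being removed. Because demo code gets copied, I would restrict the context right after `CHK_NULL(ctx);` with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` and add a one-line comment that the "v23" name means "negotiate the highest common version", not "SSLv2 or SSLv3 only". The context line `SSL_METHOD *meth;` may also need to become `const SSL_METHOD *meth;` if the method getters return a const pointer in this tree. The rest of main() is outside the hunk.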
+++ b/doc/apps/ciphers.pod @@ -10,7 +10,6 @@ B<openssl> B<ciphers> [B<-s>] [B<-v>] [B<-V>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] [B<-stdname>] @@ -35,12 +34,9 @@ not used then ciphers excluded by the security level will still be listed. =item B<-v> Verbose option. List ciphers with a complete description of -protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, +protocol version, key exchange, authentication, encryption and mac algorithms used along with any key size restrictions and whether the algorithm is classed as an "export" cipher. -Note that without the B<-v> option, ciphers may seem to appear twice -in a cipher list; this is when similar ciphers are available for -SSL v2 and for SSL v3/TLS v1. =item B<-V> @@ -50,10 +46,6 @@ Like B<-v>, but include cipher suite codes in output (hex format). only include SSL v3 ciphers. -=item B<-ssl2> - -only include SSL v2 ciphers. - =item B<-tls1> only include TLS v1 ciphers. @@ -259,9 +251,9 @@ keys. ciphers suites using FORTEZZA key exchange, authentication, encryption or all FORTEZZA algorithms. Not implemented. -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2> +=item B<TLSv1.2>, B<TLSv1>, B<SSLv3> -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: +TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note: there are no ciphersuites specific to TLS v1.1. =item B<AES128>, B<AES256>, B<AES> @@ -605,17 +597,6 @@ Note: these ciphers can also be used in SSL v3. TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA -=head2 Deprecated SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 - SSL_CK_RC2_128_CBC_ |