diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/apps/ciphers.pod | 25 | ||||
| -rw-r--r-- | doc/apps/s_client.pod | 18 | ||||
| -rw-r--r-- | doc/apps/s_server.pod | 6 | ||||
| -rw-r--r-- | doc/apps/s_time.pod | 10 | ||||
| -rw-r--r-- | doc/apps/sess_id.pod | 6 | ||||
| -rw-r--r-- | doc/ssl/SSL_CIPHER_get_name.pod | 4 | ||||
| -rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 11 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_new.pod | 31 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_set_cipher_list.pod | 4 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_set_generate_session_id.pod | 26 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 11 | ||||
| -rw-r--r-- | doc/ssl/SSL_get_default_timeout.pod | 2 | ||||
| -rw-r--r-- | doc/ssl/SSL_get_version.pod | 4 | ||||
| -rw-r--r-- | doc/ssl/SSL_new.pod | 2 | ||||
| -rw-r--r-- | doc/ssl/SSL_shutdown.pod | 4 | ||||
| -rw-r--r-- | doc/ssl/ssl.pod | 25 |
16 files changed, 50 insertions, 139 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index 6bdc07746e..5f8dac4e19 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -10,7 +10,6 @@ B<openssl> B<ciphers> [B<-s>] [B<-v>] [B<-V>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] [B<-stdname>] @@ -35,12 +34,9 @@ not used then ciphers excluded by the security level will still be listed. =item B<-v> Verbose option. List ciphers with a complete description of -protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, +protocol version, key exchange, authentication, encryption and mac algorithms used along with any key size restrictions and whether the algorithm is classed as an "export" cipher. -Note that without the B<-v> option, ciphers may seem to appear twice -in a cipher list; this is when similar ciphers are available for -SSL v2 and for SSL v3/TLS v1. =item B<-V> @@ -50,10 +46,6 @@ Like B<-v>, but include cipher suite codes in output (hex format). only include SSL v3 ciphers. -=item B<-ssl2> - -only include SSL v2 ciphers. - =item B<-tls1> only include TLS v1 ciphers. @@ -259,9 +251,9 @@ keys. ciphers suites using FORTEZZA key exchange, authentication, encryption or all FORTEZZA algorithms. Not implemented. -=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2> +=item B<TLSv1.2>, B<TLSv1>, B<SSLv3> -TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: +TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note: there are no ciphersuites specific to TLS v1.1. =item B<AES128>, B<AES256>, B<AES> @@ -605,17 +597,6 @@ Note: these ciphers can also be used in SSL v3. TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA -=head2 Deprecated SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 - SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - - =head1 NOTES Some compiled versions of OpenSSL may not include all the ciphers diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 2057dc86e0..17308b4801 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -58,10 +58,8 @@ B<openssl> B<s_client> [B<-ign_eof>] [B<-no_ign_eof>] [B<-quiet>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] -[B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] [B<-no_tls1_1>] @@ -248,11 +246,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +servers and permit them to use SSL v3 or TLS as appropriate. Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only @@ -279,10 +277,6 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B<ciphers> command for more information. -=item B<-serverpref> - -use the server's cipher preferences; only used for SSLV2. - =item B<-starttls protocol> send the protocol-specific message(s) to switch to TLS for communication. @@ -373,8 +367,8 @@ would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as "GET /" to retrieve a web page. If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, -B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried +nothing obvious like no client certificate then the B<-bugs>, +B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried in case it is a buggy server. In particular you should play with these options B<before> submitting a bug report to an OpenSSL mailing list. @@ -396,10 +390,6 @@ on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the B<-showcerts> option can be used to show the whole chain. -Since the SSLv23 client hello cannot include compression methods or extensions -these will only be supported if its use is disabled, for example by using the -B<-no_sslv2> option. - The B<s_client> utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 3085944e4b..1cc965f3e9 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -64,10 +64,8 @@ B<openssl> B<s_server> [B<-serverpref>] [B<-quiet>] [B<-no_tmp_rsa>] -[B<-ssl2>] [B<-ssl3>] [B<-tls1>] -[B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] [B<-no_dhe>] @@ -279,11 +277,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> +=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +servers and permit them to use SSL v3 or TLS as appropriate. =item B<-bugs> diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod index 5a38aa2e03..b8dad09a03 100644 --- a/doc/apps/s_time.pod +++ b/doc/apps/s_time.pod @@ -19,7 +19,6 @@ B<openssl> B<s_time> [B<-verify depth>] [B<-nbio>] [B<-time seconds>] -[B<-ssl2>] [B<-ssl3>] [B<-bugs>] [B<-cipher cipherlist>] @@ -92,18 +91,17 @@ specified, they are both on by default and executed in sequence. turns on non-blocking I/O. -=item B<-ssl2>, B<-ssl3> +=item B<-ssl3> these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. +servers and permit them to use SSL v3 or TLS as appropriate. The timing program is not as rich in options to turn protocols on and off as the L<s_client(1)|s_client(1)> program and may not connect to all servers. Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if TLS is turned off with the B<-ssl3> option; others -will only support SSL v2 and may need the B<-ssl2> option. +work if TLS is turned off with the B<-ssl3> option. =item B<-bugs> @@ -137,7 +135,7 @@ which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command for details. If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>, +nothing obvious like no client certificate then the B<-bugs> and B<-ssl3> options can be tried in case it is a buggy server. In particular you should play with these options B<before> submitting a bug report to an OpenSSL mailing list. diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod index fb5ce12962..a8b0ef09eb 100644 --- a/doc/apps/sess_id.pod +++ b/doc/apps/sess_id.pod @@ -92,7 +92,7 @@ Theses are described below in more detail. =item B<Protocol> -this is the protocol in use TLSv1, SSLv3 or SSLv2. +this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3. =item B<Cipher> @@ -111,10 +111,6 @@ the session ID context in hex format. this is the SSL session master key. -=item B<Key-Arg> - -the key argument, this is only used in SSL v2. - =item B<Start Time> this is the session start time represented as an integer in standard Unix format. diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod index 2048bfb8a1..ec7011efe9 100644 --- a/doc/ssl/SSL_CIPHER_get_name.pod +++ b/doc/ssl/SSL_CIPHER_get_name.pod @@ -25,7 +25,7 @@ chosen algorithm. If B<cipher> is NULL, 0 is returned. SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol version that first defined the cipher. -This is currently B<SSLv2> or B<TLSv1/SSLv3>. +This is currently B<TLSv1/SSLv3>. In some cases it should possibly return "TLSv1.2" but does not; use SSL_CIPHER_description() instead. If B<cipher> is NULL, "(NONE)" is returned. @@ -56,7 +56,7 @@ Textual representation of the cipher name. =item <protocol version> -Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are +Protocol version: B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx=<key exchange> diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index f96d8d941d..90a20d6c49 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -109,10 +109,10 @@ Attempts to use the file B<value> as the set of temporary DH parameters for the appropriate context. This option is only supported if certificate operations are permitted. -=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> -Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>, +Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B<SSL_OP_NO_SSL3>, B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. =item B<-bugs> @@ -259,7 +259,7 @@ The supported versions of the SSL or TLS protocol. The B<value> argument is a comma separated list of supported protocols to enable or disable. If an protocol is preceded by B<-> that version is disabled. All versions are enabled by default, though applications may choose to -explicitly disable some. Currently supported protocol values are B<SSLv2>, +explicitly disable some. Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers to all supported versions. @@ -435,4 +435,7 @@ L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> SSL_CONF_cmd() was first added to OpenSSL 1.0.2 +B<SSL_OP_NO_SSL2> doesn't have effect anymore since 1.1.0 but the define is kept +for backward compatibility. + =cut diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 7593cf60cf..0da3f7be8e 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_CTX_new, SSLv2_method, SSLv2_server_method, SSLv2_client_method, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions +SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method - create a new SSL_CTX object as framework for TLS/SSL enabled functions =head1 SYNOPSIS @@ -23,14 +23,6 @@ client only type. B<method> can be of the following types: =over 4 -=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void) - -A TLS/SSL connection established with these methods will only understand -the SSLv2 protocol. A client will send out SSLv2 client hello messages -and will also indicate that it only understand SSLv2. A server will only -understand SSLv2 client hello messages. The SSLv2 protocol is deprecated -and very broken: its use is B<strongly> discouraged. - =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) A TLS/SSL connection established with these methods will only understand the @@ -62,33 +54,25 @@ SSLv3 client hello messages. =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) -A TLS/SSL connection established with these methods may understand the SSLv2, +A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. -If the cipher list does not contain any SSLv2 ciphersuites (the default -cipher list does not) or extensions are required (for example server name) +If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern. -If any SSLv2 ciphersuites are included in the cipher list and no extensions -are required then SSLv2 compatible client hellos will be used by clients and -SSLv2 will be accepted by servers. This is B<not> recommended due to the -insecurity of SSLv2 and the limited nature of the SSLv2 client hello -prohibiting the use of extensions. - =back -The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, +The list of protocols available can later be limited using the SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 options of the SSL_CTX_set_options() or SSL_set_options() functions. Using these options it is possible to choose e.g. SSLv23_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLSv1, TLSv1.1 or TLS v1.2. -Applications which never want to support SSLv2 (even is the cipher string -is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. +Applications which never want to support SSLv3 can set SSL_OP_NO_SSLv3. SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to its default @@ -111,6 +95,11 @@ The return value points to an allocated SSL_CTX object. =back +=head1 HISTORY + +SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in +OpenSSL 1.1.0. + =head1 SEE ALSO L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>, diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod index 8b41917334..c2c349f65e 100644 --- a/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -54,10 +54,6 @@ of 512 bits and the server is not configured to use temporary RSA keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated and the handshake will fail. -If the cipher list does not contain any SSLv2 cipher suites (this is the -default) then SSLv2 is effectively disabled and neither clients nor servers -will attempt to use SSLv2. - =head1 RETURN VALUES SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod index 798e8443a7..cd72572b27 100644 --- a/doc/ssl/SSL_CTX_set_generate_session_id.pod +++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod @@ -32,9 +32,8 @@ of the parent context of B<ssl>. When a new session is established between client and server, the server generates a session id. The session id is an arbitrary sequence of bytes. -The length of the session id is 16 bytes for SSLv2 sessions and between -1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical -but must be unique for the server. Additionally, the session id is +The length of the session id is between 1 and 32 bytes. The session id is not +security critical but must be unique for the server. Additionally, the session id is transmitted in the clear when reusing the session so it must not contain sensitive information. @@ -51,21 +50,14 @@ The callback is only allowed to generate a shorter id and reduce B<id_len>; the callback B<must never> increase B<id_len> or write to the location B<id> exceeding the given limit. -If a SSLv2 session id is generated and B<id_len> is reduced, it will be -restored after the callback has finished and the session id will be padded -with 0x00. It is not recommended to change the B<id_len> for SSLv2 sessions. -The callback can use the L<SSL_get_version(3)|SSL_get_version(3)> function -to check, whether the session is of type SSLv2. - The location B<id> is filled with 0x00 before the callback is called, so the callback may only fill part of the possible length and leave B<id_len> untouched while maintaining reproducibility. Since the sessions must be distinguished, session ids must be unique. Without the callback a random number is used, so that the probability -of generating the same session id is extremely small (2^128 possible ids -for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the -uniqueness of the generated session id, the callback must call +of generating the same session id is extremely small (2^256 for SSLv3/TLSv1). +In order to assure the uniqueness of the generated session id, the callback must call SSL_has_matching_session_id() and generate another id if a conflict occurs. If an id conflict is not resolved, the handshake will fail. If the application codes e.g. a unique host id, a unique process number, and @@ -85,10 +77,6 @@ Collisions can also occur when using an external session cache, since the external cache is not tested with SSL_has_matching_session_id() and the same race condition applies. -When calling SSL_has_matching_session_id() for an SSLv2 session with -reduced B<id_len>, the match operation will be performed using the -fixed length required and with a 0x00 padded id. - The callback must return 0 if it cannot generate a session id for whatever reason and return 1 on success. @@ -104,12 +92,6 @@ server id given, and will fill the rest with pseudo random bytes: unsigned int *id_len) { unsigned int count = 0; - const char *version; - - version = SSL_get_version(ssl); - if (!strcmp(version, "SSLv2")) - /* we must not change id_len */; - do { RAND_pseudo_bytes(id, *id_len); /* Prefix the session_id with the required prefix. NB: If our diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 65062ad68c..1594fb6eec 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -63,18 +63,11 @@ The following B<bug workaround> options are available: =item SSL_OP_MICROSOFT_SESS_ID_BUG -www.microsoft.com - when talking SSLv2, if session-id reuse is -performed, the session-id passed back in the server-finished message -is different from the one decided upon. +As of OpenSSL 1.0.0 this option has no effect. =item SSL_OP_NETSCAPE_CHALLENGE_BUG -Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte -challenge but then appears to only use 16 bytes when generating the -encryption keys. Using 16 bytes is ok but it should be ok to use 32. -According to the SSLv3 spec, one should use 32 bytes for the challenge -when operating in SSLv2/v3 compatibility mode, but as mentioned above, -this breaks this server so 16 bytes is the way to go. +As of OpenSSL 1.0.0 this option has no effect. =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG diff --git a/doc/ssl/SSL_get_default_timeout.pod b/doc/ssl/SSL_get_default_timeout.pod index a648a9b82d..3a067fe892 100644 --- a/doc/ssl/SSL_get_default_timeout.pod +++ b/doc/ssl/SSL_get_default_timeout.pod @@ -24,7 +24,7 @@ L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, the hardcoded default timeout for the protocol will be used. SSL_get_default_timeout() return this hardcoded value, which is 300 seconds -for all currently supported protocols (SSLv2, SSLv3, and TLSv1). +for all currently supported protocols. =head1 RETURN VALUES diff --git a/doc/ssl/SSL_get_version.pod b/doc/ssl/SSL_get_version.pod index 9ae6f25508..b91bb47f78 100644 --- a/doc/ssl/SSL_get_version.pod +++ b/doc/ssl/SSL_get_version.pod @@ -21,10 +21,6 @@ The following strings can be returned: =over 4 -=item SSLv2 - -The connection uses the SSLv2 protocol. - =item SSLv3 The connection uses the SSLv3 protocol. diff --git a/doc/ssl/SSL_new.pod b/doc/ssl/SSL_new.pod index 25300e978f..f0774a57ae 100644 --- a/doc/ssl/SSL_new.pod +++ b/doc/ssl/SSL_new.pod @@ -14,7 +14,7 @@ SSL_new - create a new SSL structure for a connection SSL_new() creates a new B<SSL> structure which is needed to hold the data for a TLS/SSL connection. The new structure inherits the settings -of the underlying context B<ctx>: connection method (SSLv2/v3/TLSv1), +of the underlying context B<ctx>: connection method, options, verification settings, timeout settings. =head1 RETURN VALUES diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index efbff5a0a3..b2bf9cb1b8 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod @@ -60,9 +60,7 @@ SSL_get_shutdown() (see also L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> call. It is therefore recommended, to check the return value of SSL_shutdown() and call SSL_shutdown() again, if the bidirectional shutdown is not yet -complete (return value of the first call is 0). As the shutdown is not -specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on -the first call. +complete (return value of the first call is 0). The behaviour of SSL_shutdown() additionally depends on the underlying BIO. diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 8d5b8c380e..ceb9766245 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -45,8 +45,8 @@ structures: =item B<SSL_METHOD> (SSL Method) That's a dispatch structure describing the internal B<ssl> library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B<SSL_CTX>. +methods/functions which implement the various protocol versions (SSLv3 +TLSv1, ...). It's needed to create an B<SSL_CTX>. =item B<SSL_CIPHER> (SSL Cipher) @@ -105,8 +105,8 @@ it's already included by ssl.h>. =item B<ssl23.h> -That's the sub header file dealing with the combined use of the SSLv2 and -SSLv3 protocols. +That's the sub header file dealing with the combined use of different +protocol version. I<Usually you don't have to include it explicitly because it's already included by ssl.h>. @@ -130,18 +130,6 @@ protocol methods defined in B<SSL_METHOD> structures. =over 4 -=item const SSL_METHOD *B<SSLv2_client_method>(void); - -Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. - -=item const SSL_METHOD *B<SSLv2_server_method>(void); - -Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. - -=item const SSL_METHOD *B<SSLv2_method>(void); - -Constructor for the SSLv2 SSL_METHOD structure for combined client and server. - =item const SSL_METHOD *B<SSLv3_client_method>(void); Constructor for the SSLv3 SSL_METHOD structure for a dedicated client. @@ -189,7 +177,7 @@ I<alg_bits>) and the bits which are actually used (the return value). =item const char *B<SSL_CIPHER_get_name>(SSL_CIPHER *cipher); Return the internal name of I<cipher> as a string. These are the various -strings defined by the I<SSL2_TXT_xxx>, I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> +strings defined by the I<SSL3_TXT_xxx> and I<TLS1_TXT_xxx> definitions in the header files. =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher); @@ -758,5 +746,8 @@ L<SSL_get_psk_identity(3)|SSL_get_psk_identity(3)> The L<ssl(3)|ssl(3)> document appeared in OpenSSL 0.9.2 +B<SSLv2_client_method>, B<SSLv2_server_method> and B<SSLv2_method> where removed +in OpenSSL 1.1.0. + =cut |