Blame SOURCES/openssl-1.0.2k-no-ssl2.patch

diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
fd2893
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2	2017-01-26 14:22:03.000000000 +0100
fd2893
+++ openssl-1.0.2k/apps/ciphers.c	2017-03-01 14:18:28.058046372 +0100
fd2893
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
fd2893
     "usage: ciphers args\n",
fd2893
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
fd2893
     " -V          - even more verbose\n",
fd2893
+#ifndef OPENSSL_NO_SSL2
fd2893
     " -ssl2       - SSL2 mode\n",
fd2893
+#endif
fd2893
     " -ssl3       - SSL3 mode\n",
fd2893
     " -tls1       - TLS1 mode\n",
fd2893
     NULL
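Review bot: The `-ssl2` usage entry is now compiled out under OPENSSL_NO_SSL2, but the branch that actually parses `-ssl2` in ciphers' main is outside this hunk, so the two need to agree: if that branch is not wrapped in the same `#ifndef OPENSSL_NO_SSL2`, the option is still accepted while being undocumented, and its behaviour then depends on what the SSLv2 method stub returns. Worth confirming the guard on the parser matches the one added here. The ciphers_usage array continues outside the hunk.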
fd2893
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
fd2893
--- openssl-1.0.2k/apps/s_client.c.no-ssl2	2017-03-01 14:04:57.000000000 +0100
fd2893
+++ openssl-1.0.2k/apps/s_client.c	2017-03-01 14:17:42.368974209 +0100
fd2893
@@ -380,7 +380,9 @@ static void sc_usage(void)
fd2893
                " -srp_strength int - minimal length in bits for N (default %d).\n",
fd2893
                SRP_MINIMAL_N);
fd2893
 #endif
fd2893
+#ifndef OPENSSL_NO_SSL2
fd2893
     BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
fd2893
+#endif
fd2893
 #ifndef OPENSSL_NO_SSL3_METHOD
fd2893
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
fd2893
 #endif
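Review bot: Only the `-ssl2` line is guarded here, while the `-no_ssl2` text that sc_usage also prints (outside this hunk) is left as is; the s_server hunk in this same patch rewords its `-no_ssl2` to `No-op, SSLv2 is always disabled`, so the two tools will describe the same flag differently. If s_client prints the combined `-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2` line, consider either dropping `-no_ssl2` from it or noting it is a no-op, in the same wording as s_server. sc_usage continues outside the hunk.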
fd2893
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
fd2893
--- openssl-1.0.2k/apps/s_server.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
fd2893
+++ openssl-1.0.2k/apps/s_server.c	2017-03-01 14:13:54.154618822 +0100
fd2893
@@ -598,7 +598,9 @@ static void sv_usage(void)
fd2893
     BIO_printf(bio_err,
fd2893
                " -srpuserseed string - A seed string for a default user salt.\n");
fd2893
 #endif
fd2893
+#ifndef OPENSSL_NO_SSL2
fd2893
     BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
fd2893
+#endif
fd2893
 #ifndef OPENSSL_NO_SSL3_METHOD
fd2893
     BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
fd2893
 #endif
fd2893
@@ -610,7 +612,7 @@ static void sv_usage(void)
fd2893
     BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
fd2893
     BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
fd2893
     BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
fd2893
-    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
fd2893
+    BIO_printf(bio_err, " -no_ssl2      - No-op, SSLv2 is always disabled\n");
fd2893
     BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
fd2893
     BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
fd2893
     BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
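Review bot: Keeping `-no_ssl2` as an accepted no-op is the right call for existing scripts, but the new text should say why the flag survives so nobody removes it later: `" -no_ssl2      - No-op, SSLv2 is always disabled (kept for compatibility)\n"`. The same wording should be applied to s_client's `-no_ssl2` usage text, which this patch does not touch, so the two tools agree. sv_usage continues outside the hunk.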
fd2893
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
fd2893
--- openssl-1.0.2k/apps/s_time.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
fd2893
+++ openssl-1.0.2k/apps/s_time.c	2017-03-01 14:20:15.708572549 +0100
fd2893
@@ -191,7 +191,9 @@ static void s_time_usage(void)
fd2893
            SSL_CONNECT_NAME);
fd2893
 #ifdef FIONBIO
fd2893
     printf("-nbio         - Run with non-blocking IO\n");
fd2893
+#ifndef OPENSSL_NO_SSL2
fd2893
     printf("-ssl2         - Just use SSLv2\n");
fd2893
+#endif
fd2893
     printf("-ssl3         - Just use SSLv3\n");
fd2893
     printf("-bugs         - Turn on SSL bug compatibility\n");
fd2893
     printf("-new          - Just time new connections\n");
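Review bot: The new `#ifndef OPENSSL_NO_SSL2` is nested inside the pre-existing `#ifdef FIONBIO`, so the `-ssl2` entry is only ever considered on FIONBIO platforms, an odd nesting the ciphers, s_client and s_server hunks of this patch do not have; it is inherited rather than introduced, but worth a look. The adjacent `-ssl3` line also lacks the `#ifndef OPENSSL_NO_SSL3_METHOD` guard that s_client.c and s_server.c use in their usage text, so a build without SSLv3 would still advertise `-ssl3` here; wrapping that printf in `#ifndef OPENSSL_NO_SSL3_METHOD` / `#endif` would make the four tools consistent. s_time_usage continues outside the hunk.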
fd2893
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
fd2893
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
fd2893
+++ openssl-1.0.2k/doc/apps/ciphers.pod	2017-03-01 14:02:51.275041593 +0100
fd2893
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
fd2893
 B<openssl> B<ciphers>
fd2893
 [B<-v>]
fd2893
 [B<-V>]
fd2893
-[B<-ssl2>]
fd2893
 [B<-ssl3>]
fd2893
 [B<-tls1>]
fd2893
 [B<cipherlist>]
fd2893
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
fd2893
 
fd2893
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
fd2893
 
fd2893
-=item B<-ssl2>
fd2893
-
fd2893
-Only include SSLv2 ciphers.
fd2893
-
fd2893
 =item B<-h>, B<-?>
fd2893
 
fd2893
 Print a brief usage message.
fd2893
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
fd2893
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
fd2893
+++ openssl-1.0.2k/doc/apps/s_client.pod	2017-03-01 14:06:28.389146669 +0100
fd2893
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
fd2893
 [B<-ign_eof>]
fd2893
 [B<-no_ign_eof>]
fd2893
 [B<-quiet>]
fd2893
-[B<-ssl2>]
fd2893
 [B<-ssl3>]
fd2893
 [B<-tls1>]
fd2893
 [B<-tls1_1>]
fd2893
 [B<-tls1_2>]
fd2893
 [B<-dtls1>]
fd2893
-[B<-no_ssl2>]
fd2893
 [B<-no_ssl3>]
fd2893
 [B<-no_tls1>]
fd2893
 [B<-no_tls1_1>]
fd2893
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
fd2893
 given as a hexadecimal number without leading 0x, for example -psk
fd2893
 1a2b3c4d.
fd2893
 
fd2893
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
fd2893
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
fd2893
 
fd2893
 These options require or disable the use of the specified SSL or TLS protocols.
fd2893
 By default the initial handshake uses a I<version-flexible> method which will
fd2893
@@ -326,8 +324,8 @@ would typically be used (https uses port
fd2893
 then an HTTP command can be given such as "GET /" to retrieve a web page.
fd2893
 
fd2893
 If the handshake fails then there are several possible causes, if it is
fd2893
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
fd2893
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
fd2893
+nothing obvious like no client certificate then the B<-bugs>,
fd2893
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
fd2893
 in case it is a buggy server. In particular you should play with these
fd2893
 options B<before> submitting a bug report to an OpenSSL mailing list.
fd2893
 
fd2893
@@ -349,10 +347,6 @@ on the command line is no guarantee that
fd2893
 If there are problems verifying a server certificate then the
fd2893
 B<-showcerts> option can be used to show the whole chain.
fd2893
 
fd2893
-Since the SSLv23 client hello cannot include compression methods or extensions
fd2893
-these will only be supported if its use is disabled, for example by using the
fd2893
-B<-no_sslv2> option.
fd2893
-
fd2893
 The B<s_client> utility is a test tool and is designed to continue the
fd2893
 handshake after any certificate verification errors. As a result it will
fd2893
 accept any certificate chain (trusted or not) sent by the peer. None test
fd2893
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
fd2893
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
fd2893
+++ openssl-1.0.2k/doc/apps/s_server.pod	2017-03-01 14:04:17.871077754 +0100
fd2893
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
fd2893
 [B<-keytab filename>]
fd2893
 [B<-quiet>]
fd2893
 [B<-no_tmp_rsa>]
fd2893
-[B<-ssl2>]
fd2893
 [B<-ssl3>]
fd2893
 [B<-tls1>]
fd2893
 [B<-tls1_1>]
fd2893
 [B<-tls1_2>]
fd2893
-[B<-no_ssl2>]
fd2893
 [B<-no_ssl3>]
fd2893
 [B<-no_tls1>]
fd2893
 [B<-no_dhe>]
fd2893
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
fd2893
 given as a hexadecimal number without leading 0x, for example -psk
fd2893
 1a2b3c4d.
fd2893
 
fd2893
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
fd2893
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
fd2893
 
fd2893
 These options require or disable the use of the specified SSL or TLS protocols.
fd2893
 By default the initial handshake uses a I<version-flexible> method which will
fd2893
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
fd2893
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2	2017-02-15 11:33:38.000000000 +0100
fd2893
+++ openssl-1.0.2k/doc/apps/s_time.pod	2017-03-01 14:03:50.440432769 +0100
fd2893
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
fd2893
 [B<-verify depth>]
fd2893
 [B<-nbio>]
fd2893
 [B<-time seconds>]
fd2893
-[B<-ssl2>]
fd2893
 [B<-ssl3>]
fd2893
 [B<-bugs>]
fd2893
 [B<-cipher cipherlist>]
fd2893
@@ -99,9 +98,9 @@ specified, they are both on by default a
fd2893
 
fd2893
 turns on non-blocking I/O.
fd2893
 
fd2893
-=item B<-ssl2>, B<-ssl3>
fd2893
+=item B<-ssl3>
fd2893
 
fd2893
-these options disable the use of certain SSL or TLS protocols. By default
fd2893
+this option disables the use of certain SSL or TLS protocols. By default
fd2893
 the initial handshake uses a method which should be compatible with all
fd2893
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
fd2893
 The timing program is not as rich in options to turn protocols on and off as
fd2893
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
fd2893
 
fd2893
 Unfortunately there are a lot of ancient and broken servers in use which
fd2893
 cannot handle this technique and will fail to connect. Some servers only
fd2893
-work if TLS is turned off with the B<-ssl3> option; others
fd2893
-will only support SSL v2 and may need the B<-ssl2> option.
fd2893
+work if TLS is turned off with the B<-ssl3> option.
fd2893
 
fd2893
 =item B<-bugs>
fd2893
 
fd2893
@@ -144,7 +142,7 @@ which both client and server can agree,
fd2893
 for details.
fd2893
 
fd2893
 If the handshake fails then there are several possible causes, if it is
fd2893
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
fd2893
+nothing obvious like no client certificate then the B<-bugs>,
fd2893
 B<-ssl3> options can be tried
fd2893
 in case it is a buggy server. In particular you should play with these
fd2893
 options B<before> submitting a bug report to an OpenSSL mailing list.
fd2893
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
fd2893
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
fd2893
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod	2017-03-01 14:09:12.981016773 +0100
fd2893
@@ -123,13 +123,8 @@ used.
fd2893
 
fd2893
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
fd2893
 
fd2893
-A TLS/SSL connection established with these methods will only understand the
fd2893
-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
fd2893
-also indicate that it only understand SSLv2.  A server will only understand
fd2893
-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
fd2893
-and should not be used.
fd2893
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
fd2893
-with SSLv2.
fd2893
+These calls are provided only as stubs for keeping ABI compatibility. There
fd2893
+is no support for SSLv2 built in the library.
fd2893
 
fd2893
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
fd2893