Blame SOURCES/openssl-1.0.2k-no-ssl2.patch

e62613
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
e62613
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2	2017-01-26 14:22:03.000000000 +0100
e62613
+++ openssl-1.0.2k/apps/ciphers.c	2017-03-01 14:18:28.058046372 +0100
e62613
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
e62613
     "usage: ciphers args\n",
e62613
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
e62613
     " -V          - even more verbose\n",
e62613
+#ifndef OPENSSL_NO_SSL2
e62613
     " -ssl2       - SSL2 mode\n",
e62613
+#endif
e62613
     " -ssl3       - SSL3 mode\n",
e62613
     " -tls1       - TLS1 mode\n",
e62613
     NULL
e62613
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
e62613
--- openssl-1.0.2k/apps/s_client.c.no-ssl2	2017-03-01 14:04:57.000000000 +0100
e62613
+++ openssl-1.0.2k/apps/s_client.c	2017-03-01 14:17:42.368974209 +0100
e62613
@@ -380,7 +380,9 @@ static void sc_usage(void)
e62613
                " -srp_strength int - minimal length in bits for N (default %d).\n",
e62613
                SRP_MINIMAL_N);
e62613
 #endif
e62613
+#ifndef OPENSSL_NO_SSL2
e62613
     BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
e62613
+#endif
e62613
 #ifndef OPENSSL_NO_SSL3_METHOD
e62613
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
e62613
 #endif
e62613
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
e62613
--- openssl-1.0.2k/apps/s_server.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
e62613
+++ openssl-1.0.2k/apps/s_server.c	2017-03-01 14:13:54.154618822 +0100
e62613
@@ -598,7 +598,9 @@ static void sv_usage(void)
e62613
     BIO_printf(bio_err,
e62613
                " -srpuserseed string - A seed string for a default user salt.\n");
e62613
 #endif
e62613
+#ifndef OPENSSL_NO_SSL2
e62613
     BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
e62613
+#endif
e62613
 #ifndef OPENSSL_NO_SSL3_METHOD
e62613
     BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
e62613
 #endif
e62613
@@ -610,7 +612,7 @@ static void sv_usage(void)
e62613
     BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
e62613
     BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
e62613
     BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
e62613
-    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
e62613
+    BIO_printf(bio_err, " -no_ssl2      - No-op, SSLv2 is always disabled\n");
e62613
     BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
e62613
     BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
e62613
     BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
e62613
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
e62613
--- openssl-1.0.2k/apps/s_time.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
e62613
+++ openssl-1.0.2k/apps/s_time.c	2017-03-01 14:20:15.708572549 +0100
e62613
@@ -191,7 +191,9 @@ static void s_time_usage(void)
e62613
            SSL_CONNECT_NAME);
e62613
 #ifdef FIONBIO
e62613
     printf("-nbio         - Run with non-blocking IO\n");
e62613
+#ifndef OPENSSL_NO_SSL2
e62613
     printf("-ssl2         - Just use SSLv2\n");
e62613
+#endif
e62613
     printf("-ssl3         - Just use SSLv3\n");
e62613
     printf("-bugs         - Turn on SSL bug compatibility\n");
e62613
     printf("-new          - Just time new connections\n");
e62613
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
e62613
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
e62613
+++ openssl-1.0.2k/doc/apps/ciphers.pod	2017-03-01 14:02:51.275041593 +0100
e62613
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
e62613
 B<openssl> B<ciphers>
e62613
 [B<-v>]
e62613
 [B<-V>]
e62613
-[B<-ssl2>]
e62613
 [B<-ssl3>]
e62613
 [B<-tls1>]
e62613
 [B<cipherlist>]
e62613
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
e62613
 
e62613
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
e62613
 
e62613
-=item B<-ssl2>
e62613
-
e62613
-Only include SSLv2 ciphers.
e62613
-
e62613
 =item B<-h>, B<-?>
e62613
 
e62613
 Print a brief usage message.
e62613
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
e62613
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
e62613
+++ openssl-1.0.2k/doc/apps/s_client.pod	2017-03-01 14:06:28.389146669 +0100
e62613
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
e62613
 [B<-ign_eof>]
e62613
 [B<-no_ign_eof>]
e62613
 [B<-quiet>]
e62613
-[B<-ssl2>]
e62613
 [B<-ssl3>]
e62613
 [B<-tls1>]
e62613
 [B<-tls1_1>]
e62613
 [B<-tls1_2>]
e62613
 [B<-dtls1>]
e62613
-[B<-no_ssl2>]
e62613
 [B<-no_ssl3>]
e62613
 [B<-no_tls1>]
e62613
 [B<-no_tls1_1>]
e62613
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
e62613
 given as a hexadecimal number without leading 0x, for example -psk
e62613
 1a2b3c4d.
e62613
 
e62613
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
e62613
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
e62613
 
e62613
 These options require or disable the use of the specified SSL or TLS protocols.
e62613
 By default the initial handshake uses a I<version-flexible> method which will
e62613
@@ -326,8 +324,8 @@ would typically be used (https uses port
e62613
 then an HTTP command can be given such as "GET /" to retrieve a web page.
e62613
 
e62613
 If the handshake fails then there are several possible causes, if it is
e62613
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
e62613
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
e62613
+nothing obvious like no client certificate then the B<-bugs>,
e62613
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
e62613
 in case it is a buggy server. In particular you should play with these
e62613
 options B<before> submitting a bug report to an OpenSSL mailing list.
e62613
 
e62613
@@ -349,10 +347,6 @@ on the command line is no guarantee that
e62613
 If there are problems verifying a server certificate then the
e62613
 B<-showcerts> option can be used to show the whole chain.
e62613
 
e62613
-Since the SSLv23 client hello cannot include compression methods or extensions
e62613
-these will only be supported if its use is disabled, for example by using the
e62613
-B<-no_sslv2> option.
e62613
-
e62613
 The B<s_client> utility is a test tool and is designed to continue the
e62613
 handshake after any certificate verification errors. As a result it will
e62613
 accept any certificate chain (trusted or not) sent by the peer. None test
e62613
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
e62613
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
e62613
+++ openssl-1.0.2k/doc/apps/s_server.pod	2017-03-01 14:04:17.871077754 +0100
e62613
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
e62613
 [B<-keytab filename>]
e62613
 [B<-quiet>]
e62613
 [B<-no_tmp_rsa>]
e62613
-[B<-ssl2>]
e62613
 [B<-ssl3>]
e62613
 [B<-tls1>]
e62613
 [B<-tls1_1>]
e62613
 [B<-tls1_2>]
e62613
-[B<-no_ssl2>]
e62613
 [B<-no_ssl3>]
e62613
 [B<-no_tls1>]
e62613
 [B<-no_dhe>]
e62613
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
e62613
 given as a hexadecimal number without leading 0x, for example -psk
e62613
 1a2b3c4d.
e62613
 
e62613
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
e62613
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
e62613
 
e62613
 These options require or disable the use of the specified SSL or TLS protocols.
e62613
 By default the initial handshake uses a I<version-flexible> method which will
e62613
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
e62613
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2	2017-02-15 11:33:38.000000000 +0100
e62613
+++ openssl-1.0.2k/doc/apps/s_time.pod	2017-03-01 14:03:50.440432769 +0100
e62613
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
e62613
 [B<-verify depth>]
e62613
 [B<-nbio>]
e62613
 [B<-time seconds>]
e62613
-[B<-ssl2>]
e62613
 [B<-ssl3>]
e62613
 [B<-bugs>]
e62613
 [B<-cipher cipherlist>]
e62613
@@ -99,9 +98,9 @@ specified, they are both on by default a
e62613
 
e62613
 turns on non-blocking I/O.
e62613
 
e62613
-=item B<-ssl2>, B<-ssl3>
e62613
+=item B<-ssl3>
e62613
 
e62613
-these options disable the use of certain SSL or TLS protocols. By default
e62613
+this option disables the use of certain SSL or TLS protocols. By default
e62613
 the initial handshake uses a method which should be compatible with all
e62613
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
e62613
 The timing program is not as rich in options to turn protocols on and off as
e62613
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
e62613
 
e62613
 Unfortunately there are a lot of ancient and broken servers in use which
e62613
 cannot handle this technique and will fail to connect. Some servers only
e62613
-work if TLS is turned off with the B<-ssl3> option; others
e62613
-will only support SSL v2 and may need the B<-ssl2> option.
e62613
+work if TLS is turned off with the B<-ssl3> option.
e62613
 
e62613
 =item B<-bugs>
e62613
 
e62613
@@ -144,7 +142,7 @@ which both client and server can agree,
e62613
 for details.
e62613
 
e62613
 If the handshake fails then there are several possible causes, if it is
e62613
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
e62613
+nothing obvious like no client certificate then the B<-bugs>,
e62613
 B<-ssl3> options can be tried
e62613
 in case it is a buggy server. In particular you should play with these
e62613
 options B<before> submitting a bug report to an OpenSSL mailing list.
e62613
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
e62613
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
e62613
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod	2017-03-01 14:09:12.981016773 +0100
e62613
@@ -123,13 +123,8 @@ used.
e62613
 
e62613
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
e62613
 
e62613
-A TLS/SSL connection established with these methods will only understand the
e62613
-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
e62613
-also indicate that it only understand SSLv2.  A server will only understand
e62613
-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
e62613
-and should not be used.
e62613
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
e62613
-with SSLv2.
e62613
+These calls are provided only as stubs for keeping ABI compatibility. There
e62613
+is no support for SSLv2 built in the library.
e62613
 
e62613
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
e62613