Blame SOURCES/openssl-1.0.2k-no-ssl2.patch

aa8173
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
aa8173
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2	2017-01-26 14:22:03.000000000 +0100
aa8173
+++ openssl-1.0.2k/apps/ciphers.c	2017-03-01 14:18:28.058046372 +0100
aa8173
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
aa8173
     "usage: ciphers args\n",
aa8173
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
aa8173
     " -V          - even more verbose\n",
aa8173
+#ifndef OPENSSL_NO_SSL2
aa8173
     " -ssl2       - SSL2 mode\n",
aa8173
+#endif
aa8173
     " -ssl3       - SSL3 mode\n",
aa8173
     " -tls1       - TLS1 mode\n",
aa8173
     NULL
aa8173
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
aa8173
--- openssl-1.0.2k/apps/s_client.c.no-ssl2	2017-03-01 14:04:57.000000000 +0100
aa8173
+++ openssl-1.0.2k/apps/s_client.c	2017-03-01 14:17:42.368974209 +0100
aa8173
@@ -380,7 +380,9 @@ static void sc_usage(void)
aa8173
                " -srp_strength int - minimal length in bits for N (default %d).\n",
aa8173
                SRP_MINIMAL_N);
aa8173
 #endif
aa8173
+#ifndef OPENSSL_NO_SSL2
aa8173
     BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
aa8173
+#endif
aa8173
 #ifndef OPENSSL_NO_SSL3_METHOD
aa8173
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
aa8173
 #endif
aa8173
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
aa8173
--- openssl-1.0.2k/apps/s_server.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
aa8173
+++ openssl-1.0.2k/apps/s_server.c	2017-03-01 14:13:54.154618822 +0100
aa8173
@@ -598,7 +598,9 @@ static void sv_usage(void)
aa8173
     BIO_printf(bio_err,
aa8173
                " -srpuserseed string - A seed string for a default user salt.\n");
aa8173
 #endif
aa8173
+#ifndef OPENSSL_NO_SSL2
aa8173
     BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
aa8173
+#endif
aa8173
 #ifndef OPENSSL_NO_SSL3_METHOD
aa8173
     BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
aa8173
 #endif
aa8173
@@ -610,7 +612,7 @@ static void sv_usage(void)
aa8173
     BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
aa8173
     BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
aa8173
     BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
aa8173
-    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
aa8173
+    BIO_printf(bio_err, " -no_ssl2      - No-op, SSLv2 is always disabled\n");
aa8173
     BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
aa8173
     BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
aa8173
     BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
aa8173
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
aa8173
--- openssl-1.0.2k/apps/s_time.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
aa8173
+++ openssl-1.0.2k/apps/s_time.c	2017-03-01 14:20:15.708572549 +0100
aa8173
@@ -191,7 +191,9 @@ static void s_time_usage(void)
aa8173
            SSL_CONNECT_NAME);
aa8173
 #ifdef FIONBIO
aa8173
     printf("-nbio         - Run with non-blocking IO\n");
aa8173
+#ifndef OPENSSL_NO_SSL2
aa8173
     printf("-ssl2         - Just use SSLv2\n");
aa8173
+#endif
aa8173
     printf("-ssl3         - Just use SSLv3\n");
aa8173
     printf("-bugs         - Turn on SSL bug compatibility\n");
aa8173
     printf("-new          - Just time new connections\n");
aa8173
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
aa8173
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
aa8173
+++ openssl-1.0.2k/doc/apps/ciphers.pod	2017-03-01 14:02:51.275041593 +0100
aa8173
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
aa8173
 B<openssl> B<ciphers>
aa8173
 [B<-v>]
aa8173
 [B<-V>]
aa8173
-[B<-ssl2>]
aa8173
 [B<-ssl3>]
aa8173
 [B<-tls1>]
aa8173
 [B<cipherlist>]
aa8173
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
aa8173
 
aa8173
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
aa8173
 
aa8173
-=item B<-ssl2>
aa8173
-
aa8173
-Only include SSLv2 ciphers.
aa8173
-
aa8173
 =item B<-h>, B<-?>
aa8173
 
aa8173
 Print a brief usage message.
aa8173
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
aa8173
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
aa8173
+++ openssl-1.0.2k/doc/apps/s_client.pod	2017-03-01 14:06:28.389146669 +0100
aa8173
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
aa8173
 [B<-ign_eof>]
aa8173
 [B<-no_ign_eof>]
aa8173
 [B<-quiet>]
aa8173
-[B<-ssl2>]
aa8173
 [B<-ssl3>]
aa8173
 [B<-tls1>]
aa8173
 [B<-tls1_1>]
aa8173
 [B<-tls1_2>]
aa8173
 [B<-dtls1>]
aa8173
-[B<-no_ssl2>]
aa8173
 [B<-no_ssl3>]
aa8173
 [B<-no_tls1>]
aa8173
 [B<-no_tls1_1>]
aa8173
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
aa8173
 given as a hexadecimal number without leading 0x, for example -psk
aa8173
 1a2b3c4d.
aa8173
 
aa8173
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
aa8173
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
aa8173
 
aa8173
 These options require or disable the use of the specified SSL or TLS protocols.
aa8173
 By default the initial handshake uses a I<version-flexible> method which will
aa8173
@@ -326,8 +324,8 @@ would typically be used (https uses port
aa8173
 then an HTTP command can be given such as "GET /" to retrieve a web page.
aa8173
 
aa8173
 If the handshake fails then there are several possible causes, if it is
aa8173
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
aa8173
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
aa8173
+nothing obvious like no client certificate then the B<-bugs>,
aa8173
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
aa8173
 in case it is a buggy server. In particular you should play with these
aa8173
 options B<before> submitting a bug report to an OpenSSL mailing list.
aa8173
 
aa8173
@@ -349,10 +347,6 @@ on the command line is no guarantee that
aa8173
 If there are problems verifying a server certificate then the
aa8173
 B<-showcerts> option can be used to show the whole chain.
aa8173
 
aa8173
-Since the SSLv23 client hello cannot include compression methods or extensions
aa8173
-these will only be supported if its use is disabled, for example by using the
aa8173
-B<-no_sslv2> option.
aa8173
-
aa8173
 The B<s_client> utility is a test tool and is designed to continue the
aa8173
 handshake after any certificate verification errors. As a result it will
aa8173
 accept any certificate chain (trusted or not) sent by the peer. None test
aa8173
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
aa8173
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
aa8173
+++ openssl-1.0.2k/doc/apps/s_server.pod	2017-03-01 14:04:17.871077754 +0100
aa8173
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
aa8173
 [B<-keytab filename>]
aa8173
 [B<-quiet>]
aa8173
 [B<-no_tmp_rsa>]
aa8173
-[B<-ssl2>]
aa8173
 [B<-ssl3>]
aa8173
 [B<-tls1>]
aa8173
 [B<-tls1_1>]
aa8173
 [B<-tls1_2>]
aa8173
-[B<-no_ssl2>]
aa8173
 [B<-no_ssl3>]
aa8173
 [B<-no_tls1>]
aa8173
 [B<-no_dhe>]
aa8173
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
aa8173
 given as a hexadecimal number without leading 0x, for example -psk
aa8173
 1a2b3c4d.
aa8173
 
aa8173
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
aa8173
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
aa8173
 
aa8173
 These options require or disable the use of the specified SSL or TLS protocols.
aa8173
 By default the initial handshake uses a I<version-flexible> method which will
aa8173
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
aa8173
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2	2017-02-15 11:33:38.000000000 +0100
aa8173
+++ openssl-1.0.2k/doc/apps/s_time.pod	2017-03-01 14:03:50.440432769 +0100
aa8173
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
aa8173
 [B<-verify depth>]
aa8173
 [B<-nbio>]
aa8173
 [B<-time seconds>]
aa8173
-[B<-ssl2>]
aa8173
 [B<-ssl3>]
aa8173
 [B<-bugs>]
aa8173
 [B<-cipher cipherlist>]
aa8173
@@ -99,9 +98,9 @@ specified, they are both on by default a
aa8173
 
aa8173
 turns on non-blocking I/O.
aa8173
 
aa8173
-=item B<-ssl2>, B<-ssl3>
aa8173
+=item B<-ssl3>
aa8173
 
aa8173
-these options disable the use of certain SSL or TLS protocols. By default
aa8173
+this option disables the use of certain SSL or TLS protocols. By default
aa8173
 the initial handshake uses a method which should be compatible with all
aa8173
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
aa8173
 The timing program is not as rich in options to turn protocols on and off as
aa8173
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
aa8173
 
aa8173
 Unfortunately there are a lot of ancient and broken servers in use which
aa8173
 cannot handle this technique and will fail to connect. Some servers only
aa8173
-work if TLS is turned off with the B<-ssl3> option; others
aa8173
-will only support SSL v2 and may need the B<-ssl2> option.
aa8173
+work if TLS is turned off with the B<-ssl3> option.
aa8173
 
aa8173
 =item B<-bugs>
aa8173
 
aa8173
@@ -144,7 +142,7 @@ which both client and server can agree,
aa8173
 for details.
aa8173
 
aa8173
 If the handshake fails then there are several possible causes, if it is
aa8173
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
aa8173
+nothing obvious like no client certificate then the B<-bugs>,
aa8173
 B<-ssl3> options can be tried
aa8173
 in case it is a buggy server. In particular you should play with these
aa8173
 options B<before> submitting a bug report to an OpenSSL mailing list.
aa8173
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
aa8173
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
aa8173
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod	2017-03-01 14:09:12.981016773 +0100
aa8173
@@ -123,13 +123,8 @@ used.
aa8173
 
aa8173
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
aa8173
 
aa8173
-A TLS/SSL connection established with these methods will only understand the
aa8173
-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
aa8173
-also indicate that it only understand SSLv2.  A server will only understand
aa8173
-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
aa8173
-and should not be used.
aa8173
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
aa8173
-with SSLv2.
aa8173
+These calls are provided only as stubs for keeping ABI compatibility. There
aa8173
+is no support for SSLv2 built in the library.
aa8173
 
aa8173
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
aa8173