Blame SOURCES/openssl-1.0.2k-no-ssl2.patch

cfec1a
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
cfec1a
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2	2017-01-26 14:22:03.000000000 +0100
cfec1a
+++ openssl-1.0.2k/apps/ciphers.c	2017-03-01 14:18:28.058046372 +0100
cfec1a
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
cfec1a
     "usage: ciphers args\n",
cfec1a
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
cfec1a
     " -V          - even more verbose\n",
cfec1a
+#ifndef OPENSSL_NO_SSL2
cfec1a
     " -ssl2       - SSL2 mode\n",
cfec1a
+#endif
cfec1a
     " -ssl3       - SSL3 mode\n",
cfec1a
     " -tls1       - TLS1 mode\n",
cfec1a
     NULL
cfec1a
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
cfec1a
--- openssl-1.0.2k/apps/s_client.c.no-ssl2	2017-03-01 14:04:57.000000000 +0100
cfec1a
+++ openssl-1.0.2k/apps/s_client.c	2017-03-01 14:17:42.368974209 +0100
cfec1a
@@ -380,7 +380,9 @@ static void sc_usage(void)
cfec1a
                " -srp_strength int - minimal length in bits for N (default %d).\n",
cfec1a
                SRP_MINIMAL_N);
cfec1a
 #endif
cfec1a
+#ifndef OPENSSL_NO_SSL2
cfec1a
     BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
cfec1a
+#endif
cfec1a
 #ifndef OPENSSL_NO_SSL3_METHOD
cfec1a
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
cfec1a
 #endif
cfec1a
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
cfec1a
--- openssl-1.0.2k/apps/s_server.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
cfec1a
+++ openssl-1.0.2k/apps/s_server.c	2017-03-01 14:13:54.154618822 +0100
cfec1a
@@ -598,7 +598,9 @@ static void sv_usage(void)
cfec1a
     BIO_printf(bio_err,
cfec1a
                " -srpuserseed string - A seed string for a default user salt.\n");
cfec1a
 #endif
cfec1a
+#ifndef OPENSSL_NO_SSL2
cfec1a
     BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
cfec1a
+#endif
cfec1a
 #ifndef OPENSSL_NO_SSL3_METHOD
cfec1a
     BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
cfec1a
 #endif
cfec1a
@@ -610,7 +612,7 @@ static void sv_usage(void)
cfec1a
     BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
cfec1a
     BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
cfec1a
     BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
cfec1a
-    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
cfec1a
+    BIO_printf(bio_err, " -no_ssl2      - No-op, SSLv2 is always disabled\n");
cfec1a
     BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
cfec1a
     BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
cfec1a
     BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
cfec1a
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
cfec1a
--- openssl-1.0.2k/apps/s_time.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
cfec1a
+++ openssl-1.0.2k/apps/s_time.c	2017-03-01 14:20:15.708572549 +0100
cfec1a
@@ -191,7 +191,9 @@ static void s_time_usage(void)
cfec1a
            SSL_CONNECT_NAME);
cfec1a
 #ifdef FIONBIO
cfec1a
     printf("-nbio         - Run with non-blocking IO\n");
cfec1a
+#ifndef OPENSSL_NO_SSL2
cfec1a
     printf("-ssl2         - Just use SSLv2\n");
cfec1a
+#endif
cfec1a
     printf("-ssl3         - Just use SSLv3\n");
cfec1a
     printf("-bugs         - Turn on SSL bug compatibility\n");
cfec1a
     printf("-new          - Just time new connections\n");
cfec1a
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
cfec1a
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
cfec1a
+++ openssl-1.0.2k/doc/apps/ciphers.pod	2017-03-01 14:02:51.275041593 +0100
cfec1a
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
cfec1a
 B<openssl> B<ciphers>
cfec1a
 [B<-v>]
cfec1a
 [B<-V>]
cfec1a
-[B<-ssl2>]
cfec1a
 [B<-ssl3>]
cfec1a
 [B<-tls1>]
cfec1a
 [B<cipherlist>]
cfec1a
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
cfec1a
 
cfec1a
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
cfec1a
 
cfec1a
-=item B<-ssl2>
cfec1a
-
cfec1a
-Only include SSLv2 ciphers.
cfec1a
-
cfec1a
 =item B<-h>, B<-?>
cfec1a
 
cfec1a
 Print a brief usage message.
cfec1a
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
cfec1a
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
cfec1a
+++ openssl-1.0.2k/doc/apps/s_client.pod	2017-03-01 14:06:28.389146669 +0100
cfec1a
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
cfec1a
 [B<-ign_eof>]
cfec1a
 [B<-no_ign_eof>]
cfec1a
 [B<-quiet>]
cfec1a
-[B<-ssl2>]
cfec1a
 [B<-ssl3>]
cfec1a
 [B<-tls1>]
cfec1a
 [B<-tls1_1>]
cfec1a
 [B<-tls1_2>]
cfec1a
 [B<-dtls1>]
cfec1a
-[B<-no_ssl2>]
cfec1a
 [B<-no_ssl3>]
cfec1a
 [B<-no_tls1>]
cfec1a
 [B<-no_tls1_1>]
cfec1a
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
cfec1a
 given as a hexadecimal number without leading 0x, for example -psk
cfec1a
 1a2b3c4d.
cfec1a
 
cfec1a
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
cfec1a
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
cfec1a
 
cfec1a
 These options require or disable the use of the specified SSL or TLS protocols.
cfec1a
 By default the initial handshake uses a I<version-flexible> method which will
cfec1a
@@ -326,8 +324,8 @@ would typically be used (https uses port
cfec1a
 then an HTTP command can be given such as "GET /" to retrieve a web page.
cfec1a
 
cfec1a
 If the handshake fails then there are several possible causes, if it is
cfec1a
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
cfec1a
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
cfec1a
+nothing obvious like no client certificate then the B<-bugs>,
cfec1a
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
cfec1a
 in case it is a buggy server. In particular you should play with these
cfec1a
 options B<before> submitting a bug report to an OpenSSL mailing list.
cfec1a
 
cfec1a
@@ -349,10 +347,6 @@ on the command line is no guarantee that
cfec1a
 If there are problems verifying a server certificate then the
cfec1a
 B<-showcerts> option can be used to show the whole chain.
cfec1a
 
cfec1a
-Since the SSLv23 client hello cannot include compression methods or extensions
cfec1a
-these will only be supported if its use is disabled, for example by using the
cfec1a
-B<-no_sslv2> option.
cfec1a
-
cfec1a
 The B<s_client> utility is a test tool and is designed to continue the
cfec1a
 handshake after any certificate verification errors. As a result it will
cfec1a
 accept any certificate chain (trusted or not) sent by the peer. None test
cfec1a
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
cfec1a
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
cfec1a
+++ openssl-1.0.2k/doc/apps/s_server.pod	2017-03-01 14:04:17.871077754 +0100
cfec1a
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
cfec1a
 [B<-keytab filename>]
cfec1a
 [B<-quiet>]
cfec1a
 [B<-no_tmp_rsa>]
cfec1a
-[B<-ssl2>]
cfec1a
 [B<-ssl3>]
cfec1a
 [B<-tls1>]
cfec1a
 [B<-tls1_1>]
cfec1a
 [B<-tls1_2>]
cfec1a
-[B<-no_ssl2>]
cfec1a
 [B<-no_ssl3>]
cfec1a
 [B<-no_tls1>]
cfec1a
 [B<-no_dhe>]
cfec1a
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
cfec1a
 given as a hexadecimal number without leading 0x, for example -psk
cfec1a
 1a2b3c4d.
cfec1a
 
cfec1a
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
cfec1a
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
cfec1a
 
cfec1a
 These options require or disable the use of the specified SSL or TLS protocols.
cfec1a
 By default the initial handshake uses a I<version-flexible> method which will
cfec1a
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
cfec1a
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2	2017-02-15 11:33:38.000000000 +0100
cfec1a
+++ openssl-1.0.2k/doc/apps/s_time.pod	2017-03-01 14:03:50.440432769 +0100
cfec1a
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
cfec1a
 [B<-verify depth>]
cfec1a
 [B<-nbio>]
cfec1a
 [B<-time seconds>]
cfec1a
-[B<-ssl2>]
cfec1a
 [B<-ssl3>]
cfec1a
 [B<-bugs>]
cfec1a
 [B<-cipher cipherlist>]
cfec1a
@@ -99,9 +98,9 @@ specified, they are both on by default a
cfec1a
 
cfec1a
 turns on non-blocking I/O.
cfec1a
 
cfec1a
-=item B<-ssl2>, B<-ssl3>
cfec1a
+=item B<-ssl3>
cfec1a
 
cfec1a
-these options disable the use of certain SSL or TLS protocols. By default
cfec1a
+this option disables the use of certain SSL or TLS protocols. By default
cfec1a
 the initial handshake uses a method which should be compatible with all
cfec1a
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
cfec1a
 The timing program is not as rich in options to turn protocols on and off as
cfec1a
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
cfec1a
 
cfec1a
 Unfortunately there are a lot of ancient and broken servers in use which
cfec1a
 cannot handle this technique and will fail to connect. Some servers only
cfec1a
-work if TLS is turned off with the B<-ssl3> option; others
cfec1a
-will only support SSL v2 and may need the B<-ssl2> option.
cfec1a
+work if TLS is turned off with the B<-ssl3> option.
cfec1a
 
cfec1a
 =item B<-bugs>
cfec1a
 
cfec1a
@@ -144,7 +142,7 @@ which both client and server can agree,
cfec1a
 for details.
cfec1a
 
cfec1a
 If the handshake fails then there are several possible causes, if it is
cfec1a
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
cfec1a
+nothing obvious like no client certificate then the B<-bugs>,
cfec1a
 B<-ssl3> options can be tried
cfec1a
 in case it is a buggy server. In particular you should play with these
cfec1a
 options B<before> submitting a bug report to an OpenSSL mailing list.
cfec1a
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
cfec1a
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
cfec1a
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod	2017-03-01 14:09:12.981016773 +0100
cfec1a
@@ -123,13 +123,8 @@ used.
cfec1a
 
cfec1a
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
cfec1a
 
cfec1a
-A TLS/SSL connection established with these methods will only understand the
cfec1a
-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
cfec1a
-also indicate that it only understand SSLv2.  A server will only understand
cfec1a
-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
cfec1a
-and should not be used.
cfec1a
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
cfec1a
-with SSLv2.
cfec1a
+These calls are provided only as stubs for keeping ABI compatibility. There
cfec1a
+is no support for SSLv2 built in the library.
cfec1a
 
cfec1a
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()
cfec1a