Blob Blame Raw
diff -up openssl-1.0.2k/apps/ciphers.c.no-ssl2 openssl-1.0.2k/apps/ciphers.c
--- openssl-1.0.2k/apps/ciphers.c.no-ssl2	2017-01-26 14:22:03.000000000 +0100
+++ openssl-1.0.2k/apps/ciphers.c	2017-03-01 14:18:28.058046372 +0100
@@ -73,7 +73,9 @@ static const char *ciphers_usage[] = {
     "usage: ciphers args\n",
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
     " -V          - even more verbose\n",
+#ifndef OPENSSL_NO_SSL2
     " -ssl2       - SSL2 mode\n",
+#endif
     " -ssl3       - SSL3 mode\n",
     " -tls1       - TLS1 mode\n",
     NULL
diff -up openssl-1.0.2k/apps/s_client.c.no-ssl2 openssl-1.0.2k/apps/s_client.c
--- openssl-1.0.2k/apps/s_client.c.no-ssl2	2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/apps/s_client.c	2017-03-01 14:17:42.368974209 +0100
@@ -380,7 +380,9 @@ static void sc_usage(void)
                " -srp_strength int - minimal length in bits for N (default %d).\n",
                SRP_MINIMAL_N);
 #endif
+#ifndef OPENSSL_NO_SSL2
     BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
+#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
 #endif
diff -up openssl-1.0.2k/apps/s_server.c.no-ssl2 openssl-1.0.2k/apps/s_server.c
--- openssl-1.0.2k/apps/s_server.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_server.c	2017-03-01 14:13:54.154618822 +0100
@@ -598,7 +598,9 @@ static void sv_usage(void)
     BIO_printf(bio_err,
                " -srpuserseed string - A seed string for a default user salt.\n");
 #endif
+#ifndef OPENSSL_NO_SSL2
     BIO_printf(bio_err, " -ssl2         - Just talk SSLv2\n");
+#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
     BIO_printf(bio_err, " -ssl3         - Just talk SSLv3\n");
 #endif
@@ -610,7 +612,7 @@ static void sv_usage(void)
     BIO_printf(bio_err, " -timeout      - Enable timeouts\n");
     BIO_printf(bio_err, " -mtu          - Set link layer MTU\n");
     BIO_printf(bio_err, " -chain        - Read a certificate chain\n");
-    BIO_printf(bio_err, " -no_ssl2      - Just disable SSLv2\n");
+    BIO_printf(bio_err, " -no_ssl2      - No-op, SSLv2 is always disabled\n");
     BIO_printf(bio_err, " -no_ssl3      - Just disable SSLv3\n");
     BIO_printf(bio_err, " -no_tls1      - Just disable TLSv1\n");
     BIO_printf(bio_err, " -no_tls1_1    - Just disable TLSv1.1\n");
diff -up openssl-1.0.2k/apps/s_time.c.no-ssl2 openssl-1.0.2k/apps/s_time.c
--- openssl-1.0.2k/apps/s_time.c.no-ssl2	2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/apps/s_time.c	2017-03-01 14:20:15.708572549 +0100
@@ -191,7 +191,9 @@ static void s_time_usage(void)
            SSL_CONNECT_NAME);
 #ifdef FIONBIO
     printf("-nbio         - Run with non-blocking IO\n");
+#ifndef OPENSSL_NO_SSL2
     printf("-ssl2         - Just use SSLv2\n");
+#endif
     printf("-ssl3         - Just use SSLv3\n");
     printf("-bugs         - Turn on SSL bug compatibility\n");
     printf("-new          - Just time new connections\n");
diff -up openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2 openssl-1.0.2k/doc/apps/ciphers.pod
--- openssl-1.0.2k/doc/apps/ciphers.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/apps/ciphers.pod	2017-03-01 14:02:51.275041593 +0100
@@ -9,7 +9,6 @@ ciphers - SSL cipher display and cipher
 B<openssl> B<ciphers>
 [B<-v>]
 [B<-V>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<cipherlist>]
@@ -42,10 +41,6 @@ Like B<-v>, but include cipher suite cod
 
 This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
 
-=item B<-ssl2>
-
-Only include SSLv2 ciphers.
-
 =item B<-h>, B<-?>
 
 Print a brief usage message.
diff -up openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_client.pod
--- openssl-1.0.2k/doc/apps/s_client.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_client.pod	2017-03-01 14:06:28.389146669 +0100
@@ -33,13 +33,11 @@ B<openssl> B<s_client>
 [B<-ign_eof>]
 [B<-no_ign_eof>]
 [B<-quiet>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
 [B<-dtls1>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_tls1_1>]
@@ -207,7 +205,7 @@ Use the PSK key B<key> when using a PSK
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default the initial handshake uses a I<version-flexible> method which will
@@ -326,8 +324,8 @@ would typically be used (https uses port
 then an HTTP command can be given such as "GET /" to retrieve a web page.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
+nothing obvious like no client certificate then the B<-bugs>,
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
 
@@ -349,10 +347,6 @@ on the command line is no guarantee that
 If there are problems verifying a server certificate then the
 B<-showcerts> option can be used to show the whole chain.
 
-Since the SSLv23 client hello cannot include compression methods or extensions
-these will only be supported if its use is disabled, for example by using the
-B<-no_sslv2> option.
-
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
 accept any certificate chain (trusted or not) sent by the peer. None test
diff -up openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_server.pod
--- openssl-1.0.2k/doc/apps/s_server.pod.no-ssl2	2017-03-01 14:04:57.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_server.pod	2017-03-01 14:04:17.871077754 +0100
@@ -42,12 +42,10 @@ B<openssl> B<s_server>
 [B<-keytab filename>]
 [B<-quiet>]
 [B<-no_tmp_rsa>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
 [B<-tls1_1>]
 [B<-tls1_2>]
-[B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
@@ -229,7 +227,7 @@ Use the PSK key B<key> when using a PSK
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
 
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
 
 These options require or disable the use of the specified SSL or TLS protocols.
 By default the initial handshake uses a I<version-flexible> method which will
diff -up openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2 openssl-1.0.2k/doc/apps/s_time.pod
--- openssl-1.0.2k/doc/apps/s_time.pod.no-ssl2	2017-02-15 11:33:38.000000000 +0100
+++ openssl-1.0.2k/doc/apps/s_time.pod	2017-03-01 14:03:50.440432769 +0100
@@ -20,7 +20,6 @@ B<openssl> B<s_time>
 [B<-verify depth>]
 [B<-nbio>]
 [B<-time seconds>]
-[B<-ssl2>]
 [B<-ssl3>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
@@ -99,9 +98,9 @@ specified, they are both on by default a
 
 turns on non-blocking I/O.
 
-=item B<-ssl2>, B<-ssl3>
+=item B<-ssl3>
 
-these options disable the use of certain SSL or TLS protocols. By default
+this option disables the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
@@ -109,8 +108,7 @@ the L<s_client(1)|s_client(1)> program a
 
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option; others
-will only support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off with the B<-ssl3> option.
 
 =item B<-bugs>
 
@@ -144,7 +142,7 @@ which both client and server can agree,
 for details.
 
 If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+nothing obvious like no client certificate then the B<-bugs>,
 B<-ssl3> options can be tried
 in case it is a buggy server. In particular you should play with these
 options B<before> submitting a bug report to an OpenSSL mailing list.
diff -up openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2 openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod
--- openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod.no-ssl2	2017-01-26 14:22:04.000000000 +0100
+++ openssl-1.0.2k/doc/ssl/SSL_CTX_new.pod	2017-03-01 14:09:12.981016773 +0100
@@ -123,13 +123,8 @@ used.
 
 =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
 
-A TLS/SSL connection established with these methods will only understand the
-SSLv2 protocol.  A client will send out SSLv2 client hello messages and will
-also indicate that it only understand SSLv2.  A server will only understand
-SSLv2 client hello messages.  The SSLv2 protocol offers little to no security
-and should not be used.
-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
-with SSLv2.
+These calls are provided only as stubs for keeping ABI compatibility. There
+is no support for SSLv2 built in the library.
 
 =item DTLS_method(), DTLS_server_method(), DTLS_client_method()