[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri Oct 30 09:23:44 UTC 2015


The branch master has been updated
       via  87d9cafa332bd006086b56dc645c03fe7cfed654 (commit)
      from  b7fa1f989d0059ad7b992c11797f37f095d61204 (commit)


- Log -----------------------------------------------------------------
commit 87d9cafa332bd006086b56dc645c03fe7cfed654
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Oct 29 14:50:40 2015 +0000

    Remove some SSLv2 references
    
    There were a few remaining references to SSLv2 support which are no longer
    relevant now that it has been removed.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CONF_cmd.pod        | 12 ++++++------
 doc/ssl/SSL_CTX_set_options.pod | 13 ++-----------
 doc/ssl/SSL_read.pod            |  5 -----
 doc/ssl/SSL_write.pod           |  4 ----
 doc/ssl/ssl.pod                 |  6 ++----
 ssl/ssl_lib.c                   |  3 +--
 ssl/ssl_locl.h                  |  2 +-
 7 files changed, 12 insertions(+), 33 deletions(-)

diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index e8eeb15..bebd204 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -371,16 +371,16 @@ argument.
 The order of operations is significant. This can be used to set either defaults
 or values which cannot be overridden. For example if an application calls:
 
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
  SSL_CONF_cmd(ctx, userparam, uservalue);
 
-it will disable SSLv2 support by default but the user can override it. If 
+it will disable SSLv3 support by default but the user can override it. If
 however the call sequence is:
 
  SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
 
-SSLv2 is B<always> disabled and attempt to override this by the user are
+SSLv3 is B<always> disabled and attempt to override this by the user are
 ignored.
 
 By checking the return code of SSL_CTX_cmd() it is possible to query if a
@@ -416,9 +416,9 @@ Set supported signature algorithms:
 
  SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
 
-Enable all protocols except SSLv3 and SSLv2:
+Enable all protocols except SSLv3:
 
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
 
 Only enable TLSv1.2:
 
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 3a75cda..7754e75 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op.
 
 When choosing a cipher, use the server's preferences instead of the client
 preferences. When not set, the SSL server will always follow the clients
-preferences. When set, the SSLv3/TLSv1 server will choose following its
-own preferences. Because of the different protocol, for SSLv2 the server
-will send its list of preferences to the client and the client chooses.
+preferences. When set, the SSL/TLS server will choose following its
+own preferences.
 
 =item SSL_OP_PKCS1_CHECK_1
 
@@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses.
 ...
 
 
-
-=item SSL_OP_NO_SSLv2
-
-Do not use the SSLv2 protocol.
-
 =item SSL_OP_NO_SSLv3
 
 Do not use the SSLv3 protocol.
@@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as
 described in RFC5746. This counters the prefix attack described in
 CVE-2009-3555 and elsewhere.
 
-The deprecated and highly broken SSLv2 protocol does not support
-renegotiation at all: its use is B<strongly> discouraged.
-
 This attack has far reaching consequences which application writers should be
 aware of. In the description below an implementation supporting secure
 renegotiation is referred to as I<patched>. A server not supporting secure
diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod
index 947c868..e0a9bd4 100644
--- a/doc/ssl/SSL_read.pod
+++ b/doc/ssl/SSL_read.pod
@@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out,
 whether an error occurred or the connection was shut down cleanly
 (SSL_ERROR_ZERO_RETURN).
 
-SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
-only be detected, whether the underlying connection was closed. It cannot
-be checked, whether the closure was initiated by the peer or by something
-else.
-
 =item E<lt>0
 
 The read operation was not successful, because either an error occurred
diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod
index a9841ed..1fff854 100644
--- a/doc/ssl/SSL_write.pod
+++ b/doc/ssl/SSL_write.pod
@@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out,
 whether an error occurred or the connection was shut down cleanly
 (SSL_ERROR_ZERO_RETURN).
 
-SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
-only be detected, whether the underlying connection was closed. It cannot
-be checked, why the closure happened.
-
 =item E<lt>0
 
 The write operation was not successful, because either an error occurred
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 9413907..421d500 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -93,9 +93,7 @@ inside this header file.
 
 =item B<ssl2.h>
 
-That's the sub header file dealing with the SSLv2 protocol only.
-I<Usually you don't have to include it explicitly because
-it's already included by ssl.h>.
+Unused. Present for backwards compatibility only.
 
 =item B<ssl3.h>
 
@@ -175,7 +173,7 @@ definitions in the header files.
 
 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
 
-Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
 in the specification the first time).
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7e30aba..a8e2093 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -856,7 +856,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f)
     }
 
     /*
-     * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
+     * what if we are setup for one protocol version but want to talk another
      */
     if (t->method != f->method) {
         t->method->ssl_free(t); /* cleanup current */
@@ -1361,7 +1361,6 @@ int SSL_set_cipher_list(SSL *s, const char *str)
     return 1;
 }
 
-/* works well for SSLv2, not so good for SSLv3 */
 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 {
     char *p;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 56ec70f..5a94066 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -555,7 +555,7 @@ struct ssl_cipher_st {
     int alg_bits;               /* Number of bits for algorithm */
 };
 
-/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+/* Used to hold SSL/TLS functions */
 struct ssl_method_st {
     int version;
     int (*ssl_new) (SSL *s);


More information about the openssl-commits mailing list