From: Matt Caswell Date: Thu, 29 Oct 2015 14:50:40 +0000 (+0000) Subject: Remove some SSLv2 references X-Git-Tag: OpenSSL_1_1_0-pre1~325 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=87d9cafa332bd006086b56dc645c03fe7cfed654 Remove some SSLv2 references There were a few remaining references to SSLv2 support which are no longer relevant now that it has been removed. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte --- diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index e8eeb15f15..bebd20485c 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -371,16 +371,16 @@ argument. The order of operations is significant. This can be used to set either defaults or values which cannot be overridden. For example if an application calls: - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); SSL_CONF_cmd(ctx, userparam, uservalue); -it will disable SSLv2 support by default but the user can override it. If +it will disable SSLv3 support by default but the user can override it. If however the call sequence is: SSL_CONF_cmd(ctx, userparam, uservalue); - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); -SSLv2 is B disabled and attempt to override this by the user are +SSLv3 is B disabled and attempt to override this by the user are ignored. By checking the return code of SSL_CTX_cmd() it is possible to query if a @@ -416,9 +416,9 @@ Set supported signature algorithms: SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); -Enable all protocols except SSLv3 and SSLv2: +Enable all protocols except SSLv3: - SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); + SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); Only enable TLSv1.2: diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 3a75cdab59..7754e75bfb 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op. When choosing a cipher, use the server's preferences instead of the client preferences. When not set, the SSL server will always follow the clients -preferences. When set, the SSLv3/TLSv1 server will choose following its -own preferences. Because of the different protocol, for SSLv2 the server -will send its list of preferences to the client and the client chooses. +preferences. When set, the SSL/TLS server will choose following its +own preferences. =item SSL_OP_PKCS1_CHECK_1 @@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses. ... - -=item SSL_OP_NO_SSLv2 - -Do not use the SSLv2 protocol. - =item SSL_OP_NO_SSLv3 Do not use the SSLv3 protocol. @@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as described in RFC5746. This counters the prefix attack described in CVE-2009-3555 and elsewhere. -The deprecated and highly broken SSLv2 protocol does not support -renegotiation at all: its use is B discouraged. - This attack has far reaching consequences which application writers should be aware of. In the description below an implementation supporting secure renegotiation is referred to as I. A server not supporting secure diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index 947c8687f4..e0a9bd47bc 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN). -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, whether the closure was initiated by the peer or by something -else. - =item E0 The read operation was not successful, because either an error occurred diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod index a9841ed331..1fff8548c8 100644 --- a/doc/ssl/SSL_write.pod +++ b/doc/ssl/SSL_write.pod @@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B to find out, whether an error occurred or the connection was shut down cleanly (SSL_ERROR_ZERO_RETURN). -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, why the closure happened. - =item E0 The write operation was not successful, because either an error occurred diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 9413907b02..421d50066d 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -93,9 +93,7 @@ inside this header file. =item B -That's the sub header file dealing with the SSLv2 protocol only. -I. +Unused. Present for backwards compatibility only. =item B @@ -175,7 +173,7 @@ definitions in the header files. =item char *B(SSL_CIPHER *cipher); -Returns a string like "C" or "C" which indicates the +Returns a string like "C" or "C" which indicates the SSL/TLS protocol version to which I belongs (i.e. where it was defined in the specification the first time). diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7e30aba3c2..a8e20935a5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -856,7 +856,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f) } /* - * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa + * what if we are setup for one protocol version but want to talk another */ if (t->method != f->method) { t->method->ssl_free(t); /* cleanup current */ @@ -1361,7 +1361,6 @@ int SSL_set_cipher_list(SSL *s, const char *str) return 1; } -/* works well for SSLv2, not so good for SSLv3 */ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { char *p; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 56ec70f995..5a9406656e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -555,7 +555,7 @@ struct ssl_cipher_st { int alg_bits; /* Number of bits for algorithm */ }; -/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ +/* Used to hold SSL/TLS functions */ struct ssl_method_st { int version; int (*ssl_new) (SSL *s);