From bf24ac9b54170c9060079c3f7a040162361c8e5e Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 13 Nov 2015 23:34:29 +0000
Subject: [PATCH] Update and clarify ciphers documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
---
 doc/apps/ciphers.pod | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 389b07c505..963339a9ce 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -12,6 +12,10 @@ B<openssl> B<ciphers>
 [B<-V>]
 [B<-ssl3>]
 [B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-s>]
+[B<-psk>]
 [B<-stdname>]
 [B<cipherlist>]
 
@@ -31,6 +35,10 @@ Only list supported ciphers: those consistent with the security level. This
 is the actual cipher list an application will support. If this option is
 not used then ciphers excluded by the security level will still be listed.
 
+=item B<-psk>
+
+When combined with B<-s> includes cipher suites which require PSK.
+
 =item B<-v>
 
 Verbose option. List ciphers with a complete description of
@@ -44,11 +52,19 @@ Like B<-v>, but include cipher suite codes in output (hex format).
 
 =item B<-ssl3>
 
-only include SSL v3 ciphers.
+List the ciphers which would be used if SSL v3 was negotiated.
 
 =item B<-tls1>
 
-only include TLS v1 ciphers.
+List the ciphers which would be used if TLS v1.0 was negotiated.
+
+=item B<-tls1_1>
+
+List the ciphers which would be used if TLS v1.1 was negotiated.
+
+=item B<-tls1_2>
+
+List the ciphers which would be used if TLS v1.2 was negotiated.
 
 =item B<-stdname>
 
@@ -245,10 +261,15 @@ carry ECDH keys.
 cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
 keys.
 
-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
+=item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
+
+Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0
+or SSL v3.0 respectively. Note: there are no ciphersuites specific to TLS v1.1.
+Since this is only the minimum version if, for example, TLS v1.0 is supported
+then both TLS v1.0 and SSL v3.0 ciphersuites are included.
 
-TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
-there are no ciphersuites specific to TLS v1.1.
+Note: these cipher strings B<do not> change the negotiated version of SSL or
+TLS only the list of cipher suites.
 
 =item B<AES128>, B<AES256>, B<AES>
 
-- 
2.34.1