-.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.149 2023/07/03 06:22:07 beck Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
-.Dd $Mdocdate: June 8 2023 $
+.Dd $Mdocdate: July 3 2023 $
.Dt OPENSSL 1
.Os
.Sh NAME
.Sh CIPHERS
.Nm openssl ciphers
.Op Fl hsVv
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Ar control
Print a brief usage message.
.It Fl s
Only list ciphers that are supported by the TLS method.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+.It Fl tls1_2 | tls1_3
In combination with the
.Fl s
option, list the ciphers which could be used
.Op Fl crlf
.Op Fl debug
.Op Fl dtls
-.Op Fl dtls1
.Op Fl dtls1_2
.Op Fl extended_crl
.Op Fl groups Ar list
.Op Fl no_ign_eof
.Op Fl no_legacy_server_connect
.Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
.Op Fl no_tls1_2
.Op Fl no_tls1_3
.Op Fl pass Ar arg
.Op Fl state
.Op Fl status
.Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Fl tlsextdebug
Print extensive debugging information, including a hex dump of all traffic.
.It Fl dtls
Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
.It Fl dtls1_2
Permit only DTLS1.2.
.It Fl groups Ar list
.Fl ign_eof
after
.Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2 and 1.3 respectively.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
.It Fl pass Ar arg
The server response (if any) is printed out.
.It Fl timeout
Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2 or 1.3 respectively.
.It Fl tlsextdebug
Print a hex dump of any TLS extensions received from the server.
.It Fl use_srtp Ar profiles
.Op Fl no_dhe
.Op Fl no_ecdhe
.Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
.Op Fl no_tls1_2
.Op Fl no_tls1_3
.Op Fl no_tmp_rsa
.Op Fl status_url Ar url
.Op Fl status_verbose
.Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
.Op Fl tls1_2
.Op Fl tls1_3
.Op Fl tlsextdebug
program will be used.
.It Fl dtls
Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
.It Fl dtls1_2
Permit only DTLS1.2.
.It Fl groups Ar list
Disable ephemeral ECDH cipher suites.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2, and 1.3, respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2, and 1.3, respectively.
.It Fl no_tmp_rsa
Disable temporary RSA key generation.
.It Fl nocert
printout of the OCSP response.
.It Fl timeout
Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2, or 1.3, respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2, or 1.3, respectively.
.It Fl tlsextdebug
Print a hex dump of any TLS extensions received from the server.
.It Fl use_srtp Ar profiles
-/* $OpenBSD: s_client.c,v 1.60 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_client.c,v 1.61 2023/07/03 06:22:07 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
#endif
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_client_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_client_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
#ifndef OPENSSL_NO_DTLS1_2
static int
s_client_opt_protocol_version_dtls1_2(void)
}
#endif
-static int
-s_client_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_client_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
static int
s_client_opt_protocol_version_tls1_2(void)
{
.opt.func = s_client_opt_protocol_version_dtls,
},
#endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_dtls1,
- },
-#endif
#ifndef OPENSSL_NO_DTLS1_2
{
.name = "dtls1_2",
.opt.value = &cfg.off,
.value = SSL_OP_NO_TICKET,
},
- {
- .name = "no_tls1",
- .desc = "Disable the use of TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Disable the use of TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
{
.name = "no_tls1_2",
.desc = "Disable the use of TLSv1.2",
.opt.flag = &cfg.enable_timeouts,
},
#endif
- {
- .name = "tls1",
- .desc = "Just use TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just use TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1_1,
- },
{
.name = "tls1_2",
.desc = "Just use TLSv1.2",
"[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
" [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n"
" [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
- " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
+ " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1_2] [-extended_crl]\n"
" [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
" [-issuer_checks] [-key keyfile] [-keyform der | pem]\n"
" [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
" [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
- " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
+ " [-no_legacy_server_connect] [-no_ticket] \n"
" [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
" [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
" [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
" [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
- " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
+ " [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
" [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
" [-x509_strict] [-xmpphost host]\n");
fprintf(stderr, "\n");
-/* $OpenBSD: s_server.c,v 1.56 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_server.c,v 1.57 2023/07/03 06:22:07 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
}
#endif
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_server_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_server_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
#ifndef OPENSSL_NO_DTLS1_2
static int
s_server_opt_protocol_version_dtls1_2(void)
}
#endif
-static int
-s_server_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_server_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
static int
s_server_opt_protocol_version_tls1_2(void)
{
.opt.func = s_server_opt_protocol_version_dtls,
},
#endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_dtls1,
- },
-#endif
#ifndef OPENSSL_NO_DTLS1_2
{
.name = "dtls1_2",
.opt.value = &cfg.off,
.value = SSL_OP_NO_SSLv3,
},
- {
- .name = "no_tls1",
- .desc = "Just disable TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Just disable TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
{
.name = "no_tls1_2",
.desc = "Just disable TLSv1.2",
.opt.flag = &cfg.enable_timeouts,
},
#endif
- {
- .name = "tls1",
- .desc = "Just talk TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just talk TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1_1,
- },
{
.name = "tls1_2",
.desc = "Just talk TLSv1.2",
" [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
" [-dcert file] [-dcertform der | pem] [-debug]\n"
" [-dhparam file] [-dkey file] [-dkeyform der | pem]\n"
- " [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
+ " [-dpass arg] [-dtls] [-dtls1_2] [-groups list] [-HTTP]\n"
" [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
" [-keyform der | pem] [-keymatexport label]\n"
" [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
" [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
- " [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
- " [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
+ " [-no_dhe] [-no_ecdhe] [-no_ticket] \n"
+ " [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
" [-nocert] [-pass arg] [-quiet] [-servername name]\n"
" [-servername_fatal] [-serverpref] [-state] [-status]\n"
" [-status_timeout nsec] [-status_url url]\n"
- " [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
+ " [-status_verbose] [-timeout] \n"
" [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
" [-Verify depth] [-verify depth] [-verify_return_error]\n"
" [-WWW] [-www]\n");
projects / openbsd / commitdiff