From 91e7614a630cd651e856fcba17d53543bb13b2ec Mon Sep 17 00:00:00 2001
From: beck
Date: Mon, 3 Jul 2023 06:22:07 +0000
Subject: [PATCH] Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit

ok tb@
---
 usr.bin/openssl/openssl.1 | 37 ++++++--------------
 usr.bin/openssl/s_client.c | 70 +++---------------------------------
 usr.bin/openssl/s_server.c | 72 +++-----------------------------------
 3 files changed, 20 insertions(+), 159 deletions(-)

diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 45ae95fa5b4..9868955691b 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.148 2023/06/08 09:40:17 schwarze Exp $
+.\" $OpenBSD: openssl.1,v 1.149 2023/07/03 06:22:07 beck Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: June 8 2023 $
+.Dd $Mdocdate: July 3 2023 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -911,8 +911,6 @@ Specify the directories to process.
 .Sh CIPHERS
 .Nm openssl ciphers
 .Op Fl hsVv
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Ar control
@@ -936,7 +934,7 @@ The options are as follows:
 Print a brief usage message.
 .It Fl s
 Only list ciphers that are supported by the TLS method.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+.It Fl tls1_2 | tls1_3
 In combination with the
 .Fl s
 option, list the ciphers which could be used
@@ -4265,7 +4263,6 @@ Verify the input data and output the recovered data.
 .Op Fl crlf
 .Op Fl debug
 .Op Fl dtls
-.Op Fl dtls1
 .Op Fl dtls1_2
 .Op Fl extended_crl
 .Op Fl groups Ar list
@@ -4286,8 +4283,6 @@ Verify the input data and output the recovered data.
 .Op Fl no_ign_eof
 .Op Fl no_legacy_server_connect
 .Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
 .Op Fl no_tls1_2
 .Op Fl no_tls1_3
 .Op Fl pass Ar arg
@@ -4307,8 +4302,6 @@ Verify the input data and output the recovered data.
 .Op Fl state
 .Op Fl status
 .Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Fl tlsextdebug
@@ -4412,8 +4405,6 @@ as required by some servers.
 Print extensive debugging information, including a hex dump of all traffic.
 .It Fl dtls
 Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
 .It Fl dtls1_2
 Permit only DTLS1.2.
 .It Fl groups Ar list
@@ -4455,8 +4446,8 @@ Can be used to override the implicit
 .Fl ign_eof
 after
 .Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2 and 1.3 respectively.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
 .It Fl pass Ar arg
@@ -4529,8 +4520,8 @@ Send a certificate status request to the server (OCSP stapling).
 The server response (if any) is printed out.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2 or 1.3 respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
@@ -4599,8 +4590,6 @@ will be used.
 .Op Fl no_dhe
 .Op Fl no_ecdhe
 .Op Fl no_ticket
-.Op Fl no_tls1
-.Op Fl no_tls1_1
 .Op Fl no_tls1_2
 .Op Fl no_tls1_3
 .Op Fl no_tmp_rsa
@@ -4616,8 +4605,6 @@ will be used.
 .Op Fl status_url Ar url
 .Op Fl status_verbose
 .Op Fl timeout
-.Op Fl tls1
-.Op Fl tls1_1
 .Op Fl tls1_2
 .Op Fl tls1_3
 .Op Fl tlsextdebug
@@ -4749,8 +4736,6 @@ If this fails, a static set of parameters hard coded into the program
 will be used.
 .It Fl dtls
 Permit any version of DTLS.
-.It Fl dtls1
-Permit only DTLS1.0.
 .It Fl dtls1_2
 Permit only DTLS1.2.
 .It Fl groups Ar list
@@ -4813,8 +4798,8 @@ Disable ephemeral DH cipher suites.
 Disable ephemeral ECDH cipher suites.
 .It Fl no_ticket
 Disable RFC 4507 session ticket support.
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
-Disable the use of TLS1.0, 1.1, 1.2, and 1.3, respectively.
+.It Fl no_tls1_2 | no_tls1_3
+Disable the use of TLS1.2, and 1.3, respectively.
 .It Fl no_tmp_rsa
 Disable temporary RSA key generation.
 .It Fl nocert
@@ -4849,8 +4834,8 @@ Enables certificate status request support (OCSP stapling)
 and gives a verbose printout of the OCSP response.
 .It Fl timeout
 Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
-Permit only TLS1.0, 1.1, 1.2, or 1.3, respectively.
+.It Fl tls1_2 | tls1_3
+Permit only TLS1.2, or 1.3, respectively.
 .It Fl tlsextdebug
 Print a hex dump of any TLS extensions received from the server.
 .It Fl use_srtp Ar profiles
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index 82a8128243c..21bb632810e 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.60 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_client.c,v 1.61 2023/07/03 06:22:07 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -296,18 +296,6 @@ s_client_opt_protocol_version_dtls(void)
 }
 #endif
 
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_client_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_client_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
 #ifndef OPENSSL_NO_DTLS1_2
 static int
 s_client_opt_protocol_version_dtls1_2(void)
@@ -320,22 +308,6 @@ s_client_opt_protocol_version_dtls1_2(void)
 }
 #endif
 
-static int
-s_client_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_client_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
 static int
 s_client_opt_protocol_version_tls1_2(void)
 {
@@ -505,14 +477,6 @@ static const struct option s_client_options[] = {
 .opt.func = s_client_opt_protocol_version_dtls,
 },
 #endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_dtls1,
- },
-#endif
 #ifndef OPENSSL_NO_DTLS1_2
 {
 .name = "dtls1_2",
@@ -659,20 +623,6 @@ static const struct option s_client_options[] = {
 .opt.value = &cfg.off,
 .value = SSL_OP_NO_TICKET,
 },
- {
- .name = "no_tls1",
- .desc = "Disable the use of TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Disable the use of TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
 {
 .name = "no_tls1_2",
 .desc = "Disable the use of TLSv1.2",
@@ -805,18 +755,6 @@ static const struct option s_client_options[] = {
 .opt.flag = &cfg.enable_timeouts,
 },
 #endif
- {
- .name = "tls1",
- .desc = "Just use TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just use TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_client_opt_protocol_version_tls1_1,
- },
 {
 .name = "tls1_2",
 .desc = "Just use TLSv1.2",
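Review bot: Dropping the `no_tls1` and `no_tls1_1` entries from s_client_options in hunk @@ -659,20 +623,6 turns a flag that hardening scripts commonly pass into an unknown-option parse error, since nothing in the new code accepts and ignores the old names; the same applies to the matching entries removed from s_server_options in hunk @@ -816,20 +780,6 of s_server.c. If libssl no longer negotiates TLS 1.0/1.1 at all (not visible in this patch), failing fast is a reasonable outcome, but the commit message should say so explicitly so operators understand the restriction is now unconditional rather than something they opt into. If compatibility with existing invocations matters, the two names could instead remain as accepted no-op entries that print a one-line notice that the protocol versions are no longer supported. The s_client_options table starts and ends outside these hunks.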
@@ -880,17 +818,17 @@ sc_usage(void)
 "[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n"
 " [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n"
 " [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n"
- " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n"
+ " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1_2] [-extended_crl]\n"
 " [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n"
 " [-issuer_checks] [-key keyfile] [-keyform der | pem]\n"
 " [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n"
 " [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n"
- " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n"
+ " [-no_legacy_server_connect] [-no_ticket] \n"
 " [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n"
 " [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n"
 " [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n"
 " [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n"
- " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
+ " [-tls1_2] [-tls1_3] [-tlsextdebug]\n"
 " [-use_srtp profiles] [-verify depth] [-verify_return_error]\n"
 " [-x509_strict] [-xmpphost host]\n");
 fprintf(stderr, "\n");
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index a7f6146c4c3..12eb90699e7 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.56 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: s_server.c,v 1.57 2023/07/03 06:22:07 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
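Review bot: The rewritten `" [-no_legacy_server_connect] [-no_ticket] \n"` line in sc_usage keeps a trailing space inside the string literal, so the usage text written to stderr now ends that line with stray whitespace; the same artefact appears twice in sv_usage in hunk @@ -1050,17 +988,17 of s_server.c (`[-no_ticket] \n` and `[-timeout] \n`). Strip the space at each of the three places, e.g. `" [-no_legacy_server_connect] [-no_ticket]\n"`, and since those lines are now short the lists could also be re-wrapped so the brackets fill the line as the surrounding lines do. The sc_usage body begins before this hunk and continues after it.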
@@ -341,18 +341,6 @@ s_server_opt_protocol_version_dtls(void)
 }
 #endif
 
-#ifndef OPENSSL_NO_DTLS1
-static int
-s_server_opt_protocol_version_dtls1(void)
-{
- cfg.meth = DTLS_server_method();
- cfg.min_version = DTLS1_VERSION;
- cfg.max_version = DTLS1_VERSION;
- cfg.socket_type = SOCK_DGRAM;
- return (0);
-}
-#endif
-
 #ifndef OPENSSL_NO_DTLS1_2
 static int
 s_server_opt_protocol_version_dtls1_2(void)
@@ -365,22 +353,6 @@ s_server_opt_protocol_version_dtls1_2(void)
 }
 #endif
 
-static int
-s_server_opt_protocol_version_tls1(void)
-{
- cfg.min_version = TLS1_VERSION;
- cfg.max_version = TLS1_VERSION;
- return (0);
-}
-
-static int
-s_server_opt_protocol_version_tls1_1(void)
-{
- cfg.min_version = TLS1_1_VERSION;
- cfg.max_version = TLS1_1_VERSION;
- return (0);
-}
-
 static int
 s_server_opt_protocol_version_tls1_2(void)
 {
@@ -648,14 +620,6 @@ static const struct option s_server_options[] = {
 .opt.func = s_server_opt_protocol_version_dtls,
 },
 #endif
-#ifndef OPENSSL_NO_DTLS1
- {
- .name = "dtls1",
- .desc = "Just use DTLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_dtls1,
- },
-#endif
 #ifndef OPENSSL_NO_DTLS1_2
 {
 .name = "dtls1_2",
@@ -816,20 +780,6 @@ static const struct option s_server_options[] = {
 .opt.value = &cfg.off,
 .value = SSL_OP_NO_SSLv3,
 },
- {
- .name = "no_tls1",
- .desc = "Just disable TLSv1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1,
- },
- {
- .name = "no_tls1_1",
- .desc = "Just disable TLSv1.1",
- .type = OPTION_VALUE_OR,
- .opt.value = &cfg.off,
- .value = SSL_OP_NO_TLSv1_1,
- },
 {
 .name = "no_tls1_2",
 .desc = "Just disable TLSv1.2",
@@ -934,18 +884,6 @@ static const struct option s_server_options[] = {
 .opt.flag = &cfg.enable_timeouts,
 },
 #endif
- {
- .name = "tls1",
- .desc = "Just talk TLSv1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1,
- },
- {
- .name = "tls1_1",
- .desc = "Just talk TLSv1.1",
- .type = OPTION_FUNC,
- .opt.func = s_server_opt_protocol_version_tls1_1,
- },
 {
 .name = "tls1_2",
 .desc = "Just talk TLSv1.2",
@@ -1050,17 +988,17 @@ sv_usage(void)
 " [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
 " [-dcert file] [-dcertform der | pem] [-debug]\n"
 " [-dhparam file] [-dkey file] [-dkeyform der | pem]\n"
- " [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
+ " [-dpass arg] [-dtls] [-dtls1_2] [-groups list] [-HTTP]\n"
 " [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
 " [-keyform der | pem] [-keymatexport label]\n"
 " [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
 " [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
- " [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
- " [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
+ " [-no_dhe] [-no_ecdhe] [-no_ticket] \n"
+ " [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
 " [-nocert] [-pass arg] [-quiet] [-servername name]\n"
 " [-servername_fatal] [-serverpref] [-state] [-status]\n"
 " [-status_timeout nsec] [-status_url url]\n"
- " [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
+ " [-status_verbose] [-timeout] \n"
 " [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
 " [-Verify depth] [-verify depth] [-verify_return_error]\n"
 " [-WWW] [-www]\n");
-- 
2.20.1