Remove some SSLv2 references

There were a few remaining references to SSLv2 support which are no longer relevant now that it has been removed. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-29 14:50:40 +00:00 · 2015-10-29 14:50:40 +00:00 · 87d9cafa33
commit 87d9cafa33
parent b7fa1f989d
7 changed files with 12 additions and 33 deletions
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@ -371,16 +371,16 @@ argument.
 The order of operations is significant. This can be used to set either defaults
 or values which cannot be overridden. For example if an application calls:
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
 SSL_CONF_cmd(ctx, userparam, uservalue);
-it will disable SSLv2 support by default but the user can override it. If 
+it will disable SSLv3 support by default but the user can override it. If
 however the call sequence is:
 SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
-SSLv2 is B<always> disabled and attempt to override this by the user are
+SSLv3 is B<always> disabled and attempt to override this by the user are
 ignored.
 By checking the return code of SSL_CTX_cmd() it is possible to query if a
@ -416,9 +416,9 @@ Set supported signature algorithms:
 SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
-Enable all protocols except SSLv3 and SSLv2:
+Enable all protocols except SSLv3:
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
+ SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
 Only enable TLSv1.2:
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@ -141,9 +141,8 @@ This option is no longer implemented and is treated as no op.
 When choosing a cipher, use the server's preferences instead of the client
 preferences. When not set, the SSL server will always follow the clients
-preferences. When set, the SSLv3/TLSv1 server will choose following its
+preferences. When set, the SSL/TLS server will choose following its
-own preferences. Because of the different protocol, for SSLv2 the server
+own preferences.
 will send its list of preferences to the client and the client chooses.
 =item SSL_OP_PKCS1_CHECK_1
@ -154,11 +153,6 @@ will send its list of preferences to the client and the client chooses.
 ...
 =item SSL_OP_NO_SSLv2
 Do not use the SSLv2 protocol.
 =item SSL_OP_NO_SSLv3
 Do not use the SSLv3 protocol.
@ -200,9 +194,6 @@ OpenSSL always attempts to use secure renegotiation as
 described in RFC5746. This counters the prefix attack described in
 CVE-2009-3555 and elsewhere.
 The deprecated and highly broken SSLv2 protocol does not support
 renegotiation at all: its use is B<strongly> discouraged.
 This attack has far reaching consequences which application writers should be
 aware of. In the description below an implementation supporting secure
 renegotiation is referred to as I<patched>. A server not supporting secure
--- a/doc/ssl/SSL_read.pod
+++ b/doc/ssl/SSL_read.pod
@ -98,11 +98,6 @@ incomplete. Call SSL_get_error() with the return value B<ret> to find out,
 whether an error occurred or the connection was shut down cleanly
 (SSL_ERROR_ZERO_RETURN).
 SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
 only be detected, whether the underlying connection was closed. It cannot
 be checked, whether the closure was initiated by the peer or by something
 else.
 =item E<lt>0
 The read operation was not successful, because either an error occurred
--- a/doc/ssl/SSL_write.pod
+++ b/doc/ssl/SSL_write.pod
@ -86,10 +86,6 @@ was closed. Call SSL_get_error() with the return value B<ret> to find out,
 whether an error occurred or the connection was shut down cleanly
 (SSL_ERROR_ZERO_RETURN).
 SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
 only be detected, whether the underlying connection was closed. It cannot
 be checked, why the closure happened.
 =item E<lt>0
 The write operation was not successful, because either an error occurred
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@ -93,9 +93,7 @@ inside this header file.
 =item B<ssl2.h>
-That's the sub header file dealing with the SSLv2 protocol only.
+Unused. Present for backwards compatibility only.
 I<Usually you don't have to include it explicitly because
 it's already included by ssl.h>.
 =item B<ssl3.h>
@ -175,7 +173,7 @@ definitions in the header files.
 =item char *B<SSL_CIPHER_get_version>(SSL_CIPHER *cipher);
-Returns a string like "C<TLSv1/SSLv3>" or "C<SSLv2>" which indicates the
+Returns a string like "C<SSLv3>" or "C<TLSv1.2>" which indicates the
 SSL/TLS protocol version to which I<cipher> belongs (i.e. where it was defined
 in the specification the first time).
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -856,7 +856,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f)
    }
    /*
-     * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa
+     * what if we are setup for one protocol version but want to talk another
     */
    if (t->method != f->method) {
        t->method->ssl_free(t); /* cleanup current */
@ -1361,7 +1361,6 @@ int SSL_set_cipher_list(SSL *s, const char *str)
    return 1;
 }
 /* works well for SSLv2, not so good for SSLv3 */
 char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
 {
    char *p;
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -555,7 +555,7 @@ struct ssl_cipher_st {
    int alg_bits;               /* Number of bits for algorithm */
 };
-/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
+/* Used to hold SSL/TLS functions */
 struct ssl_method_st {
    int version;
    int (*ssl_new) (SSL *s);