author | Jacques Vidrine <nectar@FreeBSD.org> | 2005-02-25 06:04:12 +0000 |
---|---|---|
committer | Jacques Vidrine <nectar@FreeBSD.org> | 2005-02-25 06:04:12 +0000 |
commit | d6608aaa6e6e78ce37107f0acd4ba0946f3a3b7c (patch) | |
tree | cc99086df80af0d12671c7151a7b49233e19f39d /secure/usr.bin/openssl/man/ciphers.1 | |
parent | 5203f6dc3ae2c7c6e0b432ab2068ac8b29ceccc7 (diff) | |
download | src-d6608aaa6e6e78ce37107f0acd4ba0946f3a3b7c.tar.gz src-d6608aaa6e6e78ce37107f0acd4ba0946f3a3b7c.zip |
Update OpenSSL 0.9.7d -> 0.9.7e.
Notes:
svn path=/head/; revision=142429
Diffstat (limited to 'secure/usr.bin/openssl/man/ciphers.1')
-rw-r--r-- | secure/usr.bin/openssl/man/ciphers.1 | 130 |
1 files changed, 66 insertions, 64 deletions
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index 80e8138dd1c5..b539f130fc10 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -1,8 +1,7 @@ -.\" Automatically generated by Pod::Man version 1.15 -.\" Wed Feb 19 16:49:31 2003 +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: -.\" ====================================================================== +.\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp @@ -15,12 +14,6 @@ .if t .sp .5v .if n .sp .. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. .de Vb \" Begin verbatim text .ft CW .nf @@ -28,15 +21,14 @@ .. .de Ve \" End verbatim text .ft R - .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used -.\" to do unbreakable dashes and therefore won't be available. \*(C` and -.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ 
@@ -56,10 +48,10 @@ . ds R" '' 'br\} .\" -.\" If the F register is turned on, we'll generate index entries on stderr -.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and -.\" index entries marked with X<> in POD. Of course, you'll have to process -.\" the output yourself in some meaningful fashion. +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. .if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" @@ -68,14 +60,13 @@ . rr F .\} .\" -.\" For nroff, turn off justification. Always turn off hyphenation; it -.\" makes way too many mistakes in technical documents. +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. .hy 0 .if n .na .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. -.bd B 3 . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 @@ -135,13 +126,12 @@ . ds Ae AE .\} .rm #[ #] #H #V #F C -.\" ====================================================================== +.\" ======================================================================== .\" .IX Title "CIPHERS 1" -.TH CIPHERS 1 "0.9.7a" "2003-02-19" "OpenSSL" -.UC +.TH CIPHERS 1 "2005-02-25" "0.9.7d" "OpenSSL" .SH "NAME" -ciphers \- \s-1SSL\s0 cipher display and cipher list tool. +ciphers \- SSL cipher display and cipher list tool. .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBciphers\fR 
@@ -157,7 +147,7 @@ The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered the appropriate cipherlist. .SH "COMMAND OPTIONS" .IX Header "COMMAND OPTIONS" -.Ip "\fB\-v\fR" 4 +.IP "\fB\-v\fR" 4 .IX Item "-v" verbose option. List ciphers with a complete description of protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange, @@ -166,19 +156,19 @@ restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher. Note that without the \fB\-v\fR option, ciphers may seem to appear twice in a cipher list; this is when similar ciphers are available for \&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1. -.Ip "\fB\-ssl3\fR" 4 +.IP "\fB\-ssl3\fR" 4 .IX Item "-ssl3" only include \s-1SSL\s0 v3 ciphers. -.Ip "\fB\-ssl2\fR" 4 +.IP "\fB\-ssl2\fR" 4 .IX Item "-ssl2" only include \s-1SSL\s0 v2 ciphers. -.Ip "\fB\-tls1\fR" 4 +.IP "\fB\-tls1\fR" 4 .IX Item "-tls1" only include \s-1TLS\s0 v1 ciphers. -.Ip "\fB\-h\fR, \fB\-?\fR" 4 +.IP "\fB\-h\fR, \fB\-?\fR" 4 .IX Item "-h, -?" print a brief usage message. -.Ip "\fBcipherlist\fR" 4 +.IP "\fBcipherlist\fR" 4 .IX Item "cipherlist" a cipher list to convert to a cipher preference list. If it is not included then the default cipher list will be used. The format is described below. @@ -202,13 +192,13 @@ Lists of cipher suites can be combined in a single cipher string using the algorithms. .PP Each cipher string can be optionally preceded by the characters \fB!\fR, -\&\fB-\fR or \fB+\fR. +\&\fB\-\fR or \fB+\fR. .PP If \fB!\fR is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated. .PP -If \fB-\fR is used then the ciphers are deleted from the list, but some or +If \fB\-\fR is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options. .PP If \fB+\fR is used then the ciphers are moved to the end of the list. This 
@@ -224,107 +214,107 @@ the current cipher list in order of encryption algorithm key length. .SH "CIPHER STRINGS" .IX Header "CIPHER STRINGS" The following is a list of all permitted cipher strings and their meanings. -.Ip "\fB\s-1DEFAULT\s0\fR" 4 +.IP "\fB\s-1DEFAULT\s0\fR" 4 .IX Item "DEFAULT" the default cipher list. This is determined at compile time and is normally \&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string specified. -.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 +.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 .IX Item "COMPLEMENTOFDEFAULT" the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary). -.Ip "\fB\s-1ALL\s0\fR" 4 +.IP "\fB\s-1ALL\s0\fR" 4 .IX Item "ALL" all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled. -.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 +.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 .IX Item "COMPLEMENTOFALL" the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR. -.Ip "\fB\s-1HIGH\s0\fR" 4 +.IP "\fB\s-1HIGH\s0\fR" 4 .IX Item "HIGH" \&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger than 128 bits. -.Ip "\fB\s-1MEDIUM\s0\fR" 4 +.IP "\fB\s-1MEDIUM\s0\fR" 4 .IX Item "MEDIUM" \&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption. -.Ip "\fB\s-1LOW\s0\fR" 4 +.IP "\fB\s-1LOW\s0\fR" 4 .IX Item "LOW" \&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. -.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 +.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 .IX Item "EXP, EXPORT" export encryption algorithms. Including 40 and 56 bits algorithms. 
-.Ip "\fB\s-1EXPORT40\s0\fR" 4 +.IP "\fB\s-1EXPORT40\s0\fR" 4 .IX Item "EXPORT40" 40 bit export encryption algorithms -.Ip "\fB\s-1EXPORT56\s0\fR" 4 +.IP "\fB\s-1EXPORT56\s0\fR" 4 .IX Item "EXPORT56" 56 bit export encryption algorithms. -.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 +.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 .IX Item "eNULL, NULL" the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled unless explicitly included. -.Ip "\fBaNULL\fR" 4 +.IP "\fBaNULL\fR" 4 .IX Item "aNULL" the cipher suites offering no authentication. This is currently the anonymous \&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged. -.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 +.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 .IX Item "kRSA, RSA" cipher suites using \s-1RSA\s0 key exchange. -.Ip "\fBkEDH\fR" 4 +.IP "\fBkEDH\fR" 4 .IX Item "kEDH" cipher suites using ephemeral \s-1DH\s0 key agreement. -.Ip "\fBkDHr\fR, \fBkDHd\fR" 4 +.IP "\fBkDHr\fR, \fBkDHd\fR" 4 .IX Item "kDHr, kDHd" cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 and \s-1DSS\s0 keys respectively. Not implemented. -.Ip "\fBaRSA\fR" 4 +.IP "\fBaRSA\fR" 4 .IX Item "aRSA" cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys. -.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 +.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 .IX Item "aDSS, DSS" cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. -.Ip "\fBaDH\fR" 4 +.IP "\fBaDH\fR" 4 .IX Item "aDH" cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry \&\s-1DH\s0 keys. Not implemented. 
-.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 +.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 .IX Item "kFZA, aFZA, eFZA, FZA" ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all \&\s-1FORTEZZA\s0 algorithms. Not implemented. -.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 +.IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 .IX Item "TLSv1, SSLv3, SSLv2" \&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. -.Ip "\fB\s-1DH\s0\fR" 4 +.IP "\fB\s-1DH\s0\fR" 4 .IX Item "DH" cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0. -.Ip "\fB\s-1ADH\s0\fR" 4 +.IP "\fB\s-1ADH\s0\fR" 4 .IX Item "ADH" anonymous \s-1DH\s0 cipher suites. -.Ip "\fB\s-1AES\s0\fR" 4 +.IP "\fB\s-1AES\s0\fR" 4 .IX Item "AES" cipher suites using \s-1AES\s0. -.Ip "\fB3DES\fR" 4 +.IP "\fB3DES\fR" 4 .IX Item "3DES" cipher suites using triple \s-1DES\s0. -.Ip "\fB\s-1DES\s0\fR" 4 +.IP "\fB\s-1DES\s0\fR" 4 .IX Item "DES" cipher suites using \s-1DES\s0 (not triple \s-1DES\s0). -.Ip "\fB\s-1RC4\s0\fR" 4 +.IP "\fB\s-1RC4\s0\fR" 4 .IX Item "RC4" cipher suites using \s-1RC4\s0. -.Ip "\fB\s-1RC2\s0\fR" 4 +.IP "\fB\s-1RC2\s0\fR" 4 .IX Item "RC2" cipher suites using \s-1RC2\s0. -.Ip "\fB\s-1IDEA\s0\fR" 4 +.IP "\fB\s-1IDEA\s0\fR" 4 .IX Item "IDEA" cipher suites using \s-1IDEA\s0. -.Ip "\fB\s-1MD5\s0\fR" 4 +.IP "\fB\s-1MD5\s0\fR" 4 .IX Item "MD5" cipher suites using \s-1MD5\s0. -.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 +.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 .IX Item "SHA1, SHA" cipher suites using \s-1SHA1\s0. .SH "CIPHER SUITE NAMES" 
@@ -332,7 +322,7 @@ cipher suites using \s-1SHA1\s0. The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, -e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. +e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. .Sh "\s-1SSL\s0 v3.0 cipher suites." .IX Subsection "SSL v3.0 cipher suites." .Vb 10 @@ -347,6 +337,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA \& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA .Ve +.PP .Vb 12 \& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. @@ -361,6 +352,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA \& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA .Ve +.PP .Vb 5 \& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 \& SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 @@ -368,6 +360,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA \& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA .Ve +.PP .Vb 3 \& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. \& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. @@ -387,6 +380,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA \& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA .Ve +.PP .Vb 12 \& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. 
@@ -401,6 +395,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA \& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA .Ve +.PP .Vb 5 \& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 \& TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 @@ -414,18 +409,21 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used. \& TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA \& TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA .Ve +.PP .Vb 4 \& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA \& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA \& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH-RSA-AES128-SHA \& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH-RSA-AES256-SHA .Ve +.PP .Vb 4 \& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA \& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA \& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA \& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA .Ve +.PP .Vb 2 \& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA \& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA @@ -466,22 +464,26 @@ Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers: .Vb 1 \& openssl ciphers -v 'ALL:eNULL' .Ve +.PP Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by strength: .PP .Vb 1 \& openssl ciphers -v 'ALL:!ADH:@STRENGTH' .Ve +.PP Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last: .PP .Vb 1 \& openssl ciphers -v '3DES:+RSA' .Ve +.PP Include all \s-1RC4\s0 ciphers but leave out those without authentication: .PP .Vb 1 \& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' .Ve +.PP Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without encryption. .PP 
@@ -490,7 +492,7 @@ encryption. .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -s_client(1), s_server(1), ssl(3) +\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were |
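Review bot: In the hunk at @@ -135,13 +126,12 @@, the regenerated title line reads `.TH CIPHERS 1 "2005-02-25" "0.9.7d" "OpenSSL"`, while the commit message says this change updates OpenSSL 0.9.7d -> 0.9.7e, so the installed page would still identify itself as the older release. Regenerate the page with the release string set to 0.9.7e, or state in the commit message that the manual pages were deliberately built from the previous tree, so that anyone checking `man ciphers` to see which cipher documentation applies is not misled about the version.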
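Review bot: In the hunk at @@ -56,10 +48,10 @@, the rewrapped preamble comment still lists "items (.Ip)" among the things that generate index entries, but the hunk at @@ -15,12 +14,6 @@ deletes the `.de Ip` definition and every item in the visible hunks is converted to `.IP`. Because the file is generated by Pod::Man, the stale wording belongs in a fix to the generator rather than a hand edit here; what is worth checking locally is that no `.Ip` call survives in the parts of the file outside these hunks, since a call to the removed macro would no longer format its item.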
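Review bot: Two misspellings pass through unchanged in the context lines of the last hunks: "Include all chiphers with \s-1RSA\s0 authentication" in the hunk at @@ -466,22 +464,26 @@ and `\fB\s-1COMPLENTOFALL\s0\fR` in the HISTORY text of the hunk at @@ -490,7 +492,7 @@. The second one matters more, because it names a cipher string that the CIPHER STRINGS section spells COMPLEMENTOFALL, and a reader copying the keyword from HISTORY would be using a name the page does not otherwise document. Since this file is generated, correct both in the ciphers POD source and regenerate instead of patching the roff output.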