author    Kurt Roeckx <kurt@roeckx.be>  2014-11-30 15:35:22 +0100
committer Kurt Roeckx <kurt@roeckx.be>  2014-12-04 11:55:03 +0100
commit    45f55f6a5bdcec411ef08a6f8aae41d5d3d234ad (patch)
tree      56dba3e74061df914c5d4fa2faf89e7a24c6457c /doc/apps
parent    616f71e486d693991b594439c884ec624b32c2d4 (diff)
Remove SSLv2 support
The only support for SSLv2 left is receiving an SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc/apps')
-rw-r--r--  doc/apps/ciphers.pod   | 25
-rw-r--r--  doc/apps/s_client.pod  | 18
-rw-r--r--  doc/apps/s_server.pod  |  6
-rw-r--r--  doc/apps/s_time.pod    | 10
-rw-r--r--  doc/apps/sess_id.pod   |  6
5 files changed, 14 insertions, 51 deletions
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 6bdc077..5f8dac4 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -10,7 +10,6 @@ B<openssl> B<ciphers>
[B<-s>]
[B<-v>]
[B<-V>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
[B<-stdname>]
@@ -35,12 +34,9 @@ not used then ciphers excluded by the security level will still be listed.
=item B<-v>
Verbose option. List ciphers with a complete description of
-protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange,
+protocol version, key exchange,
authentication, encryption and mac algorithms used along with any key size
restrictions and whether the algorithm is classed as an "export" cipher.
-Note that without the B<-v> option, ciphers may seem to appear twice
-in a cipher list; this is when similar ciphers are available for
-SSL v2 and for SSL v3/TLS v1.
=item B<-V>
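Review bot: the rewrapped line `+protocol version, key exchange,` leaves a very short line in the middle of the B<-v> paragraph; reflow it together with the following unchanged line, e.g. `protocol version, key exchange, authentication, encryption and mac algorithms`, so the POD paragraph wraps evenly. Dropping the note about ciphers appearing twice is correct, since the duplicates it described only arose from SSL v2 and SSL v3/TLS variants of the same suite.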
@@ -50,10 +46,6 @@ Like B<-v>, but include cipher suite codes in output (hex format).
only include SSL v3 ciphers.
-=item B<-ssl2>
-
-only include SSL v2 ciphers.
-
=item B<-tls1>
only include TLS v1 ciphers.
@@ -259,9 +251,9 @@ keys.
ciphers suites using FORTEZZA key exchange, authentication, encryption or all
FORTEZZA algorithms. Not implemented.
-=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
+=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>
-TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
+TLS v1.2, TLS v1.0 or SSL v3.0 cipher suites respectively. Note:
there are no ciphersuites specific to TLS v1.1.
=item B<AES128>, B<AES256>, B<AES>
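Review bot: removing B<SSLv2> from the cipher-string keyword list leaves existing cipher strings that still contain `SSLv2` (for example in a `!SSLv2` exclusion) undocumented; state here, or in the NOTES section of this file, whether such a keyword is now rejected as unknown or silently ignored, since scripts written against the old documentation will hit exactly that case.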
@@ -605,17 +597,6 @@ Note: these ciphers can also be used in SSL v3.
TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
-=head2 Deprecated SSL v2.0 cipher suites.
-
- SSL_CK_RC4_128_WITH_MD5 RC4-MD5
- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
- SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
-
-
=head1 NOTES
Some compiled versions of OpenSSL may not include all the ciphers
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 2057dc8..17308b4 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -58,10 +58,8 @@ B<openssl> B<s_client>
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-quiet>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
-[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
@@ -248,11 +246,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
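Review bot: the hunk ends at the context line `Some servers only`, so the rest of that paragraph is not visible here; the same paragraph in s_time.pod (hunk `@@ -92,18 +91,17 @@`) still carried `will only support SSL v2 and may need the B<-ssl2> option` and needed an edit, so check that the continuation in s_client.pod does not still mention SSL v2 or B<-ssl2>. The lead sentence `these options disable the use of certain SSL or TLS protocols` is also inaccurate for B<-ssl3> and B<-tls1>, which select a single protocol version rather than disabling one; consider `these options select or disable particular SSL or TLS protocol versions`.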
@@ -279,10 +277,6 @@ the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
-=item B<-serverpref>
-
-use the server's cipher preferences; only used for SSLV2.
-
=item B<-starttls protocol>
send the protocol-specific message(s) to switch to TLS for communication.
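Review bot: dropping the B<-serverpref> entry from s_client.pod presumes the option is also removed from the s_client code itself; the diffstat on this page is limited to doc/apps, so that cannot be confirmed from this view. Also confirm that the SYNOPSIS block of s_client.pod no longer lists `[B<-serverpref>]`, since the synopsis hunk above (`@@ -58,10 +58,8 @@`) only removes the B<-ssl2> and B<-no_ssl2> entries.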
@@ -373,8 +367,8 @@ would typically be used (https uses port 443). If the connection succeeds
then an HTTP command can be given such as "GET /" to retrieve a web page.
If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
-B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> options can be tried
+nothing obvious like no client certificate then the B<-bugs>,
+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
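Review bot: the new lines `+nothing obvious like no client certificate then the B<-bugs>,` and `+B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1> options can be tried` break after `B<-bugs>,`, leaving uneven wrapping; reflow the two lines. While touching the list, it could also name B<-no_tls1_1> and B<-no_tls1_2>, which the option item earlier in this file (hunk `@@ -248,11 +246,11 @@`) documents for the same troubleshooting purpose.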
@@ -396,10 +390,6 @@ on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
-Since the SSLv23 client hello cannot include compression methods or extensions
-these will only be supported if its use is disabled, for example by using the
-B<-no_sslv2> option.
-
The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. None test
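Review bot: removing this paragraph is right: once the client hello is no longer constrained to the SSLv2-compatible format, compression methods and extensions can always be sent, so the caveat is obsolete. It also retires the reference to B<-no_sslv2>, which never matched the option spelling B<-no_ssl2> used in the synopsis. The context line `None test` that follows reads like a pre-existing typo for `Non-test`; a drive-by fix would fit while this file is being edited.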
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 3085944..1cc965f 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -64,10 +64,8 @@ B<openssl> B<s_server>
[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-tls1>]
-[B<-no_ssl2>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_dhe>]
@@ -279,11 +277,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
+=item B<-ssl3>, B<-tls1>, B<-no_ssl3>, B<-no_tls1>
these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
=item B<-bugs>
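Review bot: `these options disable the use of certain SSL or TLS protocols` now describes B<-ssl3>, B<-tls1>, B<-no_ssl3> and B<-no_tls1>; the first two select a single protocol version rather than disabling one. Consider `these options select or disable particular SSL or TLS protocol versions`, using the same wording chosen for the matching item in s_client.pod so the two manual pages stay consistent.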
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 5a38aa2..b8dad09 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -19,7 +19,6 @@ B<openssl> B<s_time>
[B<-verify depth>]
[B<-nbio>]
[B<-time seconds>]
-[B<-ssl2>]
[B<-ssl3>]
[B<-bugs>]
[B<-cipher cipherlist>]
@@ -92,18 +91,17 @@ specified, they are both on by default and executed in sequence.
turns on non-blocking I/O.
-=item B<-ssl2>, B<-ssl3>
+=item B<-ssl3>
these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
+servers and permit them to use SSL v3 or TLS as appropriate.
The timing program is not as rich in options to turn protocols on and off as
the L<s_client(1)|s_client(1)> program and may not connect to all servers.
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option; others
-will only support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off with the B<-ssl3> option.
=item B<-bugs>
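Review bot: with the item reduced to `+=item B<-ssl3>`, the unchanged line `these options disable the use of certain SSL or TLS protocols` now refers to a single option with plural wording, and B<-ssl3> restricts the handshake to SSL v3 rather than disabling anything; rewrite it as `this option restricts the handshake to SSL v3` or similar. The new line `+work if TLS is turned off with the B<-ssl3> option.` is otherwise a clean result of dropping the SSL v2 clause.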
@@ -137,7 +135,7 @@ which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command
for details.
If the handshake fails then there are several possible causes, if it is
-nothing obvious like no client certificate then the B<-bugs>, B<-ssl2>,
+nothing obvious like no client certificate then the B<-bugs> and
B<-ssl3> options can be tried
in case it is a buggy server. In particular you should play with these
options B<before> submitting a bug report to an OpenSSL mailing list.
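Review bot: `+nothing obvious like no client certificate then the B<-bugs> and` followed by the unchanged `B<-ssl3> options can be tried` and `in case it is a buggy server.` leaves three ragged short lines; reflow the sentence to the file's usual line width. The comma splice in the context line `there are several possible causes, if it is` is pre-existing but could be fixed in the same pass (`causes; if it is`).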
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index fb5ce12..a8b0ef0 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -92,7 +92,7 @@ Theses are described below in more detail.
=item B<Protocol>
-this is the protocol in use TLSv1, SSLv3 or SSLv2.
+this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
=item B<Cipher>
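Review bot: `+this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.` needs a separator before the list, e.g. `this is the protocol in use: TLSv1.2, TLSv1.1, TLSv1 or SSLv3.` Adding TLSv1.1 and TLSv1.2 goes beyond the SSLv2 removal described in the commit message, but is a correct fix while the line is being touched. The hunk header context `Theses are described below` carries a pre-existing typo (`These`).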
@@ -111,10 +111,6 @@ the session ID context in hex format.
this is the SSL session master key.
-=item B<Key-Arg>
-
-the key argument, this is only used in SSL v2.
-
=item B<Start Time>
this is the session start time represented as an integer in standard Unix format.
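Review bot: removing the B<Key-Arg> field from the documented output assumes the session printing code (SSL_SESSION_print) no longer emits a `Key-Arg` line; with the diffstat here limited to doc/apps that cannot be checked from this view, so confirm it, otherwise `openssl sess_id -text` would print a field the manual page no longer describes.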