summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch')
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch592
1 files changed, 0 insertions, 592 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
deleted file mode 100644
index de89d08d5c..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0800_2.patch
+++ /dev/null
@@ -1,592 +0,0 @@
1From 021fb42dd0cf2bf985b0e26ca50418eb42c00d09 Mon Sep 17 00:00:00 2001
2From: Viktor Dukhovni <openssl-users@dukhovni.org>
3Date: Wed, 17 Feb 2016 23:38:55 -0500
4Subject: [PATCH] Bring SSL method documentation up to date
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Reviewed-by: Emilia Käsper <emilia@openssl.org>
10
11Upstream-Status: Backport
12
13https://git.openssl.org/?p=openssl.git;a=commit;h=021fb42dd0cf2bf985b0e26ca50418eb42c00d09
14
15CVE: CVE-2016-0800 #2 patch
16Signed-off-by: Armin Kuster <akuster@mvista.com>
17
18---
19 doc/apps/ciphers.pod | 29 ++++---
20 doc/apps/s_client.pod | 12 +--
21 doc/apps/s_server.pod | 8 +-
22 doc/ssl/SSL_CONF_cmd.pod | 33 ++++----
23 doc/ssl/SSL_CTX_new.pod | 168 ++++++++++++++++++++++++++++------------
24 doc/ssl/SSL_CTX_set_options.pod | 10 +++
25 doc/ssl/ssl.pod | 77 ++++++++++++++----
26 7 files changed, 226 insertions(+), 111 deletions(-)
27
28diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
29index 1c26e3b..8038b05 100644
30--- a/doc/apps/ciphers.pod
31+++ b/doc/apps/ciphers.pod
32@@ -38,25 +38,21 @@ SSL v2 and for SSL v3/TLS v1.
33
34 Like B<-v>, but include cipher suite codes in output (hex format).
35
36-=item B<-ssl3>
37+=item B<-ssl3>, B<-tls1>
38
39-only include SSL v3 ciphers.
40+This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
41
42 =item B<-ssl2>
43
44-only include SSL v2 ciphers.
45-
46-=item B<-tls1>
47-
48-only include TLS v1 ciphers.
49+Only include SSLv2 ciphers.
50
51 =item B<-h>, B<-?>
52
53-print a brief usage message.
54+Print a brief usage message.
55
56 =item B<cipherlist>
57
58-a cipher list to convert to a cipher preference list. If it is not included
59+A cipher list to convert to a cipher preference list. If it is not included
60 then the default cipher list will be used. The format is described below.
61
62 =back
63@@ -109,9 +105,10 @@ The following is a list of all permitted cipher strings and their meanings.
64
65 =item B<DEFAULT>
66
67-the default cipher list. This is determined at compile time and
68-is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
69-specified.
70+The default cipher list.
71+This is determined at compile time and is normally
72+B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>.
73+When used, this must be the first cipherstring specified.
74
75 =item B<COMPLEMENTOFDEFAULT>
76
77@@ -582,11 +579,11 @@ Note: these ciphers can also be used in SSL v3.
78 =head2 Deprecated SSL v2.0 cipher suites.
79
80 SSL_CK_RC4_128_WITH_MD5 RC4-MD5
81- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
82- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5
83- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5
84+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented.
85+ SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5
86+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented.
87 SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5
88- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5
89+ SSL_CK_DES_64_CBC_WITH_MD5 Not implemented.
90 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5
91
92 =head1 NOTES
93diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
94index 84d0527..618df96 100644
95--- a/doc/apps/s_client.pod
96+++ b/doc/apps/s_client.pod
97@@ -201,15 +201,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
98 given as a hexadecimal number without leading 0x, for example -psk
99 1a2b3c4d.
100
101-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
102+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
103
104-these options disable the use of certain SSL or TLS protocols. By default
105-the initial handshake uses a method which should be compatible with all
106-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
107-
108-Unfortunately there are still ancient and broken servers in use which
109-cannot handle this technique and will fail to connect. Some servers only
110-work if TLS is turned off.
111+These options require or disable the use of the specified SSL or TLS protocols.
112+By default the initial handshake uses a I<version-flexible> method which will
113+negotiate the highest mutually supported protocol version.
114
115 =item B<-fallback_scsv>
116
117diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
118index baca779..6f4acb7 100644
119--- a/doc/apps/s_server.pod
120+++ b/doc/apps/s_server.pod
121@@ -217,11 +217,11 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
122 given as a hexadecimal number without leading 0x, for example -psk
123 1a2b3c4d.
124
125-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
126+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
127
128-these options disable the use of certain SSL or TLS protocols. By default
129-the initial handshake uses a method which should be compatible with all
130-servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
131+These options require or disable the use of the specified SSL or TLS protocols.
132+By default the initial handshake uses a I<version-flexible> method which will
133+negotiate the highest mutually supported protocol version.
134
135 =item B<-bugs>
136
137diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
138index 2bf1a60..e81d76a 100644
139--- a/doc/ssl/SSL_CONF_cmd.pod
140+++ b/doc/ssl/SSL_CONF_cmd.pod
141@@ -74,7 +74,7 @@ B<prime256v1>). Curve names are case sensitive.
142
143 =item B<-named_curve>
144
145-This sets the temporary curve used for ephemeral ECDH modes. Only used by
146+This sets the temporary curve used for ephemeral ECDH modes. Only used by
147 servers
148
149 The B<value> argument is a curve name or the special value B<auto> which
150@@ -85,7 +85,7 @@ can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
151 =item B<-cipher>
152
153 Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
154-currently not performed unless a B<SSL> or B<SSL_CTX> structure is
155+currently not performed unless a B<SSL> or B<SSL_CTX> structure is
156 associated with B<cctx>.
157
158 =item B<-cert>
159@@ -111,9 +111,9 @@ operations are permitted.
160
161 =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
162
163-Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
164-by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
165-B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.
166+Disables protocol support for SSLv2, SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2
167+by setting the corresponding options B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>,
168+B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> respectively.
169
170 =item B<-bugs>
171
172@@ -177,7 +177,7 @@ Note: the command prefix (if set) alters the recognised B<cmd> values.
173 =item B<CipherString>
174
175 Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
176-currently not performed unless an B<SSL> or B<SSL_CTX> structure is
177+currently not performed unless an B<SSL> or B<SSL_CTX> structure is
178 associated with B<cctx>.
179
180 =item B<Certificate>
181@@ -244,7 +244,7 @@ B<prime256v1>). Curve names are case sensitive.
182
183 =item B<ECDHParameters>
184
185-This sets the temporary curve used for ephemeral ECDH modes. Only used by
186+This sets the temporary curve used for ephemeral ECDH modes. Only used by
187 servers
188
189 The B<value> argument is a curve name or the special value B<Automatic> which
190@@ -258,10 +258,11 @@ The supported versions of the SSL or TLS protocol.
191
192 The B<value> argument is a comma separated list of supported protocols to
193 enable or disable. If an protocol is preceded by B<-> that version is disabled.
194-All versions are enabled by default, though applications may choose to
195-explicitly disable some. Currently supported protocol values are B<SSLv2>,
196-B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers
197-to all supported versions.
198+Currently supported protocol values are B<SSLv2>, B<SSLv3>, B<TLSv1>,
199+B<TLSv1.1> and B<TLSv1.2>.
200+All protocol versions other than B<SSLv2> are enabled by default.
201+To avoid inadvertent enabling of B<SSLv2>, when SSLv2 is disabled, it is not
202+possible to enable it via the B<Protocol> command.
203
204 =item B<Options>
205
206@@ -339,16 +340,16 @@ The value is a directory name.
207 The order of operations is significant. This can be used to set either defaults
208 or values which cannot be overridden. For example if an application calls:
209
210- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
211+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
212 SSL_CONF_cmd(ctx, userparam, uservalue);
213
214-it will disable SSLv2 support by default but the user can override it. If
215+it will disable SSLv3 support by default but the user can override it. If
216 however the call sequence is:
217
218 SSL_CONF_cmd(ctx, userparam, uservalue);
219- SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
220+ SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
221
222-SSLv2 is B<always> disabled and attempt to override this by the user are
223+then SSLv3 is B<always> disabled and attempt to override this by the user are
224 ignored.
225
226 By checking the return code of SSL_CTX_cmd() it is possible to query if a
227@@ -372,7 +373,7 @@ can be checked instead. If -3 is returned a required argument is missing
228 and an error is indicated. If 0 is returned some other error occurred and
229 this can be reported back to the user.
230
231-The function SSL_CONF_cmd_value_type() can be used by applications to
232+The function SSL_CONF_cmd_value_type() can be used by applications to
233 check for the existence of a command or to perform additional syntax
234 checking or translation of the command value. For example if the return
235 value is B<SSL_CONF_TYPE_FILE> an application could translate a relative
236diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
237index 491ac8c..b8cc879 100644
238--- a/doc/ssl/SSL_CTX_new.pod
239+++ b/doc/ssl/SSL_CTX_new.pod
240@@ -2,13 +2,55 @@
241
242 =head1 NAME
243
244-SSL_CTX_new - create a new SSL_CTX object as framework for TLS/SSL enabled functions
245+SSL_CTX_new,
246+SSLv23_method, SSLv23_server_method, SSLv23_client_method,
247+TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
248+TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method,
249+TLSv1_method, TLSv1_server_method, TLSv1_client_method,
250+SSLv3_method, SSLv3_server_method, SSLv3_client_method,
251+SSLv2_method, SSLv2_server_method, SSLv2_client_method,
252+DTLS_method, DTLS_server_method, DTLS_client_method,
253+DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method,
254+DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method -
255+create a new SSL_CTX object as framework for TLS/SSL enabled functions
256
257 =head1 SYNOPSIS
258
259 #include <openssl/ssl.h>
260
261 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
262+ const SSL_METHOD *SSLv23_method(void);
263+ const SSL_METHOD *SSLv23_server_method(void);
264+ const SSL_METHOD *SSLv23_client_method(void);
265+ const SSL_METHOD *TLSv1_2_method(void);
266+ const SSL_METHOD *TLSv1_2_server_method(void);
267+ const SSL_METHOD *TLSv1_2_client_method(void);
268+ const SSL_METHOD *TLSv1_1_method(void);
269+ const SSL_METHOD *TLSv1_1_server_method(void);
270+ const SSL_METHOD *TLSv1_1_client_method(void);
271+ const SSL_METHOD *TLSv1_method(void);
272+ const SSL_METHOD *TLSv1_server_method(void);
273+ const SSL_METHOD *TLSv1_client_method(void);
274+ #ifndef OPENSSL_NO_SSL3_METHOD
275+ const SSL_METHOD *SSLv3_method(void);
276+ const SSL_METHOD *SSLv3_server_method(void);
277+ const SSL_METHOD *SSLv3_client_method(void);
278+ #endif
279+ #ifndef OPENSSL_NO_SSL2
280+ const SSL_METHOD *SSLv2_method(void);
281+ const SSL_METHOD *SSLv2_server_method(void);
282+ const SSL_METHOD *SSLv2_client_method(void);
283+ #endif
284+
285+ const SSL_METHOD *DTLS_method(void);
286+ const SSL_METHOD *DTLS_server_method(void);
287+ const SSL_METHOD *DTLS_client_method(void);
288+ const SSL_METHOD *DTLSv1_2_method(void);
289+ const SSL_METHOD *DTLSv1_2_server_method(void);
290+ const SSL_METHOD *DTLSv1_2_client_method(void);
291+ const SSL_METHOD *DTLSv1_method(void);
292+ const SSL_METHOD *DTLSv1_server_method(void);
293+ const SSL_METHOD *DTLSv1_client_method(void);
294
295 =head1 DESCRIPTION
296
297@@ -23,65 +65,88 @@ client only type. B<method> can be of the following types:
298
299 =over 4
300
301-=item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)
302+=item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()
303+
304+These are the general-purpose I<version-flexible> SSL/TLS methods.
305+The actual protocol version used will be negotiated to the highest version
306+mutually supported by the client and the server.
307+The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
308+Most applications should use these method, and avoid the version specific
309+methods described below.
310+
311+The list of protocols available can be further limited using the
312+B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
313+B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> options of the
314+L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions.
315+Clients should avoid creating "holes" in the set of protocols they support,
316+when disabling a protocol, make sure that you also disable either all previous
317+or all subsequent protocol versions.
318+In clients, when a protocol version is disabled without disabling I<all>
319+previous protocol versions, the effect is to also disable all subsequent
320+protocol versions.
321+
322+The SSLv2 and SSLv3 protocols are deprecated and should generally not be used.
323+Applications should typically use L<SSL_CTX_set_options(3)> in combination with
324+the B<SSL_OP_NO_SSLv3> flag to disable negotiation of SSLv3 via the above
325+I<version-flexible> SSL/TLS methods.
326+The B<SSL_OP_NO_SSLv2> option is set by default, and would need to be cleared
327+via L<SSL_CTX_clear_options(3)> in order to enable negotiation of SSLv2.
328+
329+=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
330
331-A TLS/SSL connection established with these methods will only understand
332-the SSLv2 protocol. A client will send out SSLv2 client hello messages
333-and will also indicate that it only understand SSLv2. A server will only
334-understand SSLv2 client hello messages.
335+A TLS/SSL connection established with these methods will only understand the
336+TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages and
337+will also indicate that it only understand TLSv1.2. A server will only
338+understand TLSv1.2 client hello messages.
339
340-=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
341+=item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()
342
343 A TLS/SSL connection established with these methods will only understand the
344-SSLv3 protocol. A client will send out SSLv3 client hello messages
345-and will indicate that it only understands SSLv3. A server will only understand
346-SSLv3 client hello messages. This especially means, that it will
347-not understand SSLv2 client hello messages which are widely used for
348-compatibility reasons, see SSLv23_*_method().
349+TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages and
350+will also indicate that it only understand TLSv1.1. A server will only
351+understand TLSv1.1 client hello messages.
352
353-=item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
354+=item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()
355
356 A TLS/SSL connection established with these methods will only understand the
357-TLSv1 protocol. A client will send out TLSv1 client hello messages
358-and will indicate that it only understands TLSv1. A server will only understand
359-TLSv1 client hello messages. This especially means, that it will
360-not understand SSLv2 client hello messages which are widely used for
361-compatibility reasons, see SSLv23_*_method(). It will also not understand
362-SSLv3 client hello messages.
363-
364-=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
365-
366-A TLS/SSL connection established with these methods may understand the SSLv2,
367-SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
368-
369-If the cipher list does not contain any SSLv2 ciphersuites (the default
370-cipher list does not) or extensions are required (for example server name)
371-a client will send out TLSv1 client hello messages including extensions and
372-will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
373-fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
374-protocols. This is the best choice when compatibility is a concern.
375-
376-If any SSLv2 ciphersuites are included in the cipher list and no extensions
377-are required then SSLv2 compatible client hellos will be used by clients and
378-SSLv2 will be accepted by servers. This is B<not> recommended due to the
379-insecurity of SSLv2 and the limited nature of the SSLv2 client hello
380-prohibiting the use of extensions.
381+TLSv1 protocol. A client will send out TLSv1 client hello messages and will
382+indicate that it only understands TLSv1. A server will only understand TLSv1
383+client hello messages.
384
385-=back
386+=item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()
387+
388+A TLS/SSL connection established with these methods will only understand the
389+SSLv3 protocol. A client will send out SSLv3 client hello messages and will
390+indicate that it only understands SSLv3. A server will only understand SSLv3
391+client hello messages. The SSLv3 protocol is deprecated and should not be
392+used.
393+
394+=item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()
395+
396+A TLS/SSL connection established with these methods will only understand the
397+SSLv2 protocol. A client will send out SSLv2 client hello messages and will
398+also indicate that it only understand SSLv2. A server will only understand
399+SSLv2 client hello messages. The SSLv2 protocol offers little to no security
400+and should not be used.
401+As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available
402+with SSLv2.
403
404-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
405-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
406-options of the SSL_CTX_set_options() or SSL_set_options() functions.
407-Using these options it is possible to choose e.g. SSLv23_server_method() and
408-be able to negotiate with all possible clients, but to only allow newer
409-protocols like TLSv1, TLSv1.1 or TLS v1.2.
410+=item DTLS_method(), DTLS_server_method(), DTLS_client_method()
411
412-Applications which never want to support SSLv2 (even is the cipher string
413-is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
414+These are the version-flexible DTLS methods.
415+
416+=item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()
417+
418+These are the version-specific methods for DTLSv1.2.
419+
420+=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
421+
422+These are the version-specific methods for DTLSv1.
423+
424+=back
425
426-SSL_CTX_new() initializes the list of ciphers, the session cache setting,
427-the callbacks, the keys and certificates and the options to its default
428-values.
429+SSL_CTX_new() initializes the list of ciphers, the session cache setting, the
430+callbacks, the keys and certificates and the options to its default values.
431
432 =head1 RETURN VALUES
433
434@@ -91,8 +156,8 @@ The following return values can occur:
435
436 =item NULL
437
438-The creation of a new SSL_CTX object failed. Check the error stack to
439-find out the reason.
440+The creation of a new SSL_CTX object failed. Check the error stack to find out
441+the reason.
442
443 =item Pointer to an SSL_CTX object
444
445@@ -102,6 +167,7 @@ The return value points to an allocated SSL_CTX object.
446
447 =head1 SEE ALSO
448
449+L<SSL_CTX_set_options(3)>, L<SSL_CTX_clear_options(3)>, L<SSL_set_options(3)>,
450 L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
451 L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
452
453diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
454index e80a72c..9a7e98c 100644
455--- a/doc/ssl/SSL_CTX_set_options.pod
456+++ b/doc/ssl/SSL_CTX_set_options.pod
457@@ -189,15 +189,25 @@ browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
458 =item SSL_OP_NO_SSLv2
459
460 Do not use the SSLv2 protocol.
461+As of OpenSSL 1.0.2g the B<SSL_OP_NO_SSLv2> option is set by default.
462
463 =item SSL_OP_NO_SSLv3
464
465 Do not use the SSLv3 protocol.
466+It is recommended that applications should set this option.
467
468 =item SSL_OP_NO_TLSv1
469
470 Do not use the TLSv1 protocol.
471
472+=item SSL_OP_NO_TLSv1_1
473+
474+Do not use the TLSv1.1 protocol.
475+
476+=item SSL_OP_NO_TLSv1_2
477+
478+Do not use the TLSv1.2 protocol.
479+
480 =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
481
482 When performing renegotiation as a server, always start a new session
483diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
484index 242087e..70cca17 100644
485--- a/doc/ssl/ssl.pod
486+++ b/doc/ssl/ssl.pod
487@@ -130,41 +130,86 @@ protocol methods defined in B<SSL_METHOD> structures.
488
489 =over 4
490
491-=item const SSL_METHOD *B<SSLv2_client_method>(void);
492+=item const SSL_METHOD *B<SSLv23_method>(void);
493
494-Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
495+Constructor for the I<version-flexible> SSL_METHOD structure for
496+clients, servers or both.
497+See L<SSL_CTX_new(3)> for details.
498
499-=item const SSL_METHOD *B<SSLv2_server_method>(void);
500+=item const SSL_METHOD *B<SSLv23_client_method>(void);
501
502-Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
503+Constructor for the I<version-flexible> SSL_METHOD structure for
504+clients.
505
506-=item const SSL_METHOD *B<SSLv2_method>(void);
507+=item const SSL_METHOD *B<SSLv23_client_method>(void);
508
509-Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
510+Constructor for the I<version-flexible> SSL_METHOD structure for
511+servers.
512
513-=item const SSL_METHOD *B<SSLv3_client_method>(void);
514+=item const SSL_METHOD *B<TLSv1_2_method>(void);
515
516-Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
517+Constructor for the TLSv1.2 SSL_METHOD structure for clients, servers
518+or both.
519
520-=item const SSL_METHOD *B<SSLv3_server_method>(void);
521+=item const SSL_METHOD *B<TLSv1_2_client_method>(void);
522
523-Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
524+Constructor for the TLSv1.2 SSL_METHOD structure for clients.
525
526-=item const SSL_METHOD *B<SSLv3_method>(void);
527+=item const SSL_METHOD *B<TLSv1_2_server_method>(void);
528+
529+Constructor for the TLSv1.2 SSL_METHOD structure for servers.
530+
531+=item const SSL_METHOD *B<TLSv1_1_method>(void);
532
533-Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
534+Constructor for the TLSv1.1 SSL_METHOD structure for clients, servers
535+or both.
536+
537+=item const SSL_METHOD *B<TLSv1_1_client_method>(void);
538+
539+Constructor for the TLSv1.1 SSL_METHOD structure for clients.
540+
541+=item const SSL_METHOD *B<TLSv1_1_server_method>(void);
542+
543+Constructor for the TLSv1.1 SSL_METHOD structure for servers.
544+
545+=item const SSL_METHOD *B<TLSv1_method>(void);
546+
547+Constructor for the TLSv1 SSL_METHOD structure for clients, servers
548+or both.
549
550 =item const SSL_METHOD *B<TLSv1_client_method>(void);
551
552-Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
553+Constructor for the TLSv1 SSL_METHOD structure for clients.
554
555 =item const SSL_METHOD *B<TLSv1_server_method>(void);
556
557-Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
558+Constructor for the TLSv1 SSL_METHOD structure for servers.
559
560-=item const SSL_METHOD *B<TLSv1_method>(void);
561+=item const SSL_METHOD *B<SSLv3_method>(void);
562+
563+Constructor for the SSLv3 SSL_METHOD structure for clients, servers
564+or both.
565+
566+=item const SSL_METHOD *B<SSLv3_client_method>(void);
567+
568+Constructor for the SSLv3 SSL_METHOD structure for clients.
569+
570+=item const SSL_METHOD *B<SSLv3_server_method>(void);
571+
572+Constructor for the SSLv3 SSL_METHOD structure for servers.
573+
574+=item const SSL_METHOD *B<SSLv2_method>(void);
575+
576+Constructor for the SSLv2 SSL_METHOD structure for clients, servers
577+or both.
578+
579+=item const SSL_METHOD *B<SSLv2_client_method>(void);
580+
581+Constructor for the SSLv2 SSL_METHOD structure for clients.
582+
583+=item const SSL_METHOD *B<SSLv2_server_method>(void);
584
585-Constructor for the TLSv1 SSL_METHOD structure for combined client and server.
586+Constructor for the SSLv2 SSL_METHOD structure for servers.
587
588 =back
589
590--
5912.3.5
592