diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c
index eabea2b43c73..3095e06bfe02 100644
--- a/lib/libfetch/common.c
+++ b/lib/libfetch/common.c
@@ -672,9 +672,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 {
 long ssl_ctx_options;
 
- ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET;
- if (getenv("SSL_ALLOW_SSL2") == NULL)
- ssl_ctx_options |= SSL_OP_NO_SSLv2;
+ ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
 if (getenv("SSL_ALLOW_SSL3") == NULL)
 ssl_ctx_options |= SSL_OP_NO_SSLv3;
 if (getenv("SSL_NO_TLS1") != NULL)
diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3
index 5b9f0db54936..53a4e424a834 100644
--- a/lib/libfetch/fetch.3
+++ b/lib/libfetch/fetch.3
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 15, 2014
+.Dd March 25, 2015
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -441,10 +441,8 @@ By default
 allows TLSv1 and newer when negotiating the connecting with the remote peer.
 You can change this behavior by setting the
-.Ev SSL_ALLOW_SSL2
-and
 .Ev SSL_ALLOW_SSL3
-environment variables to allow SSLv2 and SSLv3, respectively, and
+environment variable to allow SSLv3 and
 .Ev SSL_NO_TLS1 ,
 .Ev SSL_NO_TLS1_1
 and
 .Ev SSL_NO_TLS1_2
@@ -646,8 +644,6 @@ which proxies should not be used.
 Same as
 .Ev NO_PROXY ,
 for compatibility.
-.It Ev SSL_ALLOW_SSL2
-Allow SSL version 2 when negotiating the connection (not recommended).
 .It Ev SSL_ALLOW_SSL3
 Allow SSL version 3 when negotiating the connection (not recommended).
 .It Ev SSL_CA_CERT_FILE
diff --git a/sys/sys/param.h b/sys/sys/param.h
index 925c5845eafe..cb8b9bd67401 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -58,7 +58,7 @@
 * in the range 5 to 9.
 */
 #undef __FreeBSD_version
-#define __FreeBSD_version 1100066 /* Master, propagated to newvers */
+#define __FreeBSD_version 1100067 /* Master, propagated to newvers */
 
 /*
 * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
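Review bot: The new unconditional assignment in the common.c hunk still starts from `SSL_OP_ALL`, which in the OpenSSL releases contemporary with this code also sets `SSL_OP_LEGACY_SERVER_CONNECT` and `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, so removing the SSLv2 escape hatch leaves the legacy-renegotiation and empty-fragment interoperability workarounds enabled. If that is intended, the line deserves a comment saying so, e.g. `/* SSLv2 is never offered; SSL_OP_ALL is kept for peer-compatibility workarounds, including legacy renegotiation. */`; if not, mask them out on the same line with `& ~SSL_OP_LEGACY_SERVER_CONNECT`. The SSL_ALLOW_SSL3 environment check on the following context line is now the only remaining way to enable a down-protocol negotiation, which matches the fetch.3 change in this commit. fetch_ssl_setup_transport_layer continues past the hunk, so where ssl_ctx_options is applied to ctx is not visible here.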
diff --git a/usr.bin/fetch/fetch.1 b/usr.bin/fetch/fetch.1
index 10df42153c53..58b59ad52eaa 100644
--- a/usr.bin/fetch/fetch.1
+++ b/usr.bin/fetch/fetch.1
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 28, 2014
+.Dd March 25, 2015
 .Dt FETCH 1
 .Os
 .Sh NAME
@@ -39,7 +39,6 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl 146AadFlMmnPpqRrsUv
-.Op Fl -allow-sslv2
 .Op Fl B Ar bytes
 .Op Fl -bind-address= Ns Ar host
 .Op Fl -ca-cert= Ns Ar file
@@ -113,9 +112,6 @@ Some broken Web sites will return a redirect instead of a not-found error
 when the requested object does not exist.
 .It Fl a , -retry
 Automatically retry the transfer upon soft failures.
-.It Fl -allow-sslv2
-[SSL]
-Allow SSL version 2 when negotiating the connection.
 .It Fl B Ar bytes , Fl -buffer-size= Ns Ar bytes
 Specify the read buffer size in bytes.
 The default is 16,384 bytes.
@@ -350,7 +346,6 @@ for a description of additional environment variables, including
 .Ev NETRC ,
 .Ev NO_PROXY ,
 .Ev no_proxy ,
-.Ev SSL_ALLOW_SSL2 ,
 .Ev SSL_CA_CERT_FILE ,
 .Ev SSL_CA_CERT_PATH ,
 .Ev SSL_CLIENT_CERT_FILE ,
diff --git a/usr.bin/fetch/fetch.c b/usr.bin/fetch/fetch.c
index 3f64151fef16..3fbf34388c7d 100644
--- a/usr.bin/fetch/fetch.c
+++ b/usr.bin/fetch/fetch.c
@@ -102,7 +102,6 @@ enum options
 OPTION_HTTP_REFERER,
 OPTION_HTTP_USER_AGENT,
 OPTION_NO_PROXY,
- OPTION_SSL_ALLOW_SSL2,
 OPTION_SSL_CA_CERT_FILE,
 OPTION_SSL_CA_CERT_PATH,
 OPTION_SSL_CLIENT_CERT_FILE,
@@ -154,7 +153,6 @@ static struct option longopts[] = {
 { "referer", required_argument, NULL, OPTION_HTTP_REFERER },
 { "user-agent", required_argument, NULL, OPTION_HTTP_USER_AGENT },
 { "no-proxy", required_argument, NULL, OPTION_NO_PROXY },
- { "allow-sslv2", no_argument, NULL, OPTION_SSL_ALLOW_SSL2 },
 { "ca-cert", required_argument, NULL, OPTION_SSL_CA_CERT_FILE },
 { "ca-path", required_argument, NULL, OPTION_SSL_CA_CERT_PATH },
 { "cert", required_argument, NULL, OPTION_SSL_CLIENT_CERT_FILE },
@@ -845,17 +843,17 @@ static void
 usage(void)
 {
 fprintf(stderr, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
-"usage: fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
-" [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
-" [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
-" [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
-" [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
+"usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]",
+" [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]",
+" [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]",
+" [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]",
+" [-o file] [--referer=URL] [-S bytes] [-T seconds]",
 " [--user-agent=agent-string] [-w seconds] URL ...",
-" fetch [-146AadFlMmnPpqRrsUv] [--allow-sslv2] [-B bytes]",
-" [--bind-address=host] [--ca-cert=file] [--ca-path=dir] [--cert=file]",
-" [--crl=file] [-i file] [--key=file] [-N file] [--no-passive]",
-" [--no-proxy=list] [--no-sslv3] [--no-tlsv1] [--no-verify-hostname]",
-" [--no-verify-peer] [-o file] [--referer=URL] [-S bytes] [-T seconds]",
+" fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]",
+" [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]",
+" [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]",
+" [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]",
+" [-o file] [--referer=URL] [-S bytes] [-T seconds]",
 " [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]");
 }
 
@@ -1004,9 +1002,6 @@ main(int argc, char *argv[])
 case OPTION_NO_PROXY:
 setenv("NO_PROXY", optarg, 1);
 break;
- case OPTION_SSL_ALLOW_SSL2:
- setenv("SSL_ALLOW_SSL2", "", 1);
- break;
 case OPTION_SSL_CA_CERT_FILE:
 setenv("SSL_CA_CERT_FILE", optarg, 1);
 break;