From 304e9c4c08227be0556cc497519e0efccbba6988 Mon Sep 17 00:00:00 2001
From: Kaspar Brand <kbrand@apache.org>
Date: Fri, 18 Nov 2011 05:27:00 +0000
Subject: drop SSLv2 support (set SSL_OP_NO_SSLv2 for any new SSL_CTX)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1203491 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/mod/mod_ssl.xml | 28 ++++++++++------------------
 docs/manual/upgrading.xml   |  3 ++-
 2 files changed, 12 insertions(+), 19 deletions(-)

(limited to 'docs')

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 3b342b47bf..041446961e 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -61,7 +61,7 @@ compatibility variables.</p>
  <th>Description:</th>
 </tr>
 <tr><td><code>HTTPS</code></td>                         <td>flag</td>      <td>HTTPS is being used.</td></tr>
-<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
+<tr><td><code>SSL_PROTOCOL</code></td>                  <td>string</td>    <td>The SSL protocol version (SSLv3, TLSv1)</td></tr>
 <tr><td><code>SSL_SESSION_ID</code></td>                <td>string</td>    <td>The hex-encoded SSL session id</td></tr>
 <tr><td><code>SSL_SESSION_RESUMED</code></td>           <td>string</td>    <td>Initial or Resumed SSL Session.  Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
 <tr><td><code>SSL_SECURE_RENEG</code></td>              <td>string</td>    <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
@@ -563,7 +563,7 @@ by the applicable Security Policy.
 
 <directivesynopsis>
 <name>SSLProtocol</name>
-<description>Configure usable SSL protocol versions</description>
+<description>Configure usable SSL/TLS protocol versions</description>
 <syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
 <default>SSLProtocol all</default>
 <contextlist><context>server config</context>
@@ -571,17 +571,11 @@ by the applicable Security Policy.
 
 <usage>
 <p>
-This directive can be used to control which versions of the SSL protocol
+This directive can be used to control which versions of the SSL/TLS protocol
 will be accepted in new connections.</p>
 <p>
 The available (case-insensitive) <em>protocol</em>s are:</p>
 <ul>
-<li><code>SSLv2</code>
-    <p>
-    This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
-    original SSL protocol as designed by Netscape Corporation.  Though it's
-    use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
-
 <li><code>SSLv3</code>
     <p>
     This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
@@ -592,19 +586,17 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
 <li><code>TLSv1</code>
     <p>
     This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
-    successor to SSLv3 and is defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC2246</a>.
-    Which has been obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC4346</a>.</p></li>
+    successor to SSLv3 and was originally defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>
+    (obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC 4346</a>
+    and <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a> in
+    the meantime).</p></li>
 
-<li><code>All</code>
+<li><code>all</code>
     <p>
-    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
-    convenient way for enabling all protocols except one when used in
-    combination with the minus sign on a protocol as the example above
-    shows.</p></li>
+    This is a shortcut for ``<code>+SSLv3 +TLSv1</code>''.</p></li>
 </ul>
 <example><title>Example</title>
-#   enable SSLv3 and TLSv1, but not SSLv2<br />
-SSLProtocol all -SSLv2
+SSLProtocol TLSv1
 </example>
 </usage>
 </directivesynopsis>
diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml
index 300fe19e5f..0b844516e4 100644
--- a/docs/manual/upgrading.xml
+++ b/docs/manual/upgrading.xml
@@ -294,7 +294,8 @@
       <li><module>mod_ssl</module>: The default format of the <code>*_DN</code>
       variables has changed. The old format can still be used with the new
       <code>LegacyDNStringFormat</code> argument to <directive
-      module="mod_ssl">SSLOptions</directive>.</li>
+      module="mod_ssl">SSLOptions</directive>. The SSLv2 protocol is
+      no longer supported.</li>
 
       <li><program>htpasswd</program> now uses MD5 hash by default on
       all platforms.</li>
-- 
cgit v1.2.3