1 files changed, 34 insertions, 27 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libssl/man/SSL_CTX_set_options.3
index 2e7a8d065a99..8937e092181c 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_options.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SSL_CTX_set_options 3"
-.TH SSL_CTX_set_options 3 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH SSL_CTX_set_options 3 "2015-01-15" "1.0.1l" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -207,9 +216,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
 .IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
 .IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER"
 \&...
-.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
-.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING"
-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
+.IP "\s-1SSL_OP_SAFARI_ECDHE_ECDSA_BUG\s0" 4
+.IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG"
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on \s-1OS X.
+OS X 10.8..10.8.3\s0 has broken support for ECDHE-ECDSA ciphers.
 .IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
 .IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG"
 \&...
@@ -221,10 +231,15 @@ As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 \&...
 .IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
 .IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
-Disables a countermeasure against a \s-1SSL\s0 3.0/TLS 1.0 protocol
+Disables a countermeasure against a \s-1SSL 3.0/TLS 1.0\s0 protocol
 vulnerability affecting \s-1CBC\s0 ciphers, which cannot be handled by some
 broken \s-1SSL\s0 implementations.  This option has no effect for connections
 using other ciphers.
+.IP "\s-1SSL_OP_TLSEXT_PADDING\s0" 4
+.IX Item "SSL_OP_TLSEXT_PADDING"
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
 .IP "\s-1SSL_OP_ALL\s0" 4
 .IX Item "SSL_OP_ALL"
 All of the above bug workarounds.
@@ -258,15 +273,7 @@ a new \s-1DH\s0 key during each handshake but it is also recommended.
 temporary/ephemeral \s-1DH\s0 parameters are used.
 .IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
 .IX Item "SSL_OP_EPHEMERAL_RSA"
-Always use ephemeral (temporary) \s-1RSA\s0 key when doing \s-1RSA\s0 operations
-(see \fISSL_CTX_set_tmp_rsa_callback\fR\|(3)).
-According to the specifications this is only done, when a \s-1RSA\s0 key
-can only be used for signature operations (namely under export ciphers
-with restricted \s-1RSA\s0 keylength). By setting this option, ephemeral
-\&\s-1RSA\s0 keys are always used. This option breaks compatibility with the
-\&\s-1SSL/TLS\s0 specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with \s-1EDH\s0 (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
 .IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
 When choosing a cipher, use the server's preferences instead of the client
@@ -312,16 +319,16 @@ not be used by clients or servers.
 .IP "\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0" 4
 .IX Item "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"
 Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the \fB\s-1SECURE\s0 \s-1RENEGOTIATION\s0\fR section for more details.
+servers. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
 .IP "\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0" 4
 .IX Item "SSL_OP_LEGACY_SERVER_CONNECT"
 Allow legacy insecure renegotiation between OpenSSL and unpatched servers
 \&\fBonly\fR: this option is currently set by default. See the
-\&\fB\s-1SECURE\s0 \s-1RENEGOTIATION\s0\fR section for more details.
+\&\fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
 .SH "SECURE RENEGOTIATION"
 .IX Header "SECURE RENEGOTIATION"
 OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in \s-1RFC5746\s0. This counters the prefix attack described in
+described in \s-1RFC5746.\s0 This counters the prefix attack described in
 \&\s-1CVE\-2009\-3555\s0 and elsewhere.
 .PP
 The deprecated and highly broken SSLv2 protocol does not support
@@ -339,7 +346,7 @@ renegotiation implementation.
 Connections and renegotiation are always permitted by OpenSSL implementations.
 .SS "Unpatched client and patched OpenSSL server"
 .IX Subsection "Unpatched client and patched OpenSSL server"
-The initial connection suceeds but client renegotiation is denied by the
+The initial connection succeeds but client renegotiation is denied by the
 server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal
 \&\fBhandshake_failure\fR alert in \s-1SSL\s0 v3.0.
 .PP