Hi, The attached patches filter the -ssl2/-ssl3/-tls1 options based on the supported protocols compiled into the tools.
The patches apply to openssl-1.0.1e and openssl-1.0.0k. Many thanks, Mike
diff -ru openssl-1.0.0k/apps/ciphers.c openssl-1.0.0k-new/apps/ciphers.c --- openssl-1.0.0k/apps/ciphers.c 2013-02-05 11:58:46.000000000 +0000 +++ openssl-1.0.0k-new/apps/ciphers.c 2013-06-24 11:50:11.000000000 +0100 @@ -73,9 +73,15 @@ "usage: ciphers args\n", " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", " -V - even more verbose\n", +#ifndef OPENSSL_NO_SSL2 " -ssl2 - SSL2 mode\n", +#endif +#ifndef OPENSSL_NO_SSL3 " -ssl3 - SSL3 mode\n", +#endif +#ifndef OPENSSL_NO_TLS1 " -tls1 - TLS1 mode\n", +#endif NULL }; diff -ru openssl-1.0.0k/apps/s_client.c openssl-1.0.0k-new/apps/s_client.c --- openssl-1.0.0k/apps/s_client.c 2013-02-05 11:58:46.000000000 +0000 +++ openssl-1.0.0k-new/apps/s_client.c 2013-06-24 11:50:19.000000000 +0100 @@ -316,11 +316,20 @@ BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); # endif #endif +#ifndef OPENSSL_NO_SSL2 BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); +#endif +#ifndef OPENSSL_NO_TLS1 BIO_printf(bio_err," -tls1 - just use TLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err," -mtu - set the link layer MTU\n"); + BIO_printf(bio_err," -timeout - Enable timeouts for DTLSv1\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU for DTLSv1\n"); +#endif BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); diff -ru openssl-1.0.0k/apps/s_server.c openssl-1.0.0k-new/apps/s_server.c --- openssl-1.0.0k/apps/s_server.c 2013-02-05 11:58:46.000000000 +0000 +++ openssl-1.0.0k-new/apps/s_server.c 2013-06-24 11:50:23.000000000 +0100 @@ -456,12 +456,20 @@ BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); # endif #endif +#ifndef OPENSSL_NO_SSL2 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); +#endif +#ifndef OPENSSL_NO_TLS1 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); - BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set link layer MTU\n"); + BIO_printf(bio_err," -timeout - Enable timeouts for DTLSv1\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU for DTLSv1\n"); +#endif BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); diff -ru openssl-1.0.0k/apps/s_time.c openssl-1.0.0k-new/apps/s_time.c --- openssl-1.0.0k/apps/s_time.c 2013-02-05 11:47:28.000000000 +0000 +++ openssl-1.0.0k-new/apps/s_time.c 2013-06-24 11:50:35.000000000 +0100 @@ -186,8 +186,12 @@ printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME); #ifdef FIONBIO printf("-nbio - Run with non-blocking IO\n"); +#ifndef OPENSSL_NO_SSL2 printf("-ssl2 - Just use SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 printf("-ssl3 - Just use SSLv3\n"); +#endif printf("-bugs - Turn on SSL bug compatibility\n"); printf("-new - Just time new connections\n"); printf("-reuse - Just time connection reuse\n");
diff -ru openssl-1.0.1e/apps/ciphers.c openssl-1.0.1e-new/apps/ciphers.c --- openssl-1.0.1e/apps/ciphers.c 2013-02-11 15:26:04.000000000 +0000 +++ openssl-1.0.1e-new/apps/ciphers.c 2013-06-24 11:56:49.000000000 +0100 @@ -73,9 +73,15 @@ "usage: ciphers args\n", " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", " -V - even more verbose\n", +#ifndef OPENSSL_NO_SSL2 " -ssl2 - SSL2 mode\n", +#endif +#ifndef OPENSSL_NO_SSL3 " -ssl3 - SSL3 mode\n", +#endif +#ifndef OPENSSL_NO_TLS1 " -tls1 - TLS1 mode\n", +#endif NULL }; diff -ru openssl-1.0.1e/apps/s_client.c openssl-1.0.1e-new/apps/s_client.c --- openssl-1.0.1e/apps/s_client.c 2013-02-11 15:26:04.000000000 +0000 +++ openssl-1.0.1e-new/apps/s_client.c 2013-06-24 11:58:25.000000000 +0100 @@ -329,13 +329,22 @@ BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); #endif +#ifndef OPENSSL_NO_SSL2 BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); +#endif +#ifndef OPENSSL_NO_TLS1 BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1 BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err," -mtu - set the link layer MTU\n"); + BIO_printf(bio_err," -timeout - Enable timeouts for DTLSv1\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU for DTLSv1\n"); +#endif BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); diff -ru openssl-1.0.1e/apps/s_server.c openssl-1.0.1e-new/apps/s_server.c --- openssl-1.0.1e/apps/s_server.c 2013-02-11 15:26:04.000000000 +0000 +++ openssl-1.0.1e-new/apps/s_server.c 2013-06-24 11:59:05.000000000 +0100 @@ -513,14 +513,22 @@ BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); #endif +#ifndef OPENSSL_NO_SSL2 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); +#endif +#ifndef OPENSSL_NO_TLS1 BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); - BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set link layer MTU\n"); + BIO_printf(bio_err," -timeout - Enable timeouts for DTLSv1\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU for DTLSv1\n"); +#endif BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); diff -ru openssl-1.0.1e/apps/s_time.c openssl-1.0.1e-new/apps/s_time.c --- openssl-1.0.1e/apps/s_time.c 2013-02-11 15:26:04.000000000 +0000 +++ openssl-1.0.1e-new/apps/s_time.c 2013-06-24 11:56:49.000000000 +0100 @@ -186,8 +186,12 @@ printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME); #ifdef FIONBIO printf("-nbio - Run with non-blocking IO\n"); +#ifndef OPENSSL_NO_SSL2 printf("-ssl2 - Just use SSLv2\n"); +#endif +#ifndef OPENSSL_NO_SSL3 printf("-ssl3 - Just use SSLv3\n"); +#endif printf("-bugs - Turn on SSL bug compatibility\n"); printf("-new - Just time new connections\n"); printf("-reuse - Just time connection reuse\n");