Merge OpenSSL 1.0.2g.

Relnotes:	yes

46 files changed, 110 insertions, 88 deletions

diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index 81b0bf7b02a5..d3088ecb3044 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA.PL 1"
-.TH CA.PL 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CA.PL 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index afc7a532b4bf..95e8fa1f9998 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH ASN1PARSE 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/c_rehash.1 b/secure/usr.bin/openssl/man/c_rehash.1
index a60ccb5cdd91..c6f356e4d035 100644
--- a/secure/usr.bin/openssl/man/c_rehash.1
+++ b/secure/usr.bin/openssl/man/c_rehash.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "C_REHASH 1"
-.TH C_REHASH 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH C_REHASH 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index d4cb79e9e51d..b22ed99511c0 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA 1"
-.TH CA 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CA 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index e10144adc728..e4dd7ed876fe 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CIPHERS 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -168,21 +168,18 @@ in a cipher list; this is when similar ciphers are available for
 .IP "\fB\-V\fR" 4
 .IX Item "-V"
 Like \fB\-v\fR, but include cipher suite codes in output (hex format).
-.IP "\fB\-ssl3\fR" 4
-.IX Item "-ssl3"
-only include \s-1SSL\s0 v3 ciphers.
+.IP "\fB\-ssl3\fR, \fB\-tls1\fR" 4
+.IX Item "-ssl3, -tls1"
+This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.
 .IP "\fB\-ssl2\fR" 4
 .IX Item "-ssl2"
-only include \s-1SSL\s0 v2 ciphers.
-.IP "\fB\-tls1\fR" 4
-.IX Item "-tls1"
-only include \s-1TLS\s0 v1 ciphers.
+Only include SSLv2 ciphers.
 .IP "\fB\-h\fR, \fB\-?\fR" 4
 .IX Item "-h, -?"
-print a brief usage message.
+Print a brief usage message.
 .IP "\fBcipherlist\fR" 4
 .IX Item "cipherlist"
-a cipher list to convert to a cipher preference list. If it is not included
+A cipher list to convert to a cipher preference list. If it is not included
 then the default cipher list will be used. The format is described below.
 .SH "CIPHER LIST FORMAT"
 .IX Header "CIPHER LIST FORMAT"
@@ -228,9 +225,10 @@ the current cipher list in order of encryption algorithm key length.
 The following is a list of all permitted cipher strings and their meanings.
 .IP "\fB\s-1DEFAULT\s0\fR" 4
 .IX Item "DEFAULT"
-the default cipher list. This is determined at compile time and
-is normally \fB\s-1ALL:\s0!EXPORT:!aNULL:!eNULL:!SSLv2\fR. This must be the firstcipher string
-specified.
+The default cipher list.
+This is determined at compile time and is normally
+\&\fB\s-1ALL:\s0!EXPORT:!aNULL:!eNULL:!SSLv2\fR.
+When used, this must be the first cipherstring specified.
 .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
 .IX Item "COMPLEMENTOFDEFAULT"
 the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
@@ -252,29 +250,41 @@ than 128 bits, and some cipher suites with 128\-bit keys.
 \&\*(L"medium\*(R" encryption cipher suites, currently some of those using 128 bit encryption.
 .IP "\fB\s-1LOW\s0\fR" 4
 .IX Item "LOW"
-\&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
-but excluding export cipher suites.
+Low strength encryption cipher suites, currently those using 64 or 56 bit
+encryption algorithms but excluding export cipher suites.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
 .IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
 .IX Item "EXP, EXPORT"
-export encryption algorithms. Including 40 and 56 bits algorithms.
+Export strength encryption algorithms. Including 40 and 56 bits algorithms.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
 .IP "\fB\s-1EXPORT40\s0\fR" 4
 .IX Item "EXPORT40"
-40 bit export encryption algorithms
+40\-bit export encryption algorithms
+As of OpenSSL 1.0.2g, these are disabled in default builds.
 .IP "\fB\s-1EXPORT56\s0\fR" 4
 .IX Item "EXPORT56"
-56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
+56\-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
 56 bit export ciphers is empty unless OpenSSL has been explicitly configured
 with support for experimental ciphers.
+As of OpenSSL 1.0.2g, these are disabled in default builds.
 .IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
 .IX Item "eNULL, NULL"
-the \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
-encryption at all and are a security risk they are disabled unless explicitly
-included.
+The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
+encryption at all and are a security risk they are not enabled via either the
+\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings.
+Be careful when building cipherlists out of lower-level primitives such as
+\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers.
+When in doubt, include \fB!eNULL\fR in your cipherlist.
 .IP "\fBaNULL\fR" 4
 .IX Item "aNULL"
-the cipher suites offering no authentication. This is currently the anonymous
+The cipher suites offering no authentication. This is currently the anonymous
 \&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable
 to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged.
+These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR
+ciphers.
+Be careful when building cipherlists out of lower-level primitives such as
+\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers.
+When in doubt, include \fB!aNULL\fR in your cipherlist.
 .IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
 .IX Item "kRSA, RSA"
 cipher suites using \s-1RSA\s0 key exchange.
@@ -659,11 +669,11 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3.
 .IX Subsection "Deprecated SSL v2.0 cipher suites."
 .Vb 7
 \& SSL_CK_RC4_128_WITH_MD5                 RC4\-MD5
-\& SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP\-RC4\-MD5
-\& SSL_CK_RC2_128_CBC_WITH_MD5             RC2\-MD5
-\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    EXP\-RC2\-MD5
+\& SSL_CK_RC4_128_EXPORT40_WITH_MD5        Not implemented.
+\& SSL_CK_RC2_128_CBC_WITH_MD5             RC2\-CBC\-MD5
+\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5    Not implemented.
 \& SSL_CK_IDEA_128_CBC_WITH_MD5            IDEA\-CBC\-MD5
-\& SSL_CK_DES_64_CBC_WITH_MD5              DES\-CBC\-MD5
+\& SSL_CK_DES_64_CBC_WITH_MD5              Not implemented.
 \& SSL_CK_DES_192_EDE3_CBC_WITH_MD5        DES\-CBC3\-MD5
 .Ve
 .SH "NOTES"
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
index 7355c9a03206..aadb94308b5c 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CMS 1"
-.TH CMS 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CMS 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index 24c4efe2f764..6f9f1cf4e114 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL 1"
-.TH CRL 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CRL 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index f8d4573e2243..a2d5c2e8d31e 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH CRL2PKCS7 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index 746b2add1077..456c2a436257 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DGST 1"
-.TH DGST 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH DGST 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index 28959e35c148..d7d937e66259 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH DHPARAM 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 933fb28a05f6..0c50725a60cb 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA 1"
-.TH DSA 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH DSA 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index 58622b954e65..d85fa499b7d1 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH DSAPARAM 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1
index 5382d829fe90..005bd7929219 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/ec.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EC 1"
-.TH EC 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH EC 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1
index 3737f865075a..b09d3c9243ca 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/ecparam.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH ECPARAM 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 8378679178fb..204a08349cd0 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ENC 1"
-.TH ENC 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH ENC 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1
index 558f9f4faf5e..f2baf455245e 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/errstr.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH ERRSTR 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index e98a2814de9f..de31ae9a6c07 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENDSA 1"
-.TH GENDSA 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH GENDSA 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1
index ad8fbd306d2a..ebd59f756dac 100644
--- a/secure/usr.bin/openssl/man/genpkey.1
+++ b/secure/usr.bin/openssl/man/genpkey.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH GENPKEY 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index f8415b0d8c1d..ad705e714109 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENRSA 1"
-.TH GENRSA 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH GENRSA 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index f78ebd37c246..11b1d22160a3 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "NSEQ 1"
-.TH NSEQ 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH NSEQ 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index da78b9b38f08..4f040108613f 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OCSP 1"
-.TH OCSP 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH OCSP 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index bcdb8750930f..e59468fcc02c 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH OPENSSL 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index 6fd59b80174c..9c3a37010395 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PASSWD 1"
-.TH PASSWD 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PASSWD 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index c43b106c75e2..957a6c663ff3 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS12 1"
-.TH PKCS12 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKCS12 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index 7ea5a4d2ca3f..59bcf19e8e7b 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7 1"
-.TH PKCS7 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKCS7 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index bccfbefc7d8d..aa1187bce67a 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS8 1"
-.TH PKCS8 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKCS8 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1
index a2da1932841c..488dbd380d99 100644
--- a/secure/usr.bin/openssl/man/pkey.1
+++ b/secure/usr.bin/openssl/man/pkey.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEY 1"
-.TH PKEY 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKEY 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1
index 809cdf0ee60a..5c0019d6accc 100644
--- a/secure/usr.bin/openssl/man/pkeyparam.1
+++ b/secure/usr.bin/openssl/man/pkeyparam.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKEYPARAM 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1
index 7311f5234f09..f33a0c38ee56 100644
--- a/secure/usr.bin/openssl/man/pkeyutl.1
+++ b/secure/usr.bin/openssl/man/pkeyutl.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH PKEYUTL 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -246,6 +246,19 @@ Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option
 which specifies the digest in use for sign, verify and verifyrecover operations.
 The value \fBalg\fR should represent a digest name as used in the
 \&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR.
+This value is used only for sanity-checking the lengths of data passed in to
+the \fBpkeyutl\fR and for creating the structures that make up the signature
+(e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
+In case of \s-1RSA, ECDSA\s0 and \s-1DSA\s0 signatures, this utility
+will not perform hashing on input data but rather use the data directly as
+input of signature algorithm. Depending on key type, signature type and mode
+of padding, the maximum acceptable lengths of input data differ. In general,
+with \s-1RSA\s0 the signed data can't be longer than the key modulus, in case of \s-1ECDSA\s0
+and \s-1DSA\s0 the data shouldn't be longer than field size, otherwise it will be
+silently truncated to field size.
+.PP
+In other words, if the value of digest is \fBsha1\fR the input should be 20 bytes
+long binary encoding of \s-1SHA\-1\s0 hash function output.
 .SH "RSA ALGORITHM"
 .IX Header "RSA ALGORITHM"
 The \s-1RSA\s0 algorithm supports encrypt, decrypt, sign, verify and verifyrecover
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index 2f0804979d0b..1aee0abf3cb2 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND 1"
-.TH RAND 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH RAND 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index 2b8eb1b30ce4..a16807b20411 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "REQ 1"
-.TH REQ 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH REQ 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -433,9 +433,12 @@ command line options \fBpassin\fR and \fBpassout\fR override the
 configuration file values.
 .IP "\fBdefault_bits\fR" 4
 .IX Item "default_bits"
-This specifies the default key size in bits. If not specified then
-512 is used. It is used if the \fB\-new\fR option is used. It can be
-overridden by using the \fB\-newkey\fR option.
+Specifies the default key size in bits.
+.Sp
+This option is used in conjunction with the \fB\-new\fR option to generate
+a new key. It can be overridden by specifying an explicit key size in
+the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If
+no key size is specified then 2048 bits is used.
 .IP "\fBdefault_keyfile\fR" 4
 .IX Item "default_keyfile"
 This is the default filename to write a private key to. If not
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index 12f6bb785ec7..fa72520d3a78 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA 1"
-.TH RSA 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH RSA 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 5d1d7ec1efd6..62d2ecdc5721 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH RSAUTL 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 74aae106804f..89fc87a56e4f 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH S_CLIENT 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -305,15 +305,11 @@ Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
 Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example \-psk
 1a2b3c4d.
-.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
-these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
-.Sp
-Unfortunately there are still ancient and broken servers in use which
-cannot handle this technique and will fail to connect. Some servers only
-work if \s-1TLS\s0 is turned off.
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
+.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
+These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
+By default the initial handshake uses a \fIversion-flexible\fR method which will
+negotiate the highest mutually supported protocol version.
 .IP "\fB\-fallback_scsv\fR" 4
 .IX Item "-fallback_scsv"
 Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index 0436ae1d047a..94dfd5f979e3 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH S_SERVER 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -321,11 +321,11 @@ Use the \s-1PSK\s0 identity hint \fBhint\fR when using a \s-1PSK\s0 cipher suite
 Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example \-psk
 1a2b3c4d.
-.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
-.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
-these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4
+.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2"
+These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
+By default the initial handshake uses a \fIversion-flexible\fR method which will
+negotiate the highest mutually supported protocol version.
 .IP "\fB\-bugs\fR" 4
 .IX Item "-bugs"
 there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
index 284acc1cf999..9414c1d5023e 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_TIME 1"
-.TH S_TIME 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH S_TIME 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index b0c54f70aeed..19af06b0a30f 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH SESS_ID 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index 092218e781fd..b691b9b76a4a 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME 1"
-.TH SMIME 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH SMIME 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index 08639bd50c8d..9350efa36eb6 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPEED 1"
-.TH SPEED 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH SPEED 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index 8a551794a143..e42adced31f2 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPKAC 1"
-.TH SPKAC 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH SPKAC 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1
index ba62c06a9061..803b7139d2f2 100644
--- a/secure/usr.bin/openssl/man/ts.1
+++ b/secure/usr.bin/openssl/man/ts.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "TS 1"
-.TH TS 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH TS 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index 5faa438b6a6e..7a0c4518c4f3 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "TSGET 1"
-.TH TSGET 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH TSGET 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index 9141659ef38d..18d891b6f8ae 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERIFY 1"
-.TH VERIFY 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH VERIFY 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 40ec2acd256f..36751c49289c 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERSION 1"
-.TH VERSION 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH VERSION 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index 46a9476d94be..8d4f47d73e67 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509 1"
-.TH X509 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH X509 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1
index b4f3246f1002..da85a1026759 100644
--- a/secure/usr.bin/openssl/man/x509v3_config.1
+++ b/secure/usr.bin/openssl/man/x509v3_config.1
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509V3_CONFIG 1"
-.TH X509V3_CONFIG 1 "2016-01-28" "1.0.2f" "OpenSSL"
+.TH X509V3_CONFIG 1 "2016-03-01" "1.0.2g" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l