mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 21:13:38 +08:00
Update the SSL/TLS connection options
Refactor common flags for SSL/TLS connection options. Update SSL_CONF_cmd.pod to match ordering. Rewrite much of the documentation. Fixes #10160 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10191)
This commit is contained in:
parent
c98eab85b8
commit
8b3efb5302
@ -41,6 +41,7 @@ B<openssl> B<s_server>
|
||||
[B<-no_resume_ephemeral>]
|
||||
[B<-www>]
|
||||
[B<-WWW>]
|
||||
[B<-http_server_binmode>]
|
||||
[B<-servername>]
|
||||
[B<-servername_fatal>]
|
||||
[B<-cert2> I<infile>]
|
||||
@ -88,7 +89,6 @@ B<openssl> B<s_server>
|
||||
[B<-no_comp>]
|
||||
[B<-comp>]
|
||||
[B<-no_ticket>]
|
||||
[B<-num_tickets>]
|
||||
[B<-serverpref>]
|
||||
[B<-legacy_renegotiation>]
|
||||
[B<-no_renegotiation>]
|
||||
@ -125,16 +125,17 @@ B<openssl> B<s_server>
|
||||
[B<-use_srtp> I<val>]
|
||||
[B<-alpn> I<val>]
|
||||
[B<-keylogfile> I<outfile>]
|
||||
[B<-max_early_data> I<int>]
|
||||
[B<-recv_max_early_data> I<int>]
|
||||
[B<-max_early_data> I<int>]
|
||||
[B<-early_data>]
|
||||
[B<-stateless>]
|
||||
[B<-anti_replay>]
|
||||
[B<-no_anti_replay>]
|
||||
[B<-http_server_binmode>]
|
||||
[B<-num_tickets>]
|
||||
{- $OpenSSL::safe::opt_name_synopsis -}
|
||||
{- $OpenSSL::safe::opt_version_synopsis -}
|
||||
{- $OpenSSL::safe::opt_v_synopsis -}
|
||||
{- $OpenSSL::safe::opt_s_synopsis -}
|
||||
{- $OpenSSL::safe::opt_x_synopsis -}
|
||||
{- $OpenSSL::safe::opt_trust_synopsis -}
|
||||
{- $OpenSSL::safe::opt_r_synopsis -}
|
||||
@ -371,6 +372,11 @@ In addition, the special URL C</stats> will return status
|
||||
information like the B<-www> option.
|
||||
Neither of these options can be used in conjunction with B<-early_data>.
|
||||
|
||||
=item B<-http_server_binmode>
|
||||
|
||||
When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
|
||||
by the client in binary mode.
|
||||
|
||||
=item B<-id_prefix> I<val>
|
||||
|
||||
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
|
||||
@ -641,15 +647,12 @@ has been negotiated, and early data is enabled on the server. A full handshake
|
||||
is forced if a session ticket is used a second or subsequent time. Any early
|
||||
data that was sent will be rejected.
|
||||
|
||||
=item B<-http_server_binmode>
|
||||
|
||||
When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
|
||||
by the client in binary mode.
|
||||
|
||||
{- $OpenSSL::safe::opt_name_item -}
|
||||
|
||||
{- $OpenSSL::safe::opt_version_item -}
|
||||
|
||||
{- $OpenSSL::safe::opt_s_item -}
|
||||
|
||||
{- $OpenSSL::safe::opt_x_item -}
|
||||
|
||||
{- $OpenSSL::safe::opt_trust_item -}
|
||||
|
@ -9,168 +9,38 @@ SSL_CONF_cmd - send configuration command
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
|
||||
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
|
||||
int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value);
|
||||
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The function SSL_CONF_cmd() performs configuration operation B<cmd> with
|
||||
The function SSL_CONF_cmd() performs configuration operation B<option> with
|
||||
optional parameter B<value> on B<ctx>. Its purpose is to simplify application
|
||||
configuration of B<SSL_CTX> or B<SSL> structures by providing a common
|
||||
framework for command line options or configuration files.
|
||||
|
||||
SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to.
|
||||
SSL_CONF_cmd_value_type() returns the type of value that B<option> refers to.
|
||||
|
||||
=head1 SUPPORTED COMMAND LINE COMMANDS
|
||||
|
||||
Currently supported B<cmd> names for command lines (i.e. when the
|
||||
flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
|
||||
Currently supported B<option> names for command lines (i.e. when the
|
||||
flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<option> names
|
||||
are case sensitive. Unless otherwise stated commands can be used by
|
||||
both clients and servers and the B<value> parameter is not used. The default
|
||||
prefix for command line commands is B<-> and that is reflected below.
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<-sigalgs>
|
||||
|
||||
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
|
||||
For clients this
|
||||
value is used directly for the supported signature algorithms extension. For
|
||||
servers it is used to determine which signature algorithms to support.
|
||||
|
||||
The B<value> argument should be a colon separated list of signature algorithms
|
||||
in order of decreasing preference of the form B<algorithm+hash> or
|
||||
B<signature_scheme>. B<algorithm>
|
||||
is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
|
||||
OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
|
||||
Note: algorithm and hash names are case sensitive.
|
||||
B<signature_scheme> is one of the signature schemes defined in TLSv1.3,
|
||||
specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>,
|
||||
or B<rsa_pss_pss_sha256>.
|
||||
|
||||
If this option is not set then all signature algorithms supported by the
|
||||
OpenSSL library are permissible.
|
||||
|
||||
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
|
||||
using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
|
||||
identifiers) are ignored in TLSv1.3 and will not be negotiated.
|
||||
|
||||
=item B<-client_sigalgs>
|
||||
|
||||
This sets the supported signature algorithms associated with client
|
||||
authentication for TLSv1.2 and TLSv1.3.
|
||||
For servers the value is used in the
|
||||
B<signature_algorithms> field of a B<CertificateRequest> message.
|
||||
For clients it is
|
||||
used to determine which signature algorithm to use with the client certificate.
|
||||
If a server does not request a certificate this option has no effect.
|
||||
|
||||
The syntax of B<value> is identical to B<-sigalgs>. If not set then
|
||||
the value set for B<-sigalgs> will be used instead.
|
||||
|
||||
=item B<-groups>
|
||||
|
||||
This sets the supported groups. For clients, the groups are
|
||||
sent using the supported groups extension. For servers, it is used
|
||||
to determine which group to use. This setting affects groups used for
|
||||
signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
|
||||
will also be used for the B<key_share> sent by a client in a TLSv1.3
|
||||
B<ClientHello>.
|
||||
|
||||
The B<value> argument is a colon separated list of groups. The group can be
|
||||
either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
|
||||
applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name
|
||||
(e.g B<prime256v1>). Group names are case sensitive. The list should be in
|
||||
order of preference with the most preferred group first.
|
||||
|
||||
Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>,
|
||||
B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>,
|
||||
B<ffdhe8192>.
|
||||
|
||||
=item B<-curves>
|
||||
|
||||
This is a synonym for the "-groups" command.
|
||||
|
||||
=item B<-named_curve>
|
||||
|
||||
This sets the temporary curve used for ephemeral ECDH modes. Only used by
|
||||
servers
|
||||
|
||||
The B<value> argument is a curve name or the special value B<auto> which
|
||||
picks an appropriate curve based on client and server preferences. The curve
|
||||
can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
|
||||
(e.g B<prime256v1>). Curve names are case sensitive.
|
||||
|
||||
=item B<-cipher>
|
||||
|
||||
Sets the TLSv1.2 and below ciphersuite list to B<value>. This list will be
|
||||
combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
|
||||
of B<value> is currently not performed unless a B<SSL> or B<SSL_CTX> structure is
|
||||
associated with B<cctx>.
|
||||
|
||||
=item B<-ciphersuites>
|
||||
|
||||
Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon
|
||||
(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
|
||||
list will be combined any configured TLSv1.2 and below ciphersuites.
|
||||
See L<openssl-ciphers(1)> for more information.
|
||||
|
||||
|
||||
=item B<-cert>
|
||||
|
||||
Attempts to use the file B<value> as the certificate for the appropriate
|
||||
context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
|
||||
structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
|
||||
structure is set. This option is only supported if certificate operations
|
||||
are permitted.
|
||||
|
||||
=item B<-key>
|
||||
|
||||
Attempts to use the file B<value> as the private key for the appropriate
|
||||
context. This option is only supported if certificate operations
|
||||
are permitted. Note: if no B<-key> option is set then a private key is
|
||||
not loaded unless the flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
|
||||
|
||||
=item B<-dhparam>
|
||||
|
||||
Attempts to use the file B<value> as the set of temporary DH parameters for
|
||||
the appropriate context. This option is only supported if certificate
|
||||
operations are permitted.
|
||||
|
||||
=item B<-record_padding>
|
||||
|
||||
Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in
|
||||
length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the
|
||||
B<value> must be >1 or <=16384.
|
||||
|
||||
=item B<-no_renegotiation>
|
||||
|
||||
Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
|
||||
B<SSL_OP_NO_RENEGOTIATION>.
|
||||
|
||||
=item B<-min_protocol>, B<-max_protocol>
|
||||
|
||||
Sets the minimum and maximum supported protocol.
|
||||
Currently supported protocol values are B<SSLv3>, B<TLSv1>,
|
||||
B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS,
|
||||
and B<None> for no limit.
|
||||
If either bound is not specified then only the other bound applies,
|
||||
if specified.
|
||||
To restrict the supported protocol versions use these commands rather
|
||||
than the deprecated alternative commands below.
|
||||
|
||||
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
|
||||
|
||||
Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
|
||||
setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
|
||||
B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
|
||||
respectively. These options are deprecated, instead use B<-min_protocol> and
|
||||
B<-max_protocol>.
|
||||
|
||||
=item B<-bugs>
|
||||
|
||||
Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
|
||||
|
||||
=item B<-no_comp>
|
||||
|
||||
Disables support for SSL/TLS compression, same as setting
|
||||
B<SSL_OP_NO_COMPRESSION>.
|
||||
As of OpenSSL 1.1.0, compression is off by default.
|
||||
|
||||
=item B<-comp>
|
||||
|
||||
Enables support for SSL/TLS compression, same as clearing
|
||||
@ -178,12 +48,6 @@ B<SSL_OP_NO_COMPRESSION>.
|
||||
This command was introduced in OpenSSL 1.1.0.
|
||||
As of OpenSSL 1.1.0, compression is off by default.
|
||||
|
||||
=item B<-no_comp>
|
||||
|
||||
Disables support for SSL/TLS compression, same as setting
|
||||
B<SSL_OP_NO_COMPRESSION>.
|
||||
As of OpenSSL 1.1.0, compression is off by default.
|
||||
|
||||
=item B<-no_ticket>
|
||||
|
||||
Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
|
||||
@ -194,28 +58,33 @@ Use server and not client preference order when determining which cipher suite,
|
||||
signature algorithm or elliptic curve to use for an incoming connection.
|
||||
Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
|
||||
|
||||
=item B<-prioritize_chacha>
|
||||
|
||||
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
|
||||
its preference list. This usually indicates a client without AES hardware
|
||||
acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
|
||||
Only used by servers. Requires B<-serverpref>.
|
||||
|
||||
=item B<-no_resumption_on_reneg>
|
||||
|
||||
set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
|
||||
|
||||
=item B<-legacyrenegotiation>
|
||||
|
||||
permits the use of unsafe legacy renegotiation. Equivalent to setting
|
||||
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
|
||||
|
||||
=item B<-no_renegotiation>
|
||||
|
||||
Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
|
||||
B<SSL_OP_NO_RENEGOTIATION>.
|
||||
|
||||
=item B<-no_resumption_on_reneg>
|
||||
|
||||
set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
|
||||
|
||||
=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
|
||||
|
||||
permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
|
||||
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
|
||||
Set by default.
|
||||
|
||||
=item B<-prioritize_chacha>
|
||||
|
||||
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
|
||||
its preference list. This usually indicates a client without AES hardware
|
||||
acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
|
||||
Only used by servers. Requires B<-serverpref>.
|
||||
|
||||
=item B<-allow_no_dhe_kex>
|
||||
|
||||
In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
|
||||
@ -226,6 +95,144 @@ that there will be no forward secrecy for the resumed session.
|
||||
enables strict mode protocol handling. Equivalent to setting
|
||||
B<SSL_CERT_FLAG_TLS_STRICT>.
|
||||
|
||||
=item B<-sigalgs> I<algs>
|
||||
|
||||
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
|
||||
For clients this value is used directly for the supported signature
|
||||
algorithms extension. For servers it is used to determine which signature
|
||||
algorithms to support.
|
||||
|
||||
The B<algs> argument should be a colon separated list of signature
|
||||
algorithms in order of decreasing preference of the form B<algorithm+hash>
|
||||
or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and
|
||||
B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>,
|
||||
B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case
|
||||
sensitive. B<signature_scheme> is one of the signature schemes defined in
|
||||
TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>,
|
||||
B<ed25519>, or B<rsa_pss_pss_sha256>.
|
||||
|
||||
If this option is not set then all signature algorithms supported by the
|
||||
OpenSSL library are permissible.
|
||||
|
||||
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
|
||||
using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
|
||||
identifiers) are ignored in TLSv1.3 and will not be negotiated.
|
||||
|
||||
=item B<-client_sigalgs> I<algs>
|
||||
|
||||
This sets the supported signature algorithms associated with client
|
||||
authentication for TLSv1.2 and TLSv1.3. For servers the B<algs> is used
|
||||
in the B<signature_algorithms> field of a B<CertificateRequest> message.
|
||||
For clients it is used to determine which signature algorithm to use with
|
||||
the client certificate. If a server does not request a certificate this
|
||||
option has no effect.
|
||||
|
||||
The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the
|
||||
value set for B<-sigalgs> will be used instead.
|
||||
|
||||
=item B<-groups> I<groups>
|
||||
|
||||
This sets the supported groups. For clients, the groups are sent using
|
||||
the supported groups extension. For servers, it is used to determine which
|
||||
group to use. This setting affects groups used for signatures (in TLSv1.2
|
||||
and earlier) and key exchange. The first group listed will also be used
|
||||
for the B<key_share> sent by a client in a TLSv1.3 B<ClientHello>.
|
||||
|
||||
The B<groups> argument is a colon separated list of groups. The group can
|
||||
be either the B<NIST> name (e.g. B<P-256>), some other commonly used name
|
||||
where applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name
|
||||
(e.g B<prime256v1>). Group names are case sensitive. The list should be
|
||||
in order of preference with the most preferred group first.
|
||||
|
||||
Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>,
|
||||
B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>,
|
||||
B<ffdhe8192>.
|
||||
|
||||
=item B<-curves> I<groups>
|
||||
|
||||
This is a synonym for the B<-groups> command.
|
||||
|
||||
=item B<-named_curve> I<curve>
|
||||
|
||||
This sets the temporary curve used for ephemeral ECDH modes. Only used
|
||||
by servers.
|
||||
|
||||
The B<groups> argument is a curve name or the special value B<auto> which
|
||||
picks an appropriate curve based on client and server preferences. The
|
||||
curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
|
||||
(e.g B<prime256v1>). Curve names are case sensitive.
|
||||
|
||||
=item B<-cipher> I<ciphers>
|
||||
|
||||
Sets the TLSv1.2 and below ciphersuite list to B<ciphers>. This list will be
|
||||
combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
|
||||
of B<ciphers> is currently not performed unless a B<SSL> or B<SSL_CTX>
|
||||
structure is associated with B<ctx>.
|
||||
|
||||
=item B<-ciphersuites> I<1.3ciphers>
|
||||
|
||||
Sets the available ciphersuites for TLSv1.3 to value. This is a
|
||||
colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
|
||||
list will be combined any configured TLSv1.2 and below ciphersuites.
|
||||
See L<openssl-ciphers(1)> for more information.
|
||||
|
||||
=item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>
|
||||
|
||||
Sets the minimum and maximum supported protocol. Currently supported
|
||||
protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3>
|
||||
for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> for no limit.
|
||||
If either bound is not specified then only the other bound applies,
|
||||
if specified. To restrict the supported protocol versions use these
|
||||
commands rather than the deprecated alternative commands below.
|
||||
|
||||
=item B<-record_padding> I<padding>
|
||||
|
||||
Attempts to pad TLSv1.3 records so that they are a multiple of B<padding>
|
||||
in length on send. A B<padding> of 0 or 1 turns off padding. Otherwise,
|
||||
the B<padding> must be >1 or <=16384.
|
||||
|
||||
=item B<-debug_broken_protocol>
|
||||
|
||||
=item B<-no_middlebox>
|
||||
|
||||
=back
|
||||
|
||||
=head2 Additional Options
|
||||
|
||||
The following options are accepted by SSL_CONF_cmd(), but are not
|
||||
processed by the OpenSSL commands.
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<-cert> I<file>
|
||||
|
||||
Attempts to use B<file> as the certificate for the appropriate context. It
|
||||
currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
|
||||
structure is set or SSL_use_certificate_file() with filetype PEM if an
|
||||
B<SSL> structure is set. This option is only supported if certificate
|
||||
operations are permitted.
|
||||
|
||||
=item B<-key> I<file>
|
||||
|
||||
Attempts to use B<file> as the private key for the appropriate context. This
|
||||
option is only supported if certificate operations are permitted. Note:
|
||||
if no B<-key> option is set then a private key is not loaded unless the
|
||||
flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
|
||||
|
||||
=item B<-dhparam> I<file>
|
||||
|
||||
Attempts to use B<file> as the set of temporary DH parameters for
|
||||
the appropriate context. This option is only supported if certificate
|
||||
operations are permitted.
|
||||
|
||||
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
|
||||
|
||||
Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
|
||||
setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
|
||||
B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
|
||||
respectively. These options are deprecated, use B<-min_protocol> and
|
||||
B<-max_protocol> instead.
|
||||
|
||||
=item B<-anti_replay>, B<-no_anti_replay>
|
||||
|
||||
Switches replay protection, on or off respectively. With replay protection on,
|
||||
@ -242,13 +249,13 @@ required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>.
|
||||
|
||||
=head1 SUPPORTED CONFIGURATION FILE COMMANDS
|
||||
|
||||
Currently supported B<cmd> names for configuration files (i.e. when the
|
||||
Currently supported B<option> names for configuration files (i.e., when the
|
||||
flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
|
||||
B<cmd> names are case insensitive so B<signaturealgorithms> is recognised
|
||||
B<option> names are case insensitive so B<signaturealgorithms> is recognised
|
||||
as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
|
||||
are also case insensitive.
|
||||
|
||||
Note: the command prefix (if set) alters the recognised B<cmd> values.
|
||||
Note: the command prefix (if set) alters the recognised B<option> values.
|
||||
|
||||
=over 4
|
||||
|
||||
@ -257,12 +264,12 @@ Note: the command prefix (if set) alters the recognised B<cmd> values.
|
||||
Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be
|
||||
combined with any configured TLSv1.3 ciphersuites. Note: syntax
|
||||
checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX>
|
||||
structure is associated with B<cctx>.
|
||||
structure is associated with B<ctx>.
|
||||
|
||||
=item B<Ciphersuites>
|
||||
|
||||
Sets the available ciphersuites for TLSv1.3 to B<value>. This is a simple colon
|
||||
(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
|
||||
Sets the available ciphersuites for TLSv1.3 to B<value>. This is a
|
||||
colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
|
||||
list will be combined any configured TLSv1.2 and below ciphersuites.
|
||||
See L<openssl-ciphers(1)> for more information.
|
||||
|
||||
@ -540,7 +547,7 @@ types:
|
||||
|
||||
=item B<SSL_CONF_TYPE_UNKNOWN>
|
||||
|
||||
The B<cmd> string is unrecognised, this return value can be use to flag
|
||||
The B<option> string is unrecognised, this return value can be use to flag
|
||||
syntax errors.
|
||||
|
||||
=item B<SSL_CONF_TYPE_STRING>
|
||||
@ -580,7 +587,7 @@ SSLv3 is B<always> disabled and attempt to override this by the user are
|
||||
ignored.
|
||||
|
||||
By checking the return code of SSL_CONF_cmd() it is possible to query if a
|
||||
given B<cmd> is recognised, this is useful if SSL_CONF_cmd() values are
|
||||
given B<option> is recognised, this is useful if SSL_CONF_cmd() values are
|
||||
mixed with additional application specific operations.
|
||||
|
||||
For example an application might call SSL_CONF_cmd() and if it returns
|
||||
@ -590,12 +597,12 @@ commands.
|
||||
Applications can also use SSL_CONF_cmd() to process command lines though the
|
||||
utility function SSL_CONF_cmd_argv() is normally used instead. One way
|
||||
to do this is to set the prefix to an appropriate value using
|
||||
SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
|
||||
SSL_CONF_CTX_set1_prefix(), pass the current argument to B<option> and the
|
||||
following argument to B<value> (which may be NULL).
|
||||
|
||||
In this case if the return value is positive then it is used to skip that
|
||||
number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is
|
||||
returned then B<cmd> is not recognised and application specific arguments
|
||||
returned then B<option> is not recognised and application specific arguments
|
||||
can be checked instead. If -3 is returned a required argument is missing
|
||||
and an error is indicated. If 0 is returned some other error occurred and
|
||||
this can be reported back to the user.
|
||||
@ -608,17 +615,17 @@ pathname to an absolute pathname.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is
|
||||
B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
|
||||
SSL_CONF_cmd() returns 1 if the value of B<option> is recognised and B<value> is
|
||||
B<NOT> used and 2 if both B<option> and B<value> are used. In other words it
|
||||
returns the number of arguments processed. This is useful when processing
|
||||
command lines.
|
||||
|
||||
A return value of -2 means B<cmd> is not recognised.
|
||||
A return value of -2 means B<option> is not recognised.
|
||||
|
||||
A return value of -3 means B<cmd> is recognised and the command requires a
|
||||
A return value of -3 means B<option> is recognised and the command requires a
|
||||
value but B<value> is NULL.
|
||||
|
||||
A return code of 0 indicates that both B<cmd> and B<value> are valid but an
|
||||
A return code of 0 indicates that both B<option> and B<value> are valid but an
|
||||
error occurred attempting to perform the operation: for example due to an
|
||||
error in the syntax of B<value> in this case the error queue may provide
|
||||
additional information.
|
||||
|
@ -65,7 +65,7 @@ $OpenSSL::safe::opt_x_synopsis = ""
|
||||
$OpenSSL::safe::opt_x_item = ""
|
||||
. "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
|
||||
. "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
|
||||
. "B<-xkeyform> B<DER>|B<PEM>>\n"
|
||||
. "B<-xkeyform> B<DER>|B<PEM>\n"
|
||||
. "\n"
|
||||
. "Set extended certificate verification options.\n"
|
||||
. "See L<openssl(1)/Extended Verification Options> for details.";
|
||||
@ -143,16 +143,17 @@ $OpenSSL::safe::opt_version_item = "\n"
|
||||
. "See L<openssl(1)/TLS Version Options>.";
|
||||
|
||||
# SSL connection options.
|
||||
# TODO options will probably be re-ordered.
|
||||
# TODO # options will probably be re-ordered.
|
||||
$OpenSSL::safe::opt_s_synopsis = ""
|
||||
. "[B<-bugs>]\n"
|
||||
. "[B<-no_comp>]\n"
|
||||
. "[B<-comp>]\n"
|
||||
. "[B<-no_ticket>]\n"
|
||||
. "[B<-serverpref>]\n"
|
||||
. "[B<-legacy_renegotiation>]\n"
|
||||
. "[B<-no_renegotiation>]\n"
|
||||
. "[B<-legacy_server_connect>]\n"
|
||||
. "[B<-no_resumption_on_reneg>]\n"
|
||||
. "[B<-legacy_server_connect>]\n"
|
||||
. "[B<-no_legacy_server_connect>]\n"
|
||||
. "[B<-allow_no_dhe_kex>]\n"
|
||||
. "[B<-prioritize_chacha>]\n"
|
||||
@ -161,7 +162,7 @@ $OpenSSL::safe::opt_s_synopsis = ""
|
||||
. "[B<-client_sigalgs> I<algs>]\n"
|
||||
. "[B<-groups> I<groups>]\n"
|
||||
. "[B<-curves> I<curves>]\n"
|
||||
. "[B<-named_curve> I<curves>]\n"
|
||||
. "[B<-named_curve> I<curve>]\n"
|
||||
. "[B<-cipher> I<ciphers>]\n"
|
||||
. "[B<-ciphersuites> I<1.3ciphers>]\n"
|
||||
. "[B<-min_protocol> I<minprot>]\n"
|
||||
@ -170,12 +171,12 @@ $OpenSSL::safe::opt_s_synopsis = ""
|
||||
. "[B<-debug_broken_protocol>]\n"
|
||||
. "[B<-no_middlebox>]";
|
||||
$OpenSSL::safe::opt_s_item = ""
|
||||
. "=item B<-bugs>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,"
|
||||
. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-legacy_server_connect>,\n"
|
||||
. "B<-no_resumption_on_reneg>, B<-no_legacy_server_connect>,\n"
|
||||
. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
|
||||
. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
|
||||
. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
|
||||
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
|
||||
. "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
|
||||
. "I<curves>, B<-named_curve> I<curves>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
|
||||
. "I<curves>, B<-named_curve> I<curve>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
|
||||
. "I<1.3ciphers>, B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>,\n"
|
||||
. "B<-record_padding> I<padding>, B<-debug_broken_protocol>, B<-no_middlebox>\n"
|
||||
. "\n"
|
||||
|
Loading…
Reference in New Issue
Block a user