X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman3%2FSSL_CONF_cmd.pod;h=5179e29bc4a585e52e5600bfaa2948dd144dc022;hp=f5c6576ed0aa6c54575170cdfda14c048f41c731;hb=1c4b15458670aea5d3849d4b57b8c0ce34a54fbe;hpb=5a185729a3b029845c4596657b4495b3a8ead6f0 diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index f5c6576ed0..5179e29bc4 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_CONF_cmd_value_type, SSL_CONF_finish, +SSL_CONF_cmd_value_type, SSL_CONF_cmd - send configuration command =head1 SYNOPSIS @@ -11,7 +11,6 @@ SSL_CONF_cmd - send configuration command int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); - int SSL_CONF_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION @@ -22,10 +21,6 @@ framework for command line options or configuration files. SSL_CONF_cmd_value_type() returns the type of value that B refers to. -The function SSL_CONF_finish() must be called after all configuration -operations have been completed. It is used to finalise any operations -or to process defaults. - =head1 SUPPORTED COMMAND LINE COMMANDS Currently supported B names for command lines (i.e. when the @@ -62,16 +57,25 @@ If a server does not request a certificate this option has no effect. The syntax of B is identical to B<-sigalgs>. If not set then the value set for B<-sigalgs> will be used instead. +=item B<-groups> + +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. + +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + =item B<-curves> -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. +This is a synonym for the "-groups" command. -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. =item B<-named_curve> @@ -110,6 +114,17 @@ Attempts to use the file B as the set of temporary DH parameters for the appropriate context. This option is only supported if certificate operations are permitted. +=item B<-record_padding> + +Attempts to pad TLS 1.3 records so that they are a multiple of B in +length on send. A B of 0 or 1 turns off padding. Otherwise, the +B must be >1 or <=16384. + +=item B<-no_renegotiation> + +Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +B. + =item B<-min_protocol>, B<-max_protocol> Sets the minimum and maximum supported protocol. @@ -156,6 +171,13 @@ Use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B. Only used by servers. +=item B<-prioritize_chacha> + +Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of +its preference list. This usually indicates a client without AES hardware +acceleration (e.g. mobile) is in use. Equivalent to B. +Only used by servers. Requires B<-serverpref>. + =item B<-no_resumption_on_reneg> set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. @@ -171,6 +193,11 @@ permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B. Set by default. +=item B<-allow_no_dhe_kex> + +In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. + =item B<-strict> enables strict mode protocol handling. Equivalent to setting @@ -236,6 +263,17 @@ Attempts to use the file B as the set of temporary DH parameters for the appropriate context. This option is only supported if certificate operations are permitted. +=item B + +Attempts to pad TLS 1.3 records so that they are a multiple of B in +length on send. A B of 0 or 1 turns off padding. Otherwise, the +B must be >1 or <=16384. + +=item B + +Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +B. + =item B This sets the supported signature algorithms for TLS v1.2. For clients this @@ -261,16 +299,24 @@ used to determine which signature algorithm to with the client certificate. The syntax of B is identical to B. If not set then the value set for B will be used instead. -=item B +=item B -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for both +signatures and key exchange, if applicable. It also affects the preferred +key_share sent by a client in a TLSv1.3 compatible connection. -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. +The B argument is a colon separated list of groups. The group can be +either the B name (e.g. B), some other commonly used name where +applicable (e.g. B) or an OpenSSL OID name (e.g B). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. The first listed group will be the one used for a +key_share by a TLSv1.3 client. + +=item B + +This is a synonym for the "Groups" command. =item B @@ -343,21 +389,26 @@ B: enable various bug workarounds. Same as B. B: enable single use DH keys, set by default. Inverse of B. Only used by servers. -B enable single use ECDH keys, set by default. Inverse of +B: enable single use ECDH keys, set by default. Inverse of B. Only used by servers. -B use server and not client preference order when +B: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B. Only used by servers. -B set +B: prioritizes ChaCha ciphers when the client has a +ChaCha20 cipher at the top of its preference list. This usually indicates +a mobile client is in use. Equivalent to B. +Only used by servers. + +B: set B flag. Only used by servers. -B permits the use of unsafe legacy renegotiation. +B: permits the use of unsafe legacy renegotiation. Equivalent to B. -B permits the use of unsafe legacy renegotiation +B: permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to B. Set by default. @@ -365,6 +416,16 @@ B: use encrypt-then-mac extension, enabled by default. Inverse of B: that is, B<-EncryptThenMac> is the same as setting B. +B: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on +resumption. This means that there will be no forward secrecy for the resumed +session. Equivalent to B. + +B: If set then dummy Change Cipher Spec (CCS) messages are sent +in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that +middleboxes that do not understand TLSv1.3 will not drop the connection. This +option is set by default. A future version of OpenSSL may not set this by +default. Equivalent to B. + =item B The B argument is a comma separated list of flags to set. @@ -380,6 +441,18 @@ occurs if the client does not present a certificate. Servers only. B requests a certificate from a client only on the initial connection: not when renegotiating. Servers only. +B configures the connection to support requests but does +not require a certificate from the client post-handshake. A certificate will +not be requested during the initial handshake. The server application must +provide a mechanism to request a certificate post-handshake. Servers only. +TLSv1.3 only. + +B configures the connection to support requests and +requires a certificate from the client post-handshake: an error occurs if the +client does not present a certificate. A certificate will not be requested +during the initial handshake. The server application must provide a mechanism +to request a certificate post-handshake. Servers only. TLSv1.3 only. + =item B, B A file or directory of certificates in PEM format whose names are used as the @@ -437,7 +510,7 @@ SSLv3 is B disabled and attempt to override this by the user are ignored. By checking the return code of SSL_CONF_cmd() it is possible to query if a -given B is recognised, this is useful is SSL_CONF_cmd() values are +given B is recognised, this is useful if SSL_CONF_cmd() values are mixed with additional application specific operations. For example an application might call SSL_CONF_cmd() and if it returns @@ -530,8 +603,6 @@ error occurred attempting to perform the operation: for example due to an error in the syntax of B in this case the error queue may provide additional information. -SSL_CONF_finish() returns 1 for success and 0 for failure. - =head1 SEE ALSO L, @@ -554,9 +625,11 @@ B. B and B where added in OpenSSL 1.1.0. +B and B were added in OpenSSL 1.1.1. + =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2017 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy