X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fssl%2FSSL_CONF_cmd.pod;h=c4f1309c03308c9e38a1d0237b86a30e915ab286;hp=874bd006c683ed2f8eca1391a74bffdfa21aca15;hb=2011b169fa90edd4d986e7dbbd3d64587d316a22;hpb=3db935a9e5e62fcbde719b2a03ce8941bb13514a diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index 874bd006c6..c4f1309c03 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -9,32 +9,203 @@ SSL_CONF_cmd - send configuration command #include int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); + int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); + int SSL_CONF_finish(SSL_CONF_CTX *cctx); =head1 DESCRIPTION The function SSL_CONF_cmd() performs configuration operation B with optional parameter B on B. Its purpose is to simplify application configuration of B or B structures by providing a common -framework for configuration files or command line options. +framework for command line options or configuration files. + +SSL_CONF_cmd_value_type() returns the type of value that B refers to. + +The function SSL_CONF_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + +=head1 SUPPORTED COMMAND LINE COMMANDS + +Currently supported B names for command lines (i.e. when the +flag B is set) are listed below. Note: all B names +are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the B parameter is not used. The default +prefix for command line commands is B<-> and that is reflected below. + +=over 4 + +=item B<-sigalgs> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B. B +is one of B, B or B and B is a supported algorithm +OID short name such as B, B, B, B of B. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<-client_sigalgs> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. +If a server does not request a certificate this option has no effect. + +The syntax of B is identical to B<-sigalgs>. If not set then +the value set for B<-sigalgs> will be used instead. + +=item B<-curves> + +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B argument is a colon separated list of curves. The curve can be +either the B name (e.g. B) or an OpenSSL OID name (e.g +B). Curve names are case sensitive. + +=item B<-named_curve> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B argument is a curve name or the special value B which +picks an appropriate curve based on client and server preferences. The curve +can be either the B name (e.g. B) or an OpenSSL OID name +(e.g B). Curve names are case sensitive. + +=item B<-cipher> + +Sets the cipher suite list to B. Note: syntax checking of B is +currently not performed unless a B or B structure is +associated with B. + +=item B<-cert> + +Attempts to use the file B as the certificate for the appropriate +context. It currently uses SSL_CTX_use_certificate_chain_file() if an B +structure is set or SSL_use_certificate_file() with filetype PEM if an B +structure is set. This option is only supported if certificate operations +are permitted. + +=item B<-key> + +Attempts to use the file B as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B<-key> option is set then a private key is +not loaded unless the flag B is set. + +=item B<-dhparam> + +Attempts to use the file B as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +Disables protocol support for SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B, +B, B and B respectively. + +=item B<-bugs> + +Various bug workarounds are set, same as setting B. + +=item B<-no_comp> + +Disables support for SSL/TLS compression, same as setting B. + +=item B<-no_ticket> + +Disables support for session tickets, same as setting B. + +=item B<-serverpref> + +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to B. Only used by servers. + +=item B<-no_resumption_on_reneg> + +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. + +=item B<-legacyrenegotiation> + +permits the use of unsafe legacy renegotiation. Equivalent to setting +B. + +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> + +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B. +Set by default. + +=item B<-strict> + +enables strict mode protocol handling. Equivalent to setting +B. + +=item B<-debug_broken_protocol> + +disables various checks and permits several kinds of broken protocol behaviour +for testing purposes: it should B be used in anything other than a test +environment. Only supported if OpenSSL is configured with +B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. + +=back =head1 SUPPORTED CONFIGURATION FILE COMMANDS Currently supported B names for configuration files (i.e. when the flag B is set) are listed below. All configuration file -B names and are case insensitive so B is recognised -as well as B. Unless otherwise states the B names +B names are case insensitive so B is recognised +as well as B. Unless otherwise stated the B names are also case insensitive. Note: the command prefix (if set) alters the recognised B values. =over 4 -=item B +=item B Sets the cipher suite list to B. Note: syntax checking of B is -currently not performed unless a B or B structure is +currently not performed unless an B or B structure is associated with B. +=item B + +Attempts to use the file B as the certificate for the appropriate +context. It currently uses SSL_CTX_use_certificate_chain_file() if an B +structure is set or SSL_use_certificate_file() with filetype PEM if an B +structure is set. This option is only supported if certificate operations +are permitted. + +=item B + +Attempts to use the file B as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B option is set then a private key is +not loaded unless the B is set. + +=item B + +Attempts to use the file B in the "serverinfo" extension using the +function SSL_CTX_use_serverinfo_file. + +=item B + +Attempts to use the file B as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + =item B This sets the supported signature algorithms for TLS v1.2. For clients this @@ -55,17 +226,17 @@ OpenSSL library are permissible. This sets the supported signature algorithms associated with client authentication for TLS v1.2. For servers the value is used in the supported signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to use for the client certificate. +used to determine which signature algorithm to with the client certificate. The syntax of B is identical to B. If not set then the value set for B will be used instead. =item B -This sets the supported elliptic curves. For servers the curves are -sent using the supported curves extension to TLS. For clients the it is used -to determine which curve to use. This affects curves used for both signatures -and key exchange. +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. The B argument is a colon separated list of curves. The curve can be either the B name (e.g. B) or an OpenSSL OID name (e.g @@ -73,12 +244,13 @@ B). Curve names are case sensitive. =item B -This sets the temporary curve used for ephemeral ECDH modes. +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers The B argument is a curve name or the special value B which -automatically picks an appropriate curve based on client and server -preferences. The curve can be either the B name (e.g. B) or an -OpenSSL OID name (e.g B). Curve names are case sensitive. +picks an appropriate curve based on client and server preferences. The curve +can be either the B name (e.g. B) or an OpenSSL OID name +(e.g B). Curve names are case sensitive. =item B @@ -87,9 +259,9 @@ The supported versions of the SSL or TLS protocol. The B argument is a comma separated list of supported protocols to enable or disable. If an protocol is preceded by B<-> that version is disabled. All versions are enabled by default, though applications may choose to -explicitly disable some version. Currently supported protocol -values are B, B, B, B and B. The -special value B refers to all supported versions. +explicitly disable some. Currently supported protocol values are +B, B, B and B. The special value B refers +to all supported versions. =item B @@ -111,9 +283,9 @@ B: use empty fragments as a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It is set by default. Inverse of B. -B enable various bug workarounds. Same as B. +B: enable various bug workarounds. Same as B. -B enable single use DH keys, set by default. Inverse of +B: enable single use DH keys, set by default. Inverse of B. Only used by servers. B enable single use ECDH keys, set by default. Inverse of @@ -124,6 +296,9 @@ determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B. Only used by servers. +B set +B flag. Only used by servers. + B permits the use of unsafe legacy renegotiation. Equivalent to B. @@ -133,89 +308,29 @@ Set by default. =back -=head1 SUPPORTED COMMAND LINE COMMANDS +=head1 SUPPORTED COMMAND TYPES -Currently supported B names for command lines (i.e. when the -flag B is set) are listed below. Note: all B names -and are case sensitive. Unless otherwise stated the B parameter is -noh used. The default prefix for command line commands is B<-> and that is -reflected below. +The function SSL_CONF_cmd_value_type() currently returns one of the following +types: =over 4 -=item B<-sigalgs> +=item B -Sets the supported signature algorithms to B. Equivalent to the -B file command. +The B string is unrecognised, this return value can be use to flag +syntax errors. -=item B<-client_sigalgs> +=item B -Sets the supported client signature algorithms to B. Equivalent to the -B file command. +The value is a string without any specific structure. -=item B<-curves> +=item B -Sets supported elliptic curves to B. Equivalent to B file -command. +The value is a file name. -=item B<-named_curve> +=item B -Sets supported ECDH parameters to B. For automatic curve selection -B should be set to B, otherwise the command is identical to -the B file command. - -=item B<-cipher> - -Sets the cipher suite list to B. Note: syntax checking of B is -currently not performed unless a B or B structure is -associated with B. - -=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - -Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B, B, -B B and B respectively. - -=item B<-bugs> - -Various bug workarounds are set, same as setting B. - -=item B<-no_comp> - -Disables support for SSL/TLS compression, same as setting B. - -=item B<-no_ticket> - -Disables support for session tickets, same as setting B. - -=item B<-serverpref> - -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to B. Only used by servers. - -=item B<-legacyrenegotiation> - -permits the use of unsafe legacy renegotiation. Equivalent to setting -B. - -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> - -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing B. -Set by default. - -=item B<-strict> - -enables strict mode protocol handling. Equivalent to setting -B. - -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. +The value is a directory name. =back @@ -246,9 +361,9 @@ commands. Applications can also use SSL_CTX_cmd() to process command lines though the utility function SSL_CTX_cmd_argv() is normally used instead. One way -to do this is to check for an initial prefix ("-", "--" or "--ssl-" for example) -on a command argument and pass the rest to B. The following argument -is passed to B (which may be NULL). +to do this is to set the prefix to an appropriate value using +SSL_CONF_CTX_set1_prefix(), pass the current argument to B and the +following argument to B (which may be NULL). In this case if the return value is positive then it is used to skip that number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is @@ -257,6 +372,12 @@ can be checked instead. If -3 is returned a required argument is missing and an error is indicated. If 0 is returned some other error occurred and this can be reported back to the user. +The function SSL_CONF_cmd_value_type() can be used by applications to +check for the existence of a command or to perform additional syntax +checking or translation of the command value. For example if the return +value is B an application could translate a relative +pathname to an absolute pathname. + =head1 EXAMPLES Set supported signature algorithms: @@ -285,7 +406,7 @@ Set automatic support for any elliptic curve for key exchange: =head1 RETURN VALUES -SSL_CONF_cmd() return 1 if the value of B is recognised and B is +SSL_CONF_cmd() returns 1 if the value of B is recognised and B is B used and 2 if both B and B are used. In other words it returns the number of arguments processed. This is useful when processing command lines. @@ -300,6 +421,8 @@ error occurred attempting to perform the operation: for example due to an error in the syntax of B in this case the error queue may provide additional information. +SSL_CONF_finish() returns 1 for success and 0 for failure. + =head1 SEE ALSO L, @@ -310,6 +433,9 @@ L =head1 HISTORY -SSL_CONF_cmd() was first added to OpenSSL 1.1.0 +SSL_CONF_cmd() was first added to OpenSSL 1.0.2 + +B doesn't have effect anymore since 1.1.0 but the define is kept +for backward compatibility. =cut