Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION

[openssl.git] / doc / man3 / SSL_CONF_cmd.pod

diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 97ebff047f2d04ce43074657d0135cfe07d69dd3..bbd622a687a94f05c6ba3753438aac75ca628d92 100644 (file)
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -58,9 +58,15 @@ Use server and not client preference order when determining which cipher suite,
 signature algorithm or elliptic curve to use for an incoming connection.
 Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
 
+=item B<-client_renegotiation>
+
+Allows servers to accept client-initiated renegotiation. Equivalent to
+setting B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION>.
+Only used by servers.
+
 =item B<-legacyrenegotiation>
 
-permits the use of unsafe legacy renegotiation. Equivalent to setting
+Permits the use of unsafe legacy renegotiation. Equivalent to setting
 B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
 
 =item B<-no_renegotiation>
@@ -70,13 +76,18 @@ B<SSL_OP_NO_RENEGOTIATION>.
 
 =item B<-no_resumption_on_reneg>
 
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
+Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only used by servers.
 
 =item B<-legacy_server_connect>, B<-no_legacy_server_connect>
 
-permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
+Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
 clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
+
+=item B<-immediate_renegotiation>
+
+Try to do a renegotiation immediately after the handshake.
+This is for debugging and has no option equivalent.
+Ignored by the B<openssl s_client> command.
 
 =item B<-prioritize_chacha>
 
@@ -92,7 +103,7 @@ that there will be no forward secrecy for the resumed session.
 
 =item B<-strict>
 
-enables strict mode protocol handling. Equivalent to setting
+Enables strict mode protocol handling. Equivalent to setting
 B<SSL_CERT_FLAG_TLS_STRICT>.
 
 =item B<-sigalgs> I<algs>
@@ -524,6 +535,10 @@ B<CANames>: use CA names extension, enabled by
 default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
 B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
 
+B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported
+by the negotiated ciphersuites and extensions. Equivalent to
+B<SSL_OP_ENABLE_KTLS>.
+
 =item B<VerifyMode>
 
 The B<value> argument is a comma separated list of flags to set.
@@ -724,7 +739,7 @@ B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT
 
-Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy