5 SSL_CONF_cmd - send configuration command
9 #include <openssl/ssl.h>
11 int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
15 The function SSL_CONF_cmd() performs configuration operation B<cmd> with
16 optional parameter B<value> on B<ctx>. Its purpose is to simplify application
17 configuration of B<SSL_CTX> or B<SSL> structures by providing a common
18 framework for configuration files or command line options.
20 =head1 SUPPORTED CONFIGURATION FILE COMMANDS
22 Currently supported B<cmd> names for configuration files (i.e. when the
23 flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
24 B<cmd> names and are case insensitive so B<signaturealgorithms> is recognised
25 as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
26 are also case insensitive.
28 Note: the command prefix (if set) alters the recognised B<cmd> values.
34 Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
35 currently not performed unless an B<SSL> or B<SSL_CTX> structure is
36 associated with B<cctx>.
38 =item B<SignatureAlgorithms>
40 This sets the supported signature algorithms for TLS v1.2. For clients this
41 value is used directly for the supported signature algorithms extension. For
42 servers it is used to determine which signature algorithms to support.
44 The B<value> argument should be a colon separated list of signature algorithms
45 in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
46 is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
47 OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
48 Note: algorithm and hash names are case sensitive.
50 If this option is not set then all signature algorithms supported by the
51 OpenSSL library are permissible.
53 =item B<ClientSignatureAlgorithms>
55 This sets the supported signature algorithms associated with client
56 authentication for TLS v1.2. For servers the value is used in the supported
57 signature algorithms field of a certificate request. For clients it is
58 used to determine which signature algorithm to with the client certificate.
60 The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
61 the value set for B<SignatureAlgorithms> will be used instead.
65 This sets the supported elliptic curves. For servers the curves are
66 sent using the supported curves extension for TLS v1.2. For clients it is used
67 to determine which curve to use. This setting affects curves used for both
68 signatures and key exchange, if applicable.
70 The B<value> argument is a colon separated list of curves. The curve can be
71 either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
72 B<prime256v1>). Curve names are case sensitive.
74 =item B<ECDHParameters>
76 This sets the temporary curve used for ephemeral ECDH modes.
78 The B<value> argument is a curve name or the special value B<Automatic> which
79 picks an appropriate curve based on client and server preferences. The curve
80 can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
81 (e.g B<prime256v1>). Curve names are case sensitive.
85 The supported versions of the SSL or TLS protocol.
87 The B<value> argument is a comma separated list of supported protocols to
88 enable or disable. If an protocol is preceded by B<-> that version is disabled.
89 All versions are enabled by default, though applications may choose to
90 explicitly disable some. Currently supported protocol values are B<SSLv2>,
91 B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers
92 to all supported versions.
96 The B<value> argument is a comma separated list of various flags to set.
97 If a flag string is preceded B<-> it is disabled. See the
98 B<SSL_CTX_set_options> function for more details of individual options.
100 Each option is listed below. Where an operation is enabled by default
101 the B<-flag> syntax is needed to disable it.
103 B<SessionTicket>: session ticket support, enabled by default. Inverse of
104 B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
107 B<Compression>: SSL/TLS compression support, enabled by default. Inverse
108 of B<SSL_OP_NO_COMPRESSION>.
110 B<EmptyFragments>: use empty fragments as a countermeasure against a
111 SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
112 is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
114 B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
116 B<DHSingle>: enable single use DH keys, set by default. Inverse of
117 B<SSL_OP_DH_SINGLE>. Only used by servers.
119 B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
120 B<SSL_OP_ECDH_SINGLE>. Only used by servers.
122 B<ServerPreference> use server and not client preference order when
123 determining which cipher suite, signature algorithm or elliptic curve
124 to use for an incoming connection. Equivalent to
125 B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
127 B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
128 Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
130 B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
131 for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
136 =head1 SUPPORTED COMMAND LINE COMMANDS
138 Currently supported B<cmd> names for command lines (i.e. when the
139 flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
140 and are case sensitive. Unless otherwise stated the B<value> parameter is
141 not used. The default prefix for command line commands is B<-> and that is
148 Sets the supported signature algorithms to B<value>. Equivalent to the
149 B<SignatureAlgorithms> file command.
151 =item B<-client_sigalgs>
153 Sets the supported client signature algorithms to B<value>. Equivalent to the
154 B<ClientSignatureAlgorithms> file command.
158 Sets supported elliptic curves to B<value>. Equivalent to B<Curves> file
161 =item B<-named_curve>
163 Sets supported ECDH parameters to B<value>. For automatic curve selection
164 B<value> should be set to B<auto>, otherwise the command is identical to
165 the B<ECDHParameters> file command.
169 Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
170 currently not performed unless a B<SSL> or B<SSL_CTX> structure is
171 associated with B<cctx>.
173 =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
175 Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
176 by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
177 B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.
181 Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
185 Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
189 Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
193 Use server and not client preference order when determining which cipher suite,
194 signature algorithm or elliptic curve to use for an incoming connection.
195 Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
197 =item B<-legacyrenegotiation>
199 permits the use of unsafe legacy renegotiation. Equivalent to setting
200 B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
202 =item B<-legacy_server_connect>, B<-no_legacy_server_connect>
204 permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
205 clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
210 enables strict mode protocol handling. Equivalent to setting
211 B<SSL_CERT_FLAG_TLS_STRICT>.
213 =item B<-debug_broken_protocol>
215 disables various checks and permits several kinds of broken protocol behaviour
216 for testing purposes: it should B<NEVER> be used in anything other than a test
217 environment. Only supported if OpenSSL is configured with
218 B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.
224 The order of operations is significant. This can be used to set either defaults
225 or values which cannot be overridden. For example if an application calls:
227 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
228 SSL_CONF_cmd(ctx, userparam, uservalue);
230 it will disable SSLv2 support by default but the user can override it. If
231 however the call sequence is:
233 SSL_CONF_cmd(ctx, userparam, uservalue);
234 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
236 SSLv2 is B<always> disabled and attempt to override this by the user are
239 By checking the return code of SSL_CTX_cmd() it is possible to query if a
240 given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
241 mixed with additional application specific operations.
243 For example an application might call SSL_CTX_cmd() and if it returns
244 -2 (unrecognised command) continue with processing of application specific
247 Applications can also use SSL_CTX_cmd() to process command lines though the
248 utility function SSL_CTX_cmd_argv() is normally used instead. One way
249 to do this is to set the prefix to an appropriate value using
250 SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
251 following argument to B<value> (which may be NULL).
253 In this case if the return value is positive then it is used to skip that
254 number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
255 returned then B<cmd> is not recognised and application specific arguments
256 can be checked instead. If -3 is returned a required argument is missing
257 and an error is indicated. If 0 is returned some other error occurred and
258 this can be reported back to the user.
262 Set supported signature algorithms:
264 SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
266 Enable all protocols except SSLv3 and SSLv2:
268 SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
272 SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
274 Disable TLS session tickets:
276 SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
278 Set supported curves to P-256, P-384:
280 SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
282 Set automatic support for any elliptic curve for key exchange:
284 SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");
288 SSL_CONF_cmd() return 1 if the value of B<cmd> is recognised and B<value> is
289 B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
290 returns the number of arguments processed. This is useful when processing
293 A return value of -2 means B<cmd> is not recognised.
295 A return value of -3 means B<cmd> is recognised and the command requires a
296 value but B<value> is NULL.
298 A return code of 0 indicates that both B<cmd> and B<value> are valid but an
299 error occurred attempting to perform the operation: for example due to an
300 error in the syntax of B<value> in this case the error queue may provide
301 additional information.
305 L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
306 L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
307 L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
308 L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
309 L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
313 SSL_CONF_cmd() was first added to OpenSSL 1.1.0