Also the associated configuration parameters and command line switches.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3833)
[B<-bugs>]
[B<-comp>]
[B<-no_comp>]
[B<-bugs>]
[B<-comp>]
[B<-no_comp>]
[B<-sigalgs sigalglist>]
[B<-curves curvelist>]
[B<-cipher cipherlist>]
[B<-sigalgs sigalglist>]
[B<-curves curvelist>]
[B<-cipher cipherlist>]
[B<-legacy_server_connect>]
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-legacy_server_connect>]
[B<-no_resumption_on_reneg>]
[B<-no_legacy_server_connect>]
[B<-strict>]
[B<-sigalgs val>]
[B<-client_sigalgs val>]
[B<-strict>]
[B<-sigalgs val>]
[B<-client_sigalgs val>]
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
+=item B<-allow_no_dhe_kex>
+
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
+
=item B<-strict>
enables strict mode protocol handling. Equivalent to setting
=item B<-strict>
enables strict mode protocol handling. Equivalent to setting
default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,
B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.
default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,
B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.
+B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
+resumption. This means that there will be no forward secrecy for the resumed
+session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>.
+
=item B<VerifyMode>
The B<value> argument is a comma separated list of flags to set.
=item B<VerifyMode>
The B<value> argument is a comma separated list of flags to set.
Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
messages, and ignore renegotiation requests via ClientHello.
Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
messages, and ignore renegotiation requests via ClientHello.
+=item SSL_OP_ALLOW_NO_DHE_KEX
+
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
+
=back
The following options no longer have any effect but their identifiers are
=back
The following options no longer have any effect but their identifiers are