From: Matt Caswell Date: Thu, 5 Jul 2018 15:53:56 +0000 (+0100) Subject: Document SSL_CTX_set_recv_max_early_data() etc X-Git-Tag: OpenSSL_1_1_1-pre9~189 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=2ce71b60272325c4453914b501a2c2ff1b75c80d Document SSL_CTX_set_recv_max_early_data() etc Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6655) --- diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index cf6f7579b5..27c127d397 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -6,6 +6,10 @@ SSL_set_max_early_data, SSL_CTX_set_max_early_data, SSL_get_max_early_data, SSL_CTX_get_max_early_data, +SSL_set_recv_max_early_data, +SSL_CTX_set_recv_max_early_data, +SSL_get_recv_max_early_data, +SSL_CTX_get_recv_max_early_data, SSL_SESSION_get_max_early_data, SSL_SESSION_set_max_early_data, SSL_write_early_data, @@ -24,6 +28,12 @@ SSL_set_allow_early_data_cb uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx); int SSL_set_max_early_data(SSL *s, uint32_t max_early_data); uint32_t SSL_get_max_early_data(const SSL *s); + + int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data); + uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx); + int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data); + uint32_t SSL_get_recv_max_early_data(const SSL *s); + uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s); int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data); 
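Review bot: the SYNOPSIS hunk declares SSL_CTX_set_recv_max_early_data() and SSL_set_recv_max_early_data() as returning int, but no hunk in this patch touches the RETURN VALUES section, so the reader is never told what the two setters return; the existing SSL_CTX_set_max_early_data()/SSL_set_max_early_data() setters have the same int signature, so the new names can be added to whatever sentence already covers those. Since the four functions are being added to NAME and SYNOPSIS for the first time here, the HISTORY section should also get a line recording the release they were added in.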
@@ -195,9 +205,26 @@ since there is no practical benefit from using only one of them. If the maximum early data setting for a server is non-zero then replay protection is automatically enabled (see L below). -In the event that the current maximum early data setting for the server is -different to that originally specified in a session that a client is resuming -with then the lower of the two values will apply. +If the server rejects the early data sent by a client then it will skip over +the data that is sent. The maximum amount of received early data that is skipped +is controlled by the recv_max_early_data setting. If a client sends more than +this then the connection will abort. This value can be set by calling +SSL_CTX_set_recv_max_early_data() or SSL_set_recv_max_early_data(). The current +value for this setting can be obtained by calling +SSL_CTX_get_recv_max_early_data() or SSL_get_recv_max_early_data(). The default +value for this setting is 16,384 bytes. + +The recv_max_early_data value also has an impact on early data that is accepted. +The amount of data that is accepted will always be the lower of the +max_early_data for the session and the recv_max_early_data setting for the +server. If a client sends more data than this then the connection will abort. + +The configured value for max_early_data on a server may change over time as +required. However clients may have tickets containing the previously configured +max_early_data value. The recv_max_early_data should always be equal to or +higher than any recently configured max_early_data value in order to avoid +aborted connections. The recv_max_early_data should never be set to less than +the current configured max_early_data value. Some server applications may wish to have more control over whether early data is accepted or not, for example to mitigate replay risks (see L
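Review bot: the last two sentences of the final added paragraph state the same rule twice ("should always be equal to or higher than any recently configured max_early_data value" and then "should never be set to less than the current configured max_early_data value"); keep one and make it the operational rule the paragraph is driving at, e.g. "recv_max_early_data should never be set below the current max_early_data, and should be at least as large as any max_early_data value carried in tickets that are still valid", since the abort risk described is tickets carrying an older, larger value. Two further gaps in the same hunk: the paragraph beginning "The recv_max_early_data value also has an impact" replaces the removed sentence about the server's current max_early_data, so it is no longer stated whether a lowered server max_early_data still caps accepted early data on resumption or only the session value and recv_max_early_data do; say so explicitly. And the setting is only ever described in the server role here ("the recv_max_early_data setting for the server"), so state whether it has any effect on a client. Finally, "the connection will abort" appears twice without saying how the abort surfaces to the application, i.e. which of the documented calls reports it and how, which is what a server handling the early-data read path needs.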