From a6419d1ed873a94bce99ae2b880885b8780d6eb9 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Wed, 17 Jan 2018 23:21:19 -0600 Subject: [PATCH] Update documentation for SSL_set1_sigalgs() These functions can now take both "sig+hash" strings and algorithm-specific identifiers like "rsa_pss_pss_sha256" that indicate a particular entry from the TLS signature algorithm registry. Also clarify that only the "_list" form allows for the new-style names (the non-"list" interfaces take sig and hasn NIDs, which cannot access all of the new-style schemes). Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/5068) --- doc/man3/SSL_CTX_set1_sigalgs.pod | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index 40c4211257..a634eb8821 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -30,8 +30,10 @@ algorithms. SSL_CTX_set1_sigalgs_list() and SSL_set1_sigalgs_list() set the supported signature algorithms for B or B. The B parameter -must be a null terminated string consisting or a colon separated list of -public key algorithms and digests separated by B<+>. +must be a null terminated string consisting of a colon separated list of +elements, where each element is either a combination of a public key +algorithm and a digest separated by B<+>, or a TLS 1.3-style named +SignatureScheme such as rsa_pss_pss_sha256. SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set @@ -77,7 +79,7 @@ example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA". The TLS 1.3 signature scheme names (such as "rsa_pss_sha256") can also -be used. +be used with the B<_list> forms of the API. The use of MD5 as a digest is strongly discouraged due to security weaknesses. -- 2.34.1