1 files changed, 34 insertions, 14 deletions

diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index 5c07e53..f5e2ec3 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -100,18 +100,6 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 ...
 
-=item SSL_OP_TLS_ROLLBACK_BUG
-
-Disable version rollback attack detection.
-
-During the client key exchange, the client must send the same information
-about acceptable SSL/TLS protocol levels as during the first hello. Some
-clients violate this rule by adapting to the server's answer. (Example:
-the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
-only understands up to SSLv3. In this case the client must still use the
-same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
-to the server's answer and violate the version rollback protection.)
-
 =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 
 Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
@@ -133,6 +121,18 @@ The following B<modifying> options are available:
 
 =over 4
 
+=item SSL_OP_TLS_ROLLBACK_BUG
+
+Disable version rollback attack detection.
+
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
+
 =item SSL_OP_SINGLE_DH_USE
 
 Always create a new key when using temporary/ephemeral DH parameters
@@ -142,7 +142,7 @@ the DH parameters were not generated using "strong" primes
 (e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>).
 If "strong" primes were used, it is not strictly necessary to generate
 a new DH key during each handshake but it is also recommended.
-SSL_OP_SINGLE_DH_USE should therefore be enabled whenever
+B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever
 temporary/ephemeral DH parameters are used.
 
 =item SSL_OP_EPHEMERAL_RSA
@@ -157,6 +157,14 @@ SSL/TLS specifications and may lead to interoperability problems with
 clients and should therefore never be used. Ciphers with EDH (ephemeral
 Diffie-Hellman) key exchange should be used instead.
 
+=item SSL_OP_CIPHER_SERVER_PREFERENCE
+
+When choosing a cipher, use the server's preferences instead of the client
+preferences. When not set, the SSL server will always follow the clients
+preferences. When set, the SSLv3/TLSv1 server will choose following its
+own preferences. Because of the different protocol, for SSLv2 the server
+will send his list of preferences to the client and the client chooses.
+
 =item SSL_OP_PKCS1_CHECK_1
 
 ...
@@ -187,6 +195,12 @@ Do not use the SSLv3 protocol.
 
 Do not use the TLSv1 protocol.
 
+=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+
+When performing renegotiation as a server, always start a new session
+(i.e., session resumption requests are only accepted in the initial
+handshake).  This option is not needed for clients.
+
 =back
 
 =head1 RETURN VALUES
@@ -205,7 +219,13 @@ L<dhparam(1)|dhparam(1)>
 
 =head1 HISTORY
 
-SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6.
+B<SSL_OP_CIPHER_SERVER_PREFERENCE> and
+B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> have been added in
+OpenSSL 0.9.7.
+
+B<SSL_OP_TLS_ROLLBACK_BUG> has been added in OpenSSL 0.9.6 and was automatically
+enabled with B<SSL_OP_ALL>. As of 0.9.7, it is no longer included in B<SSL_OP_ALL>
+and must be explicitly set.
 
 B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e.
 Versions up to OpenSSL 0.9.6c do not include the countermeasure that