Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_new.3')
-rw-r--r--secure/lib/libssl/man/SSL_CTX_new.3157
1 files changed, 102 insertions, 55 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_new.3 b/secure/lib/libssl/man/SSL_CTX_new.3
index e1b41a0..beeeaec 100644
--- a/secure/lib/libssl/man/SSL_CTX_new.3
+++ b/secure/lib/libssl/man/SSL_CTX_new.3
@@ -133,19 +133,53 @@
.\" ========================================================================
.\"
.IX Title "SSL_CTX_new 3"
-.TH SSL_CTX_new 3 "2016-01-28" "1.0.1r" "OpenSSL"
+.TH SSL_CTX_new 3 "2016-03-01" "1.0.1s" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-SSL_CTX_new \- create a new SSL_CTX object as framework for TLS/SSL enabled functions
+SSL_CTX_new,
+SSLv23_method, SSLv23_server_method, SSLv23_client_method,
+TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
+TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method,
+TLSv1_method, TLSv1_server_method, TLSv1_client_method,
+SSLv3_method, SSLv3_server_method, SSLv3_client_method,
+SSLv2_method, SSLv2_server_method, SSLv2_client_method,
+DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method \-
+create a new SSL_CTX object as framework for TLS/SSL enabled functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
+\& const SSL_METHOD *SSLv23_method(void);
+\& const SSL_METHOD *SSLv23_server_method(void);
+\& const SSL_METHOD *SSLv23_client_method(void);
+\& const SSL_METHOD *TLSv1_2_method(void);
+\& const SSL_METHOD *TLSv1_2_server_method(void);
+\& const SSL_METHOD *TLSv1_2_client_method(void);
+\& const SSL_METHOD *TLSv1_1_method(void);
+\& const SSL_METHOD *TLSv1_1_server_method(void);
+\& const SSL_METHOD *TLSv1_1_client_method(void);
+\& const SSL_METHOD *TLSv1_method(void);
+\& const SSL_METHOD *TLSv1_server_method(void);
+\& const SSL_METHOD *TLSv1_client_method(void);
+\& #ifndef OPENSSL_NO_SSL3_METHOD
+\& const SSL_METHOD *SSLv3_method(void);
+\& const SSL_METHOD *SSLv3_server_method(void);
+\& const SSL_METHOD *SSLv3_client_method(void);
+\& #endif
+\& #ifndef OPENSSL_NO_SSL2
+\& const SSL_METHOD *SSLv2_method(void);
+\& const SSL_METHOD *SSLv2_server_method(void);
+\& const SSL_METHOD *SSLv2_client_method(void);
+\& #endif
+\&
+\& const SSL_METHOD *DTLSv1_method(void);
+\& const SSL_METHOD *DTLSv1_server_method(void);
+\& const SSL_METHOD *DTLSv1_client_method(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -156,71 +190,84 @@ SSL_CTX_new \- create a new SSL_CTX object as framework for TLS/SSL enabled func
The \s-1SSL_CTX\s0 object uses \fBmethod\fR as connection method. The methods exist
in a generic type (for client and server use), a server only type, and a
client only type. \fBmethod\fR can be of the following types:
-.IP "SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)" 4
-.IX Item "SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void)"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand
-the SSLv2 protocol. A client will send out SSLv2 client hello messages
-and will also indicate that it only understand SSLv2. A server will only
-understand SSLv2 client hello messages.
-.IP "SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)" 4
-.IX Item "SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
-SSLv3 protocol. A client will send out SSLv3 client hello messages
-and will indicate that it only understands SSLv3. A server will only understand
-SSLv3 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*\fI_method()\fR.
-.IP "TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)" 4
-.IX Item "TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
-TLSv1 protocol. A client will send out TLSv1 client hello messages
-and will indicate that it only understands TLSv1. A server will only understand
-TLSv1 client hello messages. This especially means, that it will
-not understand SSLv2 client hello messages which are widely used for
-compatibility reasons, see SSLv23_*\fI_method()\fR. It will also not understand
-SSLv3 client hello messages.
-.IP "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" 4
-.IX Item "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)"
-A \s-1TLS/SSL\s0 connection established with these methods may understand the SSLv2,
-SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+.IP "\fISSLv23_method()\fR, \fISSLv23_server_method()\fR, \fISSLv23_client_method()\fR" 4
+.IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()"
+These are the general-purpose \fIversion-flexible\fR \s-1SSL/TLS\s0 methods.
+The actual protocol version used will be negotiated to the highest version
+mutually supported by the client and the server.
+The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
+Most applications should use these method, and avoid the version specific
+methods described below.
.Sp
-If the cipher list does not contain any SSLv2 ciphersuites (the default
-cipher list does not) or extensions are required (for example server name)
-a client will send out TLSv1 client hello messages including extensions and
-will indicate that it also understands TLSv1.1, TLSv1.2 and permits a
-fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2
-protocols. This is the best choice when compatibility is a concern.
+The list of protocols available can be further limited using the
+\&\fBSSL_OP_NO_SSLv2\fR, \fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR,
+\&\fBSSL_OP_NO_TLSv1_1\fR and \fBSSL_OP_NO_TLSv1_2\fR options of the
+\&\fISSL_CTX_set_options\fR\|(3) or \fISSL_set_options\fR\|(3) functions.
+Clients should avoid creating \*(L"holes\*(R" in the set of protocols they support,
+when disabling a protocol, make sure that you also disable either all previous
+or all subsequent protocol versions.
+In clients, when a protocol version is disabled without disabling \fIall\fR
+previous protocol versions, the effect is to also disable all subsequent
+protocol versions.
.Sp
-If any SSLv2 ciphersuites are included in the cipher list and no extensions
-are required then SSLv2 compatible client hellos will be used by clients and
-SSLv2 will be accepted by servers. This is \fBnot\fR recommended due to the
-insecurity of SSLv2 and the limited nature of the SSLv2 client hello
-prohibiting the use of extensions.
-.PP
-The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
-SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2
-options of the \fISSL_CTX_set_options()\fR or \fISSL_set_options()\fR functions.
-Using these options it is possible to choose e.g. \fISSLv23_server_method()\fR and
-be able to negotiate with all possible clients, but to only allow newer
-protocols like TLSv1, TLSv1.1 or \s-1TLS\s0 v1.2.
-.PP
-Applications which never want to support SSLv2 (even is the cipher string
-is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2.
+The SSLv2 and SSLv3 protocols are deprecated and should generally not be used.
+Applications should typically use \fISSL_CTX_set_options\fR\|(3) in combination with
+the \fBSSL_OP_NO_SSLv3\fR flag to disable negotiation of SSLv3 via the above
+\&\fIversion-flexible\fR \s-1SSL/TLS\s0 methods.
+The \fBSSL_OP_NO_SSLv2\fR option is set by default, and would need to be cleared
+via \fISSL_CTX_clear_options\fR\|(3) in order to enable negotiation of SSLv2.
+.IP "\fITLSv1_2_method()\fR, \fITLSv1_2_server_method()\fR, \fITLSv1_2_client_method()\fR" 4
+.IX Item "TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()"
+A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages and
+will also indicate that it only understand TLSv1.2. A server will only
+understand TLSv1.2 client hello messages.
+.IP "\fITLSv1_1_method()\fR, \fITLSv1_1_server_method()\fR, \fITLSv1_1_client_method()\fR" 4
+.IX Item "TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()"
+A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages and
+will also indicate that it only understand TLSv1.1. A server will only
+understand TLSv1.1 client hello messages.
+.IP "\fITLSv1_method()\fR, \fITLSv1_server_method()\fR, \fITLSv1_client_method()\fR" 4
+.IX Item "TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()"
+A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+TLSv1 protocol. A client will send out TLSv1 client hello messages and will
+indicate that it only understands TLSv1. A server will only understand TLSv1
+client hello messages.
+.IP "\fISSLv3_method()\fR, \fISSLv3_server_method()\fR, \fISSLv3_client_method()\fR" 4
+.IX Item "SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()"
+A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+SSLv3 protocol. A client will send out SSLv3 client hello messages and will
+indicate that it only understands SSLv3. A server will only understand SSLv3
+client hello messages. The SSLv3 protocol is deprecated and should not be
+used.
+.IP "\fISSLv2_method()\fR, \fISSLv2_server_method()\fR, \fISSLv2_client_method()\fR" 4
+.IX Item "SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()"
+A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+SSLv2 protocol. A client will send out SSLv2 client hello messages and will
+also indicate that it only understand SSLv2. A server will only understand
+SSLv2 client hello messages. The SSLv2 protocol offers little to no security
+and should not be used.
+As of OpenSSL 1.0.1s, \s-1EXPORT\s0 ciphers and 56\-bit \s-1DES\s0 are no longer available
+with SSLv2.
+.IP "\fIDTLSv1_method()\fR, \fIDTLSv1_server_method()\fR, \fIDTLSv1_client_method()\fR" 4
+.IX Item "DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()"
+These are the version-specific methods for DTLSv1.
.PP
-\&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting,
-the callbacks, the keys and certificates and the options to its default
-values.
+\&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, the
+callbacks, the keys and certificates and the options to its default values.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
-The creation of a new \s-1SSL_CTX\s0 object failed. Check the error stack to
-find out the reason.
+The creation of a new \s-1SSL_CTX\s0 object failed. Check the error stack to find out
+the reason.
.IP "Pointer to an \s-1SSL_CTX\s0 object" 4
.IX Item "Pointer to an SSL_CTX object"
The return value points to an allocated \s-1SSL_CTX\s0 object.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fISSL_CTX_set_options\fR\|(3), \fISSL_CTX_clear_options\fR\|(3), \fISSL_set_options\fR\|(3),
\&\fISSL_CTX_free\fR\|(3), \fISSL_accept\fR\|(3),
\&\fIssl\fR\|(3), \fISSL_set_connect_state\fR\|(3)