diff options
Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_new.3')
-rw-r--r-- | secure/lib/libssl/man/SSL_CTX_new.3 | 36 |
1 files changed, 25 insertions, 11 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_new.3 b/secure/lib/libssl/man/SSL_CTX_new.3 index d7157cf..02e2956 100644 --- a/secure/lib/libssl/man/SSL_CTX_new.3 +++ b/secure/lib/libssl/man/SSL_CTX_new.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_new 3" -.TH SSL_CTX_new 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_new 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,20 +172,34 @@ compatibility reasons, see SSLv23_*\fI_method()\fR. It will also not understand SSLv3 client hello messages. .IP "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" 4 .IX Item "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" -A \s-1TLS/SSL\s0 connection established with these methods will understand the SSLv2, -SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages -and will indicate that it also understands SSLv3 and TLSv1. A server will -understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best -choice when compatibility is a concern. +A \s-1TLS/SSL\s0 connection established with these methods may understand the SSLv2, +SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +.Sp +If the cipher list does not contain any SSLv2 ciphersuites (the default +cipher list does not) or extensions are required (for example server name) +a client will send out TLSv1 client hello messages including extensions and +will indicate that it also understands TLSv1.1, TLSv1.2 and permits a +fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 +protocols. This is the best choice when compatibility is a concern. +.Sp +If any SSLv2 ciphersuites are included in the cipher list and no extensions +are required then SSLv2 compatible client hellos will be used by clients and +SSLv2 will be accepted by servers. This is \fBnot\fR recommended due to the +insecurity of SSLv2 and the limited nature of the SSLv2 client hello +prohibiting the use of extensions. .PP The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, -SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the \fB\f(BISSL_CTX_set_options()\fB\fR or -\&\fB\f(BISSL_set_options()\fB\fR functions. Using these options it is possible to choose -e.g. \fISSLv23_server_method()\fR and be able to negotiate with all possible -clients, but to only allow newer protocols like SSLv3 or TLSv1. +SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 +options of the \fISSL_CTX_set_options()\fR or \fISSL_set_options()\fR functions. +Using these options it is possible to choose e.g. \fISSLv23_server_method()\fR and +be able to negotiate with all possible clients, but to only allow newer +protocols like TLSv1, TLSv1.1 or \s-1TLS\s0 v1.2. +.PP +Applications which never want to support SSLv2 (even is the cipher string +is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. .PP \&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, -the callbacks, the keys and certificates, and the options to its default +the callbacks, the keys and certificates and the options to its default values. .SH "RETURN VALUES" .IX Header "RETURN VALUES" |