Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_set_options.3')
-rw-r--r--secure/lib/libssl/man/SSL_CTX_set_options.3122
1 files changed, 57 insertions, 65 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libssl/man/SSL_CTX_set_options.3
index 2d2604d..c2911a6 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_options.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:47:41 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
@@ -15,12 +14,6 @@
.if t .sp .5v
.if n .sp
..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
.de Vb \" Begin verbatim text
.ft CW
.nf
@@ -28,15 +21,14 @@
..
.de Ve \" End verbatim text
.ft R
-
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
@@ -56,10 +48,10 @@
. ds R" ''
'br\}
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
. rr F
.\}
.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
@@ -135,22 +126,23 @@
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
.\"
.IX Title "SSL_CTX_set_options 3"
-.TH SSL_CTX_set_options 3 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SSL_CTX_set_options 3 "2006-07-29" "0.9.8b" "OpenSSL"
.SH "NAME"
-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options \- manipulate \s-1SSL\s0 engine options
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options \- manipulate SSL engine options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
.Ve
+.PP
.Vb 2
\& long SSL_CTX_set_options(SSL_CTX *ctx, long options);
\& long SSL_set_options(SSL *ssl, long options);
.Ve
+.PP
.Vb 2
\& long SSL_CTX_get_options(SSL_CTX *ctx);
\& long SSL_get_options(SSL *ssl);
@@ -175,7 +167,7 @@ operation (|). Options can only be added but can never be reset.
\&\fISSL_CTX_set_options()\fR and \fISSL_set_options()\fR affect the (external)
protocol behaviour of the \s-1SSL\s0 library. The (internal) behaviour of
the \s-1API\s0 can be changed by using the similar
-SSL_CTX_set_mode(3) and \fISSL_set_mode()\fR functions.
+\&\fISSL_CTX_set_mode\fR\|(3) and \fISSL_set_mode()\fR functions.
.PP
During a handshake, the option settings of the \s-1SSL\s0 object are used. When
a new \s-1SSL\s0 object is created from a context using \fISSL_new()\fR, the current
@@ -183,58 +175,58 @@ option setting is copied. Changes to \fBctx\fR do not affect already created
\&\s-1SSL\s0 objects. \fISSL_clear()\fR does not affect the settings.
.PP
The following \fBbug workaround\fR options are available:
-.Ip "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4
+.IP "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4
.IX Item "SSL_OP_MICROSOFT_SESS_ID_BUG"
www.microsoft.com \- when talking SSLv2, if session-id reuse is
performed, the session-id passed back in the server-finished message
is different from the one decided upon.
-.Ip "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4
+.IP "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_CHALLENGE_BUG"
-Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
+Netscape\-Commerce/1.12, when talking SSLv2, accepts a 32 byte
challenge but then appears to only use 16 bytes when generating the
encryption keys. Using 16 bytes is ok but it should be ok to use 32.
According to the SSLv3 spec, one should use 32 bytes for the challenge
when operating in SSLv2/v3 compatibility mode, but as mentioned above,
this breaks this server so 16 bytes is the way to go.
-.Ip "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4
+.IP "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG"
ssl3.netscape.com:443, first a connection is established with \s-1RC4\-MD5\s0.
-If it is then resumed, we end up using \s-1DES-CBC3\-SHA\s0. It should be
+If it is then resumed, we end up using \s-1DES\-CBC3\-SHA\s0. It should be
\&\s-1RC4\-MD5\s0 according to 7.6.1.3, 'cipher_suite'.
.Sp
-Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
+Netscape\-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
It only really shows up when connecting via SSLv2/v3 then reconnecting
via SSLv3. The cipher list changes....
.Sp
\&\s-1NEW\s0 \s-1INFORMATION\s0. Try connecting with a cipher list of just
-\&\s-1DES-CBC-SHA:RC4\-MD5\s0. For some weird reason, each new connection uses
-\&\s-1RC4\-MD5\s0, but a re-connect tries to use \s-1DES-CBC-SHA\s0. So netscape, when
-doing a re-connect, always takes the first cipher in the cipher list.
-.Ip "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4
+\&\s-1DES\-CBC\-SHA:RC4\-MD5\s0. For some weird reason, each new connection uses
+\&\s-1RC4\-MD5\s0, but a re-connect tries to use \s-1DES\-CBC\-SHA\s0. So netscape, when
+doing a re\-connect, always takes the first cipher in the cipher list.
+.IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4
.IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG"
\&...
-.Ip "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
+.IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
.IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER"
\&...
-.Ip "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
+.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING"
-\&...
-.Ip "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
+.IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
.IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG"
\&...
-.Ip "\s-1SSL_OP_TLS_D5_BUG\s0" 4
+.IP "\s-1SSL_OP_TLS_D5_BUG\s0" 4
.IX Item "SSL_OP_TLS_D5_BUG"
\&...
-.Ip "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4
+.IP "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4
.IX Item "SSL_OP_TLS_BLOCK_PADDING_BUG"
\&...
-.Ip "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
+.IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
.IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
Disables a countermeasure against a \s-1SSL\s0 3.0/TLS 1.0 protocol
vulnerability affecting \s-1CBC\s0 ciphers, which cannot be handled by some
broken \s-1SSL\s0 implementations. This option has no effect for connections
using other ciphers.
-.Ip "\s-1SSL_OP_ALL\s0" 4
+.IP "\s-1SSL_OP_ALL\s0" 4
.IX Item "SSL_OP_ALL"
All of the above bug workarounds.
.PP
@@ -243,7 +235,7 @@ options if compatibility with somewhat broken implementations is
desired.
.PP
The following \fBmodifying\fR options are available:
-.Ip "\s-1SSL_OP_TLS_ROLLBACK_BUG\s0" 4
+.IP "\s-1SSL_OP_TLS_ROLLBACK_BUG\s0" 4
.IX Item "SSL_OP_TLS_ROLLBACK_BUG"
Disable version rollback attack detection.
.Sp
@@ -254,59 +246,59 @@ the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
-.Ip "\s-1SSL_OP_SINGLE_DH_USE\s0" 4
+.IP "\s-1SSL_OP_SINGLE_DH_USE\s0" 4
.IX Item "SSL_OP_SINGLE_DH_USE"
Always create a new key when using temporary/ephemeral \s-1DH\s0 parameters
-(see SSL_CTX_set_tmp_dh_callback(3)).
+(see \fISSL_CTX_set_tmp_dh_callback\fR\|(3)).
This option must be used to prevent small subgroup attacks, when
the \s-1DH\s0 parameters were not generated using \*(L"strong\*(R" primes
-(e.g. when using DSA-parameters, see dhparam(1)).
+(e.g. when using DSA\-parameters, see \fIdhparam\fR\|(1)).
If \*(L"strong\*(R" primes were used, it is not strictly necessary to generate
a new \s-1DH\s0 key during each handshake but it is also recommended.
\&\fB\s-1SSL_OP_SINGLE_DH_USE\s0\fR should therefore be enabled whenever
temporary/ephemeral \s-1DH\s0 parameters are used.
-.Ip "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
+.IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
.IX Item "SSL_OP_EPHEMERAL_RSA"
Always use ephemeral (temporary) \s-1RSA\s0 key when doing \s-1RSA\s0 operations
-(see SSL_CTX_set_tmp_rsa_callback(3)).
+(see \fISSL_CTX_set_tmp_rsa_callback\fR\|(3)).
According to the specifications this is only done, when a \s-1RSA\s0 key
can only be used for signature operations (namely under export ciphers
with restricted \s-1RSA\s0 keylength). By setting this option, ephemeral
\&\s-1RSA\s0 keys are always used. This option breaks compatibility with the
\&\s-1SSL/TLS\s0 specifications and may lead to interoperability problems with
clients and should therefore never be used. Ciphers with \s-1EDH\s0 (ephemeral
-Diffie-Hellman) key exchange should be used instead.
-.Ip "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
+Diffie\-Hellman) key exchange should be used instead.
+.IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
.IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the \s-1SSL\s0 server will always follow the clients
preferences. When set, the SSLv3/TLSv1 server will choose following its
own preferences. Because of the different protocol, for SSLv2 the server
-will send his list of preferences to the client and the client chooses.
-.Ip "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4
+will send its list of preferences to the client and the client chooses.
+.IP "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4
.IX Item "SSL_OP_PKCS1_CHECK_1"
\&...
-.Ip "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4
+.IP "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4
.IX Item "SSL_OP_PKCS1_CHECK_2"
\&...
-.Ip "\s-1SSL_OP_NETSCAPE_CA_DN_BUG\s0" 4
+.IP "\s-1SSL_OP_NETSCAPE_CA_DN_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_CA_DN_BUG"
If we accept a netscape connection, demand a client cert, have a
-non-self-sighed \s-1CA\s0 which does not have it's \s-1CA\s0 in netscape, and the
+non-self-signed \s-1CA\s0 which does not have its \s-1CA\s0 in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
-.Ip "\s-1SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG\s0" 4
+.IP "\s-1SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG"
\&...
-.Ip "SSL_OP_NO_SSLv2" 4
+.IP "SSL_OP_NO_SSLv2" 4
.IX Item "SSL_OP_NO_SSLv2"
Do not use the SSLv2 protocol.
-.Ip "SSL_OP_NO_SSLv3" 4
+.IP "SSL_OP_NO_SSLv3" 4
.IX Item "SSL_OP_NO_SSLv3"
Do not use the SSLv3 protocol.
-.Ip "SSL_OP_NO_TLSv1" 4
+.IP "SSL_OP_NO_TLSv1" 4
.IX Item "SSL_OP_NO_TLSv1"
Do not use the TLSv1 protocol.
-.Ip "\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0" 4
+.IP "\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0" 4
.IX Item "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION"
When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
@@ -319,10 +311,10 @@ after adding \fBoptions\fR.
\&\fISSL_CTX_get_options()\fR and \fISSL_get_options()\fR return the current bitmask.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-ssl(3), SSL_new(3), SSL_clear(3),
-SSL_CTX_set_tmp_dh_callback(3),
-SSL_CTX_set_tmp_rsa_callback(3),
-dhparam(1)
+\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), \fISSL_clear\fR\|(3),
+\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3),
+\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3),
+\&\fIdhparam\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR and