diff options
Diffstat (limited to 'secure/lib/libssl')
84 files changed, 468 insertions, 108 deletions
diff --git a/secure/lib/libssl/Makefile.man b/secure/lib/libssl/Makefile.man index 06f684e..6b092db 100644 --- a/secure/lib/libssl/Makefile.man +++ b/secure/lib/libssl/Makefile.man @@ -33,6 +33,7 @@ MAN+= SSL_CTX_set_session_cache_mode.3 MAN+= SSL_CTX_set_session_id_context.3 MAN+= SSL_CTX_set_ssl_version.3 MAN+= SSL_CTX_set_timeout.3 +MAN+= SSL_CTX_set_tlsext_ticket_key_cb.3 MAN+= SSL_CTX_set_tmp_dh_callback.3 MAN+= SSL_CTX_set_tmp_rsa_callback.3 MAN+= SSL_CTX_set_verify.3 diff --git a/secure/lib/libssl/man/SSL_CIPHER_get_name.3 b/secure/lib/libssl/man/SSL_CIPHER_get_name.3 index 7ee9797..5aefa50 100644 --- a/secure/lib/libssl/man/SSL_CIPHER_get_name.3 +++ b/secure/lib/libssl/man/SSL_CIPHER_get_name.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CIPHER_get_name 3" -.TH SSL_CIPHER_get_name 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CIPHER_get_name 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -151,8 +151,12 @@ returned. \&\fBalg_bits\fR is not \s-1NULL\s0, it contains the number of bits processed by the chosen algorithm. If \fBcipher\fR is \s-1NULL\s0, 0 is returned. .PP -\&\fISSL_CIPHER_get_version()\fR returns the protocol version for \fBcipher\fR, currently -\&\*(L"SSLv2\*(R", \*(L"SSLv3\*(R", or \*(L"TLSv1\*(R". If \fBcipher\fR is \s-1NULL\s0, \*(L"(\s-1NONE\s0)\*(R" is returned. +\&\fISSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol +version that first defined the cipher. +This is currently \fBSSLv2\fR or \fBTLSv1/SSLv3\fR. +In some cases it should possibly return \*(L"TLSv1.2\*(R" but does not; +use \fISSL_CIPHER_description()\fR instead. +If \fBcipher\fR is \s-1NULL\s0, \*(L"(\s-1NONE\s0)\*(R" is returned. .PP \&\fISSL_CIPHER_description()\fR returns a textual description of the cipher used into the buffer \fBbuf\fR of length \fBlen\fR provided. \fBlen\fR must be at least @@ -175,7 +179,8 @@ sequence: Textual representation of the cipher name. .IP "<protocol version>" 4 .IX Item "<protocol version>" -Protocol version: \fBSSLv2\fR, \fBSSLv3\fR. The TLSv1 ciphers are flagged with SSLv3. +Protocol version: \fBSSLv2\fR, \fBSSLv3\fR, \fBTLSv1.2\fR. The TLSv1.0 ciphers are +flagged with SSLv3. No new ciphers were added by TLSv1.1. .IP "Kx=<key exchange>" 4 .IX Item "Kx=<key exchange>" Key exchange method: \fB\s-1RSA\s0\fR (for export ciphers as \fB\s-1RSA\s0(512)\fR or @@ -207,6 +212,12 @@ Some examples for the output of \fISSL_CIPHER_description()\fR: \& RC4\-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 \& EXP\-RC4\-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export .Ve +.PP +A comp[lete list can be retrieved by invoking the following command: +.PP +.Vb 1 +\& openssl ciphers \-v ALL +.Ve .SH "BUGS" .IX Header "BUGS" If \fISSL_CIPHER_description()\fR is called with \fBcipher\fR being \s-1NULL\s0, the diff --git a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 b/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 index 835116c..19dc636 100644 --- a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 +++ b/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_COMP_add_compression_method 3" -.TH SSL_COMP_add_compression_method 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_COMP_add_compression_method 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 index 2d62aaa..5de9d3a 100644 --- a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 +++ b/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_add_extra_chain_cert 3" -.TH SSL_CTX_add_extra_chain_cert 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_add_extra_chain_cert 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,6 +150,15 @@ these certificates explicitly specified. If no chain is specified, the library will try to complete the chain from the available \s-1CA\s0 certificates in the trusted \s-1CA\s0 storage, see \&\fISSL_CTX_load_verify_locations\fR\|(3). +.PP +The \fBx509\fR certificate provided to \fISSL_CTX_add_extra_chain_cert()\fR will be freed by the library when the \fB\s-1SSL_CTX\s0\fR is destroyed. An application \fBshould not\fR free the \fBx509\fR object. +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +Only one set of extra chain certificates can be specified per \s-1SSL_CTX\s0 +structure. Different chains for different certificates (for example if both +\&\s-1RSA\s0 and \s-1DSA\s0 certificates are specified by the same server) or different \s-1SSL\s0 +structures with the same parent \s-1SSL_CTX\s0 cannot be specified using this +function. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_add_extra_chain_cert()\fR returns 1 on success. Check out the diff --git a/secure/lib/libssl/man/SSL_CTX_add_session.3 b/secure/lib/libssl/man/SSL_CTX_add_session.3 index 752ef36..3ce2f7a 100644 --- a/secure/lib/libssl/man/SSL_CTX_add_session.3 +++ b/secure/lib/libssl/man/SSL_CTX_add_session.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_add_session 3" -.TH SSL_CTX_add_session 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_add_session 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -168,7 +168,7 @@ If a server \s-1SSL_CTX\s0 is configured with the \s-1SSL_SESS_CACHE_NO_INTERNAL flag then the internal cache will not be populated automatically by new sessions negotiated by the \s-1SSL/TLS\s0 implementation, even though the internal cache will be searched automatically for session-resume requests (the -latter can be surpressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the +latter can be suppressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the application can use \fISSL_CTX_add_session()\fR directly to have full control over the sessions that can be resumed if desired. .SH "RETURN VALUES" diff --git a/secure/lib/libssl/man/SSL_CTX_ctrl.3 b/secure/lib/libssl/man/SSL_CTX_ctrl.3 index 24c943c..a9d7e48 100644 --- a/secure/lib/libssl/man/SSL_CTX_ctrl.3 +++ b/secure/lib/libssl/man/SSL_CTX_ctrl.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_ctrl 3" -.TH SSL_CTX_ctrl 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_ctrl 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 b/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 index 5929025..6ed2246 100644 --- a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 +++ b/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_flush_sessions 3" -.TH SSL_CTX_flush_sessions 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_flush_sessions 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_free.3 b/secure/lib/libssl/man/SSL_CTX_free.3 index 5efdabb..83d368d 100644 --- a/secure/lib/libssl/man/SSL_CTX_free.3 +++ b/secure/lib/libssl/man/SSL_CTX_free.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_free 3" -.TH SSL_CTX_free 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_free 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 index 14f68d6..4a167a5 100644 --- a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 +++ b/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_get_ex_new_index 3" -.TH SSL_CTX_get_ex_new_index 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_get_ex_new_index 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 index 1c31370e..4500cdd 100644 --- a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 +++ b/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_get_verify_mode 3" -.TH SSL_CTX_get_verify_mode 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_get_verify_mode 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 index 8ec3c95..50fc72f 100644 --- a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 +++ b/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_load_verify_locations 3" -.TH SSL_CTX_load_verify_locations 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_load_verify_locations 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_new.3 b/secure/lib/libssl/man/SSL_CTX_new.3 index d7157cf..02e2956 100644 --- a/secure/lib/libssl/man/SSL_CTX_new.3 +++ b/secure/lib/libssl/man/SSL_CTX_new.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_new 3" -.TH SSL_CTX_new 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_new 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,20 +172,34 @@ compatibility reasons, see SSLv23_*\fI_method()\fR. It will also not understand SSLv3 client hello messages. .IP "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" 4 .IX Item "SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)" -A \s-1TLS/SSL\s0 connection established with these methods will understand the SSLv2, -SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello messages -and will indicate that it also understands SSLv3 and TLSv1. A server will -understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best -choice when compatibility is a concern. +A \s-1TLS/SSL\s0 connection established with these methods may understand the SSLv2, +SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +.Sp +If the cipher list does not contain any SSLv2 ciphersuites (the default +cipher list does not) or extensions are required (for example server name) +a client will send out TLSv1 client hello messages including extensions and +will indicate that it also understands TLSv1.1, TLSv1.2 and permits a +fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 +protocols. This is the best choice when compatibility is a concern. +.Sp +If any SSLv2 ciphersuites are included in the cipher list and no extensions +are required then SSLv2 compatible client hellos will be used by clients and +SSLv2 will be accepted by servers. This is \fBnot\fR recommended due to the +insecurity of SSLv2 and the limited nature of the SSLv2 client hello +prohibiting the use of extensions. .PP The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, -SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the \fB\f(BISSL_CTX_set_options()\fB\fR or -\&\fB\f(BISSL_set_options()\fB\fR functions. Using these options it is possible to choose -e.g. \fISSLv23_server_method()\fR and be able to negotiate with all possible -clients, but to only allow newer protocols like SSLv3 or TLSv1. +SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 +options of the \fISSL_CTX_set_options()\fR or \fISSL_set_options()\fR functions. +Using these options it is possible to choose e.g. \fISSLv23_server_method()\fR and +be able to negotiate with all possible clients, but to only allow newer +protocols like TLSv1, TLSv1.1 or \s-1TLS\s0 v1.2. +.PP +Applications which never want to support SSLv2 (even is the cipher string +is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. .PP \&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, -the callbacks, the keys and certificates, and the options to its default +the callbacks, the keys and certificates and the options to its default values. .SH "RETURN VALUES" .IX Header "RETURN VALUES" diff --git a/secure/lib/libssl/man/SSL_CTX_sess_number.3 b/secure/lib/libssl/man/SSL_CTX_sess_number.3 index f0b66a3..2e0b9d6 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_number.3 +++ b/secure/lib/libssl/man/SSL_CTX_sess_number.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_sess_number 3" -.TH SSL_CTX_sess_number 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_sess_number 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 index d931729..b6748a7 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 +++ b/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_sess_set_cache_size 3" -.TH SSL_CTX_sess_set_cache_size 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_sess_set_cache_size 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 index b35640c..1cf7f31 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 +++ b/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_sess_set_get_cb 3" -.TH SSL_CTX_sess_set_get_cb 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_sess_set_get_cb 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_sessions.3 b/secure/lib/libssl/man/SSL_CTX_sessions.3 index 9fa3ce2..6e43552 100644 --- a/secure/lib/libssl/man/SSL_CTX_sessions.3 +++ b/secure/lib/libssl/man/SSL_CTX_sessions.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_sessions 3" -.TH SSL_CTX_sessions 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_sessions 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 b/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 index be092fc..97293ff 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_cert_store 3" -.TH SSL_CTX_set_cert_store 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_cert_store 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 index 3cf5643..709fc39 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_cert_verify_callback 3" -.TH SSL_CTX_set_cert_verify_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_cert_verify_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 index 4582ed2..7f6d90d 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_cipher_list 3" -.TH SSL_CTX_set_cipher_list 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_cipher_list 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -180,6 +180,10 @@ client only supports export \s-1RSA\s0 ciphers with a asymmetric key length of 512 bits and the server is not configured to use temporary \s-1RSA\s0 keys), the \*(L"no shared cipher\*(R" (\s-1SSL_R_NO_SHARED_CIPHER\s0) error is generated and the handshake will fail. +.PP +If the cipher list does not contain any SSLv2 cipher suites (this is the +default) then SSLv2 is effectively disabled and neither clients nor servers +will attempt to use SSLv2. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_set_cipher_list()\fR and \fISSL_set_cipher_list()\fR return 1 if any cipher diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 index dd5ffee..6b30038 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_client_CA_list 3" -.TH SSL_CTX_set_client_CA_list 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_client_CA_list 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -162,7 +162,7 @@ the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s .SH "NOTES" .IX Header "NOTES" When a \s-1TLS/SSL\s0 server requests a client certificate (see -\&\fB\f(BISSL_CTX_set_verify_options()\fB\fR), it sends a list of CAs, for which +\&\fB\f(BISSL_CTX_set_verify\fB\|(3)\fR), it sends a list of CAs, for which it will accept certificates, to the client. .PP This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 index f1ffac8..cd4db2e 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_client_cert_cb 3" -.TH SSL_CTX_set_client_cert_cb 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_client_cert_cb 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -157,7 +157,7 @@ using the \fBx509\fR and \fBpkey\fR arguments and \*(L"1\*(R" must be returned. certificate will be installed into \fBssl\fR, see the \s-1NOTES\s0 and \s-1BUGS\s0 sections. If no certificate should be set, \*(L"0\*(R" has to be returned and no certificate will be sent. A negative return value will suspend the handshake and the -handshake function will return immediatly. \fISSL_get_error\fR\|(3) +handshake function will return immediately. \fISSL_get_error\fR\|(3) will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to indicate, that the handshake was suspended. The next call to the handshake function will again lead to the call of \fIclient_cert_cb()\fR. It is the job of the \fIclient_cert_cb()\fR to store information diff --git a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 index faff127..f10adaf 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_default_passwd_cb 3" -.TH SSL_CTX_set_default_passwd_cb 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_default_passwd_cb 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 index b75db37..9796a36 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_generate_session_id 3" -.TH SSL_CTX_set_generate_session_id 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_generate_session_id 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 index 6866ec3..ce25dc9 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_info_callback 3" -.TH SSL_CTX_set_info_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_info_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 index a9f4f91..0757e0e 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_max_cert_list 3" -.TH SSL_CTX_set_max_cert_list 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_max_cert_list 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_mode.3 b/secure/lib/libssl/man/SSL_CTX_set_mode.3 index a355039..81cb0e9 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_mode.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_mode.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_mode 3" -.TH SSL_CTX_set_mode 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_mode 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 index 5854028..409782b 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_msg_callback 3" -.TH SSL_CTX_set_msg_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_msg_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libssl/man/SSL_CTX_set_options.3 index 50bcaa7..b4943de 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_options.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_options.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_options 3" -.TH SSL_CTX_set_options 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_options 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -345,7 +345,7 @@ renegotiation implementation. Connections and renegotiation are always permitted by OpenSSL implementations. .SS "Unpatched client and patched OpenSSL server" .IX Subsection "Unpatched client and patched OpenSSL server" -The initial connection suceeds but client renegotiation is denied by the +The initial connection succeeds but client renegotiation is denied by the server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal \&\fBhandshake_failure\fR alert in \s-1SSL\s0 v3.0. .PP diff --git a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 index 7535bf4..7727a56 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_psk_client_callback 3" -.TH SSL_CTX_set_psk_client_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_psk_client_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 index 20f519c..5e51332 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_quiet_shutdown 3" -.TH SSL_CTX_set_quiet_shutdown 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_quiet_shutdown 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 index 554e1f5..40811d9 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_session_cache_mode 3" -.TH SSL_CTX_set_session_cache_mode 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_session_cache_mode 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 index f1eb254..b197662 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_session_id_context 3" -.TH SSL_CTX_set_session_id_context 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_session_id_context 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 index 546b3d3..b03716a 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_ssl_version 3" -.TH SSL_CTX_set_ssl_version 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_ssl_version 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_timeout.3 b/secure/lib/libssl/man/SSL_CTX_set_timeout.3 index 24c2253..97cb2a4f 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_timeout.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_timeout.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_timeout 3" -.TH SSL_CTX_set_timeout 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_timeout 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 new file mode 100644 index 0000000..b0d969b3 --- /dev/null +++ b/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 @@ -0,0 +1,307 @@ +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.ie \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.el \{\ +. de IX +.. +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_set_tlsext_ticket_key_cb 3" +.TH SSL_CTX_set_tlsext_ticket_key_cb 3 "2014-08-06" "1.0.1i" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_tlsext_ticket_key_cb \- set a callback for session ticket processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include <openssl/tls1.h> +\& +\& long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, +\& int (*cb)(SSL *s, unsigned char key_name[16], +\& unsigned char iv[EVP_MAX_IV_LENGTH], +\& EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_tlsext_ticket_key_cb()\fR sets a callback fuction \fIcb\fR for handling +session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in +\&\s-1RFC5077\s0 provide an enhanced session resumption capability where the server +implementation is not required to maintain per session state. It only applies +to \s-1TLS\s0 and there is no SSLv3 implementation. +.PP +The callback is available when the OpenSSL library was built without +\&\fI\s-1OPENSSL_NO_TLSEXT\s0\fR being defined. +.PP +The callback function \fIcb\fR will be called for every client instigated \s-1TLS\s0 +session when session ticket extension is presented in the \s-1TLS\s0 hello +message. It is the responsibility of this function to create or retrieve the +cryptographic parameters and to maintain their state. +.PP +The OpenSSL library uses your callback function to help implement a common \s-1TLS\s0 +ticket construction state according to \s-1RFC5077\s0 Section 4 such that per session +state is unnecessary and a small set of cryptographic variables needs to be +maintained by the callback function implementation. +.PP +In order to reuse a session, a \s-1TLS\s0 client must send the a session ticket +extension to the server. The client can only send exactly one session ticket. +The server, through the callback function, either agrees to reuse the session +ticket information or it starts a full \s-1TLS\s0 handshake to create a new session +ticket. +.PP +Before the callback function is started \fIctx\fR and \fIhctx\fR have been +initialised with EVP_CIPHER_CTX_init and HMAC_CTX_init respectively. +.PP +For new sessions tickets, when the client doesn't present a session ticket, or +an attempted retreival of the ticket failed, or a renew option was indicated, +the callback function will be called with \fIenc\fR equal to 1. The OpenSSL +library expects that the function will set an arbitary \fIname\fR, initialize +\&\fIiv\fR, and set the cipher context \fIctx\fR and the hash context \fIhctx\fR. +.PP +The \fIname\fR is 16 characters long and is used as a key identifier. +.PP +The \fIiv\fR length is the length of the \s-1IV\s0 of the corresponding cipher. The +maximum \s-1IV\s0 length is \s-1EVP_MAX_IV_LENGTH\s0 bytes defined in \fBevp.h\fR. +.PP +The initialization vector \fIiv\fR should be a random value. The cipher context +\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be +set using EVP_EncryptInit_ex. The hmac context can be set using HMAC_Init_ex. +.PP +When the client presents a session ticket, the callback function with be called +with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retreive a set +of parameters. In this case \fIname\fR and \fIiv\fR have already been parsed out of +the session ticket. The OpenSSL library expects that the \fIname\fR will be used +to retrieve a cryptographic parameters and that the cryptographic context +\&\fIctx\fR will be set with the retreived parameters and the initialization vector +\&\fIiv\fR. using a function like EVP_DecryptInit_ex. The \fIhctx\fR needs to be set +using HMAC_Init_ex. +.PP +If the \fIname\fR is still valid but a renewal of the ticket is required the +callback function should return 2. The library will call the callback again +with an arguement of enc equal to 1 to set the new ticket. +.PP +The return value of the \fIcb\fR function is used by OpenSSL to determine what +further processing will occur. The following return values have meaning: +.IP "2" 4 +.IX Item "2" +This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can +continue on those parameters. Additionally it indicates that the session +ticket is in a renewal period and should be replaced. The OpenSSL library will +call \fIcb\fR again with an enc argument of 1 to set the new ticket (see \s-1RFC5077\s0 +3.3 paragraph 2). +.IP "1" 4 +.IX Item "1" +This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can +continue on those parameters. +.IP "0" 4 +This indicates that it was not possible to set/retrieve a session ticket and +the \s-1SSL/TLS\s0 session will continue by by negiotationing a set of cryptographic +parameters or using the alternate \s-1SSL/TLS\s0 resumption mechanism, session ids. +.Sp +If called with enc equal to 0 the library will call the \fIcb\fR again to get +a new set of parameters. +.IP "less than 0" 4 +.IX Item "less than 0" +This indicates an error. +.SH "NOTES" +.IX Header "NOTES" +Session resumption shortcuts the \s-1TLS\s0 so that the client certificate +negiotation don't occur. It makes up for this by storing client certificate +an all other negotiated state information encrypted within the ticket. In a +resumed session the applications will have all this state information available +exactly as if a full negiotation had occured. +.PP +If an attacker can obtain the key used to encrypt a session ticket, they can +obtain the master secret for any ticket using that key and decrypt any traffic +using that session: even if the ciphersuite supports forward secrecy. As +a result applications may wish to use multiple keys and avoid using long term +keys stored in files. +.PP +Applications can use longer keys to maintain a consistent level of security. +For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key +the overall security is only 128 bits because breaking the ticket key will +enable an attacker to obtain the session keys. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Reference Implemention: + SSL_CTX_set_tlsext_ticket_key_cb(\s-1SSL\s0,ssl_tlsext_ticket_key_cb); + .... +.PP +.Vb 6 +\& static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) +\& { +\& if (enc) { /* create new session */ +\& if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { +\& return \-1; /* insufficient random */ +\& } +\& +\& key = currentkey(); /* something that you need to implement */ +\& if ( !key ) { +\& /* current key doesn\*(Aqt exist or isn\*(Aqt valid */ +\& key = createkey(); /* something that you need to implement. +\& * createkey needs to initialise, a name, +\& * an aes_key, a hmac_key and optionally +\& * an expire time. */ +\& if ( !key ) { /* key couldn\*(Aqt be created */ +\& return 0; +\& } +\& } +\& memcpy(key_name, key\->name, 16); +\& +\& EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv); +\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); +\& +\& return 1; +\& +\& } else { /* retrieve session */ +\& key = findkey(name); +\& +\& if (!key || key\->expire < now() ) { +\& return 0; +\& } +\& +\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); +\& EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv ); +\& +\& if (key\->expire < ( now() \- RENEW_TIME ) ) { +\& /* return 2 \- this session will get a new ticket even though the current is still valid */ +\& return 2; +\& } +\& return 1; +\& +\& } +\& } +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +returns 0 to indicate the callback function was set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3), +\&\fISSL_session_reused\fR\|(3), +\&\fISSL_CTX_add_session\fR\|(3), +\&\fISSL_CTX_sess_number\fR\|(3), +\&\fISSL_CTX_sess_set_get_cb\fR\|(3), +\&\fISSL_CTX_set_session_id_context\fR\|(3), +.SH "HISTORY" +.IX Header "HISTORY" +This function was introduced in OpenSSL 0.9.8h diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 index 0886646..4664653 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_tmp_dh_callback 3" -.TH SSL_CTX_set_tmp_dh_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_tmp_dh_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -140,11 +140,9 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_se \& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); \& long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); \& -\& void SSL_set_tmp_dh_callback(SSL_CTX *ctx, +\& void SSL_set_tmp_dh_callback(SSL *ctx, \& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); \& long SSL_set_tmp_dh(SSL *ssl, DH *dh) -\& -\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -208,7 +206,7 @@ instead (see \fIdhparam\fR\|(1)), but in this case \s-1SSL_OP_SINGLE_DH_USE\s0 is mandatory. .PP Application authors may compile in \s-1DH\s0 parameters. Files dh512.pem, -dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current +dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current version of the OpenSSL distribution contain the '\s-1SKIP\s0' \s-1DH\s0 parameters, which use safe primes and were generated verifiably pseudo-randomly. These files can be converted into C code using the \fB\-C\fR option of the diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 index 52167a9..42189f8 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_tmp_rsa_callback 3" -.TH SSL_CTX_set_tmp_rsa_callback 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_tmp_rsa_callback 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_set_verify.3 b/secure/lib/libssl/man/SSL_CTX_set_verify.3 index 09bc4be..15777e1 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_verify.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_verify.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_verify 3" -.TH SSL_CTX_set_verify 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_set_verify 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -228,8 +228,8 @@ certificates would not be present, most likely a X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R", \&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum -depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, -allowing for the peer certificate and additional 9 \s-1CA\s0 certificates. +depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100, +allowing for the peer certificate and additional 100 \s-1CA\s0 certificates. .PP The \fBverify_callback\fR function is used to control the behaviour when the \&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and diff --git a/secure/lib/libssl/man/SSL_CTX_use_certificate.3 b/secure/lib/libssl/man/SSL_CTX_use_certificate.3 index c2348fc..8c56743 100644 --- a/secure/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/secure/lib/libssl/man/SSL_CTX_use_certificate.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_use_certificate 3" -.TH SSL_CTX_use_certificate 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_use_certificate 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 index a5ae5f9..82735f6 100644 --- a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 +++ b/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_use_psk_identity_hint 3" -.TH SSL_CTX_use_psk_identity_hint 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_CTX_use_psk_identity_hint 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_SESSION_free.3 b/secure/lib/libssl/man/SSL_SESSION_free.3 index a4101e5..5379d25 100644 --- a/secure/lib/libssl/man/SSL_SESSION_free.3 +++ b/secure/lib/libssl/man/SSL_SESSION_free.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_SESSION_free 3" -.TH SSL_SESSION_free 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_SESSION_free 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 index 31f1749..5732f21 100644 --- a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 +++ b/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_SESSION_get_ex_new_index 3" -.TH SSL_SESSION_get_ex_new_index 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_SESSION_get_ex_new_index 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_SESSION_get_time.3 b/secure/lib/libssl/man/SSL_SESSION_get_time.3 index d42d221..beda3cb 100644 --- a/secure/lib/libssl/man/SSL_SESSION_get_time.3 +++ b/secure/lib/libssl/man/SSL_SESSION_get_time.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_SESSION_get_time 3" -.TH SSL_SESSION_get_time 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_SESSION_get_time 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_accept.3 b/secure/lib/libssl/man/SSL_accept.3 index 79e5193..c9030e0 100644 --- a/secure/lib/libssl/man/SSL_accept.3 +++ b/secure/lib/libssl/man/SSL_accept.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_accept 3" -.TH SSL_accept 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_accept 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_alert_type_string.3 b/secure/lib/libssl/man/SSL_alert_type_string.3 index 6383b60..91928a0 100644 --- a/secure/lib/libssl/man/SSL_alert_type_string.3 +++ b/secure/lib/libssl/man/SSL_alert_type_string.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_alert_type_string 3" -.TH SSL_alert_type_string 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_alert_type_string 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_clear.3 b/secure/lib/libssl/man/SSL_clear.3 index eafd97c..199d248 100644 --- a/secure/lib/libssl/man/SSL_clear.3 +++ b/secure/lib/libssl/man/SSL_clear.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_clear 3" -.TH SSL_clear 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_clear 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_connect.3 b/secure/lib/libssl/man/SSL_connect.3 index 9703367..72851af 100644 --- a/secure/lib/libssl/man/SSL_connect.3 +++ b/secure/lib/libssl/man/SSL_connect.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_connect 3" -.TH SSL_connect 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_connect 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_do_handshake.3 b/secure/lib/libssl/man/SSL_do_handshake.3 index a26b6c9..8c53494 100644 --- a/secure/lib/libssl/man/SSL_do_handshake.3 +++ b/secure/lib/libssl/man/SSL_do_handshake.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_do_handshake 3" -.TH SSL_do_handshake 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_do_handshake 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_free.3 b/secure/lib/libssl/man/SSL_free.3 index 471e7ab..552cf26 100644 --- a/secure/lib/libssl/man/SSL_free.3 +++ b/secure/lib/libssl/man/SSL_free.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_free 3" -.TH SSL_free 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_free 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_SSL_CTX.3 b/secure/lib/libssl/man/SSL_get_SSL_CTX.3 index 4541f4d..d383f6a 100644 --- a/secure/lib/libssl/man/SSL_get_SSL_CTX.3 +++ b/secure/lib/libssl/man/SSL_get_SSL_CTX.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_SSL_CTX 3" -.TH SSL_get_SSL_CTX 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_SSL_CTX 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_ciphers.3 b/secure/lib/libssl/man/SSL_get_ciphers.3 index 4c5ef08..6c785d4 100644 --- a/secure/lib/libssl/man/SSL_get_ciphers.3 +++ b/secure/lib/libssl/man/SSL_get_ciphers.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_ciphers 3" -.TH SSL_get_ciphers 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_ciphers 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_client_CA_list.3 b/secure/lib/libssl/man/SSL_get_client_CA_list.3 index e5f9a99..6b83efc 100644 --- a/secure/lib/libssl/man/SSL_get_client_CA_list.3 +++ b/secure/lib/libssl/man/SSL_get_client_CA_list.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_client_CA_list 3" -.TH SSL_get_client_CA_list 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_client_CA_list 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_current_cipher.3 b/secure/lib/libssl/man/SSL_get_current_cipher.3 index d04f136..3d837a5 100644 --- a/secure/lib/libssl/man/SSL_get_current_cipher.3 +++ b/secure/lib/libssl/man/SSL_get_current_cipher.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_current_cipher 3" -.TH SSL_get_current_cipher 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_current_cipher 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_default_timeout.3 b/secure/lib/libssl/man/SSL_get_default_timeout.3 index 88ea757..515d81c 100644 --- a/secure/lib/libssl/man/SSL_get_default_timeout.3 +++ b/secure/lib/libssl/man/SSL_get_default_timeout.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_default_timeout 3" -.TH SSL_get_default_timeout 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_default_timeout 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_error.3 b/secure/lib/libssl/man/SSL_get_error.3 index 760af98..a70f963 100644 --- a/secure/lib/libssl/man/SSL_get_error.3 +++ b/secure/lib/libssl/man/SSL_get_error.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_error 3" -.TH SSL_get_error 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_error 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 index 71d554c..aa37340 100644 --- a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 +++ b/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_ex_data_X509_STORE_CTX_idx 3" -.TH SSL_get_ex_data_X509_STORE_CTX_idx 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_ex_data_X509_STORE_CTX_idx 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_get_ex_new_index.3 index 05d0625..03f00d5 100644 --- a/secure/lib/libssl/man/SSL_get_ex_new_index.3 +++ b/secure/lib/libssl/man/SSL_get_ex_new_index.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_ex_new_index 3" -.TH SSL_get_ex_new_index 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_ex_new_index 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_fd.3 b/secure/lib/libssl/man/SSL_get_fd.3 index bcaaa8e..e8c2050 100644 --- a/secure/lib/libssl/man/SSL_get_fd.3 +++ b/secure/lib/libssl/man/SSL_get_fd.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_fd 3" -.TH SSL_get_fd 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_fd 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 b/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 index 0303b84..368f567 100644 --- a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 +++ b/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_peer_cert_chain 3" -.TH SSL_get_peer_cert_chain 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_peer_cert_chain 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_peer_certificate.3 b/secure/lib/libssl/man/SSL_get_peer_certificate.3 index 5e9604f..086329e 100644 --- a/secure/lib/libssl/man/SSL_get_peer_certificate.3 +++ b/secure/lib/libssl/man/SSL_get_peer_certificate.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_peer_certificate 3" -.TH SSL_get_peer_certificate 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_peer_certificate 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_psk_identity.3 b/secure/lib/libssl/man/SSL_get_psk_identity.3 index 11c7d98..fdddcb5 100644 --- a/secure/lib/libssl/man/SSL_get_psk_identity.3 +++ b/secure/lib/libssl/man/SSL_get_psk_identity.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_psk_identity 3" -.TH SSL_get_psk_identity 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_psk_identity 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_rbio.3 b/secure/lib/libssl/man/SSL_get_rbio.3 index 34f5c88..073f5e4 100644 --- a/secure/lib/libssl/man/SSL_get_rbio.3 +++ b/secure/lib/libssl/man/SSL_get_rbio.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_rbio 3" -.TH SSL_get_rbio 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_rbio 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_session.3 b/secure/lib/libssl/man/SSL_get_session.3 index b8b14ab..38332de 100644 --- a/secure/lib/libssl/man/SSL_get_session.3 +++ b/secure/lib/libssl/man/SSL_get_session.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_session 3" -.TH SSL_get_session 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_session 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_verify_result.3 b/secure/lib/libssl/man/SSL_get_verify_result.3 index c31cbe7..51ac504 100644 --- a/secure/lib/libssl/man/SSL_get_verify_result.3 +++ b/secure/lib/libssl/man/SSL_get_verify_result.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_verify_result 3" -.TH SSL_get_verify_result 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_verify_result 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_get_version.3 b/secure/lib/libssl/man/SSL_get_version.3 index b0789e4..b0ccef6 100644 --- a/secure/lib/libssl/man/SSL_get_version.3 +++ b/secure/lib/libssl/man/SSL_get_version.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_get_version 3" -.TH SSL_get_version 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_get_version 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -140,11 +140,11 @@ SSL_get_version \- get the protocol version of a connection. .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_cipher_version()\fR returns the name of the protocol used for the +\&\fISSL_get_version()\fR returns the name of the protocol used for the connection \fBssl\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The following strings can occur: +The following strings can be returned: .IP "SSLv2" 4 .IX Item "SSLv2" The connection uses the SSLv2 protocol. @@ -153,7 +153,13 @@ The connection uses the SSLv2 protocol. The connection uses the SSLv3 protocol. .IP "TLSv1" 4 .IX Item "TLSv1" -The connection uses the TLSv1 protocol. +The connection uses the TLSv1.0 protocol. +.IP "TLSv1.1" 4 +.IX Item "TLSv1.1" +The connection uses the TLSv1.1 protocol. +.IP "TLSv1.2" 4 +.IX Item "TLSv1.2" +The connection uses the TLSv1.2 protocol. .IP "unknown" 4 .IX Item "unknown" This indicates that no version has been set (no connection established). diff --git a/secure/lib/libssl/man/SSL_library_init.3 b/secure/lib/libssl/man/SSL_library_init.3 index 80b04c1..3fa07d1 100644 --- a/secure/lib/libssl/man/SSL_library_init.3 +++ b/secure/lib/libssl/man/SSL_library_init.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_library_init 3" -.TH SSL_library_init 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_library_init 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_load_client_CA_file.3 b/secure/lib/libssl/man/SSL_load_client_CA_file.3 index 06baac98..aa70809 100644 --- a/secure/lib/libssl/man/SSL_load_client_CA_file.3 +++ b/secure/lib/libssl/man/SSL_load_client_CA_file.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_load_client_CA_file 3" -.TH SSL_load_client_CA_file 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_load_client_CA_file 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_new.3 b/secure/lib/libssl/man/SSL_new.3 index f3daedd..38fd212 100644 --- a/secure/lib/libssl/man/SSL_new.3 +++ b/secure/lib/libssl/man/SSL_new.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_new 3" -.TH SSL_new 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_new 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_pending.3 b/secure/lib/libssl/man/SSL_pending.3 index d4bc050..65ad186 100644 --- a/secure/lib/libssl/man/SSL_pending.3 +++ b/secure/lib/libssl/man/SSL_pending.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_pending 3" -.TH SSL_pending 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_pending 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_read.3 b/secure/lib/libssl/man/SSL_read.3 index 6411d54..cdd8d20 100644 --- a/secure/lib/libssl/man/SSL_read.3 +++ b/secure/lib/libssl/man/SSL_read.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_read 3" -.TH SSL_read 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_read 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_rstate_string.3 b/secure/lib/libssl/man/SSL_rstate_string.3 index 7235fd4..4c6523e 100644 --- a/secure/lib/libssl/man/SSL_rstate_string.3 +++ b/secure/lib/libssl/man/SSL_rstate_string.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_rstate_string 3" -.TH SSL_rstate_string 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_rstate_string 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_session_reused.3 b/secure/lib/libssl/man/SSL_session_reused.3 index 8999288..384c4ac 100644 --- a/secure/lib/libssl/man/SSL_session_reused.3 +++ b/secure/lib/libssl/man/SSL_session_reused.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_session_reused 3" -.TH SSL_session_reused 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_session_reused 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_bio.3 b/secure/lib/libssl/man/SSL_set_bio.3 index bc2090c..32b959f 100644 --- a/secure/lib/libssl/man/SSL_set_bio.3 +++ b/secure/lib/libssl/man/SSL_set_bio.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_bio 3" -.TH SSL_set_bio 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_bio 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_connect_state.3 b/secure/lib/libssl/man/SSL_set_connect_state.3 index 8eb30ec..718ba26 100644 --- a/secure/lib/libssl/man/SSL_set_connect_state.3 +++ b/secure/lib/libssl/man/SSL_set_connect_state.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_connect_state 3" -.TH SSL_set_connect_state 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_connect_state 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_fd.3 b/secure/lib/libssl/man/SSL_set_fd.3 index 6b2b138..d3e1756 100644 --- a/secure/lib/libssl/man/SSL_set_fd.3 +++ b/secure/lib/libssl/man/SSL_set_fd.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_fd 3" -.TH SSL_set_fd 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_fd 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_session.3 b/secure/lib/libssl/man/SSL_set_session.3 index 1611fa5..8a8bd10 100644 --- a/secure/lib/libssl/man/SSL_set_session.3 +++ b/secure/lib/libssl/man/SSL_set_session.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_session 3" -.TH SSL_set_session 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_session 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_shutdown.3 b/secure/lib/libssl/man/SSL_set_shutdown.3 index 9f23b54..fcad1df 100644 --- a/secure/lib/libssl/man/SSL_set_shutdown.3 +++ b/secure/lib/libssl/man/SSL_set_shutdown.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_shutdown 3" -.TH SSL_set_shutdown 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_shutdown 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_set_verify_result.3 b/secure/lib/libssl/man/SSL_set_verify_result.3 index b558d4e..fd19c3f 100644 --- a/secure/lib/libssl/man/SSL_set_verify_result.3 +++ b/secure/lib/libssl/man/SSL_set_verify_result.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_set_verify_result 3" -.TH SSL_set_verify_result 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_set_verify_result 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_shutdown.3 b/secure/lib/libssl/man/SSL_shutdown.3 index dbec86d..e7cb7bd 100644 --- a/secure/lib/libssl/man/SSL_shutdown.3 +++ b/secure/lib/libssl/man/SSL_shutdown.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_shutdown 3" -.TH SSL_shutdown 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_shutdown 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_state_string.3 b/secure/lib/libssl/man/SSL_state_string.3 index 4bd05ad..2b16a8d 100644 --- a/secure/lib/libssl/man/SSL_state_string.3 +++ b/secure/lib/libssl/man/SSL_state_string.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_state_string 3" -.TH SSL_state_string 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_state_string 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_want.3 b/secure/lib/libssl/man/SSL_want.3 index cd7dfd2..9350078 100644 --- a/secure/lib/libssl/man/SSL_want.3 +++ b/secure/lib/libssl/man/SSL_want.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_want 3" -.TH SSL_want 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_want 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/SSL_write.3 b/secure/lib/libssl/man/SSL_write.3 index cfaf21a..35ac546 100644 --- a/secure/lib/libssl/man/SSL_write.3 +++ b/secure/lib/libssl/man/SSL_write.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "SSL_write 3" -.TH SSL_write 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH SSL_write 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/secure/lib/libssl/man/d2i_SSL_SESSION.3 b/secure/lib/libssl/man/d2i_SSL_SESSION.3 index 68eaa3c..2a4b2f6 100644 --- a/secure/lib/libssl/man/d2i_SSL_SESSION.3 +++ b/secure/lib/libssl/man/d2i_SSL_SESSION.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "d2i_SSL_SESSION 3" -.TH d2i_SSL_SESSION 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH d2i_SSL_SESSION 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -175,6 +175,16 @@ known limit on the size of the created \s-1ASN1\s0 representation, so the necess amount of space should be obtained by first calling \fIi2d_SSL_SESSION()\fR with \&\fBpp=NULL\fR, and obtain the size needed, then allocate the memory and call \fIi2d_SSL_SESSION()\fR again. +Note that this will advance the value contained in \fB*pp\fR so it is necessary +to save a copy of the original allocation. +For example: + int i,j; + char *p, *temp; + i = i2d_SSL_SESSION(sess, \s-1NULL\s0); + p = temp = malloc(i); + j = i2d_SSL_SESSION(sess, &temp); + assert(i == j); + assert(p+i == temp); .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fId2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0 diff --git a/secure/lib/libssl/man/ssl.3 b/secure/lib/libssl/man/ssl.3 index 623022f..c5f83ae 100644 --- a/secure/lib/libssl/man/ssl.3 +++ b/secure/lib/libssl/man/ssl.3 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "ssl 3" -.TH ssl 3 "2014-06-05" "1.0.1h" "OpenSSL" +.TH ssl 3 "2014-08-06" "1.0.1i" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l |