The branch master has been updated via 03e16083ff526d6d38de519620747aabbfc69b83 (commit) via 8b3efb53027dd4f7d51b7ca9dd9658f02d6f1b1a (commit) from c98eab85b8a6c5d49353a229ac1d2f4cd0b84682 (commit)
- Log ----------------------------------------------------------------- commit 03e16083ff526d6d38de519620747aabbfc69b83 Author: Rich Salz <rs...@akamai.com> Date: Fri Jan 24 12:33:05 2020 -0500 Fix "ts" no-XXX options, document two TLS options Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10191) commit 8b3efb53027dd4f7d51b7ca9dd9658f02d6f1b1a Author: Rich Salz <rs...@akamai.com> Date: Sat Oct 12 17:45:56 2019 -0400 Update the SSL/TLS connection options Refactor common flags for SSL/TLS connection options. Update SSL_CONF_cmd.pod to match ordering. Rewrite much of the documentation. Fixes #10160 Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10191) ----------------------------------------------------------------------- Summary of changes: doc/man1/openssl-s_server.pod.in | 19 ++- doc/man1/openssl-ts.pod.in | 7 +- doc/man3/SSL_CONF_cmd.pod | 327 ++++++++++++++++++++------------------- doc/perlvars.pm | 17 +- 4 files changed, 194 insertions(+), 176 deletions(-) diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 78119281db..b31d4f6a2c 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -41,6 +41,7 @@ B<openssl> B<s_server> [B<-no_resume_ephemeral>] [B<-www>] [B<-WWW>] +[B<-http_server_binmode>] [B<-servername>] [B<-servername_fatal>] [B<-cert2> I<infile>] @@ -88,7 +89,6 @@ B<openssl> B<s_server> [B<-no_comp>] [B<-comp>] [B<-no_ticket>] -[B<-num_tickets>] [B<-serverpref>] [B<-legacy_renegotiation>] [B<-no_renegotiation>] @@ -125,16 +125,17 @@ B<openssl> B<s_server> [B<-use_srtp> I<val>] [B<-alpn> I<val>] [B<-keylogfile> I<outfile>] -[B<-max_early_data> I<int>] [B<-recv_max_early_data> I<int>] +[B<-max_early_data> I<int>] [B<-early_data>] [B<-stateless>] [B<-anti_replay>] [B<-no_anti_replay>] -[B<-http_server_binmode>] +[B<-num_tickets>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_s_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} @@ -371,6 +372,11 @@ In addition, the special URL C</stats> will return status information like the B<-www> option. Neither of these options can be used in conjunction with B<-early_data>. +=item B<-http_server_binmode> + +When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested +by the client in binary mode. + =item B<-id_prefix> I<val> Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful @@ -641,15 +647,12 @@ has been negotiated, and early data is enabled on the server. A full handshake is forced if a session ticket is used a second or subsequent time. Any early data that was sent will be rejected. -=item B<-http_server_binmode> - -When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested -by the client in binary mode. - {- $OpenSSL::safe::opt_name_item -} {- $OpenSSL::safe::opt_version_item -} +{- $OpenSSL::safe::opt_s_item -} + {- $OpenSSL::safe::opt_x_item -} {- $OpenSSL::safe::opt_trust_item -} diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index b9e911827d..f115f45072 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -50,7 +50,9 @@ B<-verify> [B<-queryfile> I<request.tsq>] [B<-in> I<response.tsr>] [B<-token_in>] -{- $OpenSSL::safe::opt_trust_synopsis -} +[B<-CAfile> I<file>] +[B<-CApath> I<dir>] +[B<-CAstore> I<uri>] {- $OpenSSL::safe::opt_v_synopsis -} =for openssl ifdef engine @@ -330,8 +332,9 @@ certificate. This file must contain the TSA signing certificate and all intermediate CA certificates unless the response includes them. (Optional) -{- $OpenSSL::safe::opt_trust_item -} +=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri> +See L<openssl(1)/Trusted Certificate Options> for details. At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified. {- $OpenSSL::safe::opt_v_item -} diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index ea1f1e8503..1f2e7b8ebb 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -9,222 +9,233 @@ SSL_CONF_cmd - send configuration command #include <openssl/ssl.h> - int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); - int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); + int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value); + int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option); =head1 DESCRIPTION -The function SSL_CONF_cmd() performs configuration operation B<cmd> with +The function SSL_CONF_cmd() performs configuration operation B<option> with optional parameter B<value> on B<ctx>. Its purpose is to simplify application configuration of B<SSL_CTX> or B<SSL> structures by providing a common framework for command line options or configuration files. -SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to. +SSL_CONF_cmd_value_type() returns the type of value that B<option> refers to. =head1 SUPPORTED COMMAND LINE COMMANDS -Currently supported B<cmd> names for command lines (i.e. when the -flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names +Currently supported B<option> names for command lines (i.e. when the +flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<option> names are case sensitive. Unless otherwise stated commands can be used by both clients and servers and the B<value> parameter is not used. The default prefix for command line commands is B<-> and that is reflected below. =over 4 -=item B<-sigalgs> +=item B<-bugs> -This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. -For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. +Various bug workarounds are set, same as setting B<SSL_OP_ALL>. -The B<value> argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form B<algorithm+hash> or -B<signature_scheme>. B<algorithm> -is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm -OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. -Note: algorithm and hash names are case sensitive. -B<signature_scheme> is one of the signature schemes defined in TLSv1.3, -specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>, -or B<rsa_pss_pss_sha256>. +=item B<-no_comp> -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. +Disables support for SSL/TLS compression, same as setting +B<SSL_OP_NO_COMPRESSION>. +As of OpenSSL 1.1.0, compression is off by default. -Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by -using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> -identifiers) are ignored in TLSv1.3 and will not be negotiated. +=item B<-comp> -=item B<-client_sigalgs> +Enables support for SSL/TLS compression, same as clearing +B<SSL_OP_NO_COMPRESSION>. +This command was introduced in OpenSSL 1.1.0. +As of OpenSSL 1.1.0, compression is off by default. -This sets the supported signature algorithms associated with client -authentication for TLSv1.2 and TLSv1.3. -For servers the value is used in the -B<signature_algorithms> field of a B<CertificateRequest> message. -For clients it is -used to determine which signature algorithm to use with the client certificate. -If a server does not request a certificate this option has no effect. +=item B<-no_ticket> -The syntax of B<value> is identical to B<-sigalgs>. If not set then -the value set for B<-sigalgs> will be used instead. +Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. -=item B<-groups> +=item B<-serverpref> -This sets the supported groups. For clients, the groups are -sent using the supported groups extension. For servers, it is used -to determine which group to use. This setting affects groups used for -signatures (in TLSv1.2 and earlier) and key exchange. The first group listed -will also be used for the B<key_share> sent by a client in a TLSv1.3 -B<ClientHello>. +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. -The B<value> argument is a colon separated list of groups. The group can be -either the B<NIST> name (e.g. B<P-256>), some other commonly used name where -applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name -(e.g B<prime256v1>). Group names are case sensitive. The list should be in -order of preference with the most preferred group first. +=item B<-legacyrenegotiation> -Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, -B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, -B<ffdhe8192>. +permits the use of unsafe legacy renegotiation. Equivalent to setting +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. -=item B<-curves> +=item B<-no_renegotiation> -This is a synonym for the "-groups" command. +Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +B<SSL_OP_NO_RENEGOTIATION>. -=item B<-named_curve> +=item B<-no_resumption_on_reneg> -This sets the temporary curve used for ephemeral ECDH modes. Only used by -servers +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. -The B<value> argument is a curve name or the special value B<auto> which -picks an appropriate curve based on client and server preferences. The curve -can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name -(e.g B<prime256v1>). Curve names are case sensitive. +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> -=item B<-cipher> +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. -Sets the TLSv1.2 and below ciphersuite list to B<value>. This list will be -combined with any configured TLSv1.3 ciphersuites. Note: syntax checking -of B<value> is currently not performed unless a B<SSL> or B<SSL_CTX> structure is -associated with B<cctx>. +=item B<-prioritize_chacha> -=item B<-ciphersuites> +Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of +its preference list. This usually indicates a client without AES hardware +acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. +Only used by servers. Requires B<-serverpref>. -Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon -(":") separated list of TLSv1.3 ciphersuite names in order of preference. This -list will be combined any configured TLSv1.2 and below ciphersuites. -See L<openssl-ciphers(1)> for more information. +=item B<-allow_no_dhe_kex> +In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. -=item B<-cert> +=item B<-strict> -Attempts to use the file B<value> as the certificate for the appropriate -context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> -structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> -structure is set. This option is only supported if certificate operations -are permitted. +enables strict mode protocol handling. Equivalent to setting +B<SSL_CERT_FLAG_TLS_STRICT>. -=item B<-key> +=item B<-sigalgs> I<algs> -Attempts to use the file B<value> as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded unless the flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. +This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. +For clients this value is used directly for the supported signature +algorithms extension. For servers it is used to determine which signature +algorithms to support. + +The B<algs> argument should be a colon separated list of signature +algorithms in order of decreasing preference of the form B<algorithm+hash> +or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and +B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>, +B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case +sensitive. B<signature_scheme> is one of the signature schemes defined in +TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, +B<ed25519>, or B<rsa_pss_pss_sha256>. -=item B<-dhparam> +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. -Attempts to use the file B<value> as the set of temporary DH parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. +Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by +using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> +identifiers) are ignored in TLSv1.3 and will not be negotiated. -=item B<-record_padding> +=item B<-client_sigalgs> I<algs> -Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in -length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the -B<value> must be >1 or <=16384. +This sets the supported signature algorithms associated with client +authentication for TLSv1.2 and TLSv1.3. For servers the B<algs> is used +in the B<signature_algorithms> field of a B<CertificateRequest> message. +For clients it is used to determine which signature algorithm to use with +the client certificate. If a server does not request a certificate this +option has no effect. -=item B<-no_renegotiation> +The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the +value set for B<-sigalgs> will be used instead. -Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting -B<SSL_OP_NO_RENEGOTIATION>. +=item B<-groups> I<groups> -=item B<-min_protocol>, B<-max_protocol> +This sets the supported groups. For clients, the groups are sent using +the supported groups extension. For servers, it is used to determine which +group to use. This setting affects groups used for signatures (in TLSv1.2 +and earlier) and key exchange. The first group listed will also be used +for the B<key_share> sent by a client in a TLSv1.3 B<ClientHello>. -Sets the minimum and maximum supported protocol. -Currently supported protocol values are B<SSLv3>, B<TLSv1>, -B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, -and B<None> for no limit. -If either bound is not specified then only the other bound applies, -if specified. -To restrict the supported protocol versions use these commands rather -than the deprecated alternative commands below. +The B<groups> argument is a colon separated list of groups. The group can +be either the B<NIST> name (e.g. B<P-256>), some other commonly used name +where applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name +(e.g B<prime256v1>). Group names are case sensitive. The list should be +in order of preference with the most preferred group first. -=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> +Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, +B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, +B<ffdhe8192>. -Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by -setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, -B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> -respectively. These options are deprecated, instead use B<-min_protocol> and -B<-max_protocol>. +=item B<-curves> I<groups> -=item B<-bugs> +This is a synonym for the B<-groups> command. -Various bug workarounds are set, same as setting B<SSL_OP_ALL>. +=item B<-named_curve> I<curve> -=item B<-comp> +This sets the temporary curve used for ephemeral ECDH modes. Only used +by servers. -Enables support for SSL/TLS compression, same as clearing -B<SSL_OP_NO_COMPRESSION>. -This command was introduced in OpenSSL 1.1.0. -As of OpenSSL 1.1.0, compression is off by default. +The B<groups> argument is a curve name or the special value B<auto> which +picks an appropriate curve based on client and server preferences. The +curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. -=item B<-no_comp> +=item B<-cipher> I<ciphers> -Disables support for SSL/TLS compression, same as setting -B<SSL_OP_NO_COMPRESSION>. -As of OpenSSL 1.1.0, compression is off by default. +Sets the TLSv1.2 and below ciphersuite list to B<ciphers>. This list will be +combined with any configured TLSv1.3 ciphersuites. Note: syntax checking +of B<ciphers> is currently not performed unless a B<SSL> or B<SSL_CTX> +structure is associated with B<ctx>. -=item B<-no_ticket> +=item B<-ciphersuites> I<1.3ciphers> -Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. +Sets the available ciphersuites for TLSv1.3 to value. This is a +colon-separated list of TLSv1.3 ciphersuite names in order of preference. This +list will be combined any configured TLSv1.2 and below ciphersuites. +See L<openssl-ciphers(1)> for more information. -=item B<-serverpref> +=item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot> -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. +Sets the minimum and maximum supported protocol. Currently supported +protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> +for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> for no limit. +If either bound is not specified then only the other bound applies, +if specified. To restrict the supported protocol versions use these +commands rather than the deprecated alternative commands below. -=item B<-prioritize_chacha> +=item B<-record_padding> I<padding> -Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of -its preference list. This usually indicates a client without AES hardware -acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. -Only used by servers. Requires B<-serverpref>. +Attempts to pad TLSv1.3 records so that they are a multiple of B<padding> +in length on send. A B<padding> of 0 or 1 turns off padding. Otherwise, +the B<padding> must be >1 or <=16384. -=item B<-no_resumption_on_reneg> +=item B<-debug_broken_protocol> -set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. +Ignored. -=item B<-legacyrenegotiation> +=item B<-no_middlebox> -permits the use of unsafe legacy renegotiation. Equivalent to setting -B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. +Turn off "middlebox compatibility", as described below. -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> +=back -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. -Set by default. +=head2 Additional Options -=item B<-allow_no_dhe_kex> +The following options are accepted by SSL_CONF_cmd(), but are not +processed by the OpenSSL commands. -In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means -that there will be no forward secrecy for the resumed session. +=over 4 -=item B<-strict> +=item B<-cert> I<file> -enables strict mode protocol handling. Equivalent to setting -B<SSL_CERT_FLAG_TLS_STRICT>. +Attempts to use B<file> as the certificate for the appropriate context. It +currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> +structure is set or SSL_use_certificate_file() with filetype PEM if an +B<SSL> structure is set. This option is only supported if certificate +operations are permitted. + +=item B<-key> I<file> + +Attempts to use B<file> as the private key for the appropriate context. This +option is only supported if certificate operations are permitted. Note: +if no B<-key> option is set then a private key is not loaded unless the +flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. + +=item B<-dhparam> I<file> + +Attempts to use B<file> as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> + +Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by +setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, +B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> +respectively. These options are deprecated, use B<-min_protocol> and +B<-max_protocol> instead. =item B<-anti_replay>, B<-no_anti_replay> @@ -242,13 +253,13 @@ required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>. =head1 SUPPORTED CONFIGURATION FILE COMMANDS -Currently supported B<cmd> names for configuration files (i.e. when the +Currently supported B<option> names for configuration files (i.e., when the flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file -B<cmd> names are case insensitive so B<signaturealgorithms> is recognised +B<option> names are case insensitive so B<signaturealgorithms> is recognised as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names are also case insensitive. -Note: the command prefix (if set) alters the recognised B<cmd> values. +Note: the command prefix (if set) alters the recognised B<option> values. =over 4 @@ -257,12 +268,12 @@ Note: the command prefix (if set) alters the recognised B<cmd> values. Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be combined with any configured TLSv1.3 ciphersuites. Note: syntax checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX> -structure is associated with B<cctx>. +structure is associated with B<ctx>. =item B<Ciphersuites> -Sets the available ciphersuites for TLSv1.3 to B<value>. This is a simple colon -(":") separated list of TLSv1.3 ciphersuite names in order of preference. This +Sets the available ciphersuites for TLSv1.3 to B<value>. This is a +colon-separated list of TLSv1.3 ciphersuite names in order of preference. This list will be combined any configured TLSv1.2 and below ciphersuites. See L<openssl-ciphers(1)> for more information. @@ -540,7 +551,7 @@ types: =item B<SSL_CONF_TYPE_UNKNOWN> -The B<cmd> string is unrecognised, this return value can be use to flag +The B<option> string is unrecognised, this return value can be use to flag syntax errors. =item B<SSL_CONF_TYPE_STRING> @@ -580,7 +591,7 @@ SSLv3 is B<always> disabled and attempt to override this by the user are ignored. By checking the return code of SSL_CONF_cmd() it is possible to query if a -given B<cmd> is recognised, this is useful if SSL_CONF_cmd() values are +given B<option> is recognised, this is useful if SSL_CONF_cmd() values are mixed with additional application specific operations. For example an application might call SSL_CONF_cmd() and if it returns @@ -590,12 +601,12 @@ commands. Applications can also use SSL_CONF_cmd() to process command lines though the utility function SSL_CONF_cmd_argv() is normally used instead. One way to do this is to set the prefix to an appropriate value using -SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the +SSL_CONF_CTX_set1_prefix(), pass the current argument to B<option> and the following argument to B<value> (which may be NULL). In this case if the return value is positive then it is used to skip that number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is -returned then B<cmd> is not recognised and application specific arguments +returned then B<option> is not recognised and application specific arguments can be checked instead. If -3 is returned a required argument is missing and an error is indicated. If 0 is returned some other error occurred and this can be reported back to the user. @@ -608,17 +619,17 @@ pathname to an absolute pathname. =head1 RETURN VALUES -SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is -B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it +SSL_CONF_cmd() returns 1 if the value of B<option> is recognised and B<value> is +B<NOT> used and 2 if both B<option> and B<value> are used. In other words it returns the number of arguments processed. This is useful when processing command lines. -A return value of -2 means B<cmd> is not recognised. +A return value of -2 means B<option> is not recognised. -A return value of -3 means B<cmd> is recognised and the command requires a +A return value of -3 means B<option> is recognised and the command requires a value but B<value> is NULL. -A return code of 0 indicates that both B<cmd> and B<value> are valid but an +A return code of 0 indicates that both B<option> and B<value> are valid but an error occurred attempting to perform the operation: for example due to an error in the syntax of B<value> in this case the error queue may provide additional information. diff --git a/doc/perlvars.pm b/doc/perlvars.pm index c20f4aedaa..bae8b15e83 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -65,7 +65,7 @@ $OpenSSL::safe::opt_x_synopsis = "" $OpenSSL::safe::opt_x_item = "" . "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n" . "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n" -. "B<-xkeyform> B<DER>|B<PEM>>\n" +. "B<-xkeyform> B<DER>|B<PEM>\n" . "\n" . "Set extended certificate verification options.\n" . "See L<openssl(1)/Extended Verification Options> for details."; @@ -143,16 +143,17 @@ $OpenSSL::safe::opt_version_item = "\n" . "See L<openssl(1)/TLS Version Options>."; # SSL connection options. -# TODO options will probably be re-ordered. +# TODO # options will probably be re-ordered. $OpenSSL::safe::opt_s_synopsis = "" . "[B<-bugs>]\n" . "[B<-no_comp>]\n" +. "[B<-comp>]\n" . "[B<-no_ticket>]\n" . "[B<-serverpref>]\n" . "[B<-legacy_renegotiation>]\n" . "[B<-no_renegotiation>]\n" -. "[B<-legacy_server_connect>]\n" . "[B<-no_resumption_on_reneg>]\n" +. "[B<-legacy_server_connect>]\n" . "[B<-no_legacy_server_connect>]\n" . "[B<-allow_no_dhe_kex>]\n" . "[B<-prioritize_chacha>]\n" @@ -161,7 +162,7 @@ $OpenSSL::safe::opt_s_synopsis = "" . "[B<-client_sigalgs> I<algs>]\n" . "[B<-groups> I<groups>]\n" . "[B<-curves> I<curves>]\n" -. "[B<-named_curve> I<curves>]\n" +. "[B<-named_curve> I<curve>]\n" . "[B<-cipher> I<ciphers>]\n" . "[B<-ciphersuites> I<1.3ciphers>]\n" . "[B<-min_protocol> I<minprot>]\n" @@ -170,12 +171,12 @@ $OpenSSL::safe::opt_s_synopsis = "" . "[B<-debug_broken_protocol>]\n" . "[B<-no_middlebox>]"; $OpenSSL::safe::opt_s_item = "" -. "=item B<-bugs>, B<-no_comp>, B<-no_ticket>, B<-serverpref>," -. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-legacy_server_connect>,\n" -. "B<-no_resumption_on_reneg>, B<-no_legacy_server_connect>,\n" +. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n" +. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n" +. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n" . "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n" . "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n" -. "I<curves>, B<-named_curve> I<curves>, B<-cipher> I<ciphers>, B<-ciphersuites>\n" +. "I<curves>, B<-named_curve> I<curve>, B<-cipher> I<ciphers>, B<-ciphersuites>\n" . "I<1.3ciphers>, B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>,\n" . "B<-record_padding> I<padding>, B<-debug_broken_protocol>, B<-no_middlebox>\n" . "\n"