| field | value | date |
|---|---|---|
| author | Matt Caswell <matt@openssl.org> | 2018-02-21 17:23:11 +0000 |
| committer | Matt Caswell <matt@openssl.org> | 2018-03-14 10:15:50 +0000 |
| commit | 9d2674cd232ab51f5ae7952a63a614b688145527 (patch) | |
| tree | d2f99d6c79a452bdffd00b0908ff1ac3542416e0 /doc/man1 | |
| parent | e54b3ccdbe42d614890fb43cee274e6b14e741dd (diff) | |
Add documentation for TLSv1.3 ciphersuite configuration
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
Diffstat (limited to 'doc/man1')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/man1/ciphers.pod | 26 |
| -rw-r--r-- | doc/man1/s_client.pod | 19 |
| -rw-r--r-- | doc/man1/s_server.pod | 20 |
| -rw-r--r-- | doc/man1/s_time.pod | 19 |

4 files changed, 65 insertions, 19 deletions
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod index 129f76600f..eed5e64d3a 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -22,6 +22,7 @@ B<openssl> B<ciphers> [B<-srp>] [B<-stdname>] [B<-convert name>] +[B<-ciphersuites val>] [B<cipherlist>] =head1 DESCRIPTION @@ -105,10 +106,21 @@ Precede each cipher suite by its standard name. Convert a standard cipher B<name> to its OpenSSL name. +=item B<-ciphersuites val> + +Sets the list of TLSv1.3 ciphersuites. This list will be combined with any +TLSv1.2 and below ciphersuites that have been configured. The format for this +list is a simple colon (":") separated list of TLSv1.3 ciphersuite names. By +default this value is: + +"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" + =item B<cipherlist> -A cipher list to convert to a cipher preference list. If it is not included -then the default cipher list will be used. The format is described below. +A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher +preference list. This list will be combined with any TLSv1.3 ciphersuites that +have been configured. If it is not included then the default cipher list will be +used. The format is described below. =back @@ -705,11 +717,11 @@ Note: the CBC modes mentioned in this RFC are not supported. =head2 TLS v1.3 cipher suites - TLS_AES_128_GCM_SHA256 TLS13-AES-128-GCM-SHA256 - TLS_AES_256_GCM_SHA384 TLS13-AES-256-GCM-SHA384 - TLS_CHACHA20_POLY1305_SHA256 TLS13-CHACHA20-POLY1305-SHA256 - TLS_AES_128_CCM_SHA256 TLS13-AES-128-CCM-SHA256 - TLS_AES_128_CCM_8_SHA256 TLS13-AES-128-CCM-8-SHA256 + TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256 + TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256 + TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256 + TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256 =head2 Older names used by OpenSSL diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index f101b33649..a06d3a6291 100644 
--- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -99,6 +99,7 @@ B<openssl> B<s_client> [B<-sigalgs sigalglist>] [B<-curves curvelist>] [B<-cipher cipherlist>] +[B<-ciphersuites val>] [B<-serverpref>] [B<-starttls protocol>] [B<-xmpphost hostname>] @@ -505,10 +506,20 @@ ultimately selected by the server. For a list of all curves, use: =item B<-cipher cipherlist> -This allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. See the B<ciphers> -command for more information. +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which ciphersuite is used it should +take the first supported cipher in the list sent by the client. See the +B<ciphers> command for more information. + +=item B<-ciphersuites val> + +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See the +B<ciphers> command for more information. The format for this list is a simple +colon (":") separated list of TLSv1.3 ciphersuite names. =item B<-starttls protocol> diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index ad04359efd..2f0f79ac78 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -113,6 +113,7 @@ B<openssl> B<s_server> [B<-curves val>] [B<-named_curve val>] [B<-cipher val>] +[B<-ciphersuites val>] [B<-dhparam infile>] [B<-record_padding val>] [B<-debug_broken_protocol>] 
@@ -533,12 +534,23 @@ For a list of all possible curves, use: =item B<-cipher val> -This allows the cipher list used by the server to be modified. When -the client sends a list of supported ciphers the first client cipher -also included in the server list is used. Because the client specifies -the preference order, the order of the server cipherlist irrelevant. See +This allows the list of TLSv1.2 and below ciphersuites used by the server to be +modified. This list is combined with any TLSv1.3 ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See the B<ciphers> command for more information. +=item B<-ciphersuites val> + +This allows the list of TLSv1.3 ciphersuites used by the server to be modified. +This list is combined with any TLSv1.2 and below ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See +the B<ciphers> command for more information. The format for this list is a +simple colon (":") separated list of TLSv1.3 ciphersuite names. + =item B<-dhparam infile> The DH parameter file to use. The ephemeral DH cipher suites generate keys diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod index ecdac17cc5..62a6788e70 100644 --- a/doc/man1/s_time.pod +++ b/doc/man1/s_time.pod @@ -25,6 +25,7 @@ B<openssl> B<s_time> [B<-ssl3>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-ciphersuites val>] =head1 DESCRIPTION 
@@ -128,10 +129,20 @@ option enables various workarounds. =item B<-cipher cipherlist> -This allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. -See the L<ciphers(1)> command for more information. +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See the +L<ciphers(1)> command for more information. + +=item B<-ciphersuites val> + +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See the +B<ciphers> command for more information. The format for this list is a simple +colon (":") separated list of TLSv1.3 ciphersuite names. =item B<-time length> |
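Review bot: in the ciphers.pod hunk that adds `=item B<-ciphersuites val>`, the stated default lists three suites, but the "TLS v1.3 cipher suites" table later in the same file lists five (TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256 are the extra two); say explicitly that the CCM suites are supported but only enabled when named in this option, and state what happens when an entry in the colon-separated list is not a recognised TLSv1.3 name (whole list rejected, or bad entry skipped), since an operator who loses all TLSv1.3 suites to a typo otherwise has no documented way to tell. A single worked invocation, e.g. `openssl ciphers -v -ciphersuites TLS_AES_256_GCM_SHA384`, would make the "combined with any TLSv1.2 and below ciphersuites" sentence concrete.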
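Review bot: after the ciphers.pod hunk at `@@ -705,11 +717,11 @@`, both columns of the "TLS v1.3 cipher suites" table are identical, so the table no longer says anything a reader could not get from one column; either collapse it to a single column with a sentence stating that OpenSSL uses the standard names unchanged for TLSv1.3 (which is what `-stdname` and `-convert` would then be no-ops for), or, if the removed `TLS13-AES-128-GCM-SHA256` style spellings were ever accepted as aliases, move them into the `=head2 Older names used by OpenSSL` section that immediately follows rather than dropping them without comment.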
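Review bot: within the s_client.pod `@@ -505,10 +506,20 @@` hunk the rewritten B<-cipher> text says "ciphersuite" while the new B<-ciphersuites> text says "cipher suite"; pick one spelling. The placeholders also differ (B<-cipher cipherlist> vs B<-ciphersuites val>); name the argument the same way, as s_server.pod does with B<val> for both. More substantively, "This list will be combined with any TLSv1.2 and below ciphersuites" reads as if the two form one ordered list, so spell out that the TLSv1.3 names and the TLSv1.2-and-below list are separate sets and the protocol version negotiated decides which set the server picks from; otherwise a reader may expect relative ordering between a TLS_AES_* entry and a TLSv1.2 suite to matter.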
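Review bot: in the s_server.pod `@@ -533,12 +534,23 @@` hunk the sentence "Because the client specifies the preference order, the order of the server cipherlist is irrelevant" is copied verbatim into the new B<-ciphersuites> entry; it holds only when the server has not been told to use its own preference order (s_server's -serverpref option does exactly that), so the new entry should either carry that caveat or refer to the B<-cipher> entry instead of restating an unconditional "irrelevant". The "combined" wording has the same ambiguity as in s_client.pod: say that the TLSv1.3 list and the TLSv1.2-and-below list are consulted according to the negotiated protocol version rather than merged into one preference list.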
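Review bot: in the s_time.pod `@@ -128,10 +129,20 @@` hunk the new B<-ciphersuites> entry ends with "See the B<ciphers> command for more information" while the B<-cipher> entry just above it, in the same hunk, uses "See the L<ciphers(1)> command"; use the L<ciphers(1)> form in both so the rendered page carries the cross-reference. The placeholder mismatch (B<-cipher cipherlist> vs B<-ciphersuites val>) is the same one as in s_client.pod and should be fixed the same way.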