| field | value | date |
|---|---|---|
| author | Rich Salz <rsalz@akamai.com> | 2021-05-06 12:56:35 -0400 |
| committer | Tomas Mraz <tomas@openssl.org> | 2021-05-17 10:53:30 +0200 |
| commit | 55373bfd419ca010a15aac18c88c94827e2f3a92 (patch) | |
| tree | 803860f6eae08da5688ae7c4b68e195e52851a23 /doc/man3 | |
| parent | d7970dd963134534340ad00fa62cb1180daf5cb0 (diff) | |
Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Add -client_renegotiation flag support. The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.
Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests so this is the easiest thing
to do.
Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)
Diffstat (limited to 'doc/man3')
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 8da8f7f060..bbd622a687 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -58,9 +58,15 @@ Use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. +=item B<-client_renegotiation> + +Allows servers to accept client-initiated renegotiation. Equivalent to +setting B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION>. +Only used by servers. + =item B<-legacyrenegotiation> -permits the use of unsafe legacy renegotiation. Equivalent to setting +Permits the use of unsafe legacy renegotiation. Equivalent to setting B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. =item B<-no_renegotiation> @@ -70,13 +76,19 @@ B<SSL_OP_NO_RENEGOTIATION>. =item B<-no_resumption_on_reneg> -set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. +Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only used by servers. =item B<-legacy_server_connect>, B<-no_legacy_server_connect> -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. +=item B<-immediate_renegotiation> + +Try to do a renegotiation immediately after the handshake. +This is for debugging and has no option equivalent. +Ignored by the B<openssl s_client> command. + =item B<-prioritize_chacha> Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of @@ -91,7 +103,7 @@ that there will be no forward secrecy for the resumed session. =item B<-strict> -enables strict mode protocol handling. Equivalent to setting +Enables strict mode protocol handling. Equivalent to setting B<SSL_CERT_FLAG_TLS_STRICT>. =item B<-sigalgs> I<algs> |
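Review bot: In the first hunk (@@ -58,9 +58,15 @@) the new -client_renegotiation entry never states the default it changes, so a reader of SSL_CONF_cmd(3) cannot tell that a server refuses client-initiated renegotiation unless this is set; the commit message's test where the client "tries to renegotiate and it fails as expected" is exactly that default. Suggest adding a sentence such as "Servers refuse client-initiated renegotiation unless this option is set." and, because -no_renegotiation (SSL_OP_NO_RENEGOTIATION) is the very next entry, one line on what happens when both are given, so operators don't assume -client_renegotiation overrides a blanket no-renegotiation setting.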
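Review bot: In the second hunk (@@ -70,13 +76,19 @@) the -immediate_renegotiation entry is inconsistent with its neighbours: every other entry in this list maps to an SSL_OP_ flag and says "Only used by servers.", whereas this one says it "has no option equivalent" and is "Ignored by the openssl s_client command", which describes an application's behaviour rather than an SSL_CONF_cmd command. Either phrase it like the surrounding entries ("Only used by servers.") and say which configuration contexts accept it, or move the s_client remark to the app documentation. "Try to do a renegotiation" should also say what an unsuccessful attempt does (reported as an error or silently dropped), since a debugging flag is only useful if its failure is visible.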