diff options
author | Rich Salz <rsalz@akamai.com> | 2014-07-03 12:35:40 -0400 |
---|---|---|
committer | Rich Salz <rsalz@akamai.com> | 2014-07-03 12:35:40 -0400 |
commit | 85dcce7c634d97944cadfb65243ce13b38c81372 (patch) | |
tree | 99c358977be34fa420609a1b47c148e55dd681d6 /doc/ssl | |
parent | 2ed29615cb0e58338f16f6c6264a51cefd3e4f44 (diff) |
Merge branch 'rsalz-docfixes'
(cherry picked from commit b5071dc2f67d7667ab3cbbe50a30342f999b896a)
Conflicts:
doc/apps/s_client.pod
doc/apps/verify.pod
doc/apps/x509v3_config.pod
doc/crypto/ASN1_generate_nconf.pod
doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
doc/ssl/SSL_CONF_cmd.pod
doc/ssl/SSL_CONF_cmd_argv.pod
doc/ssl/SSL_CTX_set_cert_cb.pod
doc/ssl/SSL_CTX_set_security_level.pod
Diffstat (limited to 'doc/ssl')
-rw-r--r-- | doc/ssl/SSL_CIPHER_get_name.pod | 15 | ||||
-rw-r--r-- | doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod | 47 | ||||
-rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 438 | ||||
-rw-r--r-- | doc/ssl/SSL_CONF_cmd_argv.pod | 42 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_add_session.pod | 2 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_cert_cb.pod | 68 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_client_CA_list.pod | 2 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_client_cert_cb.pod | 2 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 2 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_security_level.pod | 164 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod | 182 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 6 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_set_verify.pod | 4 | ||||
-rw-r--r-- | doc/ssl/SSL_get_version.pod | 14 | ||||
-rw-r--r-- | doc/ssl/d2i_SSL_SESSION.pod | 10 |
15 files changed, 982 insertions, 16 deletions
diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod index eb772b55de..2e113be606 100644 --- a/doc/ssl/SSL_CIPHER_get_name.pod +++ b/doc/ssl/SSL_CIPHER_get_name.pod @@ -23,8 +23,12 @@ SSL_CIPHER_get_bits() returns the number of secret bits used for B<cipher>. If B<alg_bits> is not NULL, it contains the number of bits processed by the chosen algorithm. If B<cipher> is NULL, 0 is returned. -SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently -"SSLv2", "SSLv3", or "TLSv1". If B<cipher> is NULL, "(NONE)" is returned. +SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol +version that first defined the cipher. +This is currently B<SSLv2> or B<TLSv1/SSLv3>. +In some cases it should possibly return "TLSv1.2" but does not; +use SSL_CIPHER_description() instead. +If B<cipher> is NULL, "(NONE)" is returned. SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B<buf> of length B<len> provided. B<len> must be at least @@ -52,7 +56,8 @@ Textual representation of the cipher name. =item <protocol version> -Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3. +Protocol version: B<SSLv2>, B<SSLv3>, B<TLSv1.2>. The TLSv1.0 ciphers are +flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx=<key exchange> @@ -91,6 +96,10 @@ Some examples for the output of SSL_CIPHER_description(): RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export +A comp[lete list can be retrieved by invoking the following command: + + openssl ciphers -v ALL + =head1 BUGS If SSL_CIPHER_description() is called with B<cipher> being NULL, the diff --git a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod new file mode 100644 index 0000000000..4fc8f06d9e --- /dev/null +++ b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + +SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); + void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); + +=head1 DESCRIPTION + +SSL_CONF_CTX_set_ssl_ctx() sets the context associated with B<cctx> to the +B<SSL_CTX> structure B<ctx>. Any previos B<SSL> or B<SSL_CTX> associated with +B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to +B<ctx>. + +SSL_CONF_CTX_set_ssl() sets the context associated with B<cctx> to the +B<SSL> structure B<ssl>. Any previos B<SSL> or B<SSL_CTX> associated with +B<cctx> is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to +B<ssl>. + +=head1 NOTES + +The context need not be set or it can be set to B<NULL> in which case only +syntax checking of commands is performed, where possible. + +=head1 RETURN VALUES + +SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. + +=head1 SEE ALSO + +L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, +L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, +L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, +L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>, +L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.2 + +=cut diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod new file mode 100644 index 0000000000..2a4019c871 --- /dev/null +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -0,0 +1,438 @@ +=pod + +=head1 NAME + +SSL_CONF_cmd - send configuration command + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); + int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); + int SSL_CONF_finish(SSL_CONF_CTX *cctx); + +=head1 DESCRIPTION + +The function SSL_CONF_cmd() performs configuration operation B<cmd> with +optional parameter B<value> on B<ctx>. Its purpose is to simplify application +configuration of B<SSL_CTX> or B<SSL> structures by providing a common +framework for command line options or configuration files. + +SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to. + +The function SSL_CONF_finish() must be called after all configuration +operations have been completed. It is used to finalise any operations +or to process defaults. + +=head1 SUPPORTED COMMAND LINE COMMANDS + +Currently supported B<cmd> names for command lines (i.e. when the +flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names +are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the B<value> parameter is not used. The default +prefix for command line commands is B<-> and that is reflected below. + +=over 4 + +=item B<-sigalgs> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B<value> argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> +is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm +OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<-client_sigalgs> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. +If a server does not request a certificate this option has no effect. + +The syntax of B<value> is identical to B<-sigalgs>. If not set then +the value set for B<-sigalgs> will be used instead. + +=item B<-curves> + +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B<value> argument is a colon separated list of curves. The curve can be +either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g +B<prime256v1>). Curve names are case sensitive. + +=item B<-named_curve> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B<value> argument is a curve name or the special value B<auto> which +picks an appropriate curve based on client and server preferences. The curve +can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. + +=item B<-cipher> + +Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is +currently not performed unless a B<SSL> or B<SSL_CTX> structure is +associated with B<cctx>. + +=item B<-cert> + +Attempts to use the file B<value> as the certificate for the appropriate +context. It currently uses SSL_CTX_use_cerificate_chain_file if an B<SSL_CTX> +structure is set or SSL_use_certifcate_file with filetype PEM if an B<SSL> +structure is set. This option is only supported if certificate operations +are permitted. + +=item B<-key> + +Attempts to use the file B<value> as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B<-key> option is set then a private key is +not loaded: it does not currently use the B<-cert> file. + +=item B<-dhparam> + +Attempts to use the file B<value> as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>, +B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. + +=item B<-bugs> + +Various bug workarounds are set, same as setting B<SSL_OP_ALL>. + +=item B<-no_comp> + +Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>. + +=item B<-no_ticket> + +Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. + +=item B<-serverpref> + +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. + +=item B<-no_resumption_on_reneg> + +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. + +=item B<-legacyrenegotiation> + +permits the use of unsafe legacy renegotiation. Equivalent to setting +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. + +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> + +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. + +=item B<-strict> + +enables strict mode protocol handling. Equivalent to setting +B<SSL_CERT_FLAG_TLS_STRICT>. + +=item B<-debug_broken_protocol> + +disables various checks and permits several kinds of broken protocol behaviour +for testing purposes: it should B<NEVER> be used in anything other than a test +environment. Only supported if OpenSSL is configured with +B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. + +=back + +=head1 SUPPORTED CONFIGURATION FILE COMMANDS + +Currently supported B<cmd> names for configuration files (i.e. when the +flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file +B<cmd> names are case insensitive so B<signaturealgorithms> is recognised +as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names +are also case insensitive. + +Note: the command prefix (if set) alters the recognised B<cmd> values. + +=over 4 + +=item B<CipherString> + +Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is +currently not performed unless an B<SSL> or B<SSL_CTX> structure is +associated with B<cctx>. + +=item B<Certificate> + +Attempts to use the file B<value> as the certificate for the appropriate +context. It currently uses SSL_CTX_use_cerificate_chain_file if an B<SSL_CTX> +structure is set or SSL_use_certifcate_file with filetype PEM if an B<SSL> +structure is set. This option is only supported if certificate operations +are permitted. + +=item B<PrivateKey> + +Attempts to use the file B<value> as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no B<-key> option is set then a private key is +not loaded: it does not currently use the B<Certificate> file. + +=item B<ServerInfoFile> + +Attempts to use the file B<value> in the "serverinfo" extension using the +function SSL_CTX_use_serverinfo_file. + +=item B<DHParameters> + +Attempts to use the file B<value> as the set of temporary DH parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. + +=item B<SignatureAlgorithms> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B<value> argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> +is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm +OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<ClientSignatureAlgorithms> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. + +The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then +the value set for B<SignatureAlgorithms> will be used instead. + +=item B<Curves> + +This sets the supported elliptic curves. For clients the curves are +sent using the supported curves extension. For servers it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B<value> argument is a colon separated list of curves. The curve can be +either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g +B<prime256v1>). Curve names are case sensitive. + +=item B<ECDHParameters> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B<value> argument is a curve name or the special value B<Automatic> which +picks an appropriate curve based on client and server preferences. The curve +can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. + +=item B<Protocol> + +The supported versions of the SSL or TLS protocol. + +The B<value> argument is a comma separated list of supported protocols to +enable or disable. If an protocol is preceded by B<-> that version is disabled. +All versions are enabled by default, though applications may choose to +explicitly disable some. Currently supported protocol values are B<SSLv2>, +B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The special value B<ALL> refers +to all supported versions. + +=item B<Options> + +The B<value> argument is a comma separated list of various flags to set. +If a flag string is preceded B<-> it is disabled. See the +B<SSL_CTX_set_options> function for more details of individual options. + +Each option is listed below. Where an operation is enabled by default +the B<-flag> syntax is needed to disable it. + +B<SessionTicket>: session ticket support, enabled by default. Inverse of +B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting +B<SSL_OP_NO_TICKET>. + +B<Compression>: SSL/TLS compression support, enabled by default. Inverse +of B<SSL_OP_NO_COMPRESSION>. + +B<EmptyFragments>: use empty fragments as a countermeasure against a +SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It +is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. + +B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. + +B<DHSingle>: enable single use DH keys, set by default. Inverse of +B<SSL_OP_DH_SINGLE>. Only used by servers. + +B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of +B<SSL_OP_ECDH_SINGLE>. Only used by servers. + +B<ServerPreference> use server and not client preference order when +determining which cipher suite, signature algorithm or elliptic curve +to use for an incoming connection. Equivalent to +B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. + +B<NoResumptionOnRenegotiation> set +B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. + +B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation. +Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. + +B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation +for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. + +=back + +=head1 SUPPORTED COMMAND TYPES + +The function SSL_CONF_cmd_value_type() currently returns one of the following +types: + +=over 4 + +=item B<SSL_CONF_TYPE_UNKNOWN> + +The B<cmd> string is unrecognised, this return value can be use to flag +syntax errors. + +=item B<SSL_CONF_TYPE_STRING> + +The value is a string without any specific structure. + +=item B<SSL_CONF_TYPE_FILE> + +The value is a file name. + +=item B<SSL_CONF_TYPE_DIR> + +The value is a directory name. + +=back + +=head1 NOTES + +The order of operations is significant. This can be used to set either defaults +or values which cannot be overridden. For example if an application calls: + + SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + SSL_CONF_cmd(ctx, userparam, uservalue); + +it will disable SSLv2 support by default but the user can override it. If +however the call sequence is: + + SSL_CONF_cmd(ctx, userparam, uservalue); + SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); + +SSLv2 is B<always> disabled and attempt to override this by the user are +ignored. + +By checking the return code of SSL_CTX_cmd() it is possible to query if a +given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are +mixed with additional application specific operations. + +For example an application might call SSL_CTX_cmd() and if it returns +-2 (unrecognised command) continue with processing of application specific +commands. + +Applications can also use SSL_CTX_cmd() to process command lines though the +utility function SSL_CTX_cmd_argv() is normally used instead. One way +to do this is to set the prefix to an appropriate value using +SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the +following argument to B<value> (which may be NULL). + +In this case if the return value is positive then it is used to skip that +number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is +returned then B<cmd> is not recognised and application specific arguments +can be checked instead. If -3 is returned a required argument is missing +and an error is indicated. If 0 is returned some other error occurred and +this can be reported back to the user. + +The function SSL_CONF_cmd_value_type() can be used by applications to +check for the existence of a command or to perform additional syntax +checking or translation of the command value. For example if the return +value is B<SSL_CONF_TYPE_FILE> an application could translate a relative +pathname to an absolute pathname. + +=head1 EXAMPLES + +Set supported signature algorithms: + + SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); + +Enable all protocols except SSLv3 and SSLv2: + + SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); + +Only enable TLSv1.2: + + SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); + +Disable TLS session tickets: + + SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); + +Set supported curves to P-256, P-384: + + SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); + +Set automatic support for any elliptic curve for key exchange: + + SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); + +=head1 RETURN VALUES + +SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is +B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it +returns the number of arguments processed. This is useful when processing +command lines. + +A return value of -2 means B<cmd> is not recognised. + +A return value of -3 means B<cmd> is recognised and the command requires a +value but B<value> is NULL. + +A return code of 0 indicates that both B<cmd> and B<value> are valid but an +error occurred attempting to perform the operation: for example due to an +error in the syntax of B<value> in this case the error queue may provide +additional information. + +SSL_CONF_finish() returns 1 for success and 0 for failure. + +=head1 SEE ALSO + +L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, +L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, +L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, +L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, +L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)> + +=head1 HISTORY + +SSL_CONF_cmd() was first added to OpenSSL 1.0.2 + +=cut diff --git a/doc/ssl/SSL_CONF_cmd_argv.pod b/doc/ssl/SSL_CONF_cmd_argv.pod new file mode 100644 index 0000000000..246eaa5bd3 --- /dev/null +++ b/doc/ssl/SSL_CONF_cmd_argv.pod @@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +SSL_CONF_cmd_argv - SSL configuration command line processing. + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); + +=head1 DESCRIPTION + +The function SSL_CONF_cmd_argv() processes at most two command line +arguments from B<pargv> and B<pargc>. The values of B<pargv> and B<pargc> +are updated to reflect the number of command options procesed. The B<pargc> +argument can be set to B<NULL> is it is not used. + +=head1 RETURN VALUES + +SSL_CONF_cmd_argv() returns the number of command arguments processed: 0, 1, 2 +or a negative error code. + +If -2 is returned then an argument for a command is missing. + +If -1 is returned the command is recognised but couldn't be processed due +to an error: for example a syntax error in the argument. + +=head1 SEE ALSO + +L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>, +L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>, +L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>, +L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>, +L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.2 + +=cut diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod index 82676b26b2..050b44e3fd 100644 --- a/doc/ssl/SSL_CTX_add_session.pod +++ b/doc/ssl/SSL_CTX_add_session.pod @@ -41,7 +41,7 @@ If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE flag then the internal cache will not be populated automatically by new sessions negotiated by the SSL/TLS implementation, even though the internal cache will be searched automatically for session-resume requests (the -latter can be surpressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the +latter can be suppressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the application can use SSL_CTX_add_session() directly to have full control over the sessions that can be resumed if desired. diff --git a/doc/ssl/SSL_CTX_set_cert_cb.pod b/doc/ssl/SSL_CTX_set_cert_cb.pod new file mode 100644 index 0000000000..141d828f5b --- /dev/null +++ b/doc/ssl/SSL_CTX_set_cert_cb.pod @@ -0,0 +1,68 @@ +=pod + +=head1 NAME + +SSL_CTX_set_cert_cb, SSL_set_cert_cb - handle certificate callback function + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg); + void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg); + + int (*cert_cb)(SSL *ssl, void *arg); + +=head1 DESCRIPTION + +SSL_CTX_set_cert_cb() and SSL_set_cert_cb() sets the B<cert_cb()> callback, +B<arg> value is pointer which is passed to the application callback. + +When B<cert_cb()> is NULL, no callback function is used. + +cert_cb() is the application defined callback. It is called before a +certificate will be used by a client or server. The callback can then inspect +the passed B<ssl> structure and set or clear any appropriate certificates. If +the callback is successful it B<MUST> return 1 even if no certificates have +been set. A zero is returned on error which will abort the handshake with a +fatal internal error alert. A negative return value will suspend the handshake +and the handshake function will return immediately. +L<SSL_get_error(3)|SSL_get_error(3)> will return SSL_ERROR_WANT_X509_LOOKUP to +indicate, that the handshake was suspended. The next call to the handshake +function will again lead to the call of cert_cb(). It is the job of the +cert_cb() to store information about the state of the last call, +if required to continue. + +=head1 NOTES + +An application will typically call SSL_use_certificate() and +SSL_use_PrivateKey() to set the end entity certificate and private key. +It can add intermediate and optionally the root CA certificates using +SSL_add1_chain_cert(). + +It might also call SSL_certs_clear() to delete any certificates associated +with the B<SSL> object. + +The certificate callback functionality supercedes the (largely broken) +functionality provided by the old client certificate callback interface. +It is B<always> called even is a certificate is already set so the callback +can modify or delete the existing certificate. + +A more advanced callback might examine the handshake parameters and set +whatever chain is appropriate. For example a legacy client supporting only +TLS v1.0 might receive a certificate chain signed using SHA1 whereas a +TLS v1.2 client which advertises support for SHA256 could receive a chain +using SHA256. + +Normal server sanity checks are performed on any certificates set +by the callback. So if an EC chain is set for a curve the client does not +support it will B<not> be used. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_use_certificate(3)|SSL_use_certificate(3)>, +L<SSL_add1_chain_cert(3)|SSL_add1_chain_cert(3)>, +L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, +L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)> + +=cut diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 5e6613335c..bdf7bd0b6e 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -35,7 +35,7 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. =head1 NOTES When a TLS/SSL server requests a client certificate (see -B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which +B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept certificates, to the client. This list must explicitly be set using SSL_CTX_set_client_CA_list() for diff --git a/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/doc/ssl/SSL_CTX_set_client_cert_cb.pod index 3465b5c7bb..d0df69a9bc 100644 --- a/doc/ssl/SSL_CTX_set_client_cert_cb.pod +++ b/doc/ssl/SSL_CTX_set_client_cert_cb.pod @@ -29,7 +29,7 @@ using the B<x509> and B<pkey> arguments and "1" must be returned. The certificate will be installed into B<ssl>, see the NOTES and BUGS sections. If no certificate should be set, "0" has to be returned and no certificate will be sent. A negative return value will suspend the handshake and the -handshake function will return immediatly. L<SSL_get_error(3)|SSL_get_error(3)> +handshake function will return immediately. L<SSL_get_error(3)|SSL_get_error(3)> will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was suspended. The next call to the handshake function will again lead to the call of client_cert_cb(). It is the job of the client_cert_cb() to store information diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index e1899ee0c1..a2a570b610 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -251,7 +251,7 @@ Connections and renegotiation are always permitted by OpenSSL implementations. =head2 Unpatched client and patched OpenSSL server -The initial connection suceeds but client renegotiation is denied by the +The initial connection succeeds but client renegotiation is denied by the server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal B<handshake_failure> alert in SSL v3.0. diff --git a/doc/ssl/SSL_CTX_set_security_level.pod b/doc/ssl/SSL_CTX_set_security_level.pod new file mode 100644 index 0000000000..d7d1429b25 --- /dev/null +++ b/doc/ssl/SSL_CTX_set_security_level.pod @@ -0,0 +1,164 @@ +=pod + +=head1 NAME + +SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, SSL_get_security_level, SSL_CTX_set_security_callback, SSL_set_security_callback, SSL_CTX_get_security_callback, SSL_get_security_callback, SSL_CTX_set0_security_ex_data, SSL_set0_security_ex_data, SSL_CTX_get0_security_ex_data, SSL_get0_security_ex_data - SSL/TLS security framework + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + void SSL_CTX_set_security_level(SSL_CTX *ctx, int level); + void SSL_set_security_level(SSL *s, int level); + + int SSL_CTX_get_security_level(const SSL_CTX *ctx); + int SSL_get_security_level(const SSL *s); + + void SSL_CTX_set_security_callback(SSL_CTX *ctx, + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); + + void SSL_set_security_callback(SSL *s, + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); + + int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); + int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); + + void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex); + void SSL_set0_security_ex_data(SSL *s, void *ex); + + void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx); + void *SSL_get0_security_ex_data(const SSL *s); + +=head1 DESCRIPTION + +The functions SSL_CTX_set_security_level() and SSL_set_security_level() set +the security level to B<level>. If not set the libary default security level +is used. + +The functions SSL_CTX_get_security_level() and SSL_get_security_level() +retrieve the current security level. + +SSL_CTX_set_security_callback(), SSL_set_security_callback(), +SSL_CTX_get_security_callback() and SSL_get_security_callback() get or set +the security callback associated with B<ctx> or B<s>. If not set a default +security callback is used. The meaning of the parameters and the behaviour +of the default callbacks is described below. + +SSL_CTX_set0_security_ex_data(), SSL_set0_security_ex_data(), +SSL_CTX_get0_security_ex_data() and SSL_get0_security_ex_data() set the +extra data pointer passed to the B<ex> parameter of the callback. This +value is passed to the callback verbatim and can be set to any convenient +application specific value. + +=head1 DEFAULT CALLBACK BEHAVIOUR + +If an application doesn't set it's own security callback the default +callback is used. It is intended to provide sane defaults. The meaning +of each level is described below. + +=over 4 + +=item B<Level 0> + +Everything is perm |