| author | Matt Caswell <matt@openssl.org> | 2016-10-21 17:39:33 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-11-02 13:08:21 +0000 |
| commit | 582a17d662d123eafbb70c9eaaa140a2559b7cdb (patch) | |
| tree | dbdc271e94609b3095b676a93bac0f242692a1e9 /doc | |
| parent | ffd3d0ef34aac46c06379cc50d38c5c0324c3d4c (diff) | |
Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.
This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'doc')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/man1/ciphers.pod | 6 |
| -rw-r--r-- | doc/man1/s_client.pod | 4 |
| -rw-r--r-- | doc/man1/s_server.pod | 6 |
| -rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 11 |
| -rw-r--r-- | doc/man3/SSL_CTX_new.pod | 12 |
| -rw-r--r-- | doc/man3/SSL_CTX_set_min_proto_version.pod | 4 |
| -rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 4 |

7 files changed, 30 insertions, 17 deletions
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod index c392077653..30f572139c 100644 --- a/doc/man1/ciphers.pod +++ b/doc/man1/ciphers.pod @@ -15,6 +15,7 @@ B<openssl> B<ciphers> [B<-tls1>] [B<-tls1_1>] [B<-tls1_2>] +[B<-tls1_3>] [B<-s>] [B<-psk>] [B<-srp>] @@ -69,6 +70,11 @@ L<SSL_CIPHER_description(3)>. Like B<-v>, but include the official cipher suite values in hex. +=item B<-tls1_3> + +In combination with the B<-s> option, list the ciphers which would be used if +TLSv1.3 were negotiated. + =item B<-tls1_2> In combination with the B<-s> option, list the ciphers which would be used if diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 4a2a28021c..4f21ea4093 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -68,10 +68,12 @@ B<openssl> B<s_client> [B<-tls1>] [B<-tls1_1>] [B<-tls1_2>] +[B<-tls1_3>] [B<-no_ssl3>] [B<-no_tls1>] [B<-no_tls1_1>] [B<-no_tls1_2>] +[B<-no_tls1_3>] [B<-dtls>] [B<-dtls1>] [B<-dtls1_2>] @@ -336,7 +338,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> These options require or disable the use of the specified SSL or TLS protocols. By default B<s_client> will negotiate the highest mutually supported protocol diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index b0d7888730..b6c5659972 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -69,6 +69,9 @@ B<openssl> B<s_server> [B<-quiet>] [B<-ssl3>] [B<-tls1>] +[B<-tls1_1>] +[B<-tls1_2>] +[B<-tls1_3>] [B<-dtls>] [B<-dtls1>] [B<-dtls1_2>] @@ -81,6 +84,7 @@ B<openssl> B<s_server> [B<-no_tls1>] [B<-no_tls1_1>] [B<-no_tls1_2>] +[B<-no_tls1_3>] [B<-no_dhe>] [B<-bugs>] [B<-comp>] 
@@ -295,7 +299,7 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. -=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> These options require or disable the use of the specified SSL or TLS protocols. By default B<s_server> will negotiate the highest mutually supported protocol diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index d8c0e9b95d..60b80d39ee 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -121,12 +121,13 @@ if specified. To restrict the supported protocol versions use these commands rather than the deprecated alternative commands below. -=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> -Disables protocol support for SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2 by setting the -corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> -and B<SSL_OP_NO_TLSv1_2> respectively. -These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>. +Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by +setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, +B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> +respectively. These options are deprecated, instead use B<-min_protocol> and +B<-max_protocol>. =item B<-bugs> diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod index 29387d343f..512fca8de0 100644 --- a/doc/man3/SSL_CTX_new.pod +++ b/doc/man3/SSL_CTX_new.pod 
@@ -156,12 +156,12 @@ and be able to negotiate with all possible clients, but to only allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2. The list of protocols available can also be limited using the -B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> and -B<SSL_OP_NO_TLSv1_2> options of the L<SSL_CTX_set_options(3)> or -L<SSL_set_options(3)> functions, but this approach is not recommended. -Clients should avoid creating "holes" in the set of protocols they support. -When disabling a protocol, make sure that you also disable either all previous -or all subsequent protocol versions. +B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>, +B<SSL_OP_NO_TLSv1_3> and B<SSL_OP_NO_TLSv1_2> options of the +L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions, but this approach +is not recommended. Clients should avoid creating "holes" in the set of +protocols they support. When disabling a protocol, make sure that you also +disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling I<all> previous protocol versions, the effect is to also disable all subsequent protocol versions. diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod index 3e9fe80b70..5996d48fe3 100644 --- a/doc/man3/SSL_CTX_set_min_proto_version.pod +++ b/doc/man3/SSL_CTX_set_min_proto_version.pod @@ -29,8 +29,8 @@ versions down to the lowest version, or up to the highest version supported by the library, respectively. Currently supported versions are B<SSL3_VERSION>, B<TLS1_VERSION>, -B<TLS1_1_VERSION>, B<TLS1_2_VERSION> for TLS and B<DTLS1_VERSION>, -B<DTLS1_2_VERSION> for DTLS. +B<TLS1_1_VERSION>, B<TLS1_2_VERSION>, B<TLS1_3_VERSION> for TLS and +B<DTLS1_VERSION>, B<DTLS1_2_VERSION> for DTLS. =head1 RETURN VALUES diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 63609f3a31..921c812ef3 100644 
--- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -155,9 +155,9 @@ own preferences. =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, -SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 +SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 -These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2 protocol +These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, respectively. As of OpenSSL 1.1.0, these options are deprecated, use |
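Review bot: the s_server.pod `=item` line at `@@ -295,7 +299,7 @@` still lists `B<-ssl2>` and `B<-no_ssl2>` after the edit, while the matching s_client.pod line in this same patch starts at `B<-ssl3>`; since the line is being rewritten anyway, drop the SSLv2 options here so the two man pages agree and the page does not advertise a protocol switch that the client page no longer documents.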
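Review bot: the rewrapped paragraph in SSL_CONF_cmd.pod (`@@ -121,12 +121,13 @@`) keeps the comma splice "These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>."; as the sentence is already being touched, change it to "These options are deprecated; use B<-min_protocol> and B<-max_protocol> instead." so the recommended replacement reads as a separate instruction.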
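Review bot: in the SSL_CTX_new.pod hunk (`@@ -156,12 +156,12 @@`) the new option list reads `B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_3> and B<SSL_OP_NO_TLSv1_2>`, i.e. TLSv1_3 is placed before TLSv1_2; reorder it to `B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>`, because the very next sentences tell the reader to disable "all previous or all subsequent protocol versions" and an out-of-order list makes it easy to misjudge which versions are subsequent. The unchanged context line "newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2" in the same hunk should also gain TLS 1.3 now that the option exists.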
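Review bot: the SSL_CTX_set_min_proto_version.pod hunk (`@@ -29,8 +29,8 @@`) documents `B<TLS1_3_VERSION>` as a "currently supported" version without qualification, while the commit message states this is not real TLS 1.3 but TLS 1.2 with a renamed protocol and ciphersuite; add a short note that TLSv1.3 support is under development so that administrators do not pin `max_protocol` to TLS1_3_VERSION expecting TLS 1.3 security properties from this build.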