summaryrefslogtreecommitdiffstats
path: root/doc/ssl/SSL_CTX_new.pod
diff options
context:
space:
mode:
Diffstat (limited to 'doc/ssl/SSL_CTX_new.pod')
-rw-r--r--doc/ssl/SSL_CTX_new.pod85
1 files changed, 60 insertions, 25 deletions
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index 2c2120a647..136f97b366 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -2,7 +2,15 @@
=head1 NAME
-SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method - create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions
+SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method,
+TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method,
+TLSv1_1_server_method, TLSv1_1_client_method, TLS_method,
+TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method,
+SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method,
+DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method,
+DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method -
+create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled
+functions
=head1 SYNOPSIS
@@ -50,37 +58,46 @@ SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_metho
=head1 DESCRIPTION
-SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish TLS/SSL or DTLS enabled connections.
+SSL_CTX_new() creates a new B<SSL_CTX> object as framework to
+establish TLS/SSL or DTLS enabled connections.
=head1 NOTES
The SSL_CTX object uses B<method> as connection method.
-The methods exist in a generic type (for client and server use), a server only type, and a client only type.
+The methods exist in a generic type (for client and server use), a server only
+type, and a client only type.
B<method> can be of the following types:
=over 4
=item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()
-An SSL connection established with these methods will only understand the SSLv3 protocol.
-A client will send out a SSLv3 client hello messages and will indicate that it supports SSLv3.
-A server will only understand SSLv3 client hello message and only support the SSLv3 protocol.
+An SSL connection established with these methods will only understand
+the SSLv3 protocol.
+A client will send out a SSLv3 client hello messages and will
+indicate that it supports SSLv3.
+A server will only understand SSLv3 client hello message and only
+support the SSLv3 protocol.
=item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()
-A TLS connection established with these methods will only understand the TLS 1.0 protocol.
+A TLS connection established with these methods will only understand
+the TLS 1.0 protocol.
=item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()
-A TLS connection established with these methods will only understand the TLS 1.1 protocol.
+A TLS connection established with these methods will only understand
+the TLS 1.1 protocol.
=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
-A TLS connection established with these methods will only understand the TLS 1.2 protocol.
+A TLS connection established with these methods will only understand
+the TLS 1.2 protocol.
=item TLS_method(), TLS_server_method(), TLS_client_method()
-A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+A TLS/SSL connection established with these methods may understand
+the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
If extensions are required (for example server name)
a client will send out TLSv1 client hello messages including extensions and
@@ -96,28 +113,42 @@ those functions instead.
=item DTLS_method(), DTLS_server_method(), DTLS_client_method()
-A DTLS connection established with those methods understands all supported DTLS protocols.
+A DTLS connection established with those methods understands all
+supported DTLS protocols.
Currently supported protocols are DTLS 1.0 and DTLS 1.2.
=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
-A DTLS connection established with these methods will only understand the DTLS 1.0 protocol.
+A DTLS connection established with these methods will only understand
+the DTLS 1.0 protocol.
=item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()
-A DTLS connection established with these methods will only understand the DTLS 1.2 protocol.
+A DTLS connection established with these methods will only understand
+the DTLS 1.2 protocol.
=back
-TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(), DTLS_server_method() and DTLS_client_method() are the version flexible methods.
-All other methods only support 1 specific protocol version.
-It's recommended to use those methods instead of the version specific methods.
-
-If you want to limit the supported protocols for the version flexible methods you can use SSL_CTX_set_min_proto_version(), SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and SSL_set_max_proto_version() functions.
-They can also be limited using by using an option like SSL_OP_NO_SSLv3 of the SSL_CTX_set_options() or SSL_set_options() functions, but that's not recommended.
-Using these functions it is possible to choose e.g. TLS_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLS v1, TLS v1.1 or TLS v1.2.
-
-SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to its default values.
+TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(),
+DTLS_server_method() and DTLS_client_method() are the version
+flexible methods.
+All other methods only support one specific protocol version.
+Use these methods instead of the other version specific methods.
+
+If you want to limit the supported protocols for the version flexible
+methods you can use SSL_CTX_set_min_proto_version(),
+SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
+SSL_set_max_proto_version() functions.
+They can also be limited using by using an option like SSL_OP_NO_SSLv3
+of the SSL_CTX_set_options() or SSL_set_options() functions, but
+that's not recommended.
+Using these functions it is possible to choose e.g. TLS_server_method()
+and be able to negotiate with all possible clients, but to only
+allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
+
+SSL_CTX_new() initializes the list of ciphers, the session cache
+setting, the callbacks, the keys and certificates and the options
+to its default values.
=head1 RETURN VALUES
@@ -138,9 +169,13 @@ The return value points to an allocated SSL_CTX object.
=head1 HISTORY
-SSLv3
-SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in OpenSSL 1.1.0.
-SSLv23_method, SSLv23_server_method and SSLv23_client_method were deprecated and TLS_method, TLS_server_method and TLS_client_method were introduced in OpenSSL 1.1.0.
+Support for SSLv2 and the corresponding SSLv2_method(),
+SSLv2_server_method() and SSLv2_client_method() functions where
+removed in OpenSSL 1.1.0.
+
+SSLv23_method(), SSLv23_server_method() and SSLv23_client_method()
+were deprecated and the preferred TLS_method(), TLS_server_method()
+and TLS_client_method() functions were introduced in OpenSSL 1.1.0.
=head1 SEE ALSO
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-12 13:30:27 +0000