diff options
Diffstat (limited to 'doc/ssl/SSL_CTX_new.pod')
-rw-r--r-- | doc/ssl/SSL_CTX_new.pod | 85 |
1 files changed, 60 insertions, 25 deletions
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 2c2120a647..136f97b366 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -2,7 +2,15 @@ =head1 NAME -SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method - create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions +SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, +TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, +TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, +TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, +SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, +DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, +DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method - +create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled +functions =head1 SYNOPSIS @@ -50,37 +58,46 @@ SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_metho =head1 DESCRIPTION -SSL_CTX_new() creates a new B<SSL_CTX> object as framework to establish TLS/SSL or DTLS enabled connections. +SSL_CTX_new() creates a new B<SSL_CTX> object as framework to +establish TLS/SSL or DTLS enabled connections. =head1 NOTES The SSL_CTX object uses B<method> as connection method. -The methods exist in a generic type (for client and server use), a server only type, and a client only type. +The methods exist in a generic type (for client and server use), a server only +type, and a client only type. B<method> can be of the following types: =over 4 =item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method() -An SSL connection established with these methods will only understand the SSLv3 protocol. -A client will send out a SSLv3 client hello messages and will indicate that it supports SSLv3. -A server will only understand SSLv3 client hello message and only support the SSLv3 protocol. +An SSL connection established with these methods will only understand +the SSLv3 protocol. +A client will send out a SSLv3 client hello messages and will +indicate that it supports SSLv3. +A server will only understand SSLv3 client hello message and only +support the SSLv3 protocol. =item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method() -A TLS connection established with these methods will only understand the TLS 1.0 protocol. +A TLS connection established with these methods will only understand +the TLS 1.0 protocol. =item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method() -A TLS connection established with these methods will only understand the TLS 1.1 protocol. +A TLS connection established with these methods will only understand +the TLS 1.1 protocol. =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() -A TLS connection established with these methods will only understand the TLS 1.2 protocol. +A TLS connection established with these methods will only understand +the TLS 1.2 protocol. =item TLS_method(), TLS_server_method(), TLS_client_method() -A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. +A TLS/SSL connection established with these methods may understand +the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and @@ -96,28 +113,42 @@ those functions instead. =item DTLS_method(), DTLS_server_method(), DTLS_client_method() -A DTLS connection established with those methods understands all supported DTLS protocols. +A DTLS connection established with those methods understands all +supported DTLS protocols. Currently supported protocols are DTLS 1.0 and DTLS 1.2. =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() -A DTLS connection established with these methods will only understand the DTLS 1.0 protocol. +A DTLS connection established with these methods will only understand +the DTLS 1.0 protocol. =item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method() -A DTLS connection established with these methods will only understand the DTLS 1.2 protocol. +A DTLS connection established with these methods will only understand +the DTLS 1.2 protocol. =back -TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(), DTLS_server_method() and DTLS_client_method() are the version flexible methods. -All other methods only support 1 specific protocol version. -It's recommended to use those methods instead of the version specific methods. - -If you want to limit the supported protocols for the version flexible methods you can use SSL_CTX_set_min_proto_version(), SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and SSL_set_max_proto_version() functions. -They can also be limited using by using an option like SSL_OP_NO_SSLv3 of the SSL_CTX_set_options() or SSL_set_options() functions, but that's not recommended. -Using these functions it is possible to choose e.g. TLS_server_method() and be able to negotiate with all possible clients, but to only allow newer protocols like TLS v1, TLS v1.1 or TLS v1.2. - -SSL_CTX_new() initializes the list of ciphers, the session cache setting, the callbacks, the keys and certificates and the options to its default values. +TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(), +DTLS_server_method() and DTLS_client_method() are the version +flexible methods. +All other methods only support one specific protocol version. +Use these methods instead of the other version specific methods. + +If you want to limit the supported protocols for the version flexible +methods you can use SSL_CTX_set_min_proto_version(), +SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and +SSL_set_max_proto_version() functions. +They can also be limited using by using an option like SSL_OP_NO_SSLv3 +of the SSL_CTX_set_options() or SSL_set_options() functions, but +that's not recommended. +Using these functions it is possible to choose e.g. TLS_server_method() +and be able to negotiate with all possible clients, but to only +allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2. + +SSL_CTX_new() initializes the list of ciphers, the session cache +setting, the callbacks, the keys and certificates and the options +to its default values. =head1 RETURN VALUES @@ -138,9 +169,13 @@ The return value points to an allocated SSL_CTX object. =head1 HISTORY -SSLv3 -SSLv2_method, SSLv2_server_method and SSLv2_client_method where removed in OpenSSL 1.1.0. -SSLv23_method, SSLv23_server_method and SSLv23_client_method were deprecated and TLS_method, TLS_server_method and TLS_client_method were introduced in OpenSSL 1.1.0. +Support for SSLv2 and the corresponding SSLv2_method(), +SSLv2_server_method() and SSLv2_client_method() functions where +removed in OpenSSL 1.1.0. + +SSLv23_method(), SSLv23_server_method() and SSLv23_client_method() +were deprecated and the preferred TLS_method(), TLS_server_method() +and TLS_client_method() functions were introduced in OpenSSL 1.1.0. =head1 SEE ALSO |