SSL_CTX_set_options.pod (89837) | SSL_CTX_set_options.pod (100936) |
---|---|
1=pod 2 3=head1 NAME 4 5SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options 6 7=head1 SYNOPSIS 8 --- 21 unchanged lines hidden (view full) --- 30 31The behaviour of the SSL library can be changed by setting several options. 32The options are coded as bitmasks and can be combined by a logical B<or> 33operation (|). Options can only be added but can never be reset. 34 35SSL_CTX_set_options() and SSL_set_options() affect the (external) 36protocol behaviour of the SSL library. The (internal) behaviour of 37the API can be changed by using the similar | 1=pod 2 3=head1 NAME 4 5SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options 6 7=head1 SYNOPSIS 8 --- 21 unchanged lines hidden (view full) --- 30 31The behaviour of the SSL library can be changed by setting several options. 32The options are coded as bitmasks and can be combined by a logical B<or> 33operation (|). Options can only be added but can never be reset. 34 35SSL_CTX_set_options() and SSL_set_options() affect the (external) 36protocol behaviour of the SSL library. The (internal) behaviour of 37the API can be changed by using the similar |
38L<SSL_CTX_set_modes(3)|SSL_CTX_set_modes(3)> and SSL_set_modes() functions. | 38L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
39 40During a handshake, the option settings of the SSL object are used. When 41a new SSL object is created from a context using SSL_new(), the current 42option setting is copied. Changes to B<ctx> do not affect already created 43SSL objects. SSL_clear() does not affect the settings. 44 45The following B<bug workaround> options are available: 46 --- 60 unchanged lines hidden (view full) --- 107During the client key exchange, the client must send the same information 108about acceptable SSL/TLS protocol levels as during the first hello. Some 109clients violate this rule by adapting to the server's answer. (Example: 110the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server 111only understands up to SSLv3. In this case the client must still use the 112same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect 113to the server's answer and violate the version rollback protection.) 114 | 39 40During a handshake, the option settings of the SSL object are used. When 41a new SSL object is created from a context using SSL_new(), the current 42option setting is copied. Changes to B<ctx> do not affect already created 43SSL objects. SSL_clear() does not affect the settings. 44 45The following B<bug workaround> options are available: 46 --- 60 unchanged lines hidden (view full) --- 107During the client key exchange, the client must send the same information 108about acceptable SSL/TLS protocol levels as during the first hello. Some 109clients violate this rule by adapting to the server's answer. (Example: 110the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server 111only understands up to SSLv3. In this case the client must still use the 112same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect 113to the server's answer and violate the version rollback protection.) 114 |
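Review bot: The cross-reference at old line 38 now names the functions that actually exist (SSL_CTX_set_mode(3) and SSL_set_mode(); the plural forms were never part of the API), and both the L<> target and the link text were changed together, which POD needs for the rendered link to resolve. The SEE ALSO list is hidden in this view, so check that it does not still carry the plural spelling.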
115=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 116 117Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol 118vulnerability affecting CBC ciphers, which cannot be handled by some 119broken SSL implementations. This option has no effect for connections 120using other ciphers. 121 |
|
115=item SSL_OP_ALL 116 117All of the above bug workarounds. 118 119=back 120 | 122=item SSL_OP_ALL 123 124All of the above bug workarounds. 125 126=back 127 |
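Review bot: Inserting SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS above =item SSL_OP_ALL means "All of the above bug workarounds" now includes disabling a security countermeasure, and nothing in the new text says so; add a sentence under SSL_OP_ALL (or under the new item) stating that SSL_OP_ALL turns off the CBC empty-fragment countermeasure, and suggest `SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` for callers that want the other workarounds without that cost. The relative clause "which cannot be handled by some broken SSL implementations" is also ambiguous about whether it is the vulnerability or the countermeasure that those implementations cannot handle; the option name makes clear it is the countermeasure (the empty fragment inserted before each record), so say that directly, e.g. "The countermeasure, an empty fragment sent ahead of each CBC record, is rejected by some broken SSL implementations."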
121It is save and recommended to use SSL_OP_ALL to enable the bug workaround 122options. | 128It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround 129options if compatibility with somewhat broken implementations is 130desired. |
123 124The following B<modifying> options are available: 125 126=over 4 127 128=item SSL_OP_SINGLE_DH_USE 129 130Always create a new key when using temporary/ephemeral DH parameters --- 63 unchanged lines hidden (view full) --- 194L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, 195L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, 196L<dhparam(1)|dhparam(1)> 197 198=head1 HISTORY 199 200SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. 201 | 131 132The following B<modifying> options are available: 133 134=over 4 135 136=item SSL_OP_SINGLE_DH_USE 137 138Always create a new key when using temporary/ephemeral DH parameters --- 63 unchanged lines hidden (view full) --- 202L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, 203L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, 204L<dhparam(1)|dhparam(1)> 205 206=head1 HISTORY 207 208SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. 209 |
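Review bot: Softening "safe and recommended" to "usually safe ... if compatibility with somewhat broken implementations is desired" is the right direction, but "usually" and "somewhat" give the reader nothing to weigh; name the concrete cost that the item added just above introduces, i.e. that SSL_OP_ALL also sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and so disables the CBC countermeasure, so a caller can decide whether interoperability with the affected peers is worth it. The typo fix ("save" to "safe") and the B<> markup on the option name are fine.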
210B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. 211Versions up to OpenSSL 0.9.6c do not include the countermeasure that 212can be disabled with this option (in OpenSSL 0.9.6d, it was always 213enabled). 214 |
|
202=cut | 215=cut |
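Review bot: In the new HISTORY paragraph the pronoun in "(in OpenSSL 0.9.6d, it was always enabled)" can be read as the option or as the countermeasure; since the previous sentence says the countermeasure is absent up to 0.9.6c, spell it out as "in OpenSSL 0.9.6d the countermeasure was always active and could not be disabled", which also makes the 0.9.6e entry read as "the option to disable it was added". For consistency with the existing entry at line 200, which writes SSL_OP_TLS_ROLLBACK_BUG without B<> markup, either drop the B<> here or add it to that line as well.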