SSL_CTX_set_tmp_rsa_callback.3 (206048) | SSL_CTX_set_tmp_rsa_callback.3 (215698) |
---|---|
1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.37 | 1.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) |
2.\" 3.\" Standard preamble: 4.\" ======================================================================== | 2.\" 3.\" Standard preamble: 4.\" ======================================================================== |
5.de Sh \" Subsection heading 6.br 7.if t .Sp 8.ne 5 9.PP 10\fB\\$1\fR 11.PP 12.. | |
13.de Sp \" Vertical space (when we can't use .PP) 14.if t .sp .5v 15.if n .sp 16.. 17.de Vb \" Begin verbatim text 18.ft CW 19.nf 20.ne \\$1 21.. 22.de Ve \" End verbatim text 23.ft R 24.fi 25.. 26.\" Set up some character translations and predefined strings. \*(-- will 27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left | 5.de Sp \" Vertical space (when we can't use .PP) 6.if t .sp .5v 7.if n .sp 8.. 9.de Vb \" Begin verbatim text 10.ft CW 11.nf 12.ne \\$1 13.. 14.de Ve \" End verbatim text 15.ft R 16.fi 17.. 18.\" Set up some character translations and predefined strings. \*(-- will 19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
28.\" double quote, and \*(R" will give a right double quote. | will give a 29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to 30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' 31.\" expand to `' in nroff, nothing in troff, for use with C<>. 32.tr \(*W-|\(bv\*(Tr | 20.\" double quote, and \*(R" will give a right double quote. \*(C+ will 21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and 22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, 23.\" nothing in troff, for use with C<>. 24.tr \(*W- |
33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' 34.ie n \{\ 35. ds -- \(*W- 36. ds PI pi 37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch 38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch 39. ds L" "" 40. ds R" "" 41. ds C` "" 42. ds C' "" 43'br\} 44.el\{\ 45. ds -- \|\(em\| 46. ds PI \(*p 47. ds L" `` 48. ds R" '' 49'br\} 50.\" | 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' 26.ie n \{\ 27. ds -- \(*W- 28. ds PI pi 29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch 30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch 31. ds L" "" 32. ds R" "" 33. ds C` "" 34. ds C' "" 35'br\} 36.el\{\ 37. ds -- \|\(em\| 38. ds PI \(*p 39. ds L" `` 40. ds R" '' 41'br\} 42.\" |
43.\" Escape single quotes in literal strings from groff's Unicode transform. 44.ie \n(.g .ds Aq \(aq 45.el .ds Aq ' 46.\" |
|
51.\" If the F register is turned on, we'll generate index entries on stderr for | 47.\" If the F register is turned on, we'll generate index entries on stderr for |
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index | 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
53.\" entries marked with X<> in POD. Of course, you'll have to process the 54.\" output yourself in some meaningful fashion. | 49.\" entries marked with X<> in POD. Of course, you'll have to process the 50.\" output yourself in some meaningful fashion. |
55.if \nF \{\ | 51.ie \nF \{\ |
56. de IX 57. tm Index:\\$1\t\\n%\t"\\$2" 58.. 59. nr % 0 60. rr F 61.\} | 52. de IX 53. tm Index:\\$1\t\\n%\t"\\$2" 54.. 55. nr % 0 56. rr F 57.\} |
58.el \{\ 59. de IX 60.. 61.\} |
|
62.\" | 62.\" |
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes 64.\" way too many mistakes in technical documents. 65.hy 0 66.if n .na 67.\" | |
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 69.\" Fear. Run. Save yourself. No user-serviceable parts. 70. \" fudge factors for nroff and troff 71.if n \{\ 72. ds #H 0 73. ds #V .8m 74. ds #F .3m 75. ds #[ \f1 --- 48 unchanged lines hidden (view full) --- 124. ds Th \o'LP' 125. ds ae ae 126. ds Ae AE 127.\} 128.rm #[ #] #H #V #F C 129.\" ======================================================================== 130.\" 131.IX Title "SSL_CTX_set_tmp_rsa_callback 3" | 63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 64.\" Fear. Run. Save yourself. No user-serviceable parts. 65. \" fudge factors for nroff and troff 66.if n \{\ 67. ds #H 0 68. ds #V .8m 69. ds #F .3m 70. ds #[ \f1 --- 48 unchanged lines hidden (view full) --- 119. ds Th \o'LP' 120. ds ae ae 121. ds Ae AE 122.\} 123.rm #[ #] #H #V #F C 124.\" ======================================================================== 125.\" 126.IX Title "SSL_CTX_set_tmp_rsa_callback 3" |
132.TH SSL_CTX_set_tmp_rsa_callback 3 "2010-03-24" "0.9.8n" "OpenSSL" | 127.TH SSL_CTX_set_tmp_rsa_callback 3 "2010-11-16" "0.9.8p" "OpenSSL" 128.\" For nroff, turn off justification. Always turn off hyphenation; it makes 129.\" way too many mistakes in technical documents. 130.if n .ad l 131.nh |
133.SH "NAME" 134SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa \- handle RSA keys for ephemeral key exchange 135.SH "SYNOPSIS" 136.IX Header "SYNOPSIS" 137.Vb 1 138\& #include <openssl/ssl.h> | 132.SH "NAME" 133SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa \- handle RSA keys for ephemeral key exchange 134.SH "SYNOPSIS" 135.IX Header "SYNOPSIS" 136.Vb 1 137\& #include <openssl/ssl.h> |
139.Ve 140.PP 141.Vb 4 | 138\& |
142\& void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 143\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 144\& long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa); 145\& long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx); | 139\& void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, 140\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 141\& long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa); 142\& long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx); |
146.Ve 147.PP 148.Vb 4 | 143\& |
149\& void SSL_set_tmp_rsa_callback(SSL_CTX *ctx, 150\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 151\& long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) 152\& long SSL_need_tmp_rsa(SSL *ssl) | 144\& void SSL_set_tmp_rsa_callback(SSL_CTX *ctx, 145\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); 146\& long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) 147\& long SSL_need_tmp_rsa(SSL *ssl) |
153.Ve 154.PP 155.Vb 1 | 148\& |
156\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength); 157.Ve 158.SH "DESCRIPTION" 159.IX Header "DESCRIPTION" 160\&\fISSL_CTX_set_tmp_rsa_callback()\fR sets the callback function for \fBctx\fR to be 161used when a temporary/ephemeral \s-1RSA\s0 key is required to \fBtmp_rsa_callback\fR. 162The callback is inherited by all \s-1SSL\s0 objects newly created from \fBctx\fR 163with <\fISSL_new\fR\|(3)|\fISSL_new\fR\|(3)>. Already created \s-1SSL\s0 objects are not affected. --- 35 unchanged lines hidden (view full) --- 199used for signing only. The downside is that creating a \s-1RSA\s0 key is 200computationally expensive. 201.PP 202Additionally, the use of ephemeral \s-1RSA\s0 key exchange is only allowed in 203the \s-1TLS\s0 standard, when the \s-1RSA\s0 key can be used for signing only, that is 204for export ciphers. Using ephemeral \s-1RSA\s0 key exchange for other purposes 205violates the standard and can break interoperability with clients. 206It is therefore strongly recommended to not use ephemeral \s-1RSA\s0 key | 149\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength); 150.Ve 151.SH "DESCRIPTION" 152.IX Header "DESCRIPTION" 153\&\fISSL_CTX_set_tmp_rsa_callback()\fR sets the callback function for \fBctx\fR to be 154used when a temporary/ephemeral \s-1RSA\s0 key is required to \fBtmp_rsa_callback\fR. 155The callback is inherited by all \s-1SSL\s0 objects newly created from \fBctx\fR 156with <\fISSL_new\fR\|(3)|\fISSL_new\fR\|(3)>. Already created \s-1SSL\s0 objects are not affected. --- 35 unchanged lines hidden (view full) --- 192used for signing only. The downside is that creating a \s-1RSA\s0 key is 193computationally expensive. 194.PP 195Additionally, the use of ephemeral \s-1RSA\s0 key exchange is only allowed in 196the \s-1TLS\s0 standard, when the \s-1RSA\s0 key can be used for signing only, that is 197for export ciphers. Using ephemeral \s-1RSA\s0 key exchange for other purposes 198violates the standard and can break interoperability with clients. 199It is therefore strongly recommended to not use ephemeral \s-1RSA\s0 key |
207exchange and use \s-1EDH\s0 (Ephemeral Diffie\-Hellman) key exchange instead | 200exchange and use \s-1EDH\s0 (Ephemeral Diffie-Hellman) key exchange instead |
208in order to achieve forward secrecy (see 209\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3)). 210.PP 211On OpenSSL servers ephemeral \s-1RSA\s0 key exchange is therefore disabled by default 212and must be explicitly enabled using the \s-1SSL_OP_EPHEMERAL_RSA\s0 option of 213\&\fISSL_CTX_set_options\fR\|(3), violating the \s-1TLS/SSL\s0 214standard. When ephemeral \s-1RSA\s0 key exchange is required for export ciphers, 215it will automatically be used without this option! --- 18 unchanged lines hidden (view full) --- 234reuse. For demonstration purposes, two keys for 512 bits and 1024 bits 235respectively are generated. 236.PP 237.Vb 4 238\& ... 239\& /* Set up ephemeral RSA stuff */ 240\& RSA *rsa_512 = NULL; 241\& RSA *rsa_1024 = NULL; | 201in order to achieve forward secrecy (see 202\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3)). 203.PP 204On OpenSSL servers ephemeral \s-1RSA\s0 key exchange is therefore disabled by default 205and must be explicitly enabled using the \s-1SSL_OP_EPHEMERAL_RSA\s0 option of 206\&\fISSL_CTX_set_options\fR\|(3), violating the \s-1TLS/SSL\s0 207standard. When ephemeral \s-1RSA\s0 key exchange is required for export ciphers, 208it will automatically be used without this option! --- 18 unchanged lines hidden (view full) --- 227reuse. For demonstration purposes, two keys for 512 bits and 1024 bits 228respectively are generated. 229.PP 230.Vb 4 231\& ... 232\& /* Set up ephemeral RSA stuff */ 233\& RSA *rsa_512 = NULL; 234\& RSA *rsa_1024 = NULL; |
242.Ve 243.PP 244.Vb 3 | 235\& |
245\& rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL); 246\& if (rsa_512 == NULL) 247\& evaluate_error_queue(); | 236\& rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL); 237\& if (rsa_512 == NULL) 238\& evaluate_error_queue(); |
248.Ve 249.PP 250.Vb 3 | 239\& |
251\& rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL); 252\& if (rsa_1024 == NULL) 253\& evaluate_error_queue(); | 240\& rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL); 241\& if (rsa_1024 == NULL) 242\& evaluate_error_queue(); |
254.Ve 255.PP 256.Vb 1 | 243\& |
257\& ... | 244\& ... |
258.Ve 259.PP 260.Vb 3 | 245\& |
261\& RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength) 262\& { 263\& RSA *rsa_tmp=NULL; | 246\& RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength) 247\& { 248\& RSA *rsa_tmp=NULL; |
264.Ve 265.PP 266.Vb 24 | 249\& |
267\& switch (keylength) { 268\& case 512: 269\& if (rsa_512) 270\& rsa_tmp = rsa_512; 271\& else { /* generate on the fly, should not happen in this example */ 272\& rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL); 273\& rsa_512 = rsa_tmp; /* Remember for later reuse */ 274\& } --- 33 unchanged lines hidden --- | 250\& switch (keylength) { 251\& case 512: 252\& if (rsa_512) 253\& rsa_tmp = rsa_512; 254\& else { /* generate on the fly, should not happen in this example */ 255\& rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL); 256\& rsa_512 = rsa_tmp; /* Remember for later reuse */ 257\& } --- 33 unchanged lines hidden --- |