=pod

=head1 NAME

SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
 int SSL_set_cipher_list(SSL *ssl, const char *str);

=head1 DESCRIPTION

SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx>
using the control string B<str>. The format of the string is described
in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all
B<ssl> objects created from B<ctx>.

SSL_set_cipher_list() sets the list of ciphers only for B<ssl>.

=head1 NOTES

The control string B<str> should be universally usable and not depend
on details of the library configuration (ciphers compiled in). Thus no
syntax checking takes place. Items that are not recognized, because the
corresponding ciphers are not compiled in or because they are mistyped,
are simply ignored. Failure is only flagged if no ciphers could be collected
at all.

Note that including a cipher in the list is a necessary condition for it
to be used. On the client side, inclusion in the list is also sufficient.
On the server side, additional restrictions apply. All ciphers
have additional requirements. ADH ciphers don't need a certificate, but
DH-parameters must have been set. All other ciphers need a corresponding
certificate and key.

An RSA cipher can only be chosen when an RSA certificate is available.
RSA export ciphers with a key length of 512 bits for the RSA key require
a temporary 512 bit RSA key, as typically the supplied key has a length
of 1024 bits (see
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
RSA ciphers using EDH need a certificate and key and additional DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).

A DSA cipher can only be chosen when a DSA certificate is available.
DSA ciphers always use DH key exchange and therefore need DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).

When these conditions are not met for any cipher in the list (e.g. a
client only supports export RSA ciphers with an asymmetric key length
of 512 bits and the server is not configured to use temporary RSA
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
and the handshake will fail.

=head1 RETURN VALUES

SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
could be selected and 0 on complete failure.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
L<ciphers(1)|ciphers(1)>

=cut
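An added example, not part of the OpenSSL documentation: because unrecognized items in the control string are silently ignored (see NOTES), a return value of 1 does not prove that every intended cipher was accepted, so this check reads the resulting list back and tests each item on its own. It uses Python's ssl module, whose set_ciphers() and get_ciphers() wrap SSL_CTX_set_cipher_list() and SSL_get_ciphers(); the names audit_cipher_string and _selects_any and the sample policy string are constructed for illustration.

```python
import re
import ssl


def _selects_any(item):
    """True if this single item, applied alone, matches at least one cipher."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(item)
        return True
    except ssl.SSLError:  # raised when SSL_CTX_set_cipher_list() returns 0
        return False


def audit_cipher_string(cipher_str):
    """Apply cipher_str, then report what the library kept and what it dropped.

    Returns (effective, ignored). Raises ssl.SSLError only when the whole
    string yields no cipher, the one failure the library itself flags.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_str)  # wraps SSL_CTX_set_cipher_list()
    # get_ciphers() wraps SSL_get_ciphers(). On OpenSSL 1.1.1+ the TLS 1.3
    # suites are configured separately from this string, so leave them out.
    effective = [c["name"] for c in ctx.get_ciphers()
                 if c["protocol"] != "TLSv1.3"]
    ignored = []
    for item in re.split(r"[:, ]+", cipher_str.strip()):
        bare = item.lstrip("!+-")  # drop the list operator, keep the name
        if not bare or bare.startswith("@"):  # skip @STRENGTH-style commands
            continue
        if not _selects_any(bare):  # mistyped or not compiled in
            ignored.append(bare)
    return effective, ignored


if __name__ == "__main__":
    # Constructed input: the second suite name has a typo (SHA834 for SHA384).
    policy = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA834"
    effective, ignored = audit_cipher_string(policy)
    print("effective:", effective)
    print("ignored:  ", ignored)
```

Running such a check at startup or in a configuration test turns a silently dropped cipher name into a visible finding instead of a quietly narrower list.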