Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_set_options.3')
-rw-r--r-- | secure/lib/libssl/man/SSL_CTX_set_options.3 | 75 |
1 files changed, 33 insertions, 42 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libssl/man/SSL_CTX_set_options.3 index 2fe105bde2829..a9de47964b7d4 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_options.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_options.3 @@ -1,15 +1,7 @@ -.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.37 +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -25,11 +17,11 @@ .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to -.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' -.\" expand to `' in nroff, nothing in troff, for use with C<>. -.tr \(*W-|\(bv\*(Tr +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- 
@@ -48,22 +40,25 @@ . ds R" '' 'br\} .\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.if \nF \{\ +.ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.hy 0 -.if n .na +.el \{\ +. de IX +.. +.\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. 
@@ -129,31 +124,27 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_options 3" -.TH SSL_CTX_set_options 3 "2010-03-24" "0.9.8n" "OpenSSL" +.TH SSL_CTX_set_options 3 "2010-11-16" "0.9.8p" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh .SH "NAME" SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support \- manipulate SSL options .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include <openssl/ssl.h> -.Ve -.PP -.Vb 2 +\& \& long SSL_CTX_set_options(SSL_CTX *ctx, long options); \& long SSL_set_options(SSL *ssl, long options); -.Ve -.PP -.Vb 2 +\& \& long SSL_CTX_clear_options(SSL_CTX *ctx, long options); \& long SSL_clear_options(SSL *ssl, long options); -.Ve -.PP -.Vb 2 +\& \& long SSL_CTX_get_options(SSL_CTX *ctx); \& long SSL_get_options(SSL *ssl); -.Ve -.PP -.Vb 1 +\& \& long SSL_get_secure_renegotiation_support(SSL *ssl); .Ve .SH "DESCRIPTION" @@ -219,8 +210,8 @@ via SSLv3. The cipher list changes.... .Sp \&\s-1NEW\s0 \s-1INFORMATION\s0. Try connecting with a cipher list of just \&\s-1DES\-CBC\-SHA:RC4\-MD5\s0. For some weird reason, each new connection uses -\&\s-1RC4\-MD5\s0, but a re-connect tries to use \s-1DES\-CBC\-SHA\s0. So netscape, when -doing a re\-connect, always takes the first cipher in the cipher list. +\&\s-1RC4\-MD5\s0, but a re-connect tries to use DES-CBC-SHA. So netscape, when +doing a re-connect, always takes the first cipher in the cipher list. .IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4 .IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG" \&... 
@@ -271,7 +262,7 @@ Always create a new key when using temporary/ephemeral \s-1DH\s0 parameters (see \fISSL_CTX_set_tmp_dh_callback\fR\|(3)). This option must be used to prevent small subgroup attacks, when the \s-1DH\s0 parameters were not generated using \*(L"strong\*(R" primes -(e.g. when using DSA\-parameters, see \fIdhparam\fR\|(1)). +(e.g. when using DSA-parameters, see \fIdhparam\fR\|(1)). If \*(L"strong\*(R" primes were used, it is not strictly necessary to generate a new \s-1DH\s0 key during each handshake but it is also recommended. \&\fB\s-1SSL_OP_SINGLE_DH_USE\s0\fR should therefore be enabled whenever @@ -286,7 +277,7 @@ with restricted \s-1RSA\s0 keylength). By setting this option, ephemeral \&\s-1RSA\s0 keys are always used. This option breaks compatibility with the \&\s-1SSL/TLS\s0 specifications and may lead to interoperability problems with clients and should therefore never be used. Ciphers with \s-1EDH\s0 (ephemeral -Diffie\-Hellman) key exchange should be used instead. +Diffie-Hellman) key exchange should be used instead. .IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE" When choosing a cipher, use the server's preferences instead of the client @@ -304,7 +295,7 @@ will send its list of preferences to the client and the client chooses. .IX Item "SSL_OP_NETSCAPE_CA_DN_BUG" If we accept a netscape connection, demand a client cert, have a non-self-signed \s-1CA\s0 which does not have its \s-1CA\s0 in netscape, and the -browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta +browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta .IP "\s-1SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG\s0" 4 .IX Item "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG" \&... 
@@ -355,10 +346,10 @@ renegotiation is referred to as \fIunpatched\fR. .PP The following sections describe the operations permitted by OpenSSL's secure renegotiation implementation. -.Sh "Patched client and server" +.SS "Patched client and server" .IX Subsection "Patched client and server" Connections and renegotiation are always permitted by OpenSSL implementations. -.Sh "Unpatched client and patched OpenSSL server" +.SS "Unpatched client and patched OpenSSL server" .IX Subsection "Unpatched client and patched OpenSSL server" The initial connection suceeds but client renegotiation is denied by the server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal @@ -378,7 +369,7 @@ a \fBno_renegotiation\fR alert as fatal and respond with a fatal \&\fBhandshake_failure\fR alert. This is because the OpenSSL \s-1API\s0 currently has no provision to indicate to an application that a renegotiation attempt was refused. -.Sh "Patched OpenSSL client and unpatched server." +.SS "Patched OpenSSL client and unpatched server." .IX Subsection "Patched OpenSSL client and unpatched server." If the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR or \&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then initial connections |
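Review bot: removing the `.de Sh` definition in the `@@ -1,15` hunk turns any remaining `.Sh` call in the file into an undefined macro; the `@@ -355,10` and `@@ -378,7` hunks convert the three visible ones to `.SS`, but the diffstat (33 insertions, 42 deletions) does not by itself prove there are no others outside the shown context, so run `grep -n '^\.Sh' secure/lib/libssl/man/SSL_CTX_set_options.3` against the result before committing.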
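Review bot: the `.hy 0` / `.if n .na` lines deleted in the `@@ -48,22` hunk are not dropped but reappear as `.nh` / `.if n .ad l` after `.TH` in the `@@ -129,31` hunk; read on its own this hunk looks like a change to hyphenation behaviour, so it is worth a sentence in the commit message. The new `.el` branch that defines an empty `IX` macro is an improvement: `.IX` lines no longer hit an undefined macro when the `F` register is off.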
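Review bot: the `.TH` line in the `@@ -129,31` hunk now advertises "2010-11-16" "0.9.8p"; confirm this matches the OpenSSL release actually imported into secure/lib/libssl, since this generated page is where `man` users see the library version. Collapsing the four `.Vb`/`.Ve` blocks in the synopsis into one block separated by `\&` lines renders identically and is fine.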
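Review bot: dash handling in the `@@ -219,8` hunk is now inconsistent within a single sentence: `\s-1RC4\-MD5\s0` keeps the escaped minus while `DES-CBC-SHA` (and `re-connect`) lose it. For cipher-suite names this is more than cosmetic, because groff renders a bare `-` as a typographic hyphen in UTF-8 output, so a name copied from the rendered page may no longer match the cipher-list string OpenSSL expects, whereas `\-` renders as an ASCII minus. As the file is generated, the fix belongs in the POD source or the Pod::Man invocation, not in this `.3` file.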
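Review bot: the `@@ -304,7` hunk shows no visible character difference on the "browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta" line, so it is presumably a trailing-whitespace change; harmless in a regenerated file, but it reads as an empty hunk in review and could be mentioned in the commit message.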
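Review bot: "suceeds" in the unchanged context line of the `@@ -355,10` hunk ("The initial connection suceeds but client renegotiation is denied") is a typo inherited from the POD source; since this `.3` is regenerated from it, correct it upstream rather than by hand here. The `.Sh` to `.SS` conversion in this hunk is required by the removed macro definition and is correct.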
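Review bot: the subsection title in the `@@ -378,7` hunk, "Patched OpenSSL client and unpatched server.", carries a trailing period while the two titles converted in the `@@ -355,10` hunk ("Patched client and server", "Unpatched client and patched OpenSSL server") do not; cosmetic, and again a POD-source fix rather than one for this generated file.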