| author | Jacques Vidrine <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
|---|---|---|
| committer | Jacques Vidrine <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
| commit | 4f20a5a274060dda2bff055829db303415e2dd57 (patch) | |
| tree | f3c141823975717e132c7687cf833f6378cc87d4 /crypto/openssl/doc/ssl/SSL_CTX_set_options.pod | |
| parent | c1803d783676ddc1f7655e0a58c00f35ec8c4f45 (diff) | |
Diffstat (limited to 'crypto/openssl/doc/ssl/SSL_CTX_set_options.pod')
| -rw-r--r-- | crypto/openssl/doc/ssl/SSL_CTX_set_options.pod | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod index 5842a31fa438..5c07e53f66f7 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -35,7 +35,7 @@ operation (|). Options can only be added but can never be reset. SSL_CTX_set_options() and SSL_set_options() affect the (external) protocol behaviour of the SSL library. The (internal) behaviour of the API can be changed by using the similar -L<SSL_CTX_set_modes(3)|SSL_CTX_set_modes(3)> and SSL_set_modes() functions. +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions. During a handshake, the option settings of the SSL object are used. When a new SSL object is created from a context using SSL_new(), the current @@ -112,14 +112,22 @@ only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection.) +=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + +Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol +vulnerability affecting CBC ciphers, which cannot be handled by some +broken SSL implementations. This option has no effect for connections +using other ciphers. + =item SSL_OP_ALL All of the above bug workarounds. =back -It is save and recommended to use SSL_OP_ALL to enable the bug workaround -options. +It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround +options if compatibility with somewhat broken implementations is +desired. The following B<modifying> options are available: @@ -199,4 +207,9 @@ L<dhparam(1)|dhparam(1)> SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. +B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. +Versions up to OpenSSL 0.9.6c do not include the countermeasure that +can be disabled with this option (in OpenSSL 0.9.6d, it was always +enabled). + =cut |
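Review bot: In the hunk at -112,14, the new SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS item sits above SSL_OP_ALL, which is documented as "All of the above bug workarounds", so SSL_OP_ALL now switches off a countermeasure against a protocol vulnerability, and the text never says so directly. The reworded paragraph ("It is usually safe to use B<SSL_OP_ALL> ...") should state that SSL_OP_ALL includes this option and therefore disables the CBC countermeasure. This matters more because the same page says options "can only be added but can never be reset", so a caller that sets SSL_OP_ALL cannot turn the countermeasure back on for that context. Minor: "a SSL 3.0/TLS 1.0 protocol vulnerability" should read "an SSL 3.0/TLS 1.0 ...", and a pointer to a description of the vulnerability would help readers judge the risk.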
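Review bot: In the hunk at -199,4, the added history paragraph gives the versions out of order (0.9.6e, then "up to 0.9.6c", then 0.9.6d in a parenthetical), which makes it hard to tell what each release does. Consider listing them chronologically: up to 0.9.6c there is no countermeasure, in 0.9.6d it is always enabled, and from 0.9.6e it can be disabled with B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. Since the option "has been added in OpenSSL 0.9.6e", it would also help to say whether the constant is absent from earlier headers, so that application authors know to guard its use.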
