diff options
Diffstat (limited to 'doc/man3/SSL_CTX_set_mode.pod')
-rw-r--r-- | doc/man3/SSL_CTX_set_mode.pod | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_mode.pod b/doc/man3/SSL_CTX_set_mode.pod new file mode 100644 index 000000000000..8f8edcf05420 --- /dev/null +++ b/doc/man3/SSL_CTX_set_mode.pod @@ -0,0 +1,138 @@ +=pod + +=head1 NAME + +SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); + long SSL_CTX_clear_mode(SSL_CTX *ctx, long mode); + long SSL_set_mode(SSL *ssl, long mode); + long SSL_clear_mode(SSL *ssl, long mode); + + long SSL_CTX_get_mode(SSL_CTX *ctx); + long SSL_get_mode(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>. +Options already set before are not cleared. +SSL_CTX_clear_mode() removes the mode set via bitmask in B<mode> from B<ctx>. + +SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>. +Options already set before are not cleared. +SSL_clear_mode() removes the mode set via bitmask in B<mode> from B<ssl>. + +SSL_CTX_get_mode() returns the mode set for B<ctx>. + +SSL_get_mode() returns the mode set for B<ssl>. + +=head1 NOTES + +The following mode changes are available: + +=over 4 + +=item SSL_MODE_ENABLE_PARTIAL_WRITE + +Allow SSL_write_ex(..., n, &r) to return with 0 < r < n (i.e. report success +when just a single record has been written). This works in a similar way for +SSL_write(). When not set (the default), SSL_write_ex() or SSL_write() will only +report success once the complete chunk was written. Once SSL_write_ex() or +SSL_write() returns successful, B<r> bytes have been written and the next call +to SSL_write_ex() or SSL_write() must only send the n-r bytes left, imitating +the behaviour of write(). + +=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER + +Make it possible to retry SSL_write_ex() or SSL_write() with changed buffer +location (the buffer contents must stay the same). This is not the default to +avoid the misconception that non-blocking SSL_write() behaves like +non-blocking write(). + +=item SSL_MODE_AUTO_RETRY + +During normal operations, non-application data records might need to be sent or +received that the application is not aware of. +If a non-application data record was processed, +L<SSL_read_ex(3)> and L<SSL_read(3)> can return with a failure and indicate the +need to retry with B<SSL_ERROR_WANT_READ>. +If such a non-application data record was processed, the flag +B<SSL_MODE_AUTO_RETRY> causes it to try to process the next record instead of +returning. + +In a non-blocking environment applications must be prepared to handle +incomplete read/write operations. +Setting B<SSL_MODE_AUTO_RETRY> for a non-blocking B<BIO> will process +non-application data records until either no more data is available or +an application data record has been processed. + +In a blocking environment, applications are not always prepared to +deal with the functions returning intermediate reports such as retry +requests, and setting the B<SSL_MODE_AUTO_RETRY> flag will cause the functions +to only return after successfully processing an application data record or a +failure. + +Turning off B<SSL_MODE_AUTO_RETRY> can be useful with blocking B<BIO>s in case +they are used in combination with something like select() or poll(). +Otherwise the call to SSL_read() or SSL_read_ex() might hang when a +non-application record was sent and no application data was sent. + +=item SSL_MODE_RELEASE_BUFFERS + +When we no longer need a read buffer or a write buffer for a given SSL, +then release the memory we were using to hold it. +Using this flag can +save around 34k per idle SSL connection. +This flag has no effect on SSL v2 connections, or on DTLS connections. + +=item SSL_MODE_SEND_FALLBACK_SCSV + +Send TLS_FALLBACK_SCSV in the ClientHello. +To be set only by applications that reconnect with a downgraded protocol +version; see draft-ietf-tls-downgrade-scsv-00 for details. + +DO NOT ENABLE THIS if your application attempts a normal handshake. +Only use this in explicit fallback retries, following the guidance +in draft-ietf-tls-downgrade-scsv-00. + +=item SSL_MODE_ASYNC + +Enable asynchronous processing. TLS I/O operations may indicate a retry with +SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is +used to perform cryptographic operations. See L<SSL_get_error(3)>. + +=back + +All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by +default since 1.1.1. + +=head1 RETURN VALUES + +SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask +after adding B<mode>. + +SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_read_ex(3)>, L<SSL_read(3)>, L<SSL_write_ex(3)> or +L<SSL_write(3)>, L<SSL_get_error(3)> + +=head1 HISTORY + +SSL_MODE_ASYNC was first added to OpenSSL 1.1.0. + +=head1 COPYRIGHT + +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut |