]>
Commit | Line | Data |
---|---|---|
3db935a9 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
1722496f | 5 | SSL_CONF_cmd_value_type, |
3db935a9 DSH |
6 | SSL_CONF_cmd - send configuration command |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
11 | ||
8b3efb53 RS |
12 | int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value); |
13 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option); | |
3db935a9 DSH |
14 | |
15 | =head1 DESCRIPTION | |
16 | ||
8b3efb53 | 17 | The function SSL_CONF_cmd() performs configuration operation B<option> with |
3db935a9 DSH |
18 | optional parameter B<value> on B<ctx>. Its purpose is to simplify application |
19 | configuration of B<SSL_CTX> or B<SSL> structures by providing a common | |
13cfb043 DSH |
20 | framework for command line options or configuration files. |
21 | ||
8b3efb53 | 22 | SSL_CONF_cmd_value_type() returns the type of value that B<option> refers to. |
ec2f7e56 | 23 | |
13cfb043 DSH |
24 | =head1 SUPPORTED COMMAND LINE COMMANDS |
25 | ||
8b3efb53 | 26 | Currently supported B<option> names for command lines (i.e. when the |
6c014da0 TC |
27 | flag B<SSL_CONF_FLAG_CMDLINE> is set) are listed below. Note: all B<option> |
28 | names are case sensitive. Unless otherwise stated commands can be used by | |
13cfb043 DSH |
29 | both clients and servers and the B<value> parameter is not used. The default |
30 | prefix for command line commands is B<-> and that is reflected below. | |
31 | ||
32 | =over 4 | |
33 | ||
8b3efb53 | 34 | =item B<-bugs> |
13cfb043 | 35 | |
8b3efb53 | 36 | Various bug workarounds are set, same as setting B<SSL_OP_ALL>. |
13cfb043 | 37 | |
8b3efb53 | 38 | =item B<-no_comp> |
13cfb043 | 39 | |
8b3efb53 RS |
40 | Disables support for SSL/TLS compression, same as setting |
41 | B<SSL_OP_NO_COMPRESSION>. | |
42 | As of OpenSSL 1.1.0, compression is off by default. | |
13cfb043 | 43 | |
8b3efb53 | 44 | =item B<-comp> |
322755cc | 45 | |
8b3efb53 RS |
46 | Enables support for SSL/TLS compression, same as clearing |
47 | B<SSL_OP_NO_COMPRESSION>. | |
48 | This command was introduced in OpenSSL 1.1.0. | |
49 | As of OpenSSL 1.1.0, compression is off by default. | |
13cfb043 | 50 | |
8b3efb53 | 51 | =item B<-no_ticket> |
13cfb043 | 52 | |
8b3efb53 | 53 | Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. |
13cfb043 | 54 | |
8b3efb53 | 55 | =item B<-serverpref> |
47f7cf05 | 56 | |
8b3efb53 RS |
57 | Use server and not client preference order when determining which cipher suite, |
58 | signature algorithm or elliptic curve to use for an incoming connection. | |
59 | Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
47f7cf05 | 60 | |
55373bfd RS |
61 | =item B<-client_renegotiation> |
62 | ||
63 | Allows servers to accept client-initiated renegotiation. Equivalent to | |
64 | setting B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION>. | |
65 | Only used by servers. | |
66 | ||
5d374691 | 67 | =item B<-legacy_renegotiation> |
dfa1f547 | 68 | |
55373bfd | 69 | Permits the use of unsafe legacy renegotiation. Equivalent to setting |
8b3efb53 | 70 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. |
47f7cf05 | 71 | |
8b3efb53 | 72 | =item B<-no_renegotiation> |
47f7cf05 | 73 | |
8b3efb53 RS |
74 | Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting |
75 | B<SSL_OP_NO_RENEGOTIATION>. | |
47f7cf05 | 76 | |
8b3efb53 | 77 | =item B<-no_resumption_on_reneg> |
13cfb043 | 78 | |
55373bfd | 79 | Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only used by servers. |
13cfb043 | 80 | |
8b3efb53 | 81 | =item B<-legacy_server_connect>, B<-no_legacy_server_connect> |
13cfb043 | 82 | |
55373bfd | 83 | Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL |
8b3efb53 | 84 | clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. |
13cfb043 | 85 | |
8b3efb53 | 86 | =item B<-prioritize_chacha> |
13cfb043 | 87 | |
8b3efb53 RS |
88 | Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of |
89 | its preference list. This usually indicates a client without AES hardware | |
90 | acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. | |
91 | Only used by servers. Requires B<-serverpref>. | |
9d2674cd | 92 | |
8b3efb53 | 93 | =item B<-allow_no_dhe_kex> |
9d2674cd | 94 | |
8b3efb53 RS |
95 | In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means |
96 | that there will be no forward secrecy for the resumed session. | |
9d2674cd | 97 | |
8b3efb53 | 98 | =item B<-strict> |
ec2f7e56 | 99 | |
55373bfd | 100 | Enables strict mode protocol handling. Equivalent to setting |
8b3efb53 | 101 | B<SSL_CERT_FLAG_TLS_STRICT>. |
ec2f7e56 | 102 | |
8b3efb53 | 103 | =item B<-sigalgs> I<algs> |
ec2f7e56 | 104 | |
8b3efb53 RS |
105 | This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. |
106 | For clients this value is used directly for the supported signature | |
107 | algorithms extension. For servers it is used to determine which signature | |
108 | algorithms to support. | |
109 | ||
110 | The B<algs> argument should be a colon separated list of signature | |
111 | algorithms in order of decreasing preference of the form B<algorithm+hash> | |
112 | or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and | |
113 | B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>, | |
114 | B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case | |
115 | sensitive. B<signature_scheme> is one of the signature schemes defined in | |
116 | TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, | |
117 | B<ed25519>, or B<rsa_pss_pss_sha256>. | |
ec2f7e56 | 118 | |
8b3efb53 RS |
119 | If this option is not set then all signature algorithms supported by the |
120 | OpenSSL library are permissible. | |
c557f921 | 121 | |
8b3efb53 RS |
122 | Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by |
123 | using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> | |
124 | identifiers) are ignored in TLSv1.3 and will not be negotiated. | |
c557f921 | 125 | |
8b3efb53 | 126 | =item B<-client_sigalgs> I<algs> |
c649d10d | 127 | |
8b3efb53 RS |
128 | This sets the supported signature algorithms associated with client |
129 | authentication for TLSv1.2 and TLSv1.3. For servers the B<algs> is used | |
130 | in the B<signature_algorithms> field of a B<CertificateRequest> message. | |
131 | For clients it is used to determine which signature algorithm to use with | |
132 | the client certificate. If a server does not request a certificate this | |
133 | option has no effect. | |
c649d10d | 134 | |
8b3efb53 RS |
135 | The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the |
136 | value set for B<-sigalgs> will be used instead. | |
db0f35dd | 137 | |
8b3efb53 | 138 | =item B<-groups> I<groups> |
db0f35dd | 139 | |
8b3efb53 RS |
140 | This sets the supported groups. For clients, the groups are sent using |
141 | the supported groups extension. For servers, it is used to determine which | |
142 | group to use. This setting affects groups used for signatures (in TLSv1.2 | |
143 | and earlier) and key exchange. The first group listed will also be used | |
144 | for the B<key_share> sent by a client in a TLSv1.3 B<ClientHello>. | |
7946ab33 | 145 | |
8b3efb53 RS |
146 | The B<groups> argument is a colon separated list of groups. The group can |
147 | be either the B<NIST> name (e.g. B<P-256>), some other commonly used name | |
148 | where applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name | |
8c1cbc72 | 149 | (e.g. B<prime256v1>). Group names are case sensitive. The list should be |
8b3efb53 | 150 | in order of preference with the most preferred group first. |
7946ab33 | 151 | |
8b3efb53 RS |
152 | Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, |
153 | B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, | |
154 | B<ffdhe8192>. | |
13cfb043 | 155 | |
8b3efb53 | 156 | =item B<-curves> I<groups> |
13cfb043 | 157 | |
8b3efb53 | 158 | This is a synonym for the B<-groups> command. |
13cfb043 | 159 | |
8b3efb53 | 160 | =item B<-named_curve> I<curve> |
13cfb043 | 161 | |
8b3efb53 RS |
162 | This sets the temporary curve used for ephemeral ECDH modes. Only used |
163 | by servers. | |
13cfb043 | 164 | |
8b3efb53 RS |
165 | The B<groups> argument is a curve name or the special value B<auto> which |
166 | picks an appropriate curve based on client and server preferences. The | |
167 | curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name | |
8c1cbc72 | 168 | (e.g. B<prime256v1>). Curve names are case sensitive. |
cc5a9ba4 | 169 | |
8b3efb53 | 170 | =item B<-cipher> I<ciphers> |
cc5a9ba4 | 171 | |
8b3efb53 RS |
172 | Sets the TLSv1.2 and below ciphersuite list to B<ciphers>. This list will be |
173 | combined with any configured TLSv1.3 ciphersuites. Note: syntax checking | |
174 | of B<ciphers> is currently not performed unless a B<SSL> or B<SSL_CTX> | |
175 | structure is associated with B<ctx>. | |
13cfb043 | 176 | |
8b3efb53 | 177 | =item B<-ciphersuites> I<1.3ciphers> |
13cfb043 | 178 | |
8b3efb53 RS |
179 | Sets the available ciphersuites for TLSv1.3 to value. This is a |
180 | colon-separated list of TLSv1.3 ciphersuite names in order of preference. This | |
181 | list will be combined any configured TLSv1.2 and below ciphersuites. | |
182 | See L<openssl-ciphers(1)> for more information. | |
13cfb043 | 183 | |
8b3efb53 | 184 | =item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot> |
13cfb043 | 185 | |
77174598 VD |
186 | Sets the minimum and maximum supported protocol. |
187 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
188 | B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> | |
189 | for no limit. | |
190 | If either the lower or upper bound is not specified then only the other bound | |
191 | applies, if specified. | |
192 | If your application supports both TLS and DTLS you can specify any of these | |
193 | options twice, once with a bound for TLS and again with an appropriate bound | |
194 | for DTLS. | |
195 | To restrict the supported protocol versions use these commands rather than the | |
196 | deprecated alternative commands below. | |
13cfb043 | 197 | |
8b3efb53 | 198 | =item B<-record_padding> I<padding> |
e1c7871d | 199 | |
8b3efb53 RS |
200 | Attempts to pad TLSv1.3 records so that they are a multiple of B<padding> |
201 | in length on send. A B<padding> of 0 or 1 turns off padding. Otherwise, | |
202 | the B<padding> must be >1 or <=16384. | |
e1c7871d | 203 | |
8b3efb53 | 204 | =item B<-debug_broken_protocol> |
f0ef019d | 205 | |
03e16083 RS |
206 | Ignored. |
207 | ||
8b3efb53 | 208 | =item B<-no_middlebox> |
f0ef019d | 209 | |
03e16083 RS |
210 | Turn off "middlebox compatibility", as described below. |
211 | ||
8b3efb53 | 212 | =back |
13cfb043 | 213 | |
8b3efb53 | 214 | =head2 Additional Options |
13cfb043 | 215 | |
8b3efb53 RS |
216 | The following options are accepted by SSL_CONF_cmd(), but are not |
217 | processed by the OpenSSL commands. | |
13cfb043 | 218 | |
8b3efb53 | 219 | =over 4 |
13cfb043 | 220 | |
8b3efb53 | 221 | =item B<-cert> I<file> |
4e2bd9cb | 222 | |
8b3efb53 RS |
223 | Attempts to use B<file> as the certificate for the appropriate context. It |
224 | currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> | |
225 | structure is set or SSL_use_certificate_file() with filetype PEM if an | |
226 | B<SSL> structure is set. This option is only supported if certificate | |
227 | operations are permitted. | |
4e2bd9cb | 228 | |
8b3efb53 | 229 | =item B<-key> I<file> |
13cfb043 | 230 | |
8b3efb53 RS |
231 | Attempts to use B<file> as the private key for the appropriate context. This |
232 | option is only supported if certificate operations are permitted. Note: | |
233 | if no B<-key> option is set then a private key is not loaded unless the | |
234 | flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. | |
235 | ||
236 | =item B<-dhparam> I<file> | |
237 | ||
238 | Attempts to use B<file> as the set of temporary DH parameters for | |
239 | the appropriate context. This option is only supported if certificate | |
240 | operations are permitted. | |
241 | ||
242 | =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> | |
243 | ||
244 | Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by | |
245 | setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, | |
246 | B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> | |
247 | respectively. These options are deprecated, use B<-min_protocol> and | |
248 | B<-max_protocol> instead. | |
13cfb043 | 249 | |
3bb5e5b0 MC |
250 | =item B<-anti_replay>, B<-no_anti_replay> |
251 | ||
252 | Switches replay protection, on or off respectively. With replay protection on, | |
253 | OpenSSL will automatically detect if a session ticket has been used more than | |
254 | once, TLSv1.3 has been negotiated, and early data is enabled on the server. A | |
255 | full handshake is forced if a session ticket is used a second or subsequent | |
256 | time. Anti-Replay is on by default unless overridden by a configuration file and | |
257 | is only used by servers. Anti-replay measures are required for compliance with | |
258 | the TLSv1.3 specification. Some applications may be able to mitigate the replay | |
259 | risks in other ways and in such cases the built-in OpenSSL functionality is not | |
260 | required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>. | |
261 | ||
13cfb043 | 262 | =back |
3db935a9 DSH |
263 | |
264 | =head1 SUPPORTED CONFIGURATION FILE COMMANDS | |
265 | ||
8b3efb53 | 266 | Currently supported B<option> names for configuration files (i.e., when the |
3db935a9 | 267 | flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file |
8b3efb53 | 268 | B<option> names are case insensitive so B<signaturealgorithms> is recognised |
c7b7984a | 269 | as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names |
3db935a9 DSH |
270 | are also case insensitive. |
271 | ||
8b3efb53 | 272 | Note: the command prefix (if set) alters the recognised B<option> values. |
3db935a9 DSH |
273 | |
274 | =over 4 | |
275 | ||
65f2a565 | 276 | =item B<CipherString> |
3db935a9 | 277 | |
9d2674cd MC |
278 | Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be |
279 | combined with any configured TLSv1.3 ciphersuites. Note: syntax | |
280 | checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX> | |
8b3efb53 | 281 | structure is associated with B<ctx>. |
9d2674cd MC |
282 | |
283 | =item B<Ciphersuites> | |
284 | ||
8b3efb53 RS |
285 | Sets the available ciphersuites for TLSv1.3 to B<value>. This is a |
286 | colon-separated list of TLSv1.3 ciphersuite names in order of preference. This | |
9d2674cd | 287 | list will be combined any configured TLSv1.2 and below ciphersuites. |
1903a9b7 | 288 | See L<openssl-ciphers(1)> for more information. |
3db935a9 | 289 | |
ec2f7e56 DSH |
290 | =item B<Certificate> |
291 | ||
292 | Attempts to use the file B<value> as the certificate for the appropriate | |
fc1d88f0 RS |
293 | context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> |
294 | structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> | |
ec2f7e56 DSH |
295 | structure is set. This option is only supported if certificate operations |
296 | are permitted. | |
297 | ||
298 | =item B<PrivateKey> | |
299 | ||
300 | Attempts to use the file B<value> as the private key for the appropriate | |
301 | context. This option is only supported if certificate operations | |
2011b169 DSH |
302 | are permitted. Note: if no B<PrivateKey> option is set then a private key is |
303 | not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. | |
ec2f7e56 | 304 | |
429261d0 DSH |
305 | =item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath> |
306 | ||
307 | These options indicate a file or directory used for building certificate | |
308 | chains or verifying certificate chains. These options are only supported | |
309 | if certificate operations are permitted. | |
310 | ||
5a185729 DSH |
311 | =item B<RequestCAFile> |
312 | ||
313 | This option indicates a file containing a set of certificates in PEM form. | |
314 | The subject names of the certificates are sent to the peer in the | |
315 | B<certificate_authorities> extension for TLS 1.3 (in ClientHello or | |
316 | CertificateRequest) or in a certificate request for previous versions or | |
317 | TLS. | |
318 | ||
5b7f36e8 DSH |
319 | =item B<ServerInfoFile> |
320 | ||
321 | Attempts to use the file B<value> in the "serverinfo" extension using the | |
322 | function SSL_CTX_use_serverinfo_file. | |
323 | ||
c557f921 DSH |
324 | =item B<DHParameters> |
325 | ||
326 | Attempts to use the file B<value> as the set of temporary DH parameters for | |
327 | the appropriate context. This option is only supported if certificate | |
328 | operations are permitted. | |
329 | ||
c649d10d TS |
330 | =item B<RecordPadding> |
331 | ||
322755cc | 332 | Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in |
c649d10d TS |
333 | length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the |
334 | B<value> must be >1 or <=16384. | |
335 | ||
3db935a9 DSH |
336 | =item B<SignatureAlgorithms> |
337 | ||
322755cc HK |
338 | This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. |
339 | For clients this | |
3db935a9 DSH |
340 | value is used directly for the supported signature algorithms extension. For |
341 | servers it is used to determine which signature algorithms to support. | |
342 | ||
343 | The B<value> argument should be a colon separated list of signature algorithms | |
322755cc HK |
344 | in order of decreasing preference of the form B<algorithm+hash> or |
345 | B<signature_scheme>. B<algorithm> | |
3db935a9 DSH |
346 | is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm |
347 | OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. | |
348 | Note: algorithm and hash names are case sensitive. | |
322755cc HK |
349 | B<signature_scheme> is one of the signature schemes defined in TLSv1.3, |
350 | specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>, | |
351 | or B<rsa_pss_pss_sha256>. | |
3db935a9 DSH |
352 | |
353 | If this option is not set then all signature algorithms supported by the | |
354 | OpenSSL library are permissible. | |
355 | ||
322755cc HK |
356 | Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by |
357 | using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> | |
358 | identifiers) are ignored in TLSv1.3 and will not be negotiated. | |
359 | ||
3db935a9 DSH |
360 | =item B<ClientSignatureAlgorithms> |
361 | ||
362 | This sets the supported signature algorithms associated with client | |
322755cc HK |
363 | authentication for TLSv1.2 and TLSv1.3. |
364 | For servers the value is used in the | |
365 | B<signature_algorithms> field of a B<CertificateRequest> message. | |
366 | For clients it is | |
367 | used to determine which signature algorithm to use with the client certificate. | |
368 | If a server does not request a certificate this option has no effect. | |
3db935a9 DSH |
369 | |
370 | The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then | |
371 | the value set for B<SignatureAlgorithms> will be used instead. | |
372 | ||
47f7cf05 | 373 | =item B<Groups> |
3db935a9 | 374 | |
47f7cf05 MC |
375 | This sets the supported groups. For clients, the groups are |
376 | sent using the supported groups extension. For servers, it is used | |
322755cc HK |
377 | to determine which group to use. This setting affects groups used for |
378 | signatures (in TLSv1.2 and earlier) and key exchange. The first group listed | |
379 | will also be used for the B<key_share> sent by a client in a TLSv1.3 | |
380 | B<ClientHello>. | |
3db935a9 | 381 | |
47f7cf05 MC |
382 | The B<value> argument is a colon separated list of groups. The group can be |
383 | either the B<NIST> name (e.g. B<P-256>), some other commonly used name where | |
dfa1f547 | 384 | applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name |
8c1cbc72 | 385 | (e.g. B<prime256v1>). Group names are case sensitive. The list should be in |
dfa1f547 | 386 | order of preference with the most preferred group first. |
387 | ||
388 | Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, | |
389 | B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, | |
390 | B<ffdhe8192>. | |
47f7cf05 MC |
391 | |
392 | =item B<Curves> | |
393 | ||
394 | This is a synonym for the "Groups" command. | |
3db935a9 | 395 | |
7946ab33 KR |
396 | =item B<MinProtocol> |
397 | ||
398 | This sets the minimum supported SSL, TLS or DTLS version. | |
399 | ||
57ce7b61 | 400 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
322755cc | 401 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
77174598 VD |
402 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds |
403 | apply only to DTLS-based contexts. | |
404 | The command can be repeated with one instance setting a TLS bound, and the | |
405 | other setting a DTLS bound. | |
406 | The value B<None> applies to both types of contexts and disables the limits. | |
7946ab33 KR |
407 | |
408 | =item B<MaxProtocol> | |
409 | ||
410 | This sets the maximum supported SSL, TLS or DTLS version. | |
411 | ||
57ce7b61 | 412 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
322755cc | 413 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
77174598 VD |
414 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds |
415 | apply only to DTLS-based contexts. | |
416 | The command can be repeated with one instance setting a TLS bound, and the | |
417 | other setting a DTLS bound. | |
418 | The value B<None> applies to both types of contexts and disables the limits. | |
7946ab33 | 419 | |
3db935a9 DSH |
420 | =item B<Protocol> |
421 | ||
57ce7b61 VD |
422 | This can be used to enable or disable certain versions of the SSL, |
423 | TLS or DTLS protocol. | |
7946ab33 | 424 | |
57ce7b61 VD |
425 | The B<value> argument is a comma separated list of supported protocols |
426 | to enable or disable. | |
7946ab33 KR |
427 | If a protocol is preceded by B<-> that version is disabled. |
428 | ||
429 | All protocol versions are enabled by default. | |
57ce7b61 VD |
430 | You need to disable at least one protocol version for this setting have any |
431 | effect. | |
432 | Only enabling some protocol versions does not disable the other protocol | |
433 | versions. | |
7946ab33 | 434 | |
57ce7b61 | 435 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
322755cc | 436 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
7946ab33 | 437 | The special value B<ALL> refers to all supported versions. |
3db935a9 | 438 | |
57ce7b61 VD |
439 | This can't enable protocols that are disabled using B<MinProtocol> |
440 | or B<MaxProtocol>, but can disable protocols that are still allowed | |
441 | by them. | |
7946ab33 KR |
442 | |
443 | The B<Protocol> command is fragile and deprecated; do not use it. | |
444 | Use B<MinProtocol> and B<MaxProtocol> instead. | |
57ce7b61 VD |
445 | If you do use B<Protocol>, make sure that the resulting range of enabled |
446 | protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make | |
447 | sure to also leave TLS 1.1 enabled. | |
3db935a9 DSH |
448 | |
449 | =item B<Options> | |
450 | ||
451 | The B<value> argument is a comma separated list of various flags to set. | |
8106cb8b VD |
452 | If a flag string is preceded B<-> it is disabled. |
453 | See the L<SSL_CTX_set_options(3)> function for more details of | |
454 | individual options. | |
3db935a9 DSH |
455 | |
456 | Each option is listed below. Where an operation is enabled by default | |
457 | the B<-flag> syntax is needed to disable it. | |
458 | ||
459 | B<SessionTicket>: session ticket support, enabled by default. Inverse of | |
460 | B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting | |
461 | B<SSL_OP_NO_TICKET>. | |
462 | ||
2cb52118 | 463 | B<Compression>: SSL/TLS compression support, disabled by default. Inverse |
3db935a9 DSH |
464 | of B<SSL_OP_NO_COMPRESSION>. |
465 | ||
466 | B<EmptyFragments>: use empty fragments as a countermeasure against a | |
467 | SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It | |
468 | is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. | |
469 | ||
c7b7984a | 470 | B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. |
3db935a9 | 471 | |
c7b7984a | 472 | B<DHSingle>: enable single use DH keys, set by default. Inverse of |
3db935a9 DSH |
473 | B<SSL_OP_DH_SINGLE>. Only used by servers. |
474 | ||
e1c7871d | 475 | B<ECDHSingle>: enable single use ECDH keys, set by default. Inverse of |
3db935a9 DSH |
476 | B<SSL_OP_ECDH_SINGLE>. Only used by servers. |
477 | ||
e1c7871d | 478 | B<ServerPreference>: use server and not client preference order when |
3db935a9 DSH |
479 | determining which cipher suite, signature algorithm or elliptic curve |
480 | to use for an incoming connection. Equivalent to | |
481 | B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
482 | ||
e1c7871d TS |
483 | B<PrioritizeChaCha>: prioritizes ChaCha ciphers when the client has a |
484 | ChaCha20 cipher at the top of its preference list. This usually indicates | |
485 | a mobile client is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. | |
486 | Only used by servers. | |
487 | ||
488 | B<NoResumptionOnRenegotiation>: set | |
f0ef019d DSH |
489 | B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. |
490 | ||
4ac5e43d HK |
491 | B<NoRenegotiation>: disables all attempts at renegotiation in TLSv1.2 and |
492 | earlier, same as setting B<SSL_OP_NO_RENEGOTIATION>. | |
493 | ||
e1c7871d | 494 | B<UnsafeLegacyRenegotiation>: permits the use of unsafe legacy renegotiation. |
3db935a9 DSH |
495 | Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. |
496 | ||
e1c7871d | 497 | B<UnsafeLegacyServerConnect>: permits the use of unsafe legacy renegotiation |
3db935a9 | 498 | for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. |
3db935a9 | 499 | |
b3618f44 EK |
500 | B<EncryptThenMac>: use encrypt-then-mac extension, enabled by |
501 | default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is, | |
502 | B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>. | |
4e2bd9cb MC |
503 | |
504 | B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on | |
505 | resumption. This means that there will be no forward secrecy for the resumed | |
506 | session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>. | |
b3618f44 | 507 | |
1c4b1545 MC |
508 | B<MiddleboxCompat>: If set then dummy Change Cipher Spec (CCS) messages are sent |
509 | in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that | |
510 | middleboxes that do not understand TLSv1.3 will not drop the connection. This | |
511 | option is set by default. A future version of OpenSSL may not set this by | |
512 | default. Equivalent to B<SSL_OP_ENABLE_MIDDLEBOX_COMPAT>. | |
513 | ||
3bb5e5b0 MC |
514 | B<AntiReplay>: If set then OpenSSL will automatically detect if a session ticket |
515 | has been used more than once, TLSv1.3 has been negotiated, and early data is | |
516 | enabled on the server. A full handshake is forced if a session ticket is used a | |
517 | second or subsequent time. This option is set by default and is only used by | |
518 | servers. Anti-replay measures are required to comply with the TLSv1.3 | |
519 | specification. Some applications may be able to mitigate the replay risks in | |
520 | other ways and in such cases the built-in OpenSSL functionality is not required. | |
521 | Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. | |
522 | ||
088dfa13 TS |
523 | B<ExtendedMasterSecret>: use extended master secret extension, enabled by |
524 | default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is, | |
525 | B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>. | |
526 | ||
90fc2c26 NM |
527 | B<CANames>: use CA names extension, enabled by |
528 | default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is, | |
529 | B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>. | |
530 | ||
6878f430 MC |
531 | B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported |
532 | by the negotiated ciphersuites and extensions. Equivalent to | |
533 | B<SSL_OP_ENABLE_KTLS>. | |
534 | ||
429261d0 DSH |
535 | =item B<VerifyMode> |
536 | ||
537 | The B<value> argument is a comma separated list of flags to set. | |
538 | ||
539 | B<Peer> enables peer verification: for clients only. | |
540 | ||
541 | B<Request> requests but does not require a certificate from the client. | |
542 | Servers only. | |
543 | ||
544 | B<Require> requests and requires a certificate from the client: an error | |
545 | occurs if the client does not present a certificate. Servers only. | |
546 | ||
547 | B<Once> requests a certificate from a client only on the initial connection: | |
548 | not when renegotiating. Servers only. | |
549 | ||
9d75dce3 TS |
550 | B<RequestPostHandshake> configures the connection to support requests but does |
551 | not require a certificate from the client post-handshake. A certificate will | |
552 | not be requested during the initial handshake. The server application must | |
553 | provide a mechanism to request a certificate post-handshake. Servers only. | |
554 | TLSv1.3 only. | |
555 | ||
556 | B<RequiresPostHandshake> configures the connection to support requests and | |
557 | requires a certificate from the client post-handshake: an error occurs if the | |
558 | client does not present a certificate. A certificate will not be requested | |
559 | during the initial handshake. The server application must provide a mechanism | |
560 | to request a certificate post-handshake. Servers only. TLSv1.3 only. | |
561 | ||
429261d0 DSH |
562 | =item B<ClientCAFile>, B<ClientCAPath> |
563 | ||
564 | A file or directory of certificates in PEM format whose names are used as the | |
565 | set of acceptable names for client CAs. Servers only. This option is only | |
566 | supported if certificate operations are permitted. | |
567 | ||
3db935a9 DSH |
568 | =back |
569 | ||
ec2f7e56 DSH |
570 | =head1 SUPPORTED COMMAND TYPES |
571 | ||
572 | The function SSL_CONF_cmd_value_type() currently returns one of the following | |
573 | types: | |
574 | ||
575 | =over 4 | |
576 | ||
577 | =item B<SSL_CONF_TYPE_UNKNOWN> | |
578 | ||
8b3efb53 | 579 | The B<option> string is unrecognised, this return value can be use to flag |
ec2f7e56 DSH |
580 | syntax errors. |
581 | ||
582 | =item B<SSL_CONF_TYPE_STRING> | |
583 | ||
584 | The value is a string without any specific structure. | |
585 | ||
586 | =item B<SSL_CONF_TYPE_FILE> | |
587 | ||
9c0586d5 | 588 | The value is a filename. |
ec2f7e56 DSH |
589 | |
590 | =item B<SSL_CONF_TYPE_DIR> | |
591 | ||
592 | The value is a directory name. | |
593 | ||
656b2605 DSH |
594 | =item B<SSL_CONF_TYPE_NONE> |
595 | ||
596 | The value string is not used e.g. a command line option which doesn't take an | |
597 | argument. | |
598 | ||
fa9d77dc CR |
599 | =back |
600 | ||
3db935a9 DSH |
601 | =head1 NOTES |
602 | ||
603 | The order of operations is significant. This can be used to set either defaults | |
604 | or values which cannot be overridden. For example if an application calls: | |
605 | ||
87d9cafa | 606 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); |
3db935a9 DSH |
607 | SSL_CONF_cmd(ctx, userparam, uservalue); |
608 | ||
87d9cafa | 609 | it will disable SSLv3 support by default but the user can override it. If |
3db935a9 DSH |
610 | however the call sequence is: |
611 | ||
612 | SSL_CONF_cmd(ctx, userparam, uservalue); | |
87d9cafa | 613 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); |
3db935a9 | 614 | |
87d9cafa | 615 | SSLv3 is B<always> disabled and attempt to override this by the user are |
3db935a9 DSH |
616 | ignored. |
617 | ||
f5f85f75 | 618 | By checking the return code of SSL_CONF_cmd() it is possible to query if a |
8b3efb53 | 619 | given B<option> is recognised, this is useful if SSL_CONF_cmd() values are |
3db935a9 DSH |
620 | mixed with additional application specific operations. |
621 | ||
f5f85f75 | 622 | For example an application might call SSL_CONF_cmd() and if it returns |
3db935a9 DSH |
623 | -2 (unrecognised command) continue with processing of application specific |
624 | commands. | |
625 | ||
f5f85f75 JS |
626 | Applications can also use SSL_CONF_cmd() to process command lines though the |
627 | utility function SSL_CONF_cmd_argv() is normally used instead. One way | |
821244cf | 628 | to do this is to set the prefix to an appropriate value using |
8b3efb53 | 629 | SSL_CONF_CTX_set1_prefix(), pass the current argument to B<option> and the |
821244cf | 630 | following argument to B<value> (which may be NULL). |
3db935a9 DSH |
631 | |
632 | In this case if the return value is positive then it is used to skip that | |
f5f85f75 | 633 | number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is |
8b3efb53 | 634 | returned then B<option> is not recognised and application specific arguments |
3db935a9 DSH |
635 | can be checked instead. If -3 is returned a required argument is missing |
636 | and an error is indicated. If 0 is returned some other error occurred and | |
637 | this can be reported back to the user. | |
638 | ||
7946ab33 | 639 | The function SSL_CONF_cmd_value_type() can be used by applications to |
ec2f7e56 DSH |
640 | check for the existence of a command or to perform additional syntax |
641 | checking or translation of the command value. For example if the return | |
642 | value is B<SSL_CONF_TYPE_FILE> an application could translate a relative | |
643 | pathname to an absolute pathname. | |
644 | ||
4564e77a PY |
645 | =head1 RETURN VALUES |
646 | ||
8b3efb53 RS |
647 | SSL_CONF_cmd() returns 1 if the value of B<option> is recognised and B<value> is |
648 | B<NOT> used and 2 if both B<option> and B<value> are used. In other words it | |
4564e77a PY |
649 | returns the number of arguments processed. This is useful when processing |
650 | command lines. | |
651 | ||
8b3efb53 | 652 | A return value of -2 means B<option> is not recognised. |
4564e77a | 653 | |
8b3efb53 | 654 | A return value of -3 means B<option> is recognised and the command requires a |
4564e77a PY |
655 | value but B<value> is NULL. |
656 | ||
8b3efb53 | 657 | A return code of 0 indicates that both B<option> and B<value> are valid but an |
4564e77a PY |
658 | error occurred attempting to perform the operation: for example due to an |
659 | error in the syntax of B<value> in this case the error queue may provide | |
660 | additional information. | |
661 | ||
3db935a9 DSH |
662 | =head1 EXAMPLES |
663 | ||
664 | Set supported signature algorithms: | |
665 | ||
666 | SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); | |
667 | ||
24c2cd39 | 668 | There are various ways to select the supported protocols. |
7946ab33 KR |
669 | |
670 | This set the minimum protocol version to TLSv1, and so disables SSLv3. | |
671 | This is the recommended way to disable protocols. | |
672 | ||
673 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1"); | |
674 | ||
675 | The following also disables SSLv3: | |
676 | ||
677 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); | |
678 | ||
57ce7b61 VD |
679 | The following will first enable all protocols, and then disable |
680 | SSLv3. | |
681 | If no protocol versions were disabled before this has the same effect as | |
682 | "-SSLv3", but if some versions were disables this will re-enable them before | |
683 | disabling SSLv3. | |
3db935a9 | 684 | |
87d9cafa | 685 | SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); |
3db935a9 DSH |
686 | |
687 | Only enable TLSv1.2: | |
688 | ||
7946ab33 KR |
689 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2"); |
690 | SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2"); | |
691 | ||
692 | This also only enables TLSv1.2: | |
693 | ||
3db935a9 DSH |
694 | SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); |
695 | ||
696 | Disable TLS session tickets: | |
697 | ||
698 | SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); | |
699 | ||
dc5744cb EK |
700 | Enable compression: |
701 | ||
702 | SSL_CONF_cmd(ctx, "Options", "Compression"); | |
703 | ||
3db935a9 DSH |
704 | Set supported curves to P-256, P-384: |
705 | ||
706 | SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); | |
707 | ||
3db935a9 DSH |
708 | =head1 SEE ALSO |
709 | ||
98ca37e4 | 710 | L<ssl(7)>, |
9b86974e RS |
711 | L<SSL_CONF_CTX_new(3)>, |
712 | L<SSL_CONF_CTX_set_flags(3)>, | |
713 | L<SSL_CONF_CTX_set1_prefix(3)>, | |
714 | L<SSL_CONF_CTX_set_ssl_ctx(3)>, | |
8106cb8b VD |
715 | L<SSL_CONF_cmd_argv(3)>, |
716 | L<SSL_CTX_set_options(3)> | |
3db935a9 DSH |
717 | |
718 | =head1 HISTORY | |
719 | ||
fc5ecadd | 720 | The SSL_CONF_cmd() function was added in OpenSSL 1.0.2. |
3db935a9 | 721 | |
fc5ecadd DMSP |
722 | The B<SSL_OP_NO_SSL2> option doesn't have effect since 1.1.0, but the macro |
723 | is retained for backwards compatibility. | |
45f55f6a | 724 | |
fc5ecadd | 725 | The B<SSL_CONF_TYPE_NONE> was added in OpenSSL 1.1.0. In earlier versions of |
656b2605 DSH |
726 | OpenSSL passing a command which didn't take an argument would return |
727 | B<SSL_CONF_TYPE_UNKNOWN>. | |
728 | ||
7946ab33 KR |
729 | B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0. |
730 | ||
e1c7871d TS |
731 | B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1. |
732 | ||
3d4dd8f2 MC |
733 | The B<UnsafeLegacyServerConnect> option is no longer set by default from |
734 | OpenSSL 3.0. | |
735 | ||
e2f92610 RS |
736 | =head1 COPYRIGHT |
737 | ||
fecb3aae | 738 | Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 739 | |
4746f25a | 740 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
741 | this file except in compliance with the License. You can obtain a copy |
742 | in the file LICENSE in the source distribution or at | |
743 | L<https://www.openssl.org/source/license.html>. | |
744 | ||
745 | =cut |