]>
Commit | Line | Data |
---|---|---|
3db935a9 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
c952780c | 5 | SSL_CONF_cmd_value_type, SSL_CONF_finish, |
3db935a9 DSH |
6 | SSL_CONF_cmd - send configuration command |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
11 | ||
12 | int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); | |
ec2f7e56 DSH |
13 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); |
14 | int SSL_CONF_finish(SSL_CONF_CTX *cctx); | |
3db935a9 DSH |
15 | |
16 | =head1 DESCRIPTION | |
17 | ||
18 | The function SSL_CONF_cmd() performs configuration operation B<cmd> with | |
19 | optional parameter B<value> on B<ctx>. Its purpose is to simplify application | |
20 | configuration of B<SSL_CTX> or B<SSL> structures by providing a common | |
13cfb043 DSH |
21 | framework for command line options or configuration files. |
22 | ||
ec2f7e56 DSH |
23 | SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to. |
24 | ||
25 | The function SSL_CONF_finish() must be called after all configuration | |
26 | operations have been completed. It is used to finalise any operations | |
27 | or to process defaults. | |
28 | ||
13cfb043 DSH |
29 | =head1 SUPPORTED COMMAND LINE COMMANDS |
30 | ||
31 | Currently supported B<cmd> names for command lines (i.e. when the | |
32 | flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names | |
4b64e0cb | 33 | are case sensitive. Unless otherwise stated commands can be used by |
13cfb043 DSH |
34 | both clients and servers and the B<value> parameter is not used. The default |
35 | prefix for command line commands is B<-> and that is reflected below. | |
36 | ||
37 | =over 4 | |
38 | ||
39 | =item B<-sigalgs> | |
40 | ||
41 | This sets the supported signature algorithms for TLS v1.2. For clients this | |
42 | value is used directly for the supported signature algorithms extension. For | |
43 | servers it is used to determine which signature algorithms to support. | |
44 | ||
45 | The B<value> argument should be a colon separated list of signature algorithms | |
46 | in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> | |
47 | is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm | |
48 | OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. | |
49 | Note: algorithm and hash names are case sensitive. | |
50 | ||
51 | If this option is not set then all signature algorithms supported by the | |
52 | OpenSSL library are permissible. | |
53 | ||
54 | =item B<-client_sigalgs> | |
55 | ||
56 | This sets the supported signature algorithms associated with client | |
57 | authentication for TLS v1.2. For servers the value is used in the supported | |
58 | signature algorithms field of a certificate request. For clients it is | |
59 | used to determine which signature algorithm to with the client certificate. | |
60 | If a server does not request a certificate this option has no effect. | |
61 | ||
62 | The syntax of B<value> is identical to B<-sigalgs>. If not set then | |
63 | the value set for B<-sigalgs> will be used instead. | |
64 | ||
65 | =item B<-curves> | |
66 | ||
65f2a565 DSH |
67 | This sets the supported elliptic curves. For clients the curves are |
68 | sent using the supported curves extension. For servers it is used | |
13cfb043 DSH |
69 | to determine which curve to use. This setting affects curves used for both |
70 | signatures and key exchange, if applicable. | |
71 | ||
72 | The B<value> argument is a colon separated list of curves. The curve can be | |
73 | either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g | |
74 | B<prime256v1>). Curve names are case sensitive. | |
75 | ||
76 | =item B<-named_curve> | |
77 | ||
7946ab33 | 78 | This sets the temporary curve used for ephemeral ECDH modes. Only used by |
13cfb043 DSH |
79 | servers |
80 | ||
81 | The B<value> argument is a curve name or the special value B<auto> which | |
82 | picks an appropriate curve based on client and server preferences. The curve | |
83 | can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name | |
84 | (e.g B<prime256v1>). Curve names are case sensitive. | |
85 | ||
86 | =item B<-cipher> | |
87 | ||
88 | Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is | |
7946ab33 | 89 | currently not performed unless a B<SSL> or B<SSL_CTX> structure is |
13cfb043 DSH |
90 | associated with B<cctx>. |
91 | ||
ec2f7e56 DSH |
92 | =item B<-cert> |
93 | ||
94 | Attempts to use the file B<value> as the certificate for the appropriate | |
fc1d88f0 RS |
95 | context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> |
96 | structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> | |
ec2f7e56 DSH |
97 | structure is set. This option is only supported if certificate operations |
98 | are permitted. | |
99 | ||
100 | =item B<-key> | |
101 | ||
102 | Attempts to use the file B<value> as the private key for the appropriate | |
103 | context. This option is only supported if certificate operations | |
104 | are permitted. Note: if no B<-key> option is set then a private key is | |
2011b169 | 105 | not loaded unless the flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. |
ec2f7e56 | 106 | |
c557f921 DSH |
107 | =item B<-dhparam> |
108 | ||
109 | Attempts to use the file B<value> as the set of temporary DH parameters for | |
110 | the appropriate context. This option is only supported if certificate | |
111 | operations are permitted. | |
112 | ||
c649d10d TS |
113 | =item B<-record_padding> |
114 | ||
115 | Attempts to pad TLS 1.3 records so that they are a multiple of B<value> in | |
116 | length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the | |
117 | B<value> must be >1 or <=16384. | |
118 | ||
7946ab33 KR |
119 | =item B<-min_protocol>, B<-max_protocol> |
120 | ||
121 | Sets the minimum and maximum supported protocol. | |
57ce7b61 | 122 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, |
869e978c KR |
123 | B<TLSv1.1>, B<TLSv1.2> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, |
124 | and B<None> for no limit. | |
57ce7b61 VD |
125 | If the either bound is not specified then only the other bound applies, |
126 | if specified. | |
127 | To restrict the supported protocol versions use these commands rather | |
128 | than the deprecated alternative commands below. | |
7946ab33 | 129 | |
582a17d6 | 130 | =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> |
13cfb043 | 131 | |
582a17d6 MC |
132 | Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by |
133 | setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, | |
134 | B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> | |
135 | respectively. These options are deprecated, instead use B<-min_protocol> and | |
136 | B<-max_protocol>. | |
13cfb043 DSH |
137 | |
138 | =item B<-bugs> | |
139 | ||
140 | Various bug workarounds are set, same as setting B<SSL_OP_ALL>. | |
141 | ||
dc5744cb | 142 | =item B<-comp> |
13cfb043 | 143 | |
cc5a9ba4 VD |
144 | Enables support for SSL/TLS compression, same as clearing |
145 | B<SSL_OP_NO_COMPRESSION>. | |
146 | This command was introduced in OpenSSL 1.1.0. | |
147 | As of OpenSSL 1.1.0, compression is off by default. | |
148 | ||
149 | =item B<-no_comp> | |
150 | ||
151 | Disables support for SSL/TLS compression, same as setting | |
152 | B<SSL_OP_NO_COMPRESSION>. | |
153 | As of OpenSSL 1.1.0, compression is off by default. | |
13cfb043 DSH |
154 | |
155 | =item B<-no_ticket> | |
156 | ||
157 | Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. | |
158 | ||
159 | =item B<-serverpref> | |
160 | ||
161 | Use server and not client preference order when determining which cipher suite, | |
162 | signature algorithm or elliptic curve to use for an incoming connection. | |
163 | Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
164 | ||
f0ef019d DSH |
165 | =item B<-no_resumption_on_reneg> |
166 | ||
167 | set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. | |
168 | ||
13cfb043 DSH |
169 | =item B<-legacyrenegotiation> |
170 | ||
171 | permits the use of unsafe legacy renegotiation. Equivalent to setting | |
172 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. | |
173 | ||
174 | =item B<-legacy_server_connect>, B<-no_legacy_server_connect> | |
175 | ||
176 | permits or prohibits the use of unsafe legacy renegotiation for OpenSSL | |
177 | clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. | |
178 | Set by default. | |
179 | ||
180 | =item B<-strict> | |
181 | ||
182 | enables strict mode protocol handling. Equivalent to setting | |
183 | B<SSL_CERT_FLAG_TLS_STRICT>. | |
184 | ||
13cfb043 | 185 | =back |
3db935a9 DSH |
186 | |
187 | =head1 SUPPORTED CONFIGURATION FILE COMMANDS | |
188 | ||
189 | Currently supported B<cmd> names for configuration files (i.e. when the | |
190 | flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file | |
854dfcd8 | 191 | B<cmd> names are case insensitive so B<signaturealgorithms> is recognised |
c7b7984a | 192 | as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names |
3db935a9 DSH |
193 | are also case insensitive. |
194 | ||
195 | Note: the command prefix (if set) alters the recognised B<cmd> values. | |
196 | ||
197 | =over 4 | |
198 | ||
65f2a565 | 199 | =item B<CipherString> |
3db935a9 DSH |
200 | |
201 | Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is | |
7946ab33 | 202 | currently not performed unless an B<SSL> or B<SSL_CTX> structure is |
3db935a9 DSH |
203 | associated with B<cctx>. |
204 | ||
ec2f7e56 DSH |
205 | =item B<Certificate> |
206 | ||
207 | Attempts to use the file B<value> as the certificate for the appropriate | |
fc1d88f0 RS |
208 | context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> |
209 | structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> | |
ec2f7e56 DSH |
210 | structure is set. This option is only supported if certificate operations |
211 | are permitted. | |
212 | ||
213 | =item B<PrivateKey> | |
214 | ||
215 | Attempts to use the file B<value> as the private key for the appropriate | |
216 | context. This option is only supported if certificate operations | |
2011b169 DSH |
217 | are permitted. Note: if no B<PrivateKey> option is set then a private key is |
218 | not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. | |
ec2f7e56 | 219 | |
429261d0 DSH |
220 | =item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath> |
221 | ||
222 | These options indicate a file or directory used for building certificate | |
223 | chains or verifying certificate chains. These options are only supported | |
224 | if certificate operations are permitted. | |
225 | ||
5a185729 DSH |
226 | =item B<RequestCAFile> |
227 | ||
228 | This option indicates a file containing a set of certificates in PEM form. | |
229 | The subject names of the certificates are sent to the peer in the | |
230 | B<certificate_authorities> extension for TLS 1.3 (in ClientHello or | |
231 | CertificateRequest) or in a certificate request for previous versions or | |
232 | TLS. | |
233 | ||
5b7f36e8 DSH |
234 | =item B<ServerInfoFile> |
235 | ||
236 | Attempts to use the file B<value> in the "serverinfo" extension using the | |
237 | function SSL_CTX_use_serverinfo_file. | |
238 | ||
c557f921 DSH |
239 | =item B<DHParameters> |
240 | ||
241 | Attempts to use the file B<value> as the set of temporary DH parameters for | |
242 | the appropriate context. This option is only supported if certificate | |
243 | operations are permitted. | |
244 | ||
c649d10d TS |
245 | =item B<RecordPadding> |
246 | ||
247 | Attempts to pad TLS 1.3 records so that they are a multiple of B<value> in | |
248 | length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the | |
249 | B<value> must be >1 or <=16384. | |
250 | ||
3db935a9 DSH |
251 | =item B<SignatureAlgorithms> |
252 | ||
253 | This sets the supported signature algorithms for TLS v1.2. For clients this | |
254 | value is used directly for the supported signature algorithms extension. For | |
255 | servers it is used to determine which signature algorithms to support. | |
256 | ||
257 | The B<value> argument should be a colon separated list of signature algorithms | |
258 | in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> | |
259 | is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm | |
260 | OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. | |
261 | Note: algorithm and hash names are case sensitive. | |
262 | ||
263 | If this option is not set then all signature algorithms supported by the | |
264 | OpenSSL library are permissible. | |
265 | ||
266 | =item B<ClientSignatureAlgorithms> | |
267 | ||
268 | This sets the supported signature algorithms associated with client | |
269 | authentication for TLS v1.2. For servers the value is used in the supported | |
270 | signature algorithms field of a certificate request. For clients it is | |
c7b7984a | 271 | used to determine which signature algorithm to with the client certificate. |
3db935a9 DSH |
272 | |
273 | The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then | |
274 | the value set for B<SignatureAlgorithms> will be used instead. | |
275 | ||
276 | =item B<Curves> | |
277 | ||
65f2a565 DSH |
278 | This sets the supported elliptic curves. For clients the curves are |
279 | sent using the supported curves extension. For servers it is used | |
c7b7984a DSH |
280 | to determine which curve to use. This setting affects curves used for both |
281 | signatures and key exchange, if applicable. | |
3db935a9 DSH |
282 | |
283 | The B<value> argument is a colon separated list of curves. The curve can be | |
284 | either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g | |
285 | B<prime256v1>). Curve names are case sensitive. | |
286 | ||
7946ab33 KR |
287 | =item B<MinProtocol> |
288 | ||
289 | This sets the minimum supported SSL, TLS or DTLS version. | |
290 | ||
57ce7b61 VD |
291 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
292 | B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. | |
869e978c | 293 | The value B<None> will disable the limit. |
7946ab33 KR |
294 | |
295 | =item B<MaxProtocol> | |
296 | ||
297 | This sets the maximum supported SSL, TLS or DTLS version. | |
298 | ||
57ce7b61 VD |
299 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
300 | B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. | |
869e978c | 301 | The value B<None> will disable the limit. |
7946ab33 | 302 | |
3db935a9 DSH |
303 | =item B<Protocol> |
304 | ||
57ce7b61 VD |
305 | This can be used to enable or disable certain versions of the SSL, |
306 | TLS or DTLS protocol. | |
7946ab33 | 307 | |
57ce7b61 VD |
308 | The B<value> argument is a comma separated list of supported protocols |
309 | to enable or disable. | |
7946ab33 KR |
310 | If a protocol is preceded by B<-> that version is disabled. |
311 | ||
312 | All protocol versions are enabled by default. | |
57ce7b61 VD |
313 | You need to disable at least one protocol version for this setting have any |
314 | effect. | |
315 | Only enabling some protocol versions does not disable the other protocol | |
316 | versions. | |
7946ab33 | 317 | |
57ce7b61 VD |
318 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
319 | B<TLSv1.2>, B<DTLSv1> and B<DTLSv1.2>. | |
7946ab33 | 320 | The special value B<ALL> refers to all supported versions. |
3db935a9 | 321 | |
57ce7b61 VD |
322 | This can't enable protocols that are disabled using B<MinProtocol> |
323 | or B<MaxProtocol>, but can disable protocols that are still allowed | |
324 | by them. | |
7946ab33 KR |
325 | |
326 | The B<Protocol> command is fragile and deprecated; do not use it. | |
327 | Use B<MinProtocol> and B<MaxProtocol> instead. | |
57ce7b61 VD |
328 | If you do use B<Protocol>, make sure that the resulting range of enabled |
329 | protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make | |
330 | sure to also leave TLS 1.1 enabled. | |
3db935a9 DSH |
331 | |
332 | =item B<Options> | |
333 | ||
334 | The B<value> argument is a comma separated list of various flags to set. | |
8106cb8b VD |
335 | If a flag string is preceded B<-> it is disabled. |
336 | See the L<SSL_CTX_set_options(3)> function for more details of | |
337 | individual options. | |
3db935a9 DSH |
338 | |
339 | Each option is listed below. Where an operation is enabled by default | |
340 | the B<-flag> syntax is needed to disable it. | |
341 | ||
342 | B<SessionTicket>: session ticket support, enabled by default. Inverse of | |
343 | B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting | |
344 | B<SSL_OP_NO_TICKET>. | |
345 | ||
346 | B<Compression>: SSL/TLS compression support, enabled by default. Inverse | |
347 | of B<SSL_OP_NO_COMPRESSION>. | |
348 | ||
349 | B<EmptyFragments>: use empty fragments as a countermeasure against a | |
350 | SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It | |
351 | is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. | |
352 | ||
c7b7984a | 353 | B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. |
3db935a9 | 354 | |
c7b7984a | 355 | B<DHSingle>: enable single use DH keys, set by default. Inverse of |
3db935a9 DSH |
356 | B<SSL_OP_DH_SINGLE>. Only used by servers. |
357 | ||
358 | B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of | |
359 | B<SSL_OP_ECDH_SINGLE>. Only used by servers. | |
360 | ||
361 | B<ServerPreference> use server and not client preference order when | |
362 | determining which cipher suite, signature algorithm or elliptic curve | |
363 | to use for an incoming connection. Equivalent to | |
364 | B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
365 | ||
f0ef019d DSH |
366 | B<NoResumptionOnRenegotiation> set |
367 | B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. | |
368 | ||
3db935a9 DSH |
369 | B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation. |
370 | Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. | |
371 | ||
372 | B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation | |
373 | for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. | |
374 | Set by default. | |
375 | ||
b3618f44 EK |
376 | B<EncryptThenMac>: use encrypt-then-mac extension, enabled by |
377 | default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is, | |
378 | B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>. | |
379 | ||
429261d0 DSH |
380 | =item B<VerifyMode> |
381 | ||
382 | The B<value> argument is a comma separated list of flags to set. | |
383 | ||
384 | B<Peer> enables peer verification: for clients only. | |
385 | ||
386 | B<Request> requests but does not require a certificate from the client. | |
387 | Servers only. | |
388 | ||
389 | B<Require> requests and requires a certificate from the client: an error | |
390 | occurs if the client does not present a certificate. Servers only. | |
391 | ||
392 | B<Once> requests a certificate from a client only on the initial connection: | |
393 | not when renegotiating. Servers only. | |
394 | ||
395 | =item B<ClientCAFile>, B<ClientCAPath> | |
396 | ||
397 | A file or directory of certificates in PEM format whose names are used as the | |
398 | set of acceptable names for client CAs. Servers only. This option is only | |
399 | supported if certificate operations are permitted. | |
400 | ||
3db935a9 DSH |
401 | =back |
402 | ||
ec2f7e56 DSH |
403 | =head1 SUPPORTED COMMAND TYPES |
404 | ||
405 | The function SSL_CONF_cmd_value_type() currently returns one of the following | |
406 | types: | |
407 | ||
408 | =over 4 | |
409 | ||
410 | =item B<SSL_CONF_TYPE_UNKNOWN> | |
411 | ||
412 | The B<cmd> string is unrecognised, this return value can be use to flag | |
413 | syntax errors. | |
414 | ||
415 | =item B<SSL_CONF_TYPE_STRING> | |
416 | ||
417 | The value is a string without any specific structure. | |
418 | ||
419 | =item B<SSL_CONF_TYPE_FILE> | |
420 | ||
421 | The value is a file name. | |
422 | ||
423 | =item B<SSL_CONF_TYPE_DIR> | |
424 | ||
425 | The value is a directory name. | |
426 | ||
656b2605 DSH |
427 | =item B<SSL_CONF_TYPE_NONE> |
428 | ||
429 | The value string is not used e.g. a command line option which doesn't take an | |
430 | argument. | |
431 | ||
fa9d77dc CR |
432 | =back |
433 | ||
3db935a9 DSH |
434 | =head1 NOTES |
435 | ||
436 | The order of operations is significant. This can be used to set either defaults | |
437 | or values which cannot be overridden. For example if an application calls: | |
438 | ||
87d9cafa | 439 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); |
3db935a9 DSH |
440 | SSL_CONF_cmd(ctx, userparam, uservalue); |
441 | ||
87d9cafa | 442 | it will disable SSLv3 support by default but the user can override it. If |
3db935a9 DSH |
443 | however the call sequence is: |
444 | ||
445 | SSL_CONF_cmd(ctx, userparam, uservalue); | |
87d9cafa | 446 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); |
3db935a9 | 447 | |
87d9cafa | 448 | SSLv3 is B<always> disabled and attempt to override this by the user are |
3db935a9 DSH |
449 | ignored. |
450 | ||
f5f85f75 JS |
451 | By checking the return code of SSL_CONF_cmd() it is possible to query if a |
452 | given B<cmd> is recognised, this is useful is SSL_CONF_cmd() values are | |
3db935a9 DSH |
453 | mixed with additional application specific operations. |
454 | ||
f5f85f75 | 455 | For example an application might call SSL_CONF_cmd() and if it returns |
3db935a9 DSH |
456 | -2 (unrecognised command) continue with processing of application specific |
457 | commands. | |
458 | ||
f5f85f75 JS |
459 | Applications can also use SSL_CONF_cmd() to process command lines though the |
460 | utility function SSL_CONF_cmd_argv() is normally used instead. One way | |
821244cf DSH |
461 | to do this is to set the prefix to an appropriate value using |
462 | SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the | |
463 | following argument to B<value> (which may be NULL). | |
3db935a9 DSH |
464 | |
465 | In this case if the return value is positive then it is used to skip that | |
f5f85f75 | 466 | number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is |
3db935a9 DSH |
467 | returned then B<cmd> is not recognised and application specific arguments |
468 | can be checked instead. If -3 is returned a required argument is missing | |
469 | and an error is indicated. If 0 is returned some other error occurred and | |
470 | this can be reported back to the user. | |
471 | ||
7946ab33 | 472 | The function SSL_CONF_cmd_value_type() can be used by applications to |
ec2f7e56 DSH |
473 | check for the existence of a command or to perform additional syntax |
474 | checking or translation of the command value. For example if the return | |
475 | value is B<SSL_CONF_TYPE_FILE> an application could translate a relative | |
476 | pathname to an absolute pathname. | |
477 | ||
3db935a9 DSH |
478 | =head1 EXAMPLES |
479 | ||
480 | Set supported signature algorithms: | |
481 | ||
482 | SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); | |
483 | ||
24c2cd39 | 484 | There are various ways to select the supported protocols. |
7946ab33 KR |
485 | |
486 | This set the minimum protocol version to TLSv1, and so disables SSLv3. | |
487 | This is the recommended way to disable protocols. | |
488 | ||
489 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1"); | |
490 | ||
491 | The following also disables SSLv3: | |
492 | ||
493 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); | |
494 | ||
57ce7b61 VD |
495 | The following will first enable all protocols, and then disable |
496 | SSLv3. | |
497 | If no protocol versions were disabled before this has the same effect as | |
498 | "-SSLv3", but if some versions were disables this will re-enable them before | |
499 | disabling SSLv3. | |
3db935a9 | 500 | |
87d9cafa | 501 | SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); |
3db935a9 DSH |
502 | |
503 | Only enable TLSv1.2: | |
504 | ||
7946ab33 KR |
505 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2"); |
506 | SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2"); | |
507 | ||
508 | This also only enables TLSv1.2: | |
509 | ||
3db935a9 DSH |
510 | SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); |
511 | ||
512 | Disable TLS session tickets: | |
513 | ||
514 | SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); | |
515 | ||
dc5744cb EK |
516 | Enable compression: |
517 | ||
518 | SSL_CONF_cmd(ctx, "Options", "Compression"); | |
519 | ||
3db935a9 DSH |
520 | Set supported curves to P-256, P-384: |
521 | ||
522 | SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); | |
523 | ||
524 | Set automatic support for any elliptic curve for key exchange: | |
525 | ||
526 | SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); | |
527 | ||
528 | =head1 RETURN VALUES | |
529 | ||
4365e4aa | 530 | SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is |
3db935a9 DSH |
531 | B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it |
532 | returns the number of arguments processed. This is useful when processing | |
533 | command lines. | |
534 | ||
535 | A return value of -2 means B<cmd> is not recognised. | |
536 | ||
537 | A return value of -3 means B<cmd> is recognised and the command requires a | |
538 | value but B<value> is NULL. | |
539 | ||
540 | A return code of 0 indicates that both B<cmd> and B<value> are valid but an | |
541 | error occurred attempting to perform the operation: for example due to an | |
542 | error in the syntax of B<value> in this case the error queue may provide | |
543 | additional information. | |
544 | ||
ec2f7e56 DSH |
545 | SSL_CONF_finish() returns 1 for success and 0 for failure. |
546 | ||
3db935a9 DSH |
547 | =head1 SEE ALSO |
548 | ||
9b86974e RS |
549 | L<SSL_CONF_CTX_new(3)>, |
550 | L<SSL_CONF_CTX_set_flags(3)>, | |
551 | L<SSL_CONF_CTX_set1_prefix(3)>, | |
552 | L<SSL_CONF_CTX_set_ssl_ctx(3)>, | |
8106cb8b VD |
553 | L<SSL_CONF_cmd_argv(3)>, |
554 | L<SSL_CTX_set_options(3)> | |
3db935a9 DSH |
555 | |
556 | =head1 HISTORY | |
557 | ||
4365e4aa | 558 | SSL_CONF_cmd() was first added to OpenSSL 1.0.2 |
3db935a9 | 559 | |
57ce7b61 VD |
560 | B<SSL_OP_NO_SSL2> doesn't have effect since 1.1.0, but the macro is retained |
561 | for backwards compatibility. | |
45f55f6a | 562 | |
656b2605 DSH |
563 | B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of |
564 | OpenSSL passing a command which didn't take an argument would return | |
565 | B<SSL_CONF_TYPE_UNKNOWN>. | |
566 | ||
7946ab33 KR |
567 | B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0. |
568 | ||
e2f92610 RS |
569 | =head1 COPYRIGHT |
570 | ||
571 | Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. | |
572 | ||
573 | Licensed under the OpenSSL license (the "License"). You may not use | |
574 | this file except in compliance with the License. You can obtain a copy | |
575 | in the file LICENSE in the source distribution or at | |
576 | L<https://www.openssl.org/source/license.html>. | |
577 | ||
578 | =cut |