[thirdparty/openssl.git] / doc / man3 / SSL_CTX_set_options.pod

=pod

=head1 NAME

SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options,
SSL_clear_options, SSL_CTX_get_options, SSL_get_options,
SSL_get_secure_renegotiation_support - manipulate SSL options

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 long SSL_CTX_set_options(SSL_CTX *ctx, long options);
 long SSL_set_options(SSL *ssl, long options);

 long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
 long SSL_clear_options(SSL *ssl, long options);

 long SSL_CTX_get_options(SSL_CTX *ctx);
 long SSL_get_options(SSL *ssl);

 long SSL_get_secure_renegotiation_support(SSL *ssl);

=head1 DESCRIPTION

SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared!

SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
Options already set before are not cleared!

SSL_CTX_clear_options() clears the options set via bitmask in B<options>
to B<ctx>.

SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.

SSL_CTX_get_options() returns the options set for B<ctx>.

SSL_get_options() returns the options set for B<ssl>.

SSL_get_secure_renegotiation_support() indicates whether the peer supports
secure renegotiation.
Note, this is implemented via a macro.

=head1 NOTES

The behaviour of the SSL library can be changed by setting several options.
The options are coded as bitmasks and can be combined by a bitwise B<or>
operation (|).

SSL_CTX_set_options() and SSL_set_options() affect the (external)
protocol behaviour of the SSL library. The (internal) behaviour of
the API can be changed by using the similar
L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions.

During a handshake, the option settings of the SSL object are used. When
a new SSL object is created from a context using SSL_new(), the current
option setting is copied. Changes to B<ctx> do not affect already created
SSL objects. SSL_clear() does not affect the settings.

The following B<bug workaround> options are available:

=over 4

=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG

Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.

=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
vulnerability affecting CBC ciphers, which cannot be handled by some
broken SSL implementations.  This option has no effect for connections
using other ciphers.

=item SSL_OP_TLSEXT_PADDING

Adds a padding extension to ensure the ClientHello size is never between
256 and 511 bytes in length. This is needed as a workaround for some
implementations.

=item SSL_OP_ALL

All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
mentioned below.

=back

It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround
options if compatibility with somewhat broken implementations is
desired.

The following B<modifying> options are available:

=over 4

=item SSL_OP_TLS_ROLLBACK_BUG

Disable version rollback attack detection.

During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)

=item SSL_OP_CIPHER_SERVER_PREFERENCE

When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSL/TLS server will choose following its
own preferences.

=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2

These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
respectively.
As of OpenSSL 1.1.0, these options are deprecated, use
L<SSL_CTX_set_min_proto_version(3)> and
L<SSL_CTX_set_max_proto_version(3)> instead.

=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
handshake). This option is not needed for clients.

=item SSL_OP_NO_COMPRESSION

Do not use compression even if it is supported.

=item SSL_OP_NO_QUERY_MTU

Do not query the MTU. Only affects DTLS connections.

=item SSL_OP_COOKIE_EXCHANGE

Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
DTLS connections.

=item SSL_OP_NO_TICKET

Normally clients and servers will, where possible, transparently make use
of RFC4507bis tickets for stateless session resumption.

If this option is set this functionality is disabled and tickets will
not be used by clients or servers.

=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
servers. See the B<SECURE RENEGOTIATION> section for more details.

=item SSL_OP_LEGACY_SERVER_CONNECT

Allow legacy insecure renegotiation between OpenSSL and unpatched servers
B<only>: this option is currently set by default. See the
B<SECURE RENEGOTIATION> section for more details.

=item SSL_OP_NO_ENCRYPT_THEN_MAC

Normally clients and servers will transparently attempt to negotiate the
RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.

If this option is set, Encrypt-then-MAC is disabled. Clients will not
propose, and servers will not accept the extension.

=item SSL_OP_NO_RENEGOTIATION

Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
messages, and ignore renegotiation requests via ClientHello.

=back

The following options no longer have any effect but their identifiers are
retained for compatibility purposes:

=over 4

=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG

=item SSL_OP_TLS_D5_BUG

=item SSL_OP_TLS_BLOCK_PADDING_BUG

=item SSL_OP_MSIE_SSLV2_RSA_PADDING

=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG

=item SSL_OP_MICROSOFT_SESS_ID_BUG

=item SSL_OP_NETSCAPE_CHALLENGE_BUG

=item SSL_OP_PKCS1_CHECK_1

=item SSL_OP_PKCS1_CHECK_2

=item SSL_OP_SINGLE_DH_USE

=item SSL_OP_SINGLE_ECDH_USE

=item SSL_OP_EPHEMERAL_RSA

=back

=head1 SECURE RENEGOTIATION

OpenSSL always attempts to use secure renegotiation as
described in RFC5746. This counters the prefix attack described in
CVE-2009-3555 and elsewhere.

This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure
renegotiation is referred to as I<patched>. A server not supporting secure
renegotiation is referred to as I<unpatched>.

The following sections describe the operations permitted by OpenSSL's secure
renegotiation implementation.

=head2 Patched client and server

Connections and renegotiation are always permitted by OpenSSL implementations.

=head2 Unpatched client and patched OpenSSL server

The initial connection succeeds but client renegotiation is denied by the
server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
B<handshake_failure> alert in SSL v3.0.

If the patched OpenSSL server attempts to renegotiate a fatal
B<handshake_failure> alert is sent. This is because the server code may be
unaware of the unpatched nature of the client.

If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
renegotiation B<always> succeeds.

=head2 Patched OpenSSL client and unpatched server.

If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.

The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
though it has security implications: otherwise it would be impossible to
connect to unpatched servers (i.e. all of them initially) and this is clearly
not acceptable. Renegotiation is permitted because this does not add any
additional security issues: during an attack clients do not see any
renegotiations anyway.

As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
B<not> be set by default in a future version of OpenSSL.

OpenSSL client applications wishing to ensure they can connect to unpatched
servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>

OpenSSL client applications that want to ensure they can B<not> connect to
unpatched servers (and thus avoid any security issues) should always B<clear>
B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
SSL_clear_options().

The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
renegotiation between OpenSSL clients and unpatched servers B<only>, while
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
and renegotiation between OpenSSL and unpatched clients or servers.

=head1 RETURN VALUES

SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
after adding B<options>.

SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
after clearing B<options>.

SSL_CTX_get_options() and SSL_get_options() return the current bitmask.

SSL_get_secure_renegotiation_support() returns 1 is the peer supports
secure renegotiation and 0 if it does not.

=head1 SEE ALSO

L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_CTX_set_min_proto_version(3)>,
L<dhparam(1)>

=head1 HISTORY

The attempt to always try to use secure renegotiation was added in
Openssl 0.9.8m.

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
7b9cb4a2 LJ	1	=pod
	2
	3	=head1 NAME
	4
57ce7b61 VD	5	SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options,
	6	SSL_clear_options, SSL_CTX_get_options, SSL_get_options,
	7	SSL_get_secure_renegotiation_support - manipulate SSL options
7b9cb4a2 LJ	8
	9	=head1 SYNOPSIS
	10
	11	#include <openssl/ssl.h>
	12
	13	long SSL_CTX_set_options(SSL_CTX *ctx, long options);
	14	long SSL_set_options(SSL *ssl, long options);
	15
4db82571 DSH	16	long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
	17	long SSL_clear_options(SSL *ssl, long options);
	18
7b9cb4a2 LJ	19	long SSL_CTX_get_options(SSL_CTX *ctx);
	20	long SSL_get_options(SSL *ssl);
	21
4db82571 DSH	22	long SSL_get_secure_renegotiation_support(SSL *ssl);
4db82571 DSH	23
7b9cb4a2 LJ	24	=head1 DESCRIPTION
	25
	26	SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
37f599bc	27	Options already set before are not cleared!
7b9cb4a2 LJ	28
7b9cb4a2 LJ	29	SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
37f599bc	30	Options already set before are not cleared!
7b9cb4a2	31
4db82571 DSH	32	SSL_CTX_clear_options() clears the options set via bitmask in B<options>
	33	to B<ctx>.
	34
	35	SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
	36
7b9cb4a2 LJ	37	SSL_CTX_get_options() returns the options set for B<ctx>.
	38
	39	SSL_get_options() returns the options set for B<ssl>.
	40
4db82571 DSH	41	SSL_get_secure_renegotiation_support() indicates whether the peer supports
4db82571 DSH	42	secure renegotiation.
8106cb8b	43	Note, this is implemented via a macro.
4db82571	44
7b9cb4a2 LJ	45	=head1 NOTES
	46
	47	The behaviour of the SSL library can be changed by setting several options.
762a44de	48	The options are coded as bitmasks and can be combined by a bitwise B<or>
4db82571	49	operation (\|).
7b9cb4a2	50
37f599bc LJ	51	SSL_CTX_set_options() and SSL_set_options() affect the (external)
	52	protocol behaviour of the SSL library. The (internal) behaviour of
	53	the API can be changed by using the similar
9b86974e	54	L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions.
37f599bc LJ	55
37f599bc LJ	56	During a handshake, the option settings of the SSL object are used. When
7b9cb4a2 LJ	57	a new SSL object is created from a context using SSL_new(), the current
	58	option setting is copied. Changes to B<ctx> do not affect already created
	59	SSL objects. SSL_clear() does not affect the settings.
	60
	61	The following B<bug workaround> options are available:
	62
	63	=over 4
	64
dece3209	65	=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
7b9cb4a2	66
dece3209 RS	67	Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
dece3209 RS	68	OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
7b9cb4a2	69
c21506ba BM	70	=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
	71
	72	Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
	73	vulnerability affecting CBC ciphers, which cannot be handled by some
	74	broken SSL implementations. This option has no effect for connections
	75	using other ciphers.
	76
01f2f18f DSH	77	=item SSL_OP_TLSEXT_PADDING
	78
	79	Adds a padding extension to ensure the ClientHello size is never between
	80	256 and 511 bytes in length. This is needed as a workaround for some
	81	implementations.
	82
7b9cb4a2 LJ	83	=item SSL_OP_ALL
7b9cb4a2 LJ	84
edb79c3a JS	85	All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
edb79c3a JS	86	mentioned below.
7b9cb4a2 LJ	87
	88	=back
	89
c21506ba BM	90	It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround
	91	options if compatibility with somewhat broken implementations is
	92	desired.
7b9cb4a2 LJ	93
	94	The following B<modifying> options are available:
	95
	96	=over 4
	97
06da6e49 LJ	98	=item SSL_OP_TLS_ROLLBACK_BUG
	99
	100	Disable version rollback attack detection.
	101
	102	During the client key exchange, the client must send the same information
	103	about acceptable SSL/TLS protocol levels as during the first hello. Some
	104	clients violate this rule by adapting to the server's answer. (Example:
	105	the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
	106	only understands up to SSLv3. In this case the client must still use the
	107	same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
	108	to the server's answer and violate the version rollback protection.)
	109
1b65ce7d LJ	110	=item SSL_OP_CIPHER_SERVER_PREFERENCE
	111
	112	When choosing a cipher, use the server's preferences instead of the client
	113	preferences. When not set, the SSL server will always follow the clients
87d9cafa MC	114	preferences. When set, the SSL/TLS server will choose following its
87d9cafa MC	115	own preferences.
1b65ce7d	116
57ce7b61	117	=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
582a17d6	118	SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
7b9cb4a2	119
582a17d6	120	These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
57ce7b61 VD	121	versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
	122	respectively.
	123	As of OpenSSL 1.1.0, these options are deprecated, use
	124	L<SSL_CTX_set_min_proto_version(3)> and
	125	L<SSL_CTX_set_max_proto_version(3)> instead.
7b9cb4a2	126
51008ffc BM	127	=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
	128
	129	When performing renegotiation as a server, always start a new session
	130	(i.e., session resumption requests are only accepted in the initial
4db82571	131	handshake). This option is not needed for clients.
51008ffc	132
edb79c3a JS	133	=item SSL_OP_NO_COMPRESSION
	134
	135	Do not use compression even if it is supported.
	136
	137	=item SSL_OP_NO_QUERY_MTU
	138
	139	Do not query the MTU. Only affects DTLS connections.
	140
	141	=item SSL_OP_COOKIE_EXCHANGE
	142
	143	Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
	144	DTLS connections.
	145
f3fef74b DSH	146	=item SSL_OP_NO_TICKET
	147
	148	Normally clients and servers will, where possible, transparently make use
	149	of RFC4507bis tickets for stateless session resumption.
	150
	151	If this option is set this functionality is disabled and tickets will
	152	not be used by clients or servers.
	153
69582a59	154	=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
4db82571	155
69582a59 DSH	156	Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
	157	servers. See the B<SECURE RENEGOTIATION> section for more details.
	158
	159	=item SSL_OP_LEGACY_SERVER_CONNECT
	160
	161	Allow legacy insecure renegotiation between OpenSSL and unpatched servers
	162	B<only>: this option is currently set by default. See the
	163	B<SECURE RENEGOTIATION> section for more details.
4db82571	164
cde6145b DW	165	=item SSL_OP_NO_ENCRYPT_THEN_MAC
	166
	167	Normally clients and servers will transparently attempt to negotiate the
	168	RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
	169
	170	If this option is set, Encrypt-then-MAC is disabled. Clients will not
	171	propose, and servers will not accept the extension.
	172
db0f35dd TS	173	=item SSL_OP_NO_RENEGOTIATION
	174
	175	Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
	176	messages, and ignore renegotiation requests via ClientHello.
	177
7b9cb4a2 LJ	178	=back
7b9cb4a2 LJ	179
edb79c3a JS	180	The following options no longer have any effect but their identifiers are
	181	retained for compatibility purposes:
	182
	183	=over 4
	184
	185	=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
	186
	187	=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
	188
	189	=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
	190
	191	=item SSL_OP_TLS_D5_BUG
	192
	193	=item SSL_OP_TLS_BLOCK_PADDING_BUG
	194
	195	=item SSL_OP_MSIE_SSLV2_RSA_PADDING
	196
	197	=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
	198
	199	=item SSL_OP_MICROSOFT_SESS_ID_BUG
	200
	201	=item SSL_OP_NETSCAPE_CHALLENGE_BUG
	202
	203	=item SSL_OP_PKCS1_CHECK_1
	204
	205	=item SSL_OP_PKCS1_CHECK_2
	206
	207	=item SSL_OP_SINGLE_DH_USE
	208
	209	=item SSL_OP_SINGLE_ECDH_USE
	210
	211	=item SSL_OP_EPHEMERAL_RSA
	212
	213	=back
	214
4db82571 DSH	215	=head1 SECURE RENEGOTIATION
4db82571 DSH	216
a528d4f0	217	OpenSSL always attempts to use secure renegotiation as
f9595988 DSH	218	described in RFC5746. This counters the prefix attack described in
f9595988 DSH	219	CVE-2009-3555 and elsewhere.
4db82571 DSH	220
	221	This attack has far reaching consequences which application writers should be
	222	aware of. In the description below an implementation supporting secure
	223	renegotiation is referred to as I<patched>. A server not supporting secure
	224	renegotiation is referred to as I<unpatched>.
	225
9fb6fd34 DSH	226	The following sections describe the operations permitted by OpenSSL's secure
	227	renegotiation implementation.
	228
99b36a8c	229	=head2 Patched client and server
4db82571	230
9fb6fd34	231	Connections and renegotiation are always permitted by OpenSSL implementations.
4db82571	232
9fb6fd34	233	=head2 Unpatched client and patched OpenSSL server
b5c002d5	234
fc1d88f0	235	The initial connection succeeds but client renegotiation is denied by the
9fb6fd34	236	server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
99b36a8c DSH	237	B<handshake_failure> alert in SSL v3.0.
99b36a8c DSH	238
9fb6fd34 DSH	239	If the patched OpenSSL server attempts to renegotiate a fatal
	240	B<handshake_failure> alert is sent. This is because the server code may be
	241	unaware of the unpatched nature of the client.
99b36a8c DSH	242
	243	If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
	244	renegotiation B<always> succeeds.
	245
9fb6fd34	246	=head2 Patched OpenSSL client and unpatched server.
99b36a8c	247
69582a59 DSH	248	If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
69582a59 DSH	249	B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
c2c49969	250	and renegotiation between patched OpenSSL clients and unpatched servers
69582a59 DSH	251	succeeds. If neither option is set then initial connections to unpatched
69582a59 DSH	252	servers will fail.
c2c49969	253
69582a59 DSH	254	The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
	255	though it has security implications: otherwise it would be impossible to
	256	connect to unpatched servers (i.e. all of them initially) and this is clearly
	257	not acceptable. Renegotiation is permitted because this does not add any
	258	additional security issues: during an attack clients do not see any
	259	renegotiations anyway.
99b36a8c DSH	260
	261	As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
	262	B<not> be set by default in a future version of OpenSSL.
	263
9fb6fd34 DSH	264	OpenSSL client applications wishing to ensure they can connect to unpatched
9fb6fd34 DSH	265	servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
99b36a8c	266
9fb6fd34 DSH	267	OpenSSL client applications that want to ensure they can B<not> connect to
9fb6fd34 DSH	268	unpatched servers (and thus avoid any security issues) should always B<clear>
99b36a8c DSH	269	B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
99b36a8c DSH	270	SSL_clear_options().
4db82571	271
69582a59 DSH	272	The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
	273	B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
	274	B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
	275	renegotiation between OpenSSL clients and unpatched servers B<only>, while
	276	B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
	277	and renegotiation between OpenSSL and unpatched clients or servers.
4db82571	278
7b9cb4a2 LJ	279	=head1 RETURN VALUES
	280
	281	SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
	282	after adding B<options>.
	283
4db82571 DSH	284	SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
	285	after clearing B<options>.
	286
7b9cb4a2 LJ	287	SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
7b9cb4a2 LJ	288
4db82571 DSH	289	SSL_get_secure_renegotiation_support() returns 1 is the peer supports
	290	secure renegotiation and 0 if it does not.
	291
7b9cb4a2 LJ	292	=head1 SEE ALSO
7b9cb4a2 LJ	293
b97fdb57	294	L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>,
9b86974e	295	L<SSL_CTX_set_tmp_dh_callback(3)>,
7946ab33	296	L<SSL_CTX_set_min_proto_version(3)>,
9b86974e	297	L<dhparam(1)>
7b9cb4a2 LJ	298
	299	=head1 HISTORY
	300
a528d4f0 RS	301	The attempt to always try to use secure renegotiation was added in
a528d4f0 RS	302	Openssl 0.9.8m.
4db82571	303
e2f92610 RS	304	=head1 COPYRIGHT
	305
	306	Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
	307
	308	Licensed under the OpenSSL license (the "License"). You may not use
	309	this file except in compliance with the License. You can obtain a copy
	310	in the file LICENSE in the source distribution or at
	311	L<https://www.openssl.org/source/license.html>.
	312
	313	=cut