]>
Commit | Line | Data |
---|---|---|
7b9cb4a2 LJ |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
57ce7b61 VD |
5 | SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, |
6 | SSL_clear_options, SSL_CTX_get_options, SSL_get_options, | |
7 | SSL_get_secure_renegotiation_support - manipulate SSL options | |
7b9cb4a2 LJ |
8 | |
9 | =head1 SYNOPSIS | |
10 | ||
11 | #include <openssl/ssl.h> | |
12 | ||
13 | long SSL_CTX_set_options(SSL_CTX *ctx, long options); | |
14 | long SSL_set_options(SSL *ssl, long options); | |
15 | ||
4db82571 DSH |
16 | long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
17 | long SSL_clear_options(SSL *ssl, long options); | |
18 | ||
7b9cb4a2 LJ |
19 | long SSL_CTX_get_options(SSL_CTX *ctx); |
20 | long SSL_get_options(SSL *ssl); | |
21 | ||
4db82571 DSH |
22 | long SSL_get_secure_renegotiation_support(SSL *ssl); |
23 | ||
7b9cb4a2 LJ |
24 | =head1 DESCRIPTION |
25 | ||
26 | SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. | |
37f599bc | 27 | Options already set before are not cleared! |
7b9cb4a2 LJ |
28 | |
29 | SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. | |
37f599bc | 30 | Options already set before are not cleared! |
7b9cb4a2 | 31 | |
4db82571 DSH |
32 | SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
33 | to B<ctx>. | |
34 | ||
35 | SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. | |
36 | ||
7b9cb4a2 LJ |
37 | SSL_CTX_get_options() returns the options set for B<ctx>. |
38 | ||
39 | SSL_get_options() returns the options set for B<ssl>. | |
40 | ||
4db82571 DSH |
41 | SSL_get_secure_renegotiation_support() indicates whether the peer supports |
42 | secure renegotiation. | |
8106cb8b | 43 | Note, this is implemented via a macro. |
4db82571 | 44 | |
7b9cb4a2 LJ |
45 | =head1 NOTES |
46 | ||
47 | The behaviour of the SSL library can be changed by setting several options. | |
762a44de | 48 | The options are coded as bitmasks and can be combined by a bitwise B<or> |
4db82571 | 49 | operation (|). |
7b9cb4a2 | 50 | |
37f599bc LJ |
51 | SSL_CTX_set_options() and SSL_set_options() affect the (external) |
52 | protocol behaviour of the SSL library. The (internal) behaviour of | |
53 | the API can be changed by using the similar | |
9b86974e | 54 | L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
37f599bc LJ |
55 | |
56 | During a handshake, the option settings of the SSL object are used. When | |
7b9cb4a2 LJ |
57 | a new SSL object is created from a context using SSL_new(), the current |
58 | option setting is copied. Changes to B<ctx> do not affect already created | |
59 | SSL objects. SSL_clear() does not affect the settings. | |
60 | ||
61 | The following B<bug workaround> options are available: | |
62 | ||
63 | =over 4 | |
64 | ||
dece3209 | 65 | =item SSL_OP_SAFARI_ECDHE_ECDSA_BUG |
7b9cb4a2 | 66 | |
dece3209 RS |
67 | Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. |
68 | OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. | |
7b9cb4a2 | 69 | |
c21506ba BM |
70 | =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
71 | ||
72 | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol | |
73 | vulnerability affecting CBC ciphers, which cannot be handled by some | |
74 | broken SSL implementations. This option has no effect for connections | |
75 | using other ciphers. | |
76 | ||
01f2f18f DSH |
77 | =item SSL_OP_TLSEXT_PADDING |
78 | ||
79 | Adds a padding extension to ensure the ClientHello size is never between | |
80 | 256 and 511 bytes in length. This is needed as a workaround for some | |
81 | implementations. | |
82 | ||
7b9cb4a2 LJ |
83 | =item SSL_OP_ALL |
84 | ||
edb79c3a JS |
85 | All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as |
86 | mentioned below. | |
7b9cb4a2 LJ |
87 | |
88 | =back | |
89 | ||
c21506ba BM |
90 | It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround |
91 | options if compatibility with somewhat broken implementations is | |
92 | desired. | |
7b9cb4a2 LJ |
93 | |
94 | The following B<modifying> options are available: | |
95 | ||
96 | =over 4 | |
97 | ||
06da6e49 LJ |
98 | =item SSL_OP_TLS_ROLLBACK_BUG |
99 | ||
100 | Disable version rollback attack detection. | |
101 | ||
102 | During the client key exchange, the client must send the same information | |
103 | about acceptable SSL/TLS protocol levels as during the first hello. Some | |
104 | clients violate this rule by adapting to the server's answer. (Example: | |
105 | the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server | |
106 | only understands up to SSLv3. In this case the client must still use the | |
107 | same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect | |
108 | to the server's answer and violate the version rollback protection.) | |
109 | ||
1b65ce7d LJ |
110 | =item SSL_OP_CIPHER_SERVER_PREFERENCE |
111 | ||
112 | When choosing a cipher, use the server's preferences instead of the client | |
113 | preferences. When not set, the SSL server will always follow the clients | |
87d9cafa MC |
114 | preferences. When set, the SSL/TLS server will choose following its |
115 | own preferences. | |
1b65ce7d | 116 | |
57ce7b61 | 117 | =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, |
582a17d6 | 118 | SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 |
7b9cb4a2 | 119 | |
582a17d6 | 120 | These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol |
57ce7b61 VD |
121 | versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, |
122 | respectively. | |
123 | As of OpenSSL 1.1.0, these options are deprecated, use | |
124 | L<SSL_CTX_set_min_proto_version(3)> and | |
125 | L<SSL_CTX_set_max_proto_version(3)> instead. | |
7b9cb4a2 | 126 | |
51008ffc BM |
127 | =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
128 | ||
129 | When performing renegotiation as a server, always start a new session | |
130 | (i.e., session resumption requests are only accepted in the initial | |
4db82571 | 131 | handshake). This option is not needed for clients. |
51008ffc | 132 | |
edb79c3a JS |
133 | =item SSL_OP_NO_COMPRESSION |
134 | ||
135 | Do not use compression even if it is supported. | |
136 | ||
137 | =item SSL_OP_NO_QUERY_MTU | |
138 | ||
139 | Do not query the MTU. Only affects DTLS connections. | |
140 | ||
141 | =item SSL_OP_COOKIE_EXCHANGE | |
142 | ||
143 | Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects | |
144 | DTLS connections. | |
145 | ||
f3fef74b DSH |
146 | =item SSL_OP_NO_TICKET |
147 | ||
148 | Normally clients and servers will, where possible, transparently make use | |
149 | of RFC4507bis tickets for stateless session resumption. | |
150 | ||
151 | If this option is set this functionality is disabled and tickets will | |
152 | not be used by clients or servers. | |
153 | ||
69582a59 | 154 | =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
4db82571 | 155 | |
69582a59 DSH |
156 | Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
157 | servers. See the B<SECURE RENEGOTIATION> section for more details. | |
158 | ||
159 | =item SSL_OP_LEGACY_SERVER_CONNECT | |
160 | ||
161 | Allow legacy insecure renegotiation between OpenSSL and unpatched servers | |
162 | B<only>: this option is currently set by default. See the | |
163 | B<SECURE RENEGOTIATION> section for more details. | |
4db82571 | 164 | |
cde6145b DW |
165 | =item SSL_OP_NO_ENCRYPT_THEN_MAC |
166 | ||
167 | Normally clients and servers will transparently attempt to negotiate the | |
168 | RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. | |
169 | ||
170 | If this option is set, Encrypt-then-MAC is disabled. Clients will not | |
171 | propose, and servers will not accept the extension. | |
172 | ||
db0f35dd TS |
173 | =item SSL_OP_NO_RENEGOTIATION |
174 | ||
175 | Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest | |
176 | messages, and ignore renegotiation requests via ClientHello. | |
177 | ||
4e2bd9cb MC |
178 | =item SSL_OP_ALLOW_NO_DHE_KEX |
179 | ||
180 | In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means | |
181 | that there will be no forward secrecy for the resumed session. | |
182 | ||
e1c7871d TS |
183 | =item SSL_OP_PRIORITIZE_CHACHA |
184 | ||
185 | When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize | |
186 | ChaCha20-Poly1305 ciphers to the top of the server cipher list if a | |
187 | ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps | |
188 | those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere | |
189 | in the server cipher list; but still allows other clients to use AES and other | |
190 | ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>. | |
191 | ||
7b9cb4a2 LJ |
192 | =back |
193 | ||
edb79c3a JS |
194 | The following options no longer have any effect but their identifiers are |
195 | retained for compatibility purposes: | |
196 | ||
197 | =over 4 | |
198 | ||
199 | =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
200 | ||
201 | =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
202 | ||
203 | =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
204 | ||
205 | =item SSL_OP_TLS_D5_BUG | |
206 | ||
207 | =item SSL_OP_TLS_BLOCK_PADDING_BUG | |
208 | ||
209 | =item SSL_OP_MSIE_SSLV2_RSA_PADDING | |
210 | ||
211 | =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
212 | ||
213 | =item SSL_OP_MICROSOFT_SESS_ID_BUG | |
214 | ||
215 | =item SSL_OP_NETSCAPE_CHALLENGE_BUG | |
216 | ||
217 | =item SSL_OP_PKCS1_CHECK_1 | |
218 | ||
219 | =item SSL_OP_PKCS1_CHECK_2 | |
220 | ||
221 | =item SSL_OP_SINGLE_DH_USE | |
222 | ||
223 | =item SSL_OP_SINGLE_ECDH_USE | |
224 | ||
225 | =item SSL_OP_EPHEMERAL_RSA | |
226 | ||
227 | =back | |
228 | ||
4db82571 DSH |
229 | =head1 SECURE RENEGOTIATION |
230 | ||
a528d4f0 | 231 | OpenSSL always attempts to use secure renegotiation as |
f9595988 DSH |
232 | described in RFC5746. This counters the prefix attack described in |
233 | CVE-2009-3555 and elsewhere. | |
4db82571 DSH |
234 | |
235 | This attack has far reaching consequences which application writers should be | |
236 | aware of. In the description below an implementation supporting secure | |
237 | renegotiation is referred to as I<patched>. A server not supporting secure | |
238 | renegotiation is referred to as I<unpatched>. | |
239 | ||
9fb6fd34 DSH |
240 | The following sections describe the operations permitted by OpenSSL's secure |
241 | renegotiation implementation. | |
242 | ||
99b36a8c | 243 | =head2 Patched client and server |
4db82571 | 244 | |
9fb6fd34 | 245 | Connections and renegotiation are always permitted by OpenSSL implementations. |
4db82571 | 246 | |
9fb6fd34 | 247 | =head2 Unpatched client and patched OpenSSL server |
b5c002d5 | 248 | |
fc1d88f0 | 249 | The initial connection succeeds but client renegotiation is denied by the |
9fb6fd34 | 250 | server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal |
99b36a8c DSH |
251 | B<handshake_failure> alert in SSL v3.0. |
252 | ||
9fb6fd34 DSH |
253 | If the patched OpenSSL server attempts to renegotiate a fatal |
254 | B<handshake_failure> alert is sent. This is because the server code may be | |
255 | unaware of the unpatched nature of the client. | |
99b36a8c DSH |
256 | |
257 | If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then | |
258 | renegotiation B<always> succeeds. | |
259 | ||
9fb6fd34 | 260 | =head2 Patched OpenSSL client and unpatched server. |
99b36a8c | 261 | |
69582a59 DSH |
262 | If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or |
263 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections | |
c2c49969 | 264 | and renegotiation between patched OpenSSL clients and unpatched servers |
69582a59 DSH |
265 | succeeds. If neither option is set then initial connections to unpatched |
266 | servers will fail. | |
c2c49969 | 267 | |
69582a59 DSH |
268 | The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even |
269 | though it has security implications: otherwise it would be impossible to | |
270 | connect to unpatched servers (i.e. all of them initially) and this is clearly | |
271 | not acceptable. Renegotiation is permitted because this does not add any | |
272 | additional security issues: during an attack clients do not see any | |
273 | renegotiations anyway. | |
99b36a8c DSH |
274 | |
275 | As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will | |
276 | B<not> be set by default in a future version of OpenSSL. | |
277 | ||
9fb6fd34 DSH |
278 | OpenSSL client applications wishing to ensure they can connect to unpatched |
279 | servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> | |
99b36a8c | 280 | |
9fb6fd34 DSH |
281 | OpenSSL client applications that want to ensure they can B<not> connect to |
282 | unpatched servers (and thus avoid any security issues) should always B<clear> | |
99b36a8c DSH |
283 | B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or |
284 | SSL_clear_options(). | |
4db82571 | 285 | |
69582a59 DSH |
286 | The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and |
287 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that | |
288 | B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure | |
289 | renegotiation between OpenSSL clients and unpatched servers B<only>, while | |
290 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections | |
291 | and renegotiation between OpenSSL and unpatched clients or servers. | |
4db82571 | 292 | |
7b9cb4a2 LJ |
293 | =head1 RETURN VALUES |
294 | ||
295 | SSL_CTX_set_options() and SSL_set_options() return the new options bitmask | |
296 | after adding B<options>. | |
297 | ||
4db82571 DSH |
298 | SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
299 | after clearing B<options>. | |
300 | ||
7b9cb4a2 LJ |
301 | SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
302 | ||
4db82571 DSH |
303 | SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
304 | secure renegotiation and 0 if it does not. | |
305 | ||
7b9cb4a2 LJ |
306 | =head1 SEE ALSO |
307 | ||
b97fdb57 | 308 | L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>, |
9b86974e | 309 | L<SSL_CTX_set_tmp_dh_callback(3)>, |
7946ab33 | 310 | L<SSL_CTX_set_min_proto_version(3)>, |
9b86974e | 311 | L<dhparam(1)> |
7b9cb4a2 LJ |
312 | |
313 | =head1 HISTORY | |
314 | ||
a528d4f0 RS |
315 | The attempt to always try to use secure renegotiation was added in |
316 | Openssl 0.9.8m. | |
4db82571 | 317 | |
e1c7871d TS |
318 | B<SSL_OP_PRIORITIZE_CHACHA> was added in OpenSSL 1.1.1. |
319 | ||
e2f92610 RS |
320 | =head1 COPYRIGHT |
321 | ||
e1c7871d | 322 | Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
323 | |
324 | Licensed under the OpenSSL license (the "License"). You may not use | |
325 | this file except in compliance with the License. You can obtain a copy | |
326 | in the file LICENSE in the source distribution or at | |
327 | L<https://www.openssl.org/source/license.html>. | |
328 | ||
329 | =cut |