[thirdparty/openssl.git] / doc / ssl / SSL_CONF_cmd.pod

=pod

=head1 NAME

SSL_CONF_cmd - send configuration command

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);

=head1 DESCRIPTION

The function SSL_CONF_cmd() performs configuration operation B<cmd> with
optional parameter B<value> on B<ctx>. Its purpose is to simplify application
configuration of B<SSL_CTX> or B<SSL> structures by providing a common
framework for configuration files or command line options.

=head1 SUPPORTED CONFIGURATION FILE COMMANDS

Currently supported B<cmd> names for configuration files (i.e. when the
flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
B<cmd> names and are case insensitive so B<signaturealgorithms> is recognised
as well as B<SignatureAlgorithms>. Unless otherwise states the B<value> names
are also case insensitive.

Note: the command prefix (if set) alters the recognised B<cmd> values.

=over 4

=item B<CipherSuite>

Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
currently not performed unless a B<SSL> or B<SSL_CTX> structure is 
associated with B<cctx>.

=item B<SignatureAlgorithms>

This sets the supported signature algorithms for TLS v1.2. For clients this
value is used directly for the supported signature algorithms extension. For
servers it is used to determine which signature algorithms to support.

The B<value> argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
Note: algorithm and hash names are case sensitive.

If this option is not set then all signature algorithms supported by the
OpenSSL library are permissible.

=item B<ClientSignatureAlgorithms>

This sets the supported signature algorithms associated with client
authentication for TLS v1.2. For servers the value is used in the supported
signature algorithms field of a certificate request. For clients it is
used to determine which signature algorithm to use for the client certificate.

The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
the value set for B<SignatureAlgorithms> will be used instead.

=item B<Curves>

This sets the supported elliptic curves. For servers the curves are
sent using the supported curves extension to TLS. For clients the it is used
to determine which curve to use. This affects curves used for both signatures
and key exchange.

The B<value> argument is a colon separated list of curves. The curve can be
either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
B<prime256v1>). Curve names are case sensitive.

=item B<ECDHParameters>

This sets the temporary curve used for ephemeral ECDH modes.

The B<value> argument is a curve name or the special value B<Automatic> which
automatically picks an appropriate curve based on client and server
preferences. The curve can be either the B<NIST> name (e.g. B<P-256>) or an
OpenSSL OID name (e.g B<prime256v1>). Curve names are case sensitive.

=item B<Protocol>

The supported versions of the SSL or TLS protocol.

The B<value> argument is a comma separated list of supported protocols to
enable or disable. If an protocol is preceded by B<-> that version is disabled.
All versions are enabled by default, though applications may choose to
explicitly disable some version. Currently supported protocol
values are B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The
special value B<ALL> refers to all supported versions.

=item B<Options>

The B<value> argument is a comma separated list of various flags to set.
If a flag string is preceded B<-> it is disabled. See the
B<SSL_CTX_set_options> function for more details of individual options.

Each option is listed below. Where an operation is enabled by default
the B<-flag> syntax is needed to disable it.

B<SessionTicket>: session ticket support, enabled by default. Inverse of
B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
B<SSL_OP_NO_TICKET>.

B<Compression>: SSL/TLS compression support, enabled by default. Inverse
of B<SSL_OP_NO_COMPRESSION>.

B<EmptyFragments>: use empty fragments as a countermeasure against a
SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.

B<Bugs> enable various bug workarounds. Same as B<SSL_OP_ALL>.

B<DHSingle> enable single use DH keys, set by default. Inverse of
B<SSL_OP_DH_SINGLE>. Only used by servers.

B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
B<SSL_OP_ECDH_SINGLE>. Only used by servers.

B<ServerPreference> use server and not client preference order when
determining which cipher suite, signature algorithm or elliptic curve
to use for an incoming connection.  Equivalent to
B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.

B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.

B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.

=back

=head1 SUPPORTED COMMAND LINE COMMANDS

Currently supported B<cmd> names for command lines (i.e. when the
flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
and are case sensitive. Unless otherwise stated the B<value> parameter is
noh used. The default prefix for command line commands is B<-> and that is
reflected below.

=over 4

=item B<-sigalgs>

Sets the supported signature algorithms to B<value>. Equivalent to the
B<SignatureAlgorithms> file command.

=item B<-client_sigalgs>

Sets the supported client signature algorithms to B<value>. Equivalent to the
B<ClientSignatureAlgorithms> file command.

=item B<-curves>

Sets supported elliptic curves to B<value>. Equivalent to B<Curves> file
command.

=item B<-named_curve>

Sets supported ECDH parameters to B<value>. For automatic curve selection
B<value> should be set to B<auto>, otherwise the command is identical to
the B<ECDHParameters> file command.

=item B<-cipher>

Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
currently not performed unless a B<SSL> or B<SSL_CTX> structure is 
associated with B<cctx>.

=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>

Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 
by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
B<SSL_OP_NO_TLS1> B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.

=item B<-bugs>

Various bug workarounds are set, same as setting B<SSL_OP_ALL>.

=item B<-no_comp>

Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.

=item B<-no_ticket>

Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.

=item B<-serverpref>

Use server and not client preference order when determining which cipher suite,
signature algorithm or elliptic curve to use for an incoming connection.
Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.

=item B<-legacyrenegotiation>

permits the use of unsafe legacy renegotiation. Equivalent to setting
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.

=item B<-legacy_server_connect>, B<-no_legacy_server_connect>

permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.

=item B<-strict>

enables strict mode protocol handling. Equivalent to setting
B<SSL_CERT_FLAG_TLS_STRICT>.

=item B<-debug_broken_protocol>

disables various checks and permits several kinds of broken protocol behaviour
for testing purposes: it should B<NEVER> be used in anything other than a test
environment. Only supported if OpenSSL is configured with
B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.

=back

=head1 NOTES

The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:

 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
 SSL_CONF_cmd(ctx, userparam, uservalue);

it will disable SSLv2 support by default but the user can override it. If 
however the call sequence is:

 SSL_CONF_cmd(ctx, userparam, uservalue);
 SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");

SSLv2 is B<always> disabled and attempt to override this by the user are
ignored.

By checking the return code of SSL_CTX_cmd() it is possible to query if a
given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
mixed with additional application specific operations.

For example an application might call SSL_CTX_cmd() and if it returns
-2 (unrecognised command) continue with processing of application specific
commands.

Applications can also use SSL_CTX_cmd() to process command lines though the
utility function SSL_CTX_cmd_argv() is normally used instead. One way
to do this is to check for an initial prefix ("-", "--" or "--ssl-" for example)
on a command argument and pass the rest to B<cmd>. The following argument
is passed to B<value> (which may be NULL).

In this case if the return value is positive then it is used to skip that
number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
returned then B<cmd> is not recognised and application specific arguments
can be checked instead. If -3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error occurred and
this can be reported back to the user.

=head1 EXAMPLES

Set supported signature algorithms:

 SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");

Enable all protocols except SSLv3 and SSLv2:

 SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");

Only enable TLSv1.2:

 SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");

Disable TLS session tickets:

 SSL_CONF_cmd(ctx, "Options", "-SessionTicket");

Set supported curves to P-256, P-384:

 SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");

Set automatic support for any elliptic curve for key exchange:

 SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");

=head1 RETURN VALUES

SSL_CONF_cmd() return 1 if the value of B<cmd> is recognised and B<value> is
B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
returns the number of arguments processed. This is useful when processing
command lines.

A return value of -2 means B<cmd> is not recognised.

A return value of -3 means B<cmd> is recognised and the command requires a
value but B<value> is NULL.

A return code of 0 indicates that both B<cmd> and B<value> are valid but an
error occurred attempting to perform the operation: for example due to an
error in the syntax of B<value> in this case the error queue may provide
additional information.

=head1 SEE ALSO

L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>

=head1 HISTORY

SSL_CONF_cmd() was first added to OpenSSL 1.1.0

=cut
Commit	Line	Data
3db935a9 DSH	1	=pod
	2
	3	=head1 NAME
	4
	5	SSL_CONF_cmd - send configuration command
	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ssl.h>
	10
	11	int SSL_CONF_cmd(SSL_CONF_CTX cctx, const char cmd, const char *value);
	12
	13	=head1 DESCRIPTION
	14
	15	The function SSL_CONF_cmd() performs configuration operation B<cmd> with
	16	optional parameter B<value> on B<ctx>. Its purpose is to simplify application
	17	configuration of B<SSL_CTX> or B<SSL> structures by providing a common
	18	framework for configuration files or command line options.
	19
	20	=head1 SUPPORTED CONFIGURATION FILE COMMANDS
	21
	22	Currently supported B<cmd> names for configuration files (i.e. when the
	23	flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
	24	B<cmd> names and are case insensitive so B<signaturealgorithms> is recognised
	25	as well as B<SignatureAlgorithms>. Unless otherwise states the B<value> names
	26	are also case insensitive.
	27
	28	Note: the command prefix (if set) alters the recognised B<cmd> values.
	29
	30	=over 4
	31
	32	=item B<CipherSuite>
	33
	34	Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
	35	currently not performed unless a B<SSL> or B<SSL_CTX> structure is
	36	associated with B<cctx>.
	37
	38	=item B<SignatureAlgorithms>
	39
	40	This sets the supported signature algorithms for TLS v1.2. For clients this
	41	value is used directly for the supported signature algorithms extension. For
	42	servers it is used to determine which signature algorithms to support.
	43
	44	The B<value> argument should be a colon separated list of signature algorithms
	45	in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
	46	is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
	47	OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
	48	Note: algorithm and hash names are case sensitive.
	49
	50	If this option is not set then all signature algorithms supported by the
	51	OpenSSL library are permissible.
	52
	53	=item B<ClientSignatureAlgorithms>
	54
	55	This sets the supported signature algorithms associated with client
	56	authentication for TLS v1.2. For servers the value is used in the supported
	57	signature algorithms field of a certificate request. For clients it is
	58	used to determine which signature algorithm to use for the client certificate.
	59
	60	The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
	61	the value set for B<SignatureAlgorithms> will be used instead.
	62
	63	=item B<Curves>
	64
65	This sets the supported elliptic curves. For servers the curves are
66	sent using the supported curves extension to TLS. For clients the it is used
67	to determine which curve to use. This affects curves used for both signatures
68	and key exchange.
69
70	The B<value> argument is a colon separated list of curves. The curve can be
71	either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
72	B<prime256v1>). Curve names are case sensitive.
73
74	=item B<ECDHParameters>
75
76	This sets the temporary curve used for ephemeral ECDH modes.
77
78	The B<value> argument is a curve name or the special value B<Automatic> which
79	automatically picks an appropriate curve based on client and server
80	preferences. The curve can be either the B<NIST> name (e.g. B<P-256>) or an
81	OpenSSL OID name (e.g B<prime256v1>). Curve names are case sensitive.
82
83	=item B<Protocol>
84
85	The supported versions of the SSL or TLS protocol.
86
87	The B<value> argument is a comma separated list of supported protocols to
88	enable or disable. If an protocol is preceded by B<-> that version is disabled.
89	All versions are enabled by default, though applications may choose to
90	explicitly disable some version. Currently supported protocol
91	values are B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>. The
92	special value B<ALL> refers to all supported versions.
93
94	=item B<Options>
95
96	The B<value> argument is a comma separated list of various flags to set.
97	If a flag string is preceded B<-> it is disabled. See the
98	B<SSL_CTX_set_options> function for more details of individual options.
99
100	Each option is listed below. Where an operation is enabled by default
101	the B<-flag> syntax is needed to disable it.
102
103	B<SessionTicket>: session ticket support, enabled by default. Inverse of
104	B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
105	B<SSL_OP_NO_TICKET>.
106
107	B<Compression>: SSL/TLS compression support, enabled by default. Inverse
108	of B<SSL_OP_NO_COMPRESSION>.
109
110	B<EmptyFragments>: use empty fragments as a countermeasure against a
111	SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
112	is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
113
114	B<Bugs> enable various bug workarounds. Same as B<SSL_OP_ALL>.
115
116	B<DHSingle> enable single use DH keys, set by default. Inverse of
117	B<SSL_OP_DH_SINGLE>. Only used by servers.
118
119	B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
120	B<SSL_OP_ECDH_SINGLE>. Only used by servers.
121
122	B<ServerPreference> use server and not client preference order when
123	determining which cipher suite, signature algorithm or elliptic curve
124	to use for an incoming connection. Equivalent to
125	B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
126
127	B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
128	Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
129
130	B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
131	for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
132	Set by default.
133
134	=back
135
136	=head1 SUPPORTED COMMAND LINE COMMANDS
137
138	Currently supported B<cmd> names for command lines (i.e. when the
139	flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
140	and are case sensitive. Unless otherwise stated the B<value> parameter is
141	noh used. The default prefix for command line commands is B<-> and that is
142	reflected below.
143
144	=over 4
145
146	=item B<-sigalgs>
147
148	Sets the supported signature algorithms to B<value>. Equivalent to the
149	B<SignatureAlgorithms> file command.
150
151	=item B<-client_sigalgs>
152
153	Sets the supported client signature algorithms to B<value>. Equivalent to the
154	B<ClientSignatureAlgorithms> file command.
155
156	=item B<-curves>
157
158	Sets supported elliptic curves to B<value>. Equivalent to B<Curves> file
159	command.
160
161	=item B<-named_curve>
162
163	Sets supported ECDH parameters to B<value>. For automatic curve selection
164	B<value> should be set to B<auto>, otherwise the command is identical to
165	the B<ECDHParameters> file command.
166
167	=item B<-cipher>
168
169	Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
170	currently not performed unless a B<SSL> or B<SSL_CTX> structure is
171	associated with B<cctx>.
172
173	=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
174
175	Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2
176	by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>,
177	B<SSL_OP_NO_TLS1> B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively.
178
179	=item B<-bugs>
180
181	Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
182
183	=item B<-no_comp>
184
185	Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
186
187	=item B<-no_ticket>
188
189	Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
190
191	=item B<-serverpref>
192
193	Use server and not client preference order when determining which cipher suite,
194	signature algorithm or elliptic curve to use for an incoming connection.
195	Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
196
197	=item B<-legacyrenegotiation>
198
199	permits the use of unsafe legacy renegotiation. Equivalent to setting
200	B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
201
202	=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
203
204	permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
205	clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
206	Set by default.
207
208	=item B<-strict>
209
210	enables strict mode protocol handling. Equivalent to setting
211	B<SSL_CERT_FLAG_TLS_STRICT>.
212
213	=item B<-debug_broken_protocol>
214
215	disables various checks and permits several kinds of broken protocol behaviour
216	for testing purposes: it should B<NEVER> be used in anything other than a test
217	environment. Only supported if OpenSSL is configured with
218	B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.
219
220	=back
221
222	=head1 NOTES
223
224	The order of operations is significant. This can be used to set either defaults
225	or values which cannot be overridden. For example if an application calls:
226
227	SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
228	SSL_CONF_cmd(ctx, userparam, uservalue);
229
230	it will disable SSLv2 support by default but the user can override it. If
231	however the call sequence is:
232
233	SSL_CONF_cmd(ctx, userparam, uservalue);
234	SSL_CONF_cmd(ctx, "Protocol", "-SSLv2");
235
236	SSLv2 is B<always> disabled and attempt to override this by the user are
237	ignored.
238
239	By checking the return code of SSL_CTX_cmd() it is possible to query if a
240	given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
241	mixed with additional application specific operations.
242
243	For example an application might call SSL_CTX_cmd() and if it returns
244	-2 (unrecognised command) continue with processing of application specific
245	commands.
246
247	Applications can also use SSL_CTX_cmd() to process command lines though the
248	utility function SSL_CTX_cmd_argv() is normally used instead. One way
249	to do this is to check for an initial prefix ("-", "--" or "--ssl-" for example)
250	on a command argument and pass the rest to B<cmd>. The following argument
251	is passed to B<value> (which may be NULL).
252
253	In this case if the return value is positive then it is used to skip that
254	number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
255	returned then B<cmd> is not recognised and application specific arguments
256	can be checked instead. If -3 is returned a required argument is missing
257	and an error is indicated. If 0 is returned some other error occurred and
258	this can be reported back to the user.
259
260	=head1 EXAMPLES
261
262	Set supported signature algorithms:
263
264	SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
265
266	Enable all protocols except SSLv3 and SSLv2:
267
268	SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
269
270	Only enable TLSv1.2:
271
272	SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
273
274	Disable TLS session tickets:
275
276	SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
277
278	Set supported curves to P-256, P-384:
279
280	SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
281
282	Set automatic support for any elliptic curve for key exchange:
283
284	SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");
285
286	=head1 RETURN VALUES
287
288	SSL_CONF_cmd() return 1 if the value of B<cmd> is recognised and B<value> is
289	B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
290	returns the number of arguments processed. This is useful when processing
291	command lines.
292
293	A return value of -2 means B<cmd> is not recognised.
294
295	A return value of -3 means B<cmd> is recognised and the command requires a
296	value but B<value> is NULL.
297
298	A return code of 0 indicates that both B<cmd> and B<value> are valid but an
299	error occurred attempting to perform the operation: for example due to an
300	error in the syntax of B<value> in this case the error queue may provide
301	additional information.
302
303	=head1 SEE ALSO
304
305	L<SSL_CONF_CTX_new(3)\|SSL_CONF_CTX_new(3)>,
306	L<SSL_CONF_CTX_set_flags(3)\|SSL_CONF_CTX_set_flags(3)>,
307	L<SSL_CONF_CTX_set1_prefix(3)\|SSL_CONF_CTX_set1_prefix(3)>,
308	L<SSL_CONF_CTX_set_ssl_ctx(3)\|SSL_CONF_CTX_set_ssl_ctx(3)>,
309	L<SSL_CONF_cmd_argv(3)\|SSL_CONF_cmd_argv(3)>
310
311	=head1 HISTORY
312
313	SSL_CONF_cmd() was first added to OpenSSL 1.1.0
314
315	=cut