]>
Commit | Line | Data |
---|---|---|
7b9cb4a2 LJ |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
730f5752 | 5 | SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options |
7b9cb4a2 LJ |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
11 | long SSL_CTX_set_options(SSL_CTX *ctx, long options); | |
12 | long SSL_set_options(SSL *ssl, long options); | |
13 | ||
a88c73b4 DSH |
14 | long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
15 | long SSL_clear_options(SSL *ssl, long options); | |
16 | ||
7b9cb4a2 LJ |
17 | long SSL_CTX_get_options(SSL_CTX *ctx); |
18 | long SSL_get_options(SSL *ssl); | |
19 | ||
a88c73b4 DSH |
20 | long SSL_get_secure_renegotiation_support(SSL *ssl); |
21 | ||
7b9cb4a2 LJ |
22 | =head1 DESCRIPTION |
23 | ||
a88c73b4 DSH |
24 | Note: all these functions are implemented using macros. |
25 | ||
7b9cb4a2 | 26 | SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. |
37f599bc | 27 | Options already set before are not cleared! |
7b9cb4a2 LJ |
28 | |
29 | SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. | |
37f599bc | 30 | Options already set before are not cleared! |
7b9cb4a2 | 31 | |
a88c73b4 DSH |
32 | SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
33 | to B<ctx>. | |
34 | ||
35 | SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. | |
36 | ||
7b9cb4a2 LJ |
37 | SSL_CTX_get_options() returns the options set for B<ctx>. |
38 | ||
39 | SSL_get_options() returns the options set for B<ssl>. | |
40 | ||
a88c73b4 DSH |
41 | SSL_get_secure_renegotiation_support() indicates whether the peer supports |
42 | secure renegotiation. | |
43 | ||
7b9cb4a2 LJ |
44 | =head1 NOTES |
45 | ||
46 | The behaviour of the SSL library can be changed by setting several options. | |
47 | The options are coded as bitmasks and can be combined by a logical B<or> | |
a88c73b4 | 48 | operation (|). |
7b9cb4a2 | 49 | |
37f599bc LJ |
50 | SSL_CTX_set_options() and SSL_set_options() affect the (external) |
51 | protocol behaviour of the SSL library. The (internal) behaviour of | |
52 | the API can be changed by using the similar | |
2edcb4ac | 53 | L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
37f599bc LJ |
54 | |
55 | During a handshake, the option settings of the SSL object are used. When | |
7b9cb4a2 LJ |
56 | a new SSL object is created from a context using SSL_new(), the current |
57 | option setting is copied. Changes to B<ctx> do not affect already created | |
58 | SSL objects. SSL_clear() does not affect the settings. | |
59 | ||
60 | The following B<bug workaround> options are available: | |
61 | ||
62 | =over 4 | |
63 | ||
64 | =item SSL_OP_MICROSOFT_SESS_ID_BUG | |
65 | ||
66 | www.microsoft.com - when talking SSLv2, if session-id reuse is | |
67 | performed, the session-id passed back in the server-finished message | |
68 | is different from the one decided upon. | |
69 | ||
70 | =item SSL_OP_NETSCAPE_CHALLENGE_BUG | |
71 | ||
72 | Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte | |
73 | challenge but then appears to only use 16 bytes when generating the | |
74 | encryption keys. Using 16 bytes is ok but it should be ok to use 32. | |
75 | According to the SSLv3 spec, one should use 32 bytes for the challenge | |
52d160d8 | 76 | when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
7b9cb4a2 LJ |
77 | this breaks this server so 16 bytes is the way to go. |
78 | ||
79 | =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
80 | ||
346601bc | 81 | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. |
7b9cb4a2 LJ |
82 | |
83 | =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
84 | ||
85 | ... | |
86 | ||
87 | =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
88 | ||
89 | ... | |
90 | ||
91 | =item SSL_OP_MSIE_SSLV2_RSA_PADDING | |
92 | ||
72dce768 | 93 | As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect. |
7b9cb4a2 LJ |
94 | |
95 | =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
96 | ||
97 | ... | |
98 | ||
99 | =item SSL_OP_TLS_D5_BUG | |
100 | ||
101 | ... | |
102 | ||
103 | =item SSL_OP_TLS_BLOCK_PADDING_BUG | |
104 | ||
105 | ... | |
106 | ||
c21506ba BM |
107 | =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
108 | ||
109 | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol | |
110 | vulnerability affecting CBC ciphers, which cannot be handled by some | |
111 | broken SSL implementations. This option has no effect for connections | |
112 | using other ciphers. | |
113 | ||
7b9cb4a2 LJ |
114 | =item SSL_OP_ALL |
115 | ||
116 | All of the above bug workarounds. | |
117 | ||
118 | =back | |
119 | ||
c21506ba BM |
120 | It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround |
121 | options if compatibility with somewhat broken implementations is | |
122 | desired. | |
7b9cb4a2 LJ |
123 | |
124 | The following B<modifying> options are available: | |
125 | ||
126 | =over 4 | |
127 | ||
06da6e49 LJ |
128 | =item SSL_OP_TLS_ROLLBACK_BUG |
129 | ||
130 | Disable version rollback attack detection. | |
131 | ||
132 | During the client key exchange, the client must send the same information | |
133 | about acceptable SSL/TLS protocol levels as during the first hello. Some | |
134 | clients violate this rule by adapting to the server's answer. (Example: | |
135 | the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server | |
136 | only understands up to SSLv3. In this case the client must still use the | |
137 | same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect | |
138 | to the server's answer and violate the version rollback protection.) | |
139 | ||
7b9cb4a2 LJ |
140 | =item SSL_OP_SINGLE_DH_USE |
141 | ||
37f599bc | 142 | Always create a new key when using temporary/ephemeral DH parameters |
4db48ec0 | 143 | (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
37f599bc LJ |
144 | This option must be used to prevent small subgroup attacks, when |
145 | the DH parameters were not generated using "strong" primes | |
146 | (e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>). | |
147 | If "strong" primes were used, it is not strictly necessary to generate | |
3b80e3aa | 148 | a new DH key during each handshake but it is also recommended. |
51008ffc | 149 | B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever |
37f599bc | 150 | temporary/ephemeral DH parameters are used. |
7b9cb4a2 LJ |
151 | |
152 | =item SSL_OP_EPHEMERAL_RSA | |
153 | ||
37f599bc | 154 | Always use ephemeral (temporary) RSA key when doing RSA operations |
4db48ec0 | 155 | (see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). |
37f599bc LJ |
156 | According to the specifications this is only done, when a RSA key |
157 | can only be used for signature operations (namely under export ciphers | |
158 | with restricted RSA keylength). By setting this option, ephemeral | |
159 | RSA keys are always used. This option breaks compatibility with the | |
160 | SSL/TLS specifications and may lead to interoperability problems with | |
161 | clients and should therefore never be used. Ciphers with EDH (ephemeral | |
162 | Diffie-Hellman) key exchange should be used instead. | |
7b9cb4a2 | 163 | |
1b65ce7d LJ |
164 | =item SSL_OP_CIPHER_SERVER_PREFERENCE |
165 | ||
166 | When choosing a cipher, use the server's preferences instead of the client | |
167 | preferences. When not set, the SSL server will always follow the clients | |
168 | preferences. When set, the SSLv3/TLSv1 server will choose following its | |
52d160d8 | 169 | own preferences. Because of the different protocol, for SSLv2 the server |
e27a2596 | 170 | will send its list of preferences to the client and the client chooses. |
1b65ce7d | 171 | |
7b9cb4a2 LJ |
172 | =item SSL_OP_PKCS1_CHECK_1 |
173 | ||
174 | ... | |
175 | ||
176 | =item SSL_OP_PKCS1_CHECK_2 | |
177 | ||
178 | ... | |
179 | ||
180 | =item SSL_OP_NETSCAPE_CA_DN_BUG | |
181 | ||
182 | If we accept a netscape connection, demand a client cert, have a | |
d177e618 | 183 | non-self-signed CA which does not have its CA in netscape, and the |
7b9cb4a2 LJ |
184 | browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta |
185 | ||
7b9cb4a2 LJ |
186 | =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
187 | ||
188 | ... | |
189 | ||
190 | =item SSL_OP_NO_SSLv2 | |
191 | ||
192 | Do not use the SSLv2 protocol. | |
193 | ||
194 | =item SSL_OP_NO_SSLv3 | |
195 | ||
196 | Do not use the SSLv3 protocol. | |
197 | ||
198 | =item SSL_OP_NO_TLSv1 | |
199 | ||
200 | Do not use the TLSv1 protocol. | |
201 | ||
51008ffc BM |
202 | =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
203 | ||
204 | When performing renegotiation as a server, always start a new session | |
205 | (i.e., session resumption requests are only accepted in the initial | |
a88c73b4 | 206 | handshake). This option is not needed for clients. |
51008ffc | 207 | |
f3fef74b DSH |
208 | =item SSL_OP_NO_TICKET |
209 | ||
210 | Normally clients and servers will, where possible, transparently make use | |
211 | of RFC4507bis tickets for stateless session resumption. | |
212 | ||
213 | If this option is set this functionality is disabled and tickets will | |
214 | not be used by clients or servers. | |
215 | ||
4f3d52fe | 216 | =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
a88c73b4 | 217 | |
4f3d52fe DSH |
218 | Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
219 | servers. See the B<SECURE RENEGOTIATION> section for more details. | |
220 | ||
221 | =item SSL_OP_LEGACY_SERVER_CONNECT | |
222 | ||
223 | Allow legacy insecure renegotiation between OpenSSL and unpatched servers | |
224 | B<only>: this option is currently set by default. See the | |
225 | B<SECURE RENEGOTIATION> section for more details. | |
a88c73b4 | 226 | |
7b9cb4a2 LJ |
227 | =back |
228 | ||
a88c73b4 DSH |
229 | =head1 SECURE RENEGOTIATION |
230 | ||
730f5752 | 231 | OpenSSL 0.9.8m and later always attempts to use secure renegotiation as |
81d87a2a DSH |
232 | described in RFC5746. This counters the prefix attack described in |
233 | CVE-2009-3555 and elsewhere. | |
a88c73b4 | 234 | |
98923880 | 235 | The deprecated and highly broken SSLv2 protocol does not support |
5a6ae115 DSH |
236 | renegotiation at all: its use is B<strongly> discouraged. |
237 | ||
a88c73b4 DSH |
238 | This attack has far reaching consequences which application writers should be |
239 | aware of. In the description below an implementation supporting secure | |
240 | renegotiation is referred to as I<patched>. A server not supporting secure | |
241 | renegotiation is referred to as I<unpatched>. | |
242 | ||
5a6ae115 DSH |
243 | The following sections describe the operations permitted by OpenSSL's secure |
244 | renegotiation implementation. | |
245 | ||
5e5df40b | 246 | =head2 Patched client and server |
a88c73b4 | 247 | |
5a6ae115 | 248 | Connections and renegotiation are always permitted by OpenSSL implementations. |
a88c73b4 | 249 | |
5a6ae115 | 250 | =head2 Unpatched client and patched OpenSSL server |
730f5752 | 251 | |
5a6ae115 DSH |
252 | The initial connection suceeds but client renegotiation is denied by the |
253 | server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal | |
5e5df40b DSH |
254 | B<handshake_failure> alert in SSL v3.0. |
255 | ||
5a6ae115 DSH |
256 | If the patched OpenSSL server attempts to renegotiate a fatal |
257 | B<handshake_failure> alert is sent. This is because the server code may be | |
258 | unaware of the unpatched nature of the client. | |
5e5df40b DSH |
259 | |
260 | If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then | |
261 | renegotiation B<always> succeeds. | |
262 | ||
263 | B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are | |
264 | unpatched) will result in the connection hanging if it receives a | |
265 | B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard | |
266 | a B<no_renegotiation> alert as fatal and respond with a fatal | |
5a6ae115 DSH |
267 | B<handshake_failure> alert. This is because the OpenSSL API currently has |
268 | no provision to indicate to an application that a renegotiation attempt | |
269 | was refused. | |
5e5df40b | 270 | |
5a6ae115 | 271 | =head2 Patched OpenSSL client and unpatched server. |
5e5df40b | 272 | |
4f3d52fe DSH |
273 | If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or |
274 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections | |
98923880 | 275 | and renegotiation between patched OpenSSL clients and unpatched servers |
4f3d52fe DSH |
276 | succeeds. If neither option is set then initial connections to unpatched |
277 | servers will fail. | |
98923880 | 278 | |
4f3d52fe DSH |
279 | The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even |
280 | though it has security implications: otherwise it would be impossible to | |
281 | connect to unpatched servers (i.e. all of them initially) and this is clearly | |
282 | not acceptable. Renegotiation is permitted because this does not add any | |
283 | additional security issues: during an attack clients do not see any | |
284 | renegotiations anyway. | |
5e5df40b DSH |
285 | |
286 | As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will | |
287 | B<not> be set by default in a future version of OpenSSL. | |
288 | ||
5a6ae115 DSH |
289 | OpenSSL client applications wishing to ensure they can connect to unpatched |
290 | servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> | |
5e5df40b | 291 | |
5a6ae115 DSH |
292 | OpenSSL client applications that want to ensure they can B<not> connect to |
293 | unpatched servers (and thus avoid any security issues) should always B<clear> | |
5e5df40b DSH |
294 | B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or |
295 | SSL_clear_options(). | |
a88c73b4 | 296 | |
4f3d52fe DSH |
297 | The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and |
298 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that | |
299 | B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure | |
300 | renegotiation between OpenSSL clients and unpatched servers B<only>, while | |
301 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections | |
302 | and renegotiation between OpenSSL and unpatched clients or servers. | |
a88c73b4 | 303 | |
7b9cb4a2 LJ |
304 | =head1 RETURN VALUES |
305 | ||
306 | SSL_CTX_set_options() and SSL_set_options() return the new options bitmask | |
307 | after adding B<options>. | |
308 | ||
a88c73b4 DSH |
309 | SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
310 | after clearing B<options>. | |
311 | ||
7b9cb4a2 LJ |
312 | SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
313 | ||
a88c73b4 DSH |
314 | SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
315 | secure renegotiation and 0 if it does not. | |
316 | ||
7b9cb4a2 LJ |
317 | =head1 SEE ALSO |
318 | ||
4db48ec0 LJ |
319 | L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>, |
320 | L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, | |
37f599bc LJ |
321 | L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, |
322 | L<dhparam(1)|dhparam(1)> | |
7b9cb4a2 LJ |
323 | |
324 | =head1 HISTORY | |
325 | ||
51008ffc BM |
326 | B<SSL_OP_CIPHER_SERVER_PREFERENCE> and |
327 | B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> have been added in | |
328 | OpenSSL 0.9.7. | |
1b65ce7d | 329 | |
51008ffc BM |
330 | B<SSL_OP_TLS_ROLLBACK_BUG> has been added in OpenSSL 0.9.6 and was automatically |
331 | enabled with B<SSL_OP_ALL>. As of 0.9.7, it is no longer included in B<SSL_OP_ALL> | |
3b80e3aa | 332 | and must be explicitly set. |
7b9cb4a2 | 333 | |
c21506ba BM |
334 | B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. |
335 | Versions up to OpenSSL 0.9.6c do not include the countermeasure that | |
336 | can be disabled with this option (in OpenSSL 0.9.6d, it was always | |
337 | enabled). | |
338 | ||
a88c73b4 DSH |
339 | SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL |
340 | 0.9.8m. | |
341 | ||
5e5df40b DSH |
342 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT> |
343 | and the function SSL_get_secure_renegotiation_support() were first added in | |
344 | OpenSSL 0.9.8m. | |
a88c73b4 | 345 | |
7b9cb4a2 | 346 | =cut |