]>
Commit | Line | Data |
---|---|---|
7b9cb4a2 LJ |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
57ce7b61 VD |
5 | SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, |
6 | SSL_clear_options, SSL_CTX_get_options, SSL_get_options, | |
7 | SSL_get_secure_renegotiation_support - manipulate SSL options | |
7b9cb4a2 LJ |
8 | |
9 | =head1 SYNOPSIS | |
10 | ||
11 | #include <openssl/ssl.h> | |
12 | ||
13 | long SSL_CTX_set_options(SSL_CTX *ctx, long options); | |
14 | long SSL_set_options(SSL *ssl, long options); | |
15 | ||
4db82571 DSH |
16 | long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
17 | long SSL_clear_options(SSL *ssl, long options); | |
18 | ||
7b9cb4a2 LJ |
19 | long SSL_CTX_get_options(SSL_CTX *ctx); |
20 | long SSL_get_options(SSL *ssl); | |
21 | ||
4db82571 DSH |
22 | long SSL_get_secure_renegotiation_support(SSL *ssl); |
23 | ||
7b9cb4a2 LJ |
24 | =head1 DESCRIPTION |
25 | ||
26 | SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. | |
37f599bc | 27 | Options already set before are not cleared! |
7b9cb4a2 LJ |
28 | |
29 | SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. | |
37f599bc | 30 | Options already set before are not cleared! |
7b9cb4a2 | 31 | |
4db82571 DSH |
32 | SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
33 | to B<ctx>. | |
34 | ||
35 | SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. | |
36 | ||
7b9cb4a2 LJ |
37 | SSL_CTX_get_options() returns the options set for B<ctx>. |
38 | ||
39 | SSL_get_options() returns the options set for B<ssl>. | |
40 | ||
4db82571 DSH |
41 | SSL_get_secure_renegotiation_support() indicates whether the peer supports |
42 | secure renegotiation. | |
8106cb8b | 43 | Note, this is implemented via a macro. |
4db82571 | 44 | |
7b9cb4a2 LJ |
45 | =head1 NOTES |
46 | ||
47 | The behaviour of the SSL library can be changed by setting several options. | |
762a44de | 48 | The options are coded as bitmasks and can be combined by a bitwise B<or> |
4db82571 | 49 | operation (|). |
7b9cb4a2 | 50 | |
37f599bc LJ |
51 | SSL_CTX_set_options() and SSL_set_options() affect the (external) |
52 | protocol behaviour of the SSL library. The (internal) behaviour of | |
53 | the API can be changed by using the similar | |
9b86974e | 54 | L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
37f599bc LJ |
55 | |
56 | During a handshake, the option settings of the SSL object are used. When | |
7b9cb4a2 LJ |
57 | a new SSL object is created from a context using SSL_new(), the current |
58 | option setting is copied. Changes to B<ctx> do not affect already created | |
59 | SSL objects. SSL_clear() does not affect the settings. | |
60 | ||
61 | The following B<bug workaround> options are available: | |
62 | ||
63 | =over 4 | |
64 | ||
7b9cb4a2 LJ |
65 | =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
66 | ||
67 | ... | |
68 | ||
69 | =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
70 | ||
71 | ... | |
72 | ||
dece3209 | 73 | =item SSL_OP_SAFARI_ECDHE_ECDSA_BUG |
7b9cb4a2 | 74 | |
dece3209 RS |
75 | Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. |
76 | OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. | |
7b9cb4a2 LJ |
77 | |
78 | =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
79 | ||
80 | ... | |
81 | ||
82 | =item SSL_OP_TLS_D5_BUG | |
83 | ||
84 | ... | |
85 | ||
c21506ba BM |
86 | =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
87 | ||
88 | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol | |
89 | vulnerability affecting CBC ciphers, which cannot be handled by some | |
90 | broken SSL implementations. This option has no effect for connections | |
91 | using other ciphers. | |
92 | ||
01f2f18f DSH |
93 | =item SSL_OP_TLSEXT_PADDING |
94 | ||
95 | Adds a padding extension to ensure the ClientHello size is never between | |
96 | 256 and 511 bytes in length. This is needed as a workaround for some | |
97 | implementations. | |
98 | ||
7b9cb4a2 LJ |
99 | =item SSL_OP_ALL |
100 | ||
101 | All of the above bug workarounds. | |
102 | ||
103 | =back | |
104 | ||
c21506ba BM |
105 | It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround |
106 | options if compatibility with somewhat broken implementations is | |
107 | desired. | |
7b9cb4a2 LJ |
108 | |
109 | The following B<modifying> options are available: | |
110 | ||
111 | =over 4 | |
112 | ||
06da6e49 LJ |
113 | =item SSL_OP_TLS_ROLLBACK_BUG |
114 | ||
115 | Disable version rollback attack detection. | |
116 | ||
117 | During the client key exchange, the client must send the same information | |
118 | about acceptable SSL/TLS protocol levels as during the first hello. Some | |
119 | clients violate this rule by adapting to the server's answer. (Example: | |
120 | the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server | |
121 | only understands up to SSLv3. In this case the client must still use the | |
122 | same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect | |
123 | to the server's answer and violate the version rollback protection.) | |
124 | ||
7b9cb4a2 LJ |
125 | =item SSL_OP_SINGLE_DH_USE |
126 | ||
37f599bc | 127 | Always create a new key when using temporary/ephemeral DH parameters |
9b86974e | 128 | (see L<SSL_CTX_set_tmp_dh_callback(3)>). |
37f599bc LJ |
129 | This option must be used to prevent small subgroup attacks, when |
130 | the DH parameters were not generated using "strong" primes | |
9b86974e | 131 | (e.g. when using DSA-parameters, see L<dhparam(1)>). |
37f599bc | 132 | If "strong" primes were used, it is not strictly necessary to generate |
3b80e3aa | 133 | a new DH key during each handshake but it is also recommended. |
51008ffc | 134 | B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever |
37f599bc | 135 | temporary/ephemeral DH parameters are used. |
7b9cb4a2 LJ |
136 | |
137 | =item SSL_OP_EPHEMERAL_RSA | |
138 | ||
ce325c60 | 139 | This option is no longer implemented and is treated as no op. |
7b9cb4a2 | 140 | |
1b65ce7d LJ |
141 | =item SSL_OP_CIPHER_SERVER_PREFERENCE |
142 | ||
143 | When choosing a cipher, use the server's preferences instead of the client | |
144 | preferences. When not set, the SSL server will always follow the clients | |
87d9cafa MC |
145 | preferences. When set, the SSL/TLS server will choose following its |
146 | own preferences. | |
1b65ce7d | 147 | |
7b9cb4a2 LJ |
148 | =item SSL_OP_PKCS1_CHECK_1 |
149 | ||
150 | ... | |
151 | ||
152 | =item SSL_OP_PKCS1_CHECK_2 | |
153 | ||
154 | ... | |
155 | ||
7b9cb4a2 | 156 | |
57ce7b61 VD |
157 | =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, |
158 | SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 | |
7b9cb4a2 | 159 | |
57ce7b61 VD |
160 | These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2 protocol |
161 | versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, | |
162 | respectively. | |
163 | As of OpenSSL 1.1.0, these options are deprecated, use | |
164 | L<SSL_CTX_set_min_proto_version(3)> and | |
165 | L<SSL_CTX_set_max_proto_version(3)> instead. | |
7b9cb4a2 | 166 | |
51008ffc BM |
167 | =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
168 | ||
169 | When performing renegotiation as a server, always start a new session | |
170 | (i.e., session resumption requests are only accepted in the initial | |
4db82571 | 171 | handshake). This option is not needed for clients. |
51008ffc | 172 | |
f3fef74b DSH |
173 | =item SSL_OP_NO_TICKET |
174 | ||
175 | Normally clients and servers will, where possible, transparently make use | |
176 | of RFC4507bis tickets for stateless session resumption. | |
177 | ||
178 | If this option is set this functionality is disabled and tickets will | |
179 | not be used by clients or servers. | |
180 | ||
69582a59 | 181 | =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
4db82571 | 182 | |
69582a59 DSH |
183 | Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
184 | servers. See the B<SECURE RENEGOTIATION> section for more details. | |
185 | ||
186 | =item SSL_OP_LEGACY_SERVER_CONNECT | |
187 | ||
188 | Allow legacy insecure renegotiation between OpenSSL and unpatched servers | |
189 | B<only>: this option is currently set by default. See the | |
190 | B<SECURE RENEGOTIATION> section for more details. | |
4db82571 | 191 | |
619c589b DW |
192 | =item SSL_OP_NO_ENCRYPT_THEN_MAC |
193 | ||
194 | Normally clients and servers will transparently attempt to negotiate the | |
195 | RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. | |
196 | ||
197 | If this option is set, Encrypt-then-MAC is disabled. Clients will not | |
198 | propose, and servers will not accept the extension. | |
199 | ||
6e127fdd MC |
200 | =item SSL_OP_NO_RENEGOTIATION |
201 | ||
202 | Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest | |
203 | messages, and ignore renegotiation requests via ClientHello. | |
204 | ||
7b9cb4a2 LJ |
205 | =back |
206 | ||
4db82571 DSH |
207 | =head1 SECURE RENEGOTIATION |
208 | ||
a528d4f0 | 209 | OpenSSL always attempts to use secure renegotiation as |
f9595988 DSH |
210 | described in RFC5746. This counters the prefix attack described in |
211 | CVE-2009-3555 and elsewhere. | |
4db82571 DSH |
212 | |
213 | This attack has far reaching consequences which application writers should be | |
214 | aware of. In the description below an implementation supporting secure | |
215 | renegotiation is referred to as I<patched>. A server not supporting secure | |
216 | renegotiation is referred to as I<unpatched>. | |
217 | ||
9fb6fd34 DSH |
218 | The following sections describe the operations permitted by OpenSSL's secure |
219 | renegotiation implementation. | |
220 | ||
99b36a8c | 221 | =head2 Patched client and server |
4db82571 | 222 | |
9fb6fd34 | 223 | Connections and renegotiation are always permitted by OpenSSL implementations. |
4db82571 | 224 | |
9fb6fd34 | 225 | =head2 Unpatched client and patched OpenSSL server |
b5c002d5 | 226 | |
fc1d88f0 | 227 | The initial connection succeeds but client renegotiation is denied by the |
9fb6fd34 | 228 | server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal |
99b36a8c DSH |
229 | B<handshake_failure> alert in SSL v3.0. |
230 | ||
9fb6fd34 DSH |
231 | If the patched OpenSSL server attempts to renegotiate a fatal |
232 | B<handshake_failure> alert is sent. This is because the server code may be | |
233 | unaware of the unpatched nature of the client. | |
99b36a8c DSH |
234 | |
235 | If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then | |
236 | renegotiation B<always> succeeds. | |
237 | ||
9fb6fd34 | 238 | =head2 Patched OpenSSL client and unpatched server. |
99b36a8c | 239 | |
69582a59 DSH |
240 | If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or |
241 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections | |
c2c49969 | 242 | and renegotiation between patched OpenSSL clients and unpatched servers |
69582a59 DSH |
243 | succeeds. If neither option is set then initial connections to unpatched |
244 | servers will fail. | |
c2c49969 | 245 | |
69582a59 DSH |
246 | The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even |
247 | though it has security implications: otherwise it would be impossible to | |
248 | connect to unpatched servers (i.e. all of them initially) and this is clearly | |
249 | not acceptable. Renegotiation is permitted because this does not add any | |
250 | additional security issues: during an attack clients do not see any | |
251 | renegotiations anyway. | |
99b36a8c DSH |
252 | |
253 | As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will | |
254 | B<not> be set by default in a future version of OpenSSL. | |
255 | ||
9fb6fd34 DSH |
256 | OpenSSL client applications wishing to ensure they can connect to unpatched |
257 | servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> | |
99b36a8c | 258 | |
9fb6fd34 DSH |
259 | OpenSSL client applications that want to ensure they can B<not> connect to |
260 | unpatched servers (and thus avoid any security issues) should always B<clear> | |
99b36a8c DSH |
261 | B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or |
262 | SSL_clear_options(). | |
4db82571 | 263 | |
69582a59 DSH |
264 | The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and |
265 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that | |
266 | B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure | |
267 | renegotiation between OpenSSL clients and unpatched servers B<only>, while | |
268 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections | |
269 | and renegotiation between OpenSSL and unpatched clients or servers. | |
4db82571 | 270 | |
7b9cb4a2 LJ |
271 | =head1 RETURN VALUES |
272 | ||
273 | SSL_CTX_set_options() and SSL_set_options() return the new options bitmask | |
274 | after adding B<options>. | |
275 | ||
4db82571 DSH |
276 | SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
277 | after clearing B<options>. | |
278 | ||
7b9cb4a2 LJ |
279 | SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
280 | ||
4db82571 DSH |
281 | SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
282 | secure renegotiation and 0 if it does not. | |
283 | ||
7b9cb4a2 LJ |
284 | =head1 SEE ALSO |
285 | ||
9b86974e RS |
286 | L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>, |
287 | L<SSL_CTX_set_tmp_dh_callback(3)>, | |
7946ab33 | 288 | L<SSL_CTX_set_min_proto_version(3)>, |
9b86974e | 289 | L<dhparam(1)> |
7b9cb4a2 LJ |
290 | |
291 | =head1 HISTORY | |
292 | ||
a528d4f0 RS |
293 | The attempt to always try to use secure renegotiation was added in |
294 | Openssl 0.9.8m. | |
4db82571 | 295 | |
6e127fdd MC |
296 | B<SSL_OP_NO_RENEGOTIATION> was added in OpenSSL 1.1.0h. |
297 | ||
e2f92610 RS |
298 | =head1 COPYRIGHT |
299 | ||
300 | Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. | |
301 | ||
302 | Licensed under the OpenSSL license (the "License"). You may not use | |
303 | this file except in compliance with the License. You can obtain a copy | |
304 | in the file LICENSE in the source distribution or at | |
305 | L<https://www.openssl.org/source/license.html>. | |
306 | ||
307 | =cut |