]>
Commit | Line | Data |
---|---|---|
7b9cb4a2 LJ |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b5c002d5 | 5 | SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options |
7b9cb4a2 LJ |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/ssl.h> | |
10 | ||
11 | long SSL_CTX_set_options(SSL_CTX *ctx, long options); | |
12 | long SSL_set_options(SSL *ssl, long options); | |
13 | ||
4db82571 DSH |
14 | long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
15 | long SSL_clear_options(SSL *ssl, long options); | |
16 | ||
7b9cb4a2 LJ |
17 | long SSL_CTX_get_options(SSL_CTX *ctx); |
18 | long SSL_get_options(SSL *ssl); | |
19 | ||
4db82571 DSH |
20 | long SSL_get_secure_renegotiation_support(SSL *ssl); |
21 | ||
7b9cb4a2 LJ |
22 | =head1 DESCRIPTION |
23 | ||
4db82571 DSH |
24 | Note: all these functions are implemented using macros. |
25 | ||
7b9cb4a2 | 26 | SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. |
37f599bc | 27 | Options already set before are not cleared! |
7b9cb4a2 LJ |
28 | |
29 | SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. | |
37f599bc | 30 | Options already set before are not cleared! |
7b9cb4a2 | 31 | |
4db82571 DSH |
32 | SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
33 | to B<ctx>. | |
34 | ||
35 | SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. | |
36 | ||
7b9cb4a2 LJ |
37 | SSL_CTX_get_options() returns the options set for B<ctx>. |
38 | ||
39 | SSL_get_options() returns the options set for B<ssl>. | |
40 | ||
4db82571 DSH |
41 | SSL_get_secure_renegotiation_support() indicates whether the peer supports |
42 | secure renegotiation. | |
43 | ||
7b9cb4a2 LJ |
44 | =head1 NOTES |
45 | ||
46 | The behaviour of the SSL library can be changed by setting several options. | |
47 | The options are coded as bitmasks and can be combined by a logical B<or> | |
4db82571 | 48 | operation (|). |
7b9cb4a2 | 49 | |
37f599bc LJ |
50 | SSL_CTX_set_options() and SSL_set_options() affect the (external) |
51 | protocol behaviour of the SSL library. The (internal) behaviour of | |
52 | the API can be changed by using the similar | |
2edcb4ac | 53 | L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
37f599bc LJ |
54 | |
55 | During a handshake, the option settings of the SSL object are used. When | |
7b9cb4a2 LJ |
56 | a new SSL object is created from a context using SSL_new(), the current |
57 | option setting is copied. Changes to B<ctx> do not affect already created | |
58 | SSL objects. SSL_clear() does not affect the settings. | |
59 | ||
60 | The following B<bug workaround> options are available: | |
61 | ||
62 | =over 4 | |
63 | ||
64 | =item SSL_OP_MICROSOFT_SESS_ID_BUG | |
65 | ||
66 | www.microsoft.com - when talking SSLv2, if session-id reuse is | |
67 | performed, the session-id passed back in the server-finished message | |
68 | is different from the one decided upon. | |
69 | ||
70 | =item SSL_OP_NETSCAPE_CHALLENGE_BUG | |
71 | ||
72 | Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte | |
73 | challenge but then appears to only use 16 bytes when generating the | |
74 | encryption keys. Using 16 bytes is ok but it should be ok to use 32. | |
75 | According to the SSLv3 spec, one should use 32 bytes for the challenge | |
52d160d8 | 76 | when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
7b9cb4a2 LJ |
77 | this breaks this server so 16 bytes is the way to go. |
78 | ||
79 | =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
80 | ||
81 | ssl3.netscape.com:443, first a connection is established with RC4-MD5. | |
82 | If it is then resumed, we end up using DES-CBC3-SHA. It should be | |
83 | RC4-MD5 according to 7.6.1.3, 'cipher_suite'. | |
84 | ||
85 | Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. | |
86 | It only really shows up when connecting via SSLv2/v3 then reconnecting | |
87 | via SSLv3. The cipher list changes.... | |
88 | ||
89 | NEW INFORMATION. Try connecting with a cipher list of just | |
90 | DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses | |
91 | RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when | |
92 | doing a re-connect, always takes the first cipher in the cipher list. | |
93 | ||
94 | =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
95 | ||
96 | ... | |
97 | ||
98 | =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
99 | ||
100 | ... | |
101 | ||
102 | =item SSL_OP_MSIE_SSLV2_RSA_PADDING | |
103 | ||
72dce768 | 104 | As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect. |
7b9cb4a2 LJ |
105 | |
106 | =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
107 | ||
108 | ... | |
109 | ||
110 | =item SSL_OP_TLS_D5_BUG | |
111 | ||
112 | ... | |
113 | ||
114 | =item SSL_OP_TLS_BLOCK_PADDING_BUG | |
115 | ||
116 | ... | |
117 | ||
c21506ba BM |
118 | =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
119 | ||
120 | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol | |
121 | vulnerability affecting CBC ciphers, which cannot be handled by some | |
122 | broken SSL implementations. This option has no effect for connections | |
123 | using other ciphers. | |
124 | ||
7b9cb4a2 LJ |
125 | =item SSL_OP_ALL |
126 | ||
127 | All of the above bug workarounds. | |
128 | ||
129 | =back | |
130 | ||
c21506ba BM |
131 | It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround |
132 | options if compatibility with somewhat broken implementations is | |
133 | desired. | |
7b9cb4a2 LJ |
134 | |
135 | The following B<modifying> options are available: | |
136 | ||
137 | =over 4 | |
138 | ||
06da6e49 LJ |
139 | =item SSL_OP_TLS_ROLLBACK_BUG |
140 | ||
141 | Disable version rollback attack detection. | |
142 | ||
143 | During the client key exchange, the client must send the same information | |
144 | about acceptable SSL/TLS protocol levels as during the first hello. Some | |
145 | clients violate this rule by adapting to the server's answer. (Example: | |
146 | the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server | |
147 | only understands up to SSLv3. In this case the client must still use the | |
148 | same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect | |
149 | to the server's answer and violate the version rollback protection.) | |
150 | ||
7b9cb4a2 LJ |
151 | =item SSL_OP_SINGLE_DH_USE |
152 | ||
37f599bc | 153 | Always create a new key when using temporary/ephemeral DH parameters |
4db48ec0 | 154 | (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
37f599bc LJ |
155 | This option must be used to prevent small subgroup attacks, when |
156 | the DH parameters were not generated using "strong" primes | |
157 | (e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>). | |
158 | If "strong" primes were used, it is not strictly necessary to generate | |
3b80e3aa | 159 | a new DH key during each handshake but it is also recommended. |
51008ffc | 160 | B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever |
37f599bc | 161 | temporary/ephemeral DH parameters are used. |
7b9cb4a2 LJ |
162 | |
163 | =item SSL_OP_EPHEMERAL_RSA | |
164 | ||
37f599bc | 165 | Always use ephemeral (temporary) RSA key when doing RSA operations |
4db48ec0 | 166 | (see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). |
37f599bc LJ |
167 | According to the specifications this is only done, when a RSA key |
168 | can only be used for signature operations (namely under export ciphers | |
169 | with restricted RSA keylength). By setting this option, ephemeral | |
170 | RSA keys are always used. This option breaks compatibility with the | |
171 | SSL/TLS specifications and may lead to interoperability problems with | |
172 | clients and should therefore never be used. Ciphers with EDH (ephemeral | |
173 | Diffie-Hellman) key exchange should be used instead. | |
7b9cb4a2 | 174 | |
1b65ce7d LJ |
175 | =item SSL_OP_CIPHER_SERVER_PREFERENCE |
176 | ||
177 | When choosing a cipher, use the server's preferences instead of the client | |
178 | preferences. When not set, the SSL server will always follow the clients | |
179 | preferences. When set, the SSLv3/TLSv1 server will choose following its | |
52d160d8 | 180 | own preferences. Because of the different protocol, for SSLv2 the server |
e27a2596 | 181 | will send its list of preferences to the client and the client chooses. |
1b65ce7d | 182 | |
7b9cb4a2 LJ |
183 | =item SSL_OP_PKCS1_CHECK_1 |
184 | ||
185 | ... | |
186 | ||
187 | =item SSL_OP_PKCS1_CHECK_2 | |
188 | ||
189 | ... | |
190 | ||
191 | =item SSL_OP_NETSCAPE_CA_DN_BUG | |
192 | ||
193 | If we accept a netscape connection, demand a client cert, have a | |
d177e618 | 194 | non-self-signed CA which does not have its CA in netscape, and the |
7b9cb4a2 LJ |
195 | browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta |
196 | ||
7b9cb4a2 LJ |
197 | =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
198 | ||
199 | ... | |
200 | ||
201 | =item SSL_OP_NO_SSLv2 | |
202 | ||
203 | Do not use the SSLv2 protocol. | |
204 | ||
205 | =item SSL_OP_NO_SSLv3 | |
206 | ||
207 | Do not use the SSLv3 protocol. | |
208 | ||
209 | =item SSL_OP_NO_TLSv1 | |
210 | ||
211 | Do not use the TLSv1 protocol. | |
212 | ||
51008ffc BM |
213 | =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
214 | ||
215 | When performing renegotiation as a server, always start a new session | |
216 | (i.e., session resumption requests are only accepted in the initial | |
4db82571 | 217 | handshake). This option is not needed for clients. |
51008ffc | 218 | |
f3fef74b DSH |
219 | =item SSL_OP_NO_TICKET |
220 | ||
221 | Normally clients and servers will, where possible, transparently make use | |
222 | of RFC4507bis tickets for stateless session resumption. | |
223 | ||
224 | If this option is set this functionality is disabled and tickets will | |
225 | not be used by clients or servers. | |
226 | ||
99b36a8c | 227 | =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, SSL_OP_LEGACY_SERVER_CONNECT |
4db82571 DSH |
228 | |
229 | See the B<SECURE RENEGOTIATION> section for a discussion of the purpose of | |
99b36a8c | 230 | these options. |
4db82571 | 231 | |
7b9cb4a2 LJ |
232 | =back |
233 | ||
4db82571 DSH |
234 | =head1 SECURE RENEGOTIATION |
235 | ||
b5c002d5 | 236 | OpenSSL 0.9.8m and later always attempts to use secure renegotiation as |
4db82571 | 237 | described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This |
99b36a8c | 238 | counters the prefix attack described in CVE-2009-3555 and elsewhere. |
4db82571 DSH |
239 | |
240 | This attack has far reaching consequences which application writers should be | |
241 | aware of. In the description below an implementation supporting secure | |
242 | renegotiation is referred to as I<patched>. A server not supporting secure | |
243 | renegotiation is referred to as I<unpatched>. | |
244 | ||
99b36a8c | 245 | =head2 Patched client and server |
4db82571 | 246 | |
99b36a8c | 247 | Connections and renegotiation will always succeed. |
4db82571 | 248 | |
99b36a8c | 249 | =head2 Unpatched client and patched server |
b5c002d5 | 250 | |
99b36a8c DSH |
251 | The initial connection suceeds but client renegotiation is denied with a |
252 | B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal | |
253 | B<handshake_failure> alert in SSL v3.0. | |
254 | ||
255 | If the patched server attempts to renegotiate a fatal B<handshake_failure> | |
256 | alert is sent. This is because the server code may be unaware of the | |
257 | unpatched nature of the client. | |
258 | ||
259 | If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then | |
260 | renegotiation B<always> succeeds. | |
261 | ||
262 | B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are | |
263 | unpatched) will result in the connection hanging if it receives a | |
264 | B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard | |
265 | a B<no_renegotiation> alert as fatal and respond with a fatal | |
266 | B<handshake_failure> alert. | |
267 | ||
268 | =head2 Patched client and unpatched server. | |
269 | ||
270 | If the option B<SSL_OP_LEGACY_SERVER_CONNECT> is set then initial connections | |
271 | to unpatched servers succeed. This option is currently set by default even | |
272 | though it has security implications: otherwise it would be impossible to | |
273 | connect to unpatched servers i.e. all of them initially and this is clearly not | |
274 | acceptable. | |
275 | ||
276 | As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will | |
277 | B<not> be set by default in a future version of OpenSSL. | |
278 | ||
279 | Applications that want to ensure they can connect to unpatched servers should | |
280 | always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> | |
281 | ||
282 | Applications that want to ensure they can B<not> connect to unpatched servers | |
283 | (and thus avoid any security issues) should always B<clear> | |
284 | B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or | |
285 | SSL_clear_options(). | |
4db82571 DSH |
286 | |
287 | The function SSL_get_secure_renegotiation_support() indicates whether the peer | |
288 | supports secure renegotiation. | |
289 | ||
99b36a8c DSH |
290 | The deprecated and highly broken SSLv2 protocol does not support secure |
291 | renegotiation at all: its use is B<strongly> discouraged. | |
4db82571 | 292 | |
7b9cb4a2 LJ |
293 | =head1 RETURN VALUES |
294 | ||
295 | SSL_CTX_set_options() and SSL_set_options() return the new options bitmask | |
296 | after adding B<options>. | |
297 | ||
4db82571 DSH |
298 | SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
299 | after clearing B<options>. | |
300 | ||
7b9cb4a2 LJ |
301 | SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
302 | ||
4db82571 DSH |
303 | SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
304 | secure renegotiation and 0 if it does not. | |
305 | ||
7b9cb4a2 LJ |
306 | =head1 SEE ALSO |
307 | ||
4db48ec0 LJ |
308 | L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>, |
309 | L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, | |
37f599bc LJ |
310 | L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, |
311 | L<dhparam(1)|dhparam(1)> | |
7b9cb4a2 LJ |
312 | |
313 | =head1 HISTORY | |
314 | ||
51008ffc BM |
315 | B<SSL_OP_CIPHER_SERVER_PREFERENCE> and |
316 | B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> have been added in | |
317 | OpenSSL 0.9.7. | |
1b65ce7d | 318 | |
51008ffc BM |
319 | B<SSL_OP_TLS_ROLLBACK_BUG> has been added in OpenSSL 0.9.6 and was automatically |
320 | enabled with B<SSL_OP_ALL>. As of 0.9.7, it is no longer included in B<SSL_OP_ALL> | |
3b80e3aa | 321 | and must be explicitly set. |
7b9cb4a2 | 322 | |
c21506ba BM |
323 | B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS> has been added in OpenSSL 0.9.6e. |
324 | Versions up to OpenSSL 0.9.6c do not include the countermeasure that | |
325 | can be disabled with this option (in OpenSSL 0.9.6d, it was always | |
326 | enabled). | |
327 | ||
4db82571 DSH |
328 | SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL |
329 | 0.9.8m. | |
330 | ||
99b36a8c DSH |
331 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT> |
332 | and the function SSL_get_secure_renegotiation_support() were first added in | |
333 | OpenSSL 0.9.8m. | |
4db82571 | 334 | |
7b9cb4a2 | 335 | =cut |