]>
Commit | Line | Data |
---|---|---|
1 | =pod | |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | SSL_CONF_cmd_value_type, | |
6 | SSL_CONF_cmd - send configuration command | |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
10 | #include <openssl/ssl.h> | |
11 | ||
12 | int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value); | |
13 | int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option); | |
14 | ||
15 | =head1 DESCRIPTION | |
16 | ||
17 | The function SSL_CONF_cmd() performs configuration operation B<option> with | |
18 | optional parameter B<value> on B<ctx>. Its purpose is to simplify application | |
19 | configuration of B<SSL_CTX> or B<SSL> structures by providing a common | |
20 | framework for command line options or configuration files. | |
21 | ||
22 | SSL_CONF_cmd_value_type() returns the type of value that B<option> refers to. | |
23 | ||
24 | =head1 SUPPORTED COMMAND LINE COMMANDS | |
25 | ||
26 | Currently supported B<option> names for command lines (i.e. when the | |
27 | flag B<SSL_CONF_FLAG_CMDLINE> is set) are listed below. Note: all B<option> | |
28 | names are case sensitive. Unless otherwise stated commands can be used by | |
29 | both clients and servers and the B<value> parameter is not used. The default | |
30 | prefix for command line commands is B<-> and that is reflected below. | |
31 | ||
32 | =over 4 | |
33 | ||
34 | =item B<-bugs> | |
35 | ||
36 | Various bug workarounds are set, same as setting B<SSL_OP_ALL>. | |
37 | ||
38 | =item B<-no_comp> | |
39 | ||
40 | Disables support for SSL/TLS compression, same as setting | |
41 | B<SSL_OP_NO_COMPRESSION>. | |
42 | As of OpenSSL 1.1.0, compression is off by default. | |
43 | ||
44 | =item B<-comp> | |
45 | ||
46 | Enables support for SSL/TLS compression, same as clearing | |
47 | B<SSL_OP_NO_COMPRESSION>. | |
48 | This command was introduced in OpenSSL 1.1.0. | |
49 | As of OpenSSL 1.1.0, compression is off by default. TLS compression can only be | |
50 | used in security level 1 or lower. From OpenSSL 3.2.0 and above the default | |
51 | security level is 2, so this option will have no effect without also changing | |
52 | the security level. See L<SSL_CTX_set_security_level(3)>. | |
53 | ||
54 | =item B<-no_ticket> | |
55 | ||
56 | Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. | |
57 | ||
58 | =item B<-serverpref> | |
59 | ||
60 | Use server and not client preference order when determining which cipher suite, | |
61 | signature algorithm or elliptic curve to use for an incoming connection. | |
62 | Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
63 | ||
64 | =item B<-client_renegotiation> | |
65 | ||
66 | Allows servers to accept client-initiated renegotiation. Equivalent to | |
67 | setting B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION>. | |
68 | Only used by servers. | |
69 | ||
70 | =item B<-legacy_renegotiation> | |
71 | ||
72 | Permits the use of unsafe legacy renegotiation. Equivalent to setting | |
73 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. | |
74 | ||
75 | =item B<-no_renegotiation> | |
76 | ||
77 | Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting | |
78 | B<SSL_OP_NO_RENEGOTIATION>. | |
79 | ||
80 | =item B<-no_resumption_on_reneg> | |
81 | ||
82 | Sets B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION>. Only used by servers. | |
83 | ||
84 | =item B<-legacy_server_connect>, B<-no_legacy_server_connect> | |
85 | ||
86 | Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL | |
87 | clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. | |
88 | ||
89 | =item B<-prioritize_chacha> | |
90 | ||
91 | Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of | |
92 | its preference list. This usually indicates a client without AES hardware | |
93 | acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. | |
94 | Only used by servers. Requires B<-serverpref>. | |
95 | ||
96 | =item B<-allow_no_dhe_kex> | |
97 | ||
98 | In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means | |
99 | that there will be no forward secrecy for the resumed session. | |
100 | ||
101 | =item B<-prefer_no_dhe_kex> | |
102 | ||
103 | In TLSv1.3, on resumption let the server prefer a non-(ec)dhe based key | |
104 | exchange mode over an (ec)dhe based one. Requires B<-allow_no_dhe_kex>. | |
105 | Equivalent to B<SSL_OP_PREFER_NO_DHE_KEX>. Only used by servers. | |
106 | ||
107 | =item B<-strict> | |
108 | ||
109 | Enables strict mode protocol handling. Equivalent to setting | |
110 | B<SSL_CERT_FLAG_TLS_STRICT>. | |
111 | ||
112 | =item B<-sigalgs> I<algs> | |
113 | ||
114 | This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. | |
115 | For clients this value is used directly for the supported signature | |
116 | algorithms extension. For servers it is used to determine which signature | |
117 | algorithms to support. | |
118 | ||
119 | The B<algs> argument should be a colon separated list of signature | |
120 | algorithms in order of decreasing preference of the form B<algorithm+hash> | |
121 | or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and | |
122 | B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>, | |
123 | B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case | |
124 | sensitive. B<signature_scheme> is one of the signature schemes defined in | |
125 | TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, | |
126 | B<ed25519>, or B<rsa_pss_pss_sha256>. | |
127 | ||
128 | If this option is not set then all signature algorithms supported by the | |
129 | OpenSSL library are permissible. | |
130 | ||
131 | Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by | |
132 | using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> | |
133 | identifiers) are ignored in TLSv1.3 and will not be negotiated. | |
134 | ||
135 | =item B<-client_sigalgs> I<algs> | |
136 | ||
137 | This sets the supported signature algorithms associated with client | |
138 | authentication for TLSv1.2 and TLSv1.3. For servers the B<algs> is used | |
139 | in the B<signature_algorithms> field of a B<CertificateRequest> message. | |
140 | For clients it is used to determine which signature algorithm to use with | |
141 | the client certificate. If a server does not request a certificate this | |
142 | option has no effect. | |
143 | ||
144 | The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the | |
145 | value set for B<-sigalgs> will be used instead. | |
146 | ||
147 | =item B<-groups> I<groups> | |
148 | ||
149 | This sets the supported groups. For clients, the groups are sent using | |
150 | the supported groups extension. For servers, it is used to determine which | |
151 | group to use. This setting affects groups used for signatures (in TLSv1.2 | |
152 | and earlier) and key exchange. The first group listed will also be used | |
153 | for the B<key_share> sent by a client in a TLSv1.3 B<ClientHello>. | |
154 | ||
155 | The B<groups> argument is a colon separated list of groups. The group can | |
156 | be either the B<NIST> name (e.g. B<P-256>), some other commonly used name | |
157 | where applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name | |
158 | (e.g. B<prime256v1>). Group names are case sensitive. The list should be | |
159 | in order of preference with the most preferred group first. | |
160 | ||
161 | Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, | |
162 | B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, | |
163 | B<ffdhe8192>. | |
164 | ||
165 | =item B<-curves> I<groups> | |
166 | ||
167 | This is a synonym for the B<-groups> command. | |
168 | ||
169 | =item B<-named_curve> I<curve> | |
170 | ||
171 | This sets the temporary curve used for ephemeral ECDH modes. Only used | |
172 | by servers. | |
173 | ||
174 | =item B<-tx_cert_comp> | |
175 | ||
176 | Enables support for sending TLSv1.3 compressed certificates. | |
177 | ||
178 | =item B<-no_tx_cert_comp> | |
179 | ||
180 | Disables support for sending TLSv1.3 compressed certificates. | |
181 | ||
182 | =item B<-rx_cert_comp> | |
183 | ||
184 | Enables support for receiving TLSv1.3 compressed certificates. | |
185 | ||
186 | =item B<-no_rx_cert_comp> | |
187 | ||
188 | Disables support for receiving TLSv1.3 compressed certificates. | |
189 | ||
190 | =item B<-comp> | |
191 | ||
192 | The B<groups> argument is a curve name or the special value B<auto> which | |
193 | picks an appropriate curve based on client and server preferences. The | |
194 | curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name | |
195 | (e.g. B<prime256v1>). Curve names are case sensitive. | |
196 | ||
197 | =item B<-cipher> I<ciphers> | |
198 | ||
199 | Sets the TLSv1.2 and below ciphersuite list to B<ciphers>. This list will be | |
200 | combined with any configured TLSv1.3 ciphersuites. Note: syntax checking | |
201 | of B<ciphers> is currently not performed unless a B<SSL> or B<SSL_CTX> | |
202 | structure is associated with B<ctx>. | |
203 | ||
204 | =item B<-ciphersuites> I<1.3ciphers> | |
205 | ||
206 | Sets the available ciphersuites for TLSv1.3 to value. This is a | |
207 | colon-separated list of TLSv1.3 ciphersuite names in order of preference. This | |
208 | list will be combined any configured TLSv1.2 and below ciphersuites. | |
209 | See L<openssl-ciphers(1)> for more information. | |
210 | ||
211 | =item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot> | |
212 | ||
213 | Sets the minimum and maximum supported protocol. | |
214 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
215 | B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> | |
216 | for no limit. | |
217 | If either the lower or upper bound is not specified then only the other bound | |
218 | applies, if specified. | |
219 | If your application supports both TLS and DTLS you can specify any of these | |
220 | options twice, once with a bound for TLS and again with an appropriate bound | |
221 | for DTLS. | |
222 | To restrict the supported protocol versions use these commands rather than the | |
223 | deprecated alternative commands below. | |
224 | ||
225 | =item B<-record_padding> I<padding> | |
226 | ||
227 | Attempts to pad TLSv1.3 records so that they are a multiple of B<padding> | |
228 | in length on send. A B<padding> of 0 or 1 turns off padding. Otherwise, | |
229 | the B<padding> must be >1 or <=16384. | |
230 | ||
231 | =item B<-debug_broken_protocol> | |
232 | ||
233 | Ignored. | |
234 | ||
235 | =item B<-no_middlebox> | |
236 | ||
237 | Turn off "middlebox compatibility", as described below. | |
238 | ||
239 | =back | |
240 | ||
241 | =head2 Additional Options | |
242 | ||
243 | The following options are accepted by SSL_CONF_cmd(), but are not | |
244 | processed by the OpenSSL commands. | |
245 | ||
246 | =over 4 | |
247 | ||
248 | =item B<-cert> I<file> | |
249 | ||
250 | Attempts to use B<file> as the certificate for the appropriate context. It | |
251 | currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> | |
252 | structure is set or SSL_use_certificate_file() with filetype PEM if an | |
253 | B<SSL> structure is set. This option is only supported if certificate | |
254 | operations are permitted. | |
255 | ||
256 | =item B<-key> I<file> | |
257 | ||
258 | Attempts to use B<file> as the private key for the appropriate context. This | |
259 | option is only supported if certificate operations are permitted. Note: | |
260 | if no B<-key> option is set then a private key is not loaded unless the | |
261 | flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. | |
262 | ||
263 | =item B<-dhparam> I<file> | |
264 | ||
265 | Attempts to use B<file> as the set of temporary DH parameters for | |
266 | the appropriate context. This option is only supported if certificate | |
267 | operations are permitted. | |
268 | ||
269 | =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> | |
270 | ||
271 | Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by | |
272 | setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, | |
273 | B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3> | |
274 | respectively. These options are deprecated, use B<-min_protocol> and | |
275 | B<-max_protocol> instead. | |
276 | ||
277 | =item B<-anti_replay>, B<-no_anti_replay> | |
278 | ||
279 | Switches replay protection, on or off respectively. With replay protection on, | |
280 | OpenSSL will automatically detect if a session ticket has been used more than | |
281 | once, TLSv1.3 has been negotiated, and early data is enabled on the server. A | |
282 | full handshake is forced if a session ticket is used a second or subsequent | |
283 | time. Anti-Replay is on by default unless overridden by a configuration file and | |
284 | is only used by servers. Anti-replay measures are required for compliance with | |
285 | the TLSv1.3 specification. Some applications may be able to mitigate the replay | |
286 | risks in other ways and in such cases the built-in OpenSSL functionality is not | |
287 | required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>. | |
288 | ||
289 | =back | |
290 | ||
291 | =head1 SUPPORTED CONFIGURATION FILE COMMANDS | |
292 | ||
293 | Currently supported B<option> names for configuration files (i.e., when the | |
294 | flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file | |
295 | B<option> names are case insensitive so B<signaturealgorithms> is recognised | |
296 | as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names | |
297 | are also case insensitive. | |
298 | ||
299 | Note: the command prefix (if set) alters the recognised B<option> values. | |
300 | ||
301 | =over 4 | |
302 | ||
303 | =item B<CipherString> | |
304 | ||
305 | Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be | |
306 | combined with any configured TLSv1.3 ciphersuites. Note: syntax | |
307 | checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX> | |
308 | structure is associated with B<ctx>. | |
309 | ||
310 | =item B<Ciphersuites> | |
311 | ||
312 | Sets the available ciphersuites for TLSv1.3 to B<value>. This is a | |
313 | colon-separated list of TLSv1.3 ciphersuite names in order of preference. This | |
314 | list will be combined any configured TLSv1.2 and below ciphersuites. | |
315 | See L<openssl-ciphers(1)> for more information. | |
316 | ||
317 | =item B<Certificate> | |
318 | ||
319 | Attempts to use the file B<value> as the certificate for the appropriate | |
320 | context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX> | |
321 | structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL> | |
322 | structure is set. This option is only supported if certificate operations | |
323 | are permitted. | |
324 | ||
325 | =item B<PrivateKey> | |
326 | ||
327 | Attempts to use the file B<value> as the private key for the appropriate | |
328 | context. This option is only supported if certificate operations | |
329 | are permitted. Note: if no B<PrivateKey> option is set then a private key is | |
330 | not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. | |
331 | ||
332 | =item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath> | |
333 | ||
334 | These options indicate a file or directory used for building certificate | |
335 | chains or verifying certificate chains. These options are only supported | |
336 | if certificate operations are permitted. | |
337 | ||
338 | =item B<RequestCAFile> | |
339 | ||
340 | This option indicates a file containing a set of certificates in PEM form. | |
341 | The subject names of the certificates are sent to the peer in the | |
342 | B<certificate_authorities> extension for TLS 1.3 (in ClientHello or | |
343 | CertificateRequest) or in a certificate request for previous versions or | |
344 | TLS. | |
345 | ||
346 | =item B<ServerInfoFile> | |
347 | ||
348 | Attempts to use the file B<value> in the "serverinfo" extension using the | |
349 | function SSL_CTX_use_serverinfo_file. | |
350 | ||
351 | =item B<DHParameters> | |
352 | ||
353 | Attempts to use the file B<value> as the set of temporary DH parameters for | |
354 | the appropriate context. This option is only supported if certificate | |
355 | operations are permitted. | |
356 | ||
357 | =item B<RecordPadding> | |
358 | ||
359 | Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in | |
360 | length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the | |
361 | B<value> must be >1 or <=16384. | |
362 | ||
363 | =item B<SignatureAlgorithms> | |
364 | ||
365 | This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. | |
366 | For clients this | |
367 | value is used directly for the supported signature algorithms extension. For | |
368 | servers it is used to determine which signature algorithms to support. | |
369 | ||
370 | The B<value> argument should be a colon separated list of signature algorithms | |
371 | in order of decreasing preference of the form B<algorithm+hash> or | |
372 | B<signature_scheme>. B<algorithm> | |
373 | is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm | |
374 | OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. | |
375 | Note: algorithm and hash names are case sensitive. | |
376 | B<signature_scheme> is one of the signature schemes defined in TLSv1.3, | |
377 | specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>, | |
378 | or B<rsa_pss_pss_sha256>. | |
379 | ||
380 | If this option is not set then all signature algorithms supported by the | |
381 | OpenSSL library are permissible. | |
382 | ||
383 | Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by | |
384 | using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> | |
385 | identifiers) are ignored in TLSv1.3 and will not be negotiated. | |
386 | ||
387 | =item B<ClientSignatureAlgorithms> | |
388 | ||
389 | This sets the supported signature algorithms associated with client | |
390 | authentication for TLSv1.2 and TLSv1.3. | |
391 | For servers the value is used in the | |
392 | B<signature_algorithms> field of a B<CertificateRequest> message. | |
393 | For clients it is | |
394 | used to determine which signature algorithm to use with the client certificate. | |
395 | If a server does not request a certificate this option has no effect. | |
396 | ||
397 | The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then | |
398 | the value set for B<SignatureAlgorithms> will be used instead. | |
399 | ||
400 | =item B<Groups> | |
401 | ||
402 | This sets the supported groups. For clients, the groups are | |
403 | sent using the supported groups extension. For servers, it is used | |
404 | to determine which group to use. This setting affects groups used for | |
405 | signatures (in TLSv1.2 and earlier) and key exchange. The first group listed | |
406 | will also be used for the B<key_share> sent by a client in a TLSv1.3 | |
407 | B<ClientHello>. | |
408 | ||
409 | The B<value> argument is a colon separated list of groups. The group can be | |
410 | either the B<NIST> name (e.g. B<P-256>), some other commonly used name where | |
411 | applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name | |
412 | (e.g. B<prime256v1>). Group names are case sensitive. The list should be in | |
413 | order of preference with the most preferred group first. | |
414 | ||
415 | Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>, | |
416 | B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>, | |
417 | B<ffdhe8192>. | |
418 | ||
419 | =item B<Curves> | |
420 | ||
421 | This is a synonym for the "Groups" command. | |
422 | ||
423 | =item B<MinProtocol> | |
424 | ||
425 | This sets the minimum supported SSL, TLS or DTLS version. | |
426 | ||
427 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
428 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. | |
429 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
430 | apply only to DTLS-based contexts. | |
431 | The command can be repeated with one instance setting a TLS bound, and the | |
432 | other setting a DTLS bound. | |
433 | The value B<None> applies to both types of contexts and disables the limits. | |
434 | ||
435 | =item B<MaxProtocol> | |
436 | ||
437 | This sets the maximum supported SSL, TLS or DTLS version. | |
438 | ||
439 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
440 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. | |
441 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
442 | apply only to DTLS-based contexts. | |
443 | The command can be repeated with one instance setting a TLS bound, and the | |
444 | other setting a DTLS bound. | |
445 | The value B<None> applies to both types of contexts and disables the limits. | |
446 | ||
447 | =item B<Protocol> | |
448 | ||
449 | This can be used to enable or disable certain versions of the SSL, | |
450 | TLS or DTLS protocol. | |
451 | ||
452 | The B<value> argument is a comma separated list of supported protocols | |
453 | to enable or disable. | |
454 | If a protocol is preceded by B<-> that version is disabled. | |
455 | ||
456 | All protocol versions are enabled by default. | |
457 | You need to disable at least one protocol version for this setting have any | |
458 | effect. | |
459 | Only enabling some protocol versions does not disable the other protocol | |
460 | versions. | |
461 | ||
462 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
463 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. | |
464 | The special value B<ALL> refers to all supported versions. | |
465 | ||
466 | This can't enable protocols that are disabled using B<MinProtocol> | |
467 | or B<MaxProtocol>, but can disable protocols that are still allowed | |
468 | by them. | |
469 | ||
470 | The B<Protocol> command is fragile and deprecated; do not use it. | |
471 | Use B<MinProtocol> and B<MaxProtocol> instead. | |
472 | If you do use B<Protocol>, make sure that the resulting range of enabled | |
473 | protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make | |
474 | sure to also leave TLS 1.1 enabled. | |
475 | ||
476 | =item B<Options> | |
477 | ||
478 | The B<value> argument is a comma separated list of various flags to set. | |
479 | If a flag string is preceded B<-> it is disabled. | |
480 | See the L<SSL_CTX_set_options(3)> function for more details of | |
481 | individual options. | |
482 | ||
483 | Each option is listed below. Where an operation is enabled by default | |
484 | the B<-flag> syntax is needed to disable it. | |
485 | ||
486 | B<SessionTicket>: session ticket support, enabled by default. Inverse of | |
487 | B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting | |
488 | B<SSL_OP_NO_TICKET>. | |
489 | ||
490 | B<Compression>: SSL/TLS compression support, disabled by default. Inverse | |
491 | of B<SSL_OP_NO_COMPRESSION>. | |
492 | ||
493 | B<EmptyFragments>: use empty fragments as a countermeasure against a | |
494 | SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It | |
495 | is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>. | |
496 | ||
497 | B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>. | |
498 | ||
499 | B<DHSingle>: enable single use DH keys, set by default. Inverse of | |
500 | B<SSL_OP_DH_SINGLE>. Only used by servers. | |
501 | ||
502 | B<ECDHSingle>: enable single use ECDH keys, set by default. Inverse of | |
503 | B<SSL_OP_ECDH_SINGLE>. Only used by servers. | |
504 | ||
505 | B<ServerPreference>: use server and not client preference order when | |
506 | determining which cipher suite, signature algorithm or elliptic curve | |
507 | to use for an incoming connection. Equivalent to | |
508 | B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. | |
509 | ||
510 | B<PrioritizeChaCha>: prioritizes ChaCha ciphers when the client has a | |
511 | ChaCha20 cipher at the top of its preference list. This usually indicates | |
512 | a mobile client is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>. | |
513 | Only used by servers. | |
514 | ||
515 | B<NoResumptionOnRenegotiation>: set | |
516 | B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers. | |
517 | ||
518 | B<NoRenegotiation>: disables all attempts at renegotiation in TLSv1.2 and | |
519 | earlier, same as setting B<SSL_OP_NO_RENEGOTIATION>. | |
520 | ||
521 | B<UnsafeLegacyRenegotiation>: permits the use of unsafe legacy renegotiation. | |
522 | Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. | |
523 | ||
524 | B<UnsafeLegacyServerConnect>: permits the use of unsafe legacy renegotiation | |
525 | for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. | |
526 | ||
527 | B<EncryptThenMac>: use encrypt-then-mac extension, enabled by | |
528 | default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is, | |
529 | B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>. | |
530 | ||
531 | B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on | |
532 | resumption. This means that there will be no forward secrecy for the resumed | |
533 | session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>. | |
534 | ||
535 | B<PreferNoDHEKEX>: In TLSv1.3, on resumption let the server prefer a | |
536 | non-(ec)dhe based key exchange mode over an (ec)dhe based one. Requires | |
537 | B<AllowNoDHEKEX>. Equivalent to B<SSL_OP_PREFER_NO_DHE_KEX>. Only used by | |
538 | servers. | |
539 | ||
540 | B<MiddleboxCompat>: If set then dummy Change Cipher Spec (CCS) messages are sent | |
541 | in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that | |
542 | middleboxes that do not understand TLSv1.3 will not drop the connection. This | |
543 | option is set by default. A future version of OpenSSL may not set this by | |
544 | default. Equivalent to B<SSL_OP_ENABLE_MIDDLEBOX_COMPAT>. | |
545 | ||
546 | B<AntiReplay>: If set then OpenSSL will automatically detect if a session ticket | |
547 | has been used more than once, TLSv1.3 has been negotiated, and early data is | |
548 | enabled on the server. A full handshake is forced if a session ticket is used a | |
549 | second or subsequent time. This option is set by default and is only used by | |
550 | servers. Anti-replay measures are required to comply with the TLSv1.3 | |
551 | specification. Some applications may be able to mitigate the replay risks in | |
552 | other ways and in such cases the built-in OpenSSL functionality is not required. | |
553 | Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. | |
554 | ||
555 | B<ExtendedMasterSecret>: use extended master secret extension, enabled by | |
556 | default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is, | |
557 | B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>. | |
558 | ||
559 | B<CANames>: use CA names extension, enabled by | |
560 | default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is, | |
561 | B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>. | |
562 | ||
563 | B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported | |
564 | by the negotiated ciphersuites and extensions. Equivalent to | |
565 | B<SSL_OP_ENABLE_KTLS>. | |
566 | ||
567 | B<StrictCertCheck>: Enable strict certificate checking. Equivalent to | |
568 | setting B<SSL_CERT_FLAG_TLS_STRICT> with SSL_CTX_set_cert_flags(). | |
569 | ||
570 | B<TxCertificateCompression>: support sending compressed certificates, enabled by | |
571 | default. Inverse of B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>: that is, | |
572 | B<-TxCertificateCompression> is the same as setting B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>. | |
573 | ||
574 | B<RxCertificateCompression>: support receiving compressed certificates, enabled by | |
575 | default. Inverse of B<SSL_OP_NO_RX_CERTIFICATE_COMPRESSION>: that is, | |
576 | B<-RxCertificateCompression> is the same as setting B<SSL_OP_NO_RX_CERTIFICATE_COMPRESSION>. | |
577 | ||
578 | B<KTLSTxZerocopySendfile>: use the zerocopy TX mode of sendfile(), which gives | |
579 | a performance boost when used with KTLS hardware offload. Note that invalid TLS | |
580 | records might be transmitted if the file is changed while being sent. This | |
581 | option has no effect if B<KTLS> is not enabled. Equivalent to | |
582 | B<SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE>. This option only applies to Linux. | |
583 | KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and | |
584 | always runs in this mode. | |
585 | ||
586 | B<IgnoreUnexpectedEOF>: Equivalent to B<SSL_OP_IGNORE_UNEXPECTED_EOF>. | |
587 | You should only enable this option if the protocol running over TLS can detect | |
588 | a truncation attack itself, and that the application is checking for that | |
589 | truncation attack. | |
590 | ||
591 | =item B<VerifyMode> | |
592 | ||
593 | The B<value> argument is a comma separated list of flags to set. | |
594 | ||
595 | B<Peer> enables peer verification: for clients only. | |
596 | ||
597 | B<Request> requests but does not require a certificate from the client. | |
598 | Servers only. | |
599 | ||
600 | B<Require> requests and requires a certificate from the client: an error | |
601 | occurs if the client does not present a certificate. Servers only. | |
602 | ||
603 | B<Once> requests a certificate from a client only on the initial connection: | |
604 | not when renegotiating. Servers only. | |
605 | ||
606 | B<RequestPostHandshake> configures the connection to support requests but does | |
607 | not require a certificate from the client post-handshake. A certificate will | |
608 | not be requested during the initial handshake. The server application must | |
609 | provide a mechanism to request a certificate post-handshake. Servers only. | |
610 | TLSv1.3 only. | |
611 | ||
612 | B<RequiresPostHandshake> configures the connection to support requests and | |
613 | requires a certificate from the client post-handshake: an error occurs if the | |
614 | client does not present a certificate. A certificate will not be requested | |
615 | during the initial handshake. The server application must provide a mechanism | |
616 | to request a certificate post-handshake. Servers only. TLSv1.3 only. | |
617 | ||
618 | =item B<ClientCAFile>, B<ClientCAPath> | |
619 | ||
620 | A file or directory of certificates in PEM format whose names are used as the | |
621 | set of acceptable names for client CAs. Servers only. This option is only | |
622 | supported if certificate operations are permitted. | |
623 | ||
624 | =back | |
625 | ||
626 | =head1 SUPPORTED COMMAND TYPES | |
627 | ||
628 | The function SSL_CONF_cmd_value_type() currently returns one of the following | |
629 | types: | |
630 | ||
631 | =over 4 | |
632 | ||
633 | =item B<SSL_CONF_TYPE_UNKNOWN> | |
634 | ||
635 | The B<option> string is unrecognised, this return value can be use to flag | |
636 | syntax errors. | |
637 | ||
638 | =item B<SSL_CONF_TYPE_STRING> | |
639 | ||
640 | The value is a string without any specific structure. | |
641 | ||
642 | =item B<SSL_CONF_TYPE_FILE> | |
643 | ||
644 | The value is a filename. | |
645 | ||
646 | =item B<SSL_CONF_TYPE_DIR> | |
647 | ||
648 | The value is a directory name. | |
649 | ||
650 | =item B<SSL_CONF_TYPE_NONE> | |
651 | ||
652 | The value string is not used e.g. a command line option which doesn't take an | |
653 | argument. | |
654 | ||
655 | =back | |
656 | ||
657 | =head1 NOTES | |
658 | ||
659 | The order of operations is significant. This can be used to set either defaults | |
660 | or values which cannot be overridden. For example if an application calls: | |
661 | ||
662 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); | |
663 | SSL_CONF_cmd(ctx, userparam, uservalue); | |
664 | ||
665 | it will disable SSLv3 support by default but the user can override it. If | |
666 | however the call sequence is: | |
667 | ||
668 | SSL_CONF_cmd(ctx, userparam, uservalue); | |
669 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); | |
670 | ||
671 | SSLv3 is B<always> disabled and attempt to override this by the user are | |
672 | ignored. | |
673 | ||
674 | By checking the return code of SSL_CONF_cmd() it is possible to query if a | |
675 | given B<option> is recognised, this is useful if SSL_CONF_cmd() values are | |
676 | mixed with additional application specific operations. | |
677 | ||
678 | For example an application might call SSL_CONF_cmd() and if it returns | |
679 | -2 (unrecognised command) continue with processing of application specific | |
680 | commands. | |
681 | ||
682 | Applications can also use SSL_CONF_cmd() to process command lines though the | |
683 | utility function SSL_CONF_cmd_argv() is normally used instead. One way | |
684 | to do this is to set the prefix to an appropriate value using | |
685 | SSL_CONF_CTX_set1_prefix(), pass the current argument to B<option> and the | |
686 | following argument to B<value> (which may be NULL). | |
687 | ||
688 | In this case if the return value is positive then it is used to skip that | |
689 | number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is | |
690 | returned then B<option> is not recognised and application specific arguments | |
691 | can be checked instead. If -3 is returned a required argument is missing | |
692 | and an error is indicated. If 0 is returned some other error occurred and | |
693 | this can be reported back to the user. | |
694 | ||
695 | The function SSL_CONF_cmd_value_type() can be used by applications to | |
696 | check for the existence of a command or to perform additional syntax | |
697 | checking or translation of the command value. For example if the return | |
698 | value is B<SSL_CONF_TYPE_FILE> an application could translate a relative | |
699 | pathname to an absolute pathname. | |
700 | ||
701 | =head1 RETURN VALUES | |
702 | ||
703 | SSL_CONF_cmd() returns 1 if the value of B<option> is recognised and B<value> is | |
704 | B<NOT> used and 2 if both B<option> and B<value> are used. In other words it | |
705 | returns the number of arguments processed. This is useful when processing | |
706 | command lines. | |
707 | ||
708 | A return value of -2 means B<option> is not recognised. | |
709 | ||
710 | A return value of -3 means B<option> is recognised and the command requires a | |
711 | value but B<value> is NULL. | |
712 | ||
713 | A return code of 0 indicates that both B<option> and B<value> are valid but an | |
714 | error occurred attempting to perform the operation: for example due to an | |
715 | error in the syntax of B<value> in this case the error queue may provide | |
716 | additional information. | |
717 | ||
718 | =head1 EXAMPLES | |
719 | ||
720 | Set supported signature algorithms: | |
721 | ||
722 | SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); | |
723 | ||
724 | There are various ways to select the supported protocols. | |
725 | ||
726 | This set the minimum protocol version to TLSv1, and so disables SSLv3. | |
727 | This is the recommended way to disable protocols. | |
728 | ||
729 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1"); | |
730 | ||
731 | The following also disables SSLv3: | |
732 | ||
733 | SSL_CONF_cmd(ctx, "Protocol", "-SSLv3"); | |
734 | ||
735 | The following will first enable all protocols, and then disable | |
736 | SSLv3. | |
737 | If no protocol versions were disabled before this has the same effect as | |
738 | "-SSLv3", but if some versions were disables this will re-enable them before | |
739 | disabling SSLv3. | |
740 | ||
741 | SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3"); | |
742 | ||
743 | Only enable TLSv1.2: | |
744 | ||
745 | SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2"); | |
746 | SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2"); | |
747 | ||
748 | This also only enables TLSv1.2: | |
749 | ||
750 | SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); | |
751 | ||
752 | Disable TLS session tickets: | |
753 | ||
754 | SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); | |
755 | ||
756 | Enable compression: | |
757 | ||
758 | SSL_CONF_cmd(ctx, "Options", "Compression"); | |
759 | ||
760 | Set supported curves to P-256, P-384: | |
761 | ||
762 | SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); | |
763 | ||
764 | =head1 SEE ALSO | |
765 | ||
766 | L<ssl(7)>, | |
767 | L<SSL_CONF_CTX_new(3)>, | |
768 | L<SSL_CONF_CTX_set_flags(3)>, | |
769 | L<SSL_CONF_CTX_set1_prefix(3)>, | |
770 | L<SSL_CONF_CTX_set_ssl_ctx(3)>, | |
771 | L<SSL_CONF_cmd_argv(3)>, | |
772 | L<SSL_CTX_set_options(3)> | |
773 | ||
774 | =head1 HISTORY | |
775 | ||
776 | The SSL_CONF_cmd() function was added in OpenSSL 1.0.2. | |
777 | ||
778 | The B<SSL_OP_NO_SSL2> option doesn't have effect since 1.1.0, but the macro | |
779 | is retained for backwards compatibility. | |
780 | ||
781 | The B<SSL_CONF_TYPE_NONE> was added in OpenSSL 1.1.0. In earlier versions of | |
782 | OpenSSL passing a command which didn't take an argument would return | |
783 | B<SSL_CONF_TYPE_UNKNOWN>. | |
784 | ||
785 | B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0. | |
786 | ||
787 | B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1. | |
788 | ||
789 | The B<UnsafeLegacyServerConnect> option is no longer set by default from | |
790 | OpenSSL 3.0. | |
791 | ||
792 | The B<TxCertificateCompression> and B<RxCertificateCompression> options were | |
793 | added in OpenSSL 3.2. | |
794 | ||
795 | B<PreferNoDHEKEX> was added in OpenSSL 3.3. | |
796 | ||
797 | =head1 COPYRIGHT | |
798 | ||
799 | Copyright 2012-2023 The OpenSSL Project Authors. All Rights Reserved. | |
800 | ||
801 | Licensed under the Apache License 2.0 (the "License"). You may not use | |
802 | this file except in compliance with the License. You can obtain a copy | |
803 | in the file LICENSE in the source distribution or at | |
804 | L<https://www.openssl.org/source/license.html>. | |
805 | ||
806 | =cut |