From: Todd Short Date: Thu, 5 Aug 2021 20:29:37 +0000 (-0400) Subject: Add missing SSL_OP flags X-Git-Tag: openssl-3.0.0~124 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73dadb9300bc54ac871209843faf797721f7ab88;p=thirdparty%2Fopenssl.git Add missing SSL_OP flags Add missing SSL_OP flags. Correct the list of flags set by SSL_OP_ALL. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/16236) --- diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index df47e4dd03..836b587e97 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -67,12 +67,6 @@ The following B options are available: Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. -=item SSL_OP_DISABLE_TLSEXT_CA_NAMES - -Disable TLS Extension CA Names. You may want to disable it for security reasons -or for compatibility with some Windows TLS implementations crashing when this -extension is larger than 1024 bytes. - =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol @@ -80,6 +74,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. +=item SSL_OP_CRYPTOPRO_TLSEXT_BUG + +Make server add server-hello extension from early version of cryptopro draft, +when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro +CSP 3.x. + =item SSL_OP_TLSEXT_PADDING Adds a padding extension to ensure the ClientHello size is never between @@ -100,6 +100,17 @@ The following B options are available: =over 4 +=item SSL_OP_ALLOW_CLIENT_RENEGOTIATION + +Client-initiated renegotiation is disabled by default. To allow it, use the +this option to enable it. + +=item SSL_OP_DISABLE_TLSEXT_CA_NAMES + +Disable TLS Extension CA Names. You may want to disable it for security reasons +or for compatibility with some Windows TLS implementations crashing when this +extension is larger than 1024 bytes. + =item SSL_OP_TLS_ROLLBACK_BUG Disable version rollback attack detection. @@ -137,7 +148,9 @@ handshake). This option is not needed for clients. =item SSL_OP_NO_COMPRESSION -Do not use compression even if it is supported. +Do not use compression even if it is supported. This option is set by default. +To switch it off use SSL_clear_options(). A future version of OpenSSL may not +set this by default. =item SSL_OP_NO_QUERY_MTU @@ -243,6 +256,11 @@ those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere in the server cipher list; but still allows other clients to use AES and other ciphers. Requires B. +=item SSL_OP_CISCO_ANYCONNECT + +Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1 +connection. Only available when using the deprecated DTLSv1_client_method() API. + =item SSL_OP_ENABLE_MIDDLEBOX_COMPAT If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This