]>
Commit | Line | Data |
---|---|---|
7b9cb4a2 LJ |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
57ce7b61 VD |
5 | SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, |
6 | SSL_clear_options, SSL_CTX_get_options, SSL_get_options, | |
7 | SSL_get_secure_renegotiation_support - manipulate SSL options | |
7b9cb4a2 LJ |
8 | |
9 | =head1 SYNOPSIS | |
10 | ||
11 | #include <openssl/ssl.h> | |
12 | ||
13 | long SSL_CTX_set_options(SSL_CTX *ctx, long options); | |
14 | long SSL_set_options(SSL *ssl, long options); | |
15 | ||
4db82571 DSH |
16 | long SSL_CTX_clear_options(SSL_CTX *ctx, long options); |
17 | long SSL_clear_options(SSL *ssl, long options); | |
18 | ||
7b9cb4a2 LJ |
19 | long SSL_CTX_get_options(SSL_CTX *ctx); |
20 | long SSL_get_options(SSL *ssl); | |
21 | ||
4db82571 DSH |
22 | long SSL_get_secure_renegotiation_support(SSL *ssl); |
23 | ||
7b9cb4a2 LJ |
24 | =head1 DESCRIPTION |
25 | ||
26 | SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>. | |
37f599bc | 27 | Options already set before are not cleared! |
7b9cb4a2 LJ |
28 | |
29 | SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>. | |
37f599bc | 30 | Options already set before are not cleared! |
7b9cb4a2 | 31 | |
4db82571 DSH |
32 | SSL_CTX_clear_options() clears the options set via bitmask in B<options> |
33 | to B<ctx>. | |
34 | ||
35 | SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>. | |
36 | ||
7b9cb4a2 LJ |
37 | SSL_CTX_get_options() returns the options set for B<ctx>. |
38 | ||
39 | SSL_get_options() returns the options set for B<ssl>. | |
40 | ||
4db82571 DSH |
41 | SSL_get_secure_renegotiation_support() indicates whether the peer supports |
42 | secure renegotiation. | |
8106cb8b | 43 | Note, this is implemented via a macro. |
4db82571 | 44 | |
7b9cb4a2 LJ |
45 | =head1 NOTES |
46 | ||
47 | The behaviour of the SSL library can be changed by setting several options. | |
762a44de | 48 | The options are coded as bitmasks and can be combined by a bitwise B<or> |
4db82571 | 49 | operation (|). |
7b9cb4a2 | 50 | |
37f599bc LJ |
51 | SSL_CTX_set_options() and SSL_set_options() affect the (external) |
52 | protocol behaviour of the SSL library. The (internal) behaviour of | |
53 | the API can be changed by using the similar | |
9b86974e | 54 | L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions. |
37f599bc LJ |
55 | |
56 | During a handshake, the option settings of the SSL object are used. When | |
7b9cb4a2 LJ |
57 | a new SSL object is created from a context using SSL_new(), the current |
58 | option setting is copied. Changes to B<ctx> do not affect already created | |
59 | SSL objects. SSL_clear() does not affect the settings. | |
60 | ||
61 | The following B<bug workaround> options are available: | |
62 | ||
63 | =over 4 | |
64 | ||
dece3209 | 65 | =item SSL_OP_SAFARI_ECDHE_ECDSA_BUG |
7b9cb4a2 | 66 | |
dece3209 RS |
67 | Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. |
68 | OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. | |
7b9cb4a2 | 69 | |
c21506ba BM |
70 | =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
71 | ||
72 | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol | |
73 | vulnerability affecting CBC ciphers, which cannot be handled by some | |
74 | broken SSL implementations. This option has no effect for connections | |
75 | using other ciphers. | |
76 | ||
01f2f18f DSH |
77 | =item SSL_OP_TLSEXT_PADDING |
78 | ||
79 | Adds a padding extension to ensure the ClientHello size is never between | |
80 | 256 and 511 bytes in length. This is needed as a workaround for some | |
81 | implementations. | |
82 | ||
7b9cb4a2 LJ |
83 | =item SSL_OP_ALL |
84 | ||
edb79c3a JS |
85 | All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as |
86 | mentioned below. | |
7b9cb4a2 LJ |
87 | |
88 | =back | |
89 | ||
c21506ba BM |
90 | It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround |
91 | options if compatibility with somewhat broken implementations is | |
92 | desired. | |
7b9cb4a2 LJ |
93 | |
94 | The following B<modifying> options are available: | |
95 | ||
96 | =over 4 | |
97 | ||
06da6e49 LJ |
98 | =item SSL_OP_TLS_ROLLBACK_BUG |
99 | ||
100 | Disable version rollback attack detection. | |
101 | ||
102 | During the client key exchange, the client must send the same information | |
103 | about acceptable SSL/TLS protocol levels as during the first hello. Some | |
104 | clients violate this rule by adapting to the server's answer. (Example: | |
105 | the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server | |
106 | only understands up to SSLv3. In this case the client must still use the | |
107 | same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect | |
108 | to the server's answer and violate the version rollback protection.) | |
109 | ||
1b65ce7d LJ |
110 | =item SSL_OP_CIPHER_SERVER_PREFERENCE |
111 | ||
112 | When choosing a cipher, use the server's preferences instead of the client | |
113 | preferences. When not set, the SSL server will always follow the clients | |
87d9cafa MC |
114 | preferences. When set, the SSL/TLS server will choose following its |
115 | own preferences. | |
1b65ce7d | 116 | |
57ce7b61 | 117 | =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, |
582a17d6 | 118 | SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 |
7b9cb4a2 | 119 | |
582a17d6 | 120 | These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol |
57ce7b61 VD |
121 | versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, |
122 | respectively. | |
123 | As of OpenSSL 1.1.0, these options are deprecated, use | |
124 | L<SSL_CTX_set_min_proto_version(3)> and | |
125 | L<SSL_CTX_set_max_proto_version(3)> instead. | |
7b9cb4a2 | 126 | |
51008ffc BM |
127 | =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
128 | ||
129 | When performing renegotiation as a server, always start a new session | |
130 | (i.e., session resumption requests are only accepted in the initial | |
4db82571 | 131 | handshake). This option is not needed for clients. |
51008ffc | 132 | |
edb79c3a JS |
133 | =item SSL_OP_NO_COMPRESSION |
134 | ||
135 | Do not use compression even if it is supported. | |
136 | ||
137 | =item SSL_OP_NO_QUERY_MTU | |
138 | ||
139 | Do not query the MTU. Only affects DTLS connections. | |
140 | ||
141 | =item SSL_OP_COOKIE_EXCHANGE | |
142 | ||
143 | Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects | |
144 | DTLS connections. | |
145 | ||
f3fef74b DSH |
146 | =item SSL_OP_NO_TICKET |
147 | ||
41145c35 MC |
148 | SSL/TLS supports two mechanisms for resuming sessions: session ids and stateless |
149 | session tickets. | |
150 | ||
151 | When using session ids a copy of the session information is | |
152 | cached on the server and a unique id is sent to the client. When the client | |
153 | wishes to resume it provides the unique id so that the server can retrieve the | |
154 | session information from its cache. | |
155 | ||
156 | When using stateless session tickets the server uses a session ticket encryption | |
157 | key to encrypt the session information. This encrypted data is sent to the | |
158 | client as a "ticket". When the client wishes to resume it sends the encrypted | |
159 | data back to the server. The server uses its key to decrypt the data and resume | |
160 | the session. In this way the server can operate statelessly - no session | |
161 | information needs to be cached locally. | |
162 | ||
163 | The TLSv1.3 protocol only supports tickets and does not directly support session | |
164 | ids. However OpenSSL allows two modes of ticket operation in TLSv1.3: stateful | |
165 | and stateless. Stateless tickets work the same way as in TLSv1.2 and below. | |
166 | Stateful tickets mimic the session id behaviour available in TLSv1.2 and below. | |
167 | The session information is cached on the server and the session id is wrapped up | |
168 | in a ticket and sent back to the client. When the client wishes to resume, it | |
169 | presents a ticket in the same way as for stateless tickets. The server can then | |
170 | extract the session id from the ticket and retrieve the session information from | |
171 | its cache. | |
172 | ||
173 | By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will | |
174 | cause stateless tickets to not be issued. In TLSv1.2 and below this means no | |
175 | ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be | |
176 | sent. This is a server-side option only. | |
177 | ||
178 | In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from | |
179 | being sent by calling L<SSL_CTX_set_num_tickets(3)> or | |
180 | L<SSL_set_num_tickets(3)>. | |
394159da | 181 | |
69582a59 | 182 | =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
4db82571 | 183 | |
69582a59 DSH |
184 | Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
185 | servers. See the B<SECURE RENEGOTIATION> section for more details. | |
186 | ||
187 | =item SSL_OP_LEGACY_SERVER_CONNECT | |
188 | ||
189 | Allow legacy insecure renegotiation between OpenSSL and unpatched servers | |
190 | B<only>: this option is currently set by default. See the | |
191 | B<SECURE RENEGOTIATION> section for more details. | |
4db82571 | 192 | |
cde6145b DW |
193 | =item SSL_OP_NO_ENCRYPT_THEN_MAC |
194 | ||
195 | Normally clients and servers will transparently attempt to negotiate the | |
196 | RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. | |
197 | ||
198 | If this option is set, Encrypt-then-MAC is disabled. Clients will not | |
199 | propose, and servers will not accept the extension. | |
200 | ||
db0f35dd TS |
201 | =item SSL_OP_NO_RENEGOTIATION |
202 | ||
203 | Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest | |
204 | messages, and ignore renegotiation requests via ClientHello. | |
205 | ||
4e2bd9cb MC |
206 | =item SSL_OP_ALLOW_NO_DHE_KEX |
207 | ||
208 | In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means | |
209 | that there will be no forward secrecy for the resumed session. | |
210 | ||
e1c7871d TS |
211 | =item SSL_OP_PRIORITIZE_CHACHA |
212 | ||
213 | When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize | |
214 | ChaCha20-Poly1305 ciphers to the top of the server cipher list if a | |
215 | ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps | |
216 | those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere | |
217 | in the server cipher list; but still allows other clients to use AES and other | |
218 | ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>. | |
219 | ||
22da44fc MC |
220 | =item SSL_OP_ENABLE_MIDDLEBOX_COMPAT |
221 | ||
222 | If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This | |
223 | has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that | |
224 | do not understand TLSv1.3 will not drop the connection. Regardless of whether | |
225 | this option is set or not CCS messages received from the peer will always be | |
226 | ignored in TLSv1.3. This option is set by default. To switch it off use | |
227 | SSL_clear_options(). A future version of OpenSSL may not set this by default. | |
228 | ||
dc7a3543 MC |
229 | =item SSL_OP_NO_ANTI_REPLAY |
230 | ||
231 | By default, when a server is configured for early data (i.e., max_early_data > 0), | |
232 | OpenSSL will switch on replay protection. See L<SSL_read_early_data(3)> for a | |
233 | description of the replay protection feature. Anti-replay measures are required | |
234 | to comply with the TLSv1.3 specification. Some applications may be able to | |
235 | mitigate the replay risks in other ways and in such cases the built in OpenSSL | |
236 | functionality is not required. Those applications can turn this feature off by | |
237 | setting this option. This is a server-side opton only. It is ignored by | |
238 | clients. | |
239 | ||
7b9cb4a2 LJ |
240 | =back |
241 | ||
edb79c3a JS |
242 | The following options no longer have any effect but their identifiers are |
243 | retained for compatibility purposes: | |
244 | ||
245 | =over 4 | |
246 | ||
247 | =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
248 | ||
249 | =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
250 | ||
251 | =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
252 | ||
253 | =item SSL_OP_TLS_D5_BUG | |
254 | ||
255 | =item SSL_OP_TLS_BLOCK_PADDING_BUG | |
256 | ||
257 | =item SSL_OP_MSIE_SSLV2_RSA_PADDING | |
258 | ||
259 | =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
260 | ||
261 | =item SSL_OP_MICROSOFT_SESS_ID_BUG | |
262 | ||
263 | =item SSL_OP_NETSCAPE_CHALLENGE_BUG | |
264 | ||
265 | =item SSL_OP_PKCS1_CHECK_1 | |
266 | ||
267 | =item SSL_OP_PKCS1_CHECK_2 | |
268 | ||
269 | =item SSL_OP_SINGLE_DH_USE | |
270 | ||
271 | =item SSL_OP_SINGLE_ECDH_USE | |
272 | ||
273 | =item SSL_OP_EPHEMERAL_RSA | |
274 | ||
275 | =back | |
276 | ||
4db82571 DSH |
277 | =head1 SECURE RENEGOTIATION |
278 | ||
a528d4f0 | 279 | OpenSSL always attempts to use secure renegotiation as |
f9595988 DSH |
280 | described in RFC5746. This counters the prefix attack described in |
281 | CVE-2009-3555 and elsewhere. | |
4db82571 DSH |
282 | |
283 | This attack has far reaching consequences which application writers should be | |
284 | aware of. In the description below an implementation supporting secure | |
285 | renegotiation is referred to as I<patched>. A server not supporting secure | |
286 | renegotiation is referred to as I<unpatched>. | |
287 | ||
9fb6fd34 DSH |
288 | The following sections describe the operations permitted by OpenSSL's secure |
289 | renegotiation implementation. | |
290 | ||
99b36a8c | 291 | =head2 Patched client and server |
4db82571 | 292 | |
9fb6fd34 | 293 | Connections and renegotiation are always permitted by OpenSSL implementations. |
4db82571 | 294 | |
9fb6fd34 | 295 | =head2 Unpatched client and patched OpenSSL server |
b5c002d5 | 296 | |
fc1d88f0 | 297 | The initial connection succeeds but client renegotiation is denied by the |
9fb6fd34 | 298 | server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal |
99b36a8c DSH |
299 | B<handshake_failure> alert in SSL v3.0. |
300 | ||
9fb6fd34 DSH |
301 | If the patched OpenSSL server attempts to renegotiate a fatal |
302 | B<handshake_failure> alert is sent. This is because the server code may be | |
303 | unaware of the unpatched nature of the client. | |
99b36a8c DSH |
304 | |
305 | If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then | |
306 | renegotiation B<always> succeeds. | |
307 | ||
9fb6fd34 | 308 | =head2 Patched OpenSSL client and unpatched server. |
99b36a8c | 309 | |
69582a59 DSH |
310 | If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or |
311 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections | |
c2c49969 | 312 | and renegotiation between patched OpenSSL clients and unpatched servers |
69582a59 DSH |
313 | succeeds. If neither option is set then initial connections to unpatched |
314 | servers will fail. | |
c2c49969 | 315 | |
69582a59 DSH |
316 | The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even |
317 | though it has security implications: otherwise it would be impossible to | |
318 | connect to unpatched servers (i.e. all of them initially) and this is clearly | |
319 | not acceptable. Renegotiation is permitted because this does not add any | |
320 | additional security issues: during an attack clients do not see any | |
321 | renegotiations anyway. | |
99b36a8c DSH |
322 | |
323 | As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will | |
324 | B<not> be set by default in a future version of OpenSSL. | |
325 | ||
9fb6fd34 DSH |
326 | OpenSSL client applications wishing to ensure they can connect to unpatched |
327 | servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> | |
99b36a8c | 328 | |
9fb6fd34 DSH |
329 | OpenSSL client applications that want to ensure they can B<not> connect to |
330 | unpatched servers (and thus avoid any security issues) should always B<clear> | |
99b36a8c DSH |
331 | B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or |
332 | SSL_clear_options(). | |
4db82571 | 333 | |
69582a59 DSH |
334 | The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and |
335 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that | |
336 | B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure | |
337 | renegotiation between OpenSSL clients and unpatched servers B<only>, while | |
338 | B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections | |
339 | and renegotiation between OpenSSL and unpatched clients or servers. | |
4db82571 | 340 | |
7b9cb4a2 LJ |
341 | =head1 RETURN VALUES |
342 | ||
343 | SSL_CTX_set_options() and SSL_set_options() return the new options bitmask | |
344 | after adding B<options>. | |
345 | ||
4db82571 DSH |
346 | SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask |
347 | after clearing B<options>. | |
348 | ||
7b9cb4a2 LJ |
349 | SSL_CTX_get_options() and SSL_get_options() return the current bitmask. |
350 | ||
4db82571 DSH |
351 | SSL_get_secure_renegotiation_support() returns 1 is the peer supports |
352 | secure renegotiation and 0 if it does not. | |
353 | ||
7b9cb4a2 LJ |
354 | =head1 SEE ALSO |
355 | ||
b97fdb57 | 356 | L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>, |
9b86974e | 357 | L<SSL_CTX_set_tmp_dh_callback(3)>, |
7946ab33 | 358 | L<SSL_CTX_set_min_proto_version(3)>, |
9b86974e | 359 | L<dhparam(1)> |
7b9cb4a2 LJ |
360 | |
361 | =head1 HISTORY | |
362 | ||
a528d4f0 RS |
363 | The attempt to always try to use secure renegotiation was added in |
364 | Openssl 0.9.8m. | |
4db82571 | 365 | |
c3f7971d CH |
366 | B<SSL_OP_PRIORITIZE_CHACHA> and B<SSL_OP_NO_RENEGOTIATION> were added in |
367 | OpenSSL 1.1.1. | |
e1c7871d | 368 | |
e2f92610 RS |
369 | =head1 COPYRIGHT |
370 | ||
48e5119a | 371 | Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
372 | |
373 | Licensed under the OpenSSL license (the "License"). You may not use | |
374 | this file except in compliance with the License. You can obtain a copy | |
375 | in the file LICENSE in the source distribution or at | |
376 | L<https://www.openssl.org/source/license.html>. | |
377 | ||
378 | =cut |