| author | Dr. Stephen Henson <steve@openssl.org> | 2012-11-20 01:01:33 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-11-20 01:01:33 +0000 |
| commit | 13cfb043439c8e4b5b96cec42003a8d15e9387fd (patch) | |
| tree | 0359ce18130947e32261a19cd71d26bf13c2001c | |
| parent | 22b5d7c80b9e65c7b16277f81f7b22ff91ac4974 (diff) | |
| download | openssl-13cfb043439c8e4b5b96cec42003a8d15e9387fd.tar.gz | |
reorganise SSL_CONF_cmd manual page and update some links
| -rw-r--r-- | doc/apps/s_client.pod | 3 |
|---|---|---|
| -rw-r--r-- | doc/apps/s_server.pod | 3 |
| -rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 203 |

3 files changed, 119 insertions, 90 deletions
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 4b0da5a25b..32476acfc3 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -54,7 +54,8 @@ SSL servers. In addition to the options below the B<s_client> utility also supports the common and client only options documented in the -B<SUPPORTED COMMAND LINE OPTIONS> section in L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>. +in the L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> +manual page. =over 4 diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 7e7b541650..2a08ee25e0 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -66,7 +66,8 @@ for connections on a given port using SSL/TLS. In addition to the options below the B<s_server> utility also supports the common and server only options documented in the -B<SUPPORTED COMMAND LINE OPTIONS> section in L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>. +L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual +page. =over 4 diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index 0df74d2e4e..90446ebfe6 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod 
@@ -15,7 +15,119 @@ SSL_CONF_cmd - send configuration command The function SSL_CONF_cmd() performs configuration operation B<cmd> with optional parameter B<value> on B<ctx>. Its purpose is to simplify application configuration of B<SSL_CTX> or B<SSL> structures by providing a common -framework for configuration files or command line options. +framework for command line options or configuration files. + +=head1 SUPPORTED COMMAND LINE COMMANDS + +Currently supported B<cmd> names for command lines (i.e. when the +flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names +and are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the B<value> parameter is not used. The default +prefix for command line commands is B<-> and that is reflected below. + +=over 4 + +=item B<-sigalgs> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B<value> argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B<algorithm+hash>. B<algorithm> +is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm +OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<-client_sigalgs> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. +If a server does not request a certificate this option has no effect. 
+ +The syntax of B<value> is identical to B<-sigalgs>. If not set then +the value set for B<-sigalgs> will be used instead. + +=item B<-curves> + +This sets the supported elliptic curves. For servers the curves are +sent using the supported curves extension for TLS v1.2. For clients it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B<value> argument is a colon separated list of curves. The curve can be +either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g +B<prime256v1>). Curve names are case sensitive. + +=item B<-named_curve> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B<value> argument is a curve name or the special value B<auto> which +picks an appropriate curve based on client and server preferences. The curve +can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name +(e.g B<prime256v1>). Curve names are case sensitive. + +=item B<-cipher> + +Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is +currently not performed unless a B<SSL> or B<SSL_CTX> structure is +associated with B<cctx>. + +=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>, +B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. + +=item B<-bugs> + +Various bug workarounds are set, same as setting B<SSL_OP_ALL>. + +=item B<-no_comp> + +Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>. + +=item B<-no_ticket> + +Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. + +=item B<-serverpref> + +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. 
+Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. + +=item B<-legacyrenegotiation> + +permits the use of unsafe legacy renegotiation. Equivalent to setting +B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. + +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> + +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. +Set by default. + +=item B<-strict> + +enables strict mode protocol handling. Equivalent to setting +B<SSL_CERT_FLAG_TLS_STRICT>. + +=item B<-debug_broken_protocol> + +disables various checks and permits several kinds of broken protocol behaviour +for testing purposes: it should B<NEVER> be used in anything other than a test +environment. Only supported if OpenSSL is configured with +B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. + +=back =head1 SUPPORTED CONFIGURATION FILE COMMANDS @@ -73,7 +185,8 @@ B<prime256v1>). Curve names are case sensitive. =item B<ECDHParameters> -This sets the temporary curve used for ephemeral ECDH modes. +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers The B<value> argument is a curve name or the special value B<Automatic> which picks an appropriate curve based on client and server preferences. The curve 
@@ -133,92 +246,6 @@ Set by default. =back -=head1 SUPPORTED COMMAND LINE COMMANDS - -Currently supported B<cmd> names for command lines (i.e. when the -flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names -and are case sensitive. Unless otherwise stated the B<value> parameter is -not used. The default prefix for command line commands is B<-> and that is -reflected below. - -=over 4 - -=item B<-sigalgs> - -Sets the supported signature algorithms to B<value>. Equivalent to the -B<SignatureAlgorithms> file command. - -=item B<-client_sigalgs> - -Sets the supported client signature algorithms to B<value>. Equivalent to the -B<ClientSignatureAlgorithms> file command. - -=item B<-curves> - -Sets supported elliptic curves to B<value>. Equivalent to B<Curves> file -command. - -=item B<-named_curve> - -Sets supported ECDH parameters to B<value>. For automatic curve selection -B<value> should be set to B<auto>, otherwise the command is identical to -the B<ECDHParameters> file command. - -=item B<-cipher> - -Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is -currently not performed unless a B<SSL> or B<SSL_CTX> structure is -associated with B<cctx>. - -=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - -Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B<SSL_OP_NO_SSL2>, B<SSL_OP_NO_SSL3>, -B<SSL_OP_NO_TLS1>, B<SSL_OP_NO_TLS1_1> and B<SSL_OP_NO_TLS1_2> respectively. - -=item B<-bugs> - -Various bug workarounds are set, same as setting B<SSL_OP_ALL>. - -=item B<-no_comp> - -Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>. - -=item B<-no_ticket> - -Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>. - -=item B<-serverpref> - -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. 
-Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers. - -=item B<-legacyrenegotiation> - -permits the use of unsafe legacy renegotiation. Equivalent to setting -B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. - -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> - -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>. -Set by default. - -=item B<-strict> - -enables strict mode protocol handling. Equivalent to setting -B<SSL_CERT_FLAG_TLS_STRICT>. - -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B<NEVER> be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. - -=back - =head1 NOTES The order of operations is significant. This can be used to set either defaults |
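Review bot: the s_client.pod hunk leaves a doubled preposition: the unchanged context line ends with "documented in the" and the added line begins "+in the L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS>", so the rendered sentence reads "documented in the in the SSL_CONF_cmd(3) manual page". Drop the leading "in the" from the added line so it matches the s_server.pod hunk, whose added line starts directly with "L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)/SUPPORTED COMMAND LINE COMMANDS> manual".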
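Review bot: in the new B<-curves> item of the SSL_CONF_cmd.pod @@ -15 hunk the client and server roles appear swapped: "For servers the curves are sent using the supported curves extension for TLS v1.2. For clients it is used to determine which curve to use." The supported (elliptic) curves extension is sent by the client in its ClientHello and the server uses the list to decide which curve to use, which is also how the adjacent B<-sigalgs> item phrases its own extension ("For clients this value is used directly for the supported signature algorithms extension. For servers it is used to determine ..."); suggest "For clients the curves are sent using the supported curves extension. For servers it is used to determine which curve to use." The same hunk also carries several wording slips worth fixing before merge: "Note: all B<cmd> names and are case sensitive" has a stray "and" (copied from the removed section), "B<SHA384> of B<SHA512>" should read "or", "which signature algorithm to with the client certificate" is missing "use", and "Only used by servers" under B<-named_curve> lacks its full stop.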
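Review bot: the added sentence in the ECDHParameters hunk (@@ -73), "Only used by +servers", has no terminating full stop, unlike every other sentence in this page; write "Only used by servers." so it renders consistently with the surrounding items.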
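Review bot: the removal hunk (@@ -133) drops the old section's explicit cross-references to the equivalent configuration file commands ("Equivalent to the B<SignatureAlgorithms> file command", "B<ClientSignatureAlgorithms>", "B<Curves>", "the B<ECDHParameters> file command"), and the expanded descriptions added earlier in this patch do not carry them over. Since the two sections now document the same settings with different syntax (B<auto> versus B<Automatic> for the ECDH curve, for example), consider keeping a one-line "Equivalent to the ... file command" sentence in each of the four new command line items so readers can still map between the two forms.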