diff options
author | Nikolay Morozov <nmorozoff77@yandex.ru> | 2020-05-02 12:22:43 +0300 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2020-05-07 16:14:47 +0300 |
commit | 90fc2c26df23811be080093772b2161850385863 (patch) | |
tree | a372be0919b9ba64d7606b50a1297b8dabbc5371 /doc | |
parent | 2b5e12f5096e1fba7dd91a682f4c34759469c34b (diff) | |
download | openssl-90fc2c26df23811be080093772b2161850385863.tar.gz |
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11709)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man1/openssl-s_server.pod.in | 7 | ||||
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 4 | ||||
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 8 |
3 files changed, 18 insertions, 1 deletions
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index fb8df53906..c9f4bfc11b 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -46,6 +46,7 @@ B<openssl> B<s_server> [B<-www>] [B<-WWW>] [B<-http_server_binmode>] +[B<-no_ca_names>] [B<-servername>] [B<-servername_fatal>] [B<-tlsextdebug>] @@ -411,6 +412,12 @@ Neither of these options can be used in conjunction with B<-early_data>. When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested by the client in binary mode. +=item B<-no_ca_names> + +Disable TLS Extension CA Names. You may want to disable it for security reasons +or for compatibility with some Windows TLS implementations crashing when this +extension is larger than 1024 bytes. + =item B<-id_prefix> I<val> Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 73c50da8f4..b060449390 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -507,6 +507,10 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is, B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>. +B<CANames>: use CA names extension, enabled by +default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is, +B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index dd89125db4..39cb2ec30e 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -67,6 +67,12 @@ The following B<bug workaround> options are available: Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. +=item SSL_OP_DISABLE_TLSEXT_CA_NAMES + +Disable TLS Extension CA Names. You may want to disable it for security reasons +or for compatibility with some Windows TLS implementations crashing when this +extension is larger than 1024 bytes. + =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol @@ -378,7 +384,7 @@ The B<SSL_OP_NO_EXTENDED_MASTER_SECRET> option was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |