Commit a6419d1e authored by Benjamin Kaduk's avatar Benjamin Kaduk
Browse files

Update documentation for SSL_set1_sigalgs() 



These functions can now take both "sig+hash" strings and
algorithm-specific identifiers like "rsa_pss_pss_sha256" that
indicate a particular entry from the TLS signature algorithm
registry.

Also clarify that only the "_list" form allows for the new-style names
(the non-"list" interfaces take sig and hasn NIDs, which cannot
access all of the new-style schemes).

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
parent fd5e1a8c

doc/man3/SSL_CTX_set1_sigalgs.pod

+5 −3
Original line number Diff line number Diff line
@@ -30,8 +30,10 @@ algorithms. 


SSL_CTX_set1_sigalgs_list() and SSL_set1_sigalgs_list() set the supported

signature algorithms for B<ctx> or B<ssl>. The B<str> parameter

must be a null terminated string consisting or a colon separated list of

public key algorithms and digests separated by B<+>.

must be a null terminated string consisting of a colon separated list of

elements, where each element is either a combination of a public key

algorithm and a digest separated by B<+>, or a TLS 1.3-style named

SignatureScheme such as rsa_pss_pss_sha256.



SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(),

SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set
@@ -77,7 +79,7 @@ example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and 
the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA".



The TLS 1.3 signature scheme names (such as "rsa_pss_sha256") can also

be used.

be used with the B<_list> forms of the API.



The use of MD5 as a digest is strongly discouraged due to security weaknesses.