Update the documentation for the new SSL_OP_ALLOW_NO_DHE_KEX option (4e2bd9cb) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

doc/man1/s_client.pod

+1 −0

+1 −0

+9 −0

Original line number	Diff line number	Diff line
		@@ -186,6 +186,11 @@ permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
		clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
		Set by default.

		=item B<-allow_no_dhe_kex>

		In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
		that there will be no forward secrecy for the resumed session.

		=item B<-strict>

		enables strict mode protocol handling. Equivalent to setting
		@@ -399,6 +404,10 @@ B<EncryptThenMac>: use encrypt-then-mac extension, enabled by
		default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,
		B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.

		B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
		resumption. This means that there will be no forward secrecy for the resumed
		session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>.

		=item B<VerifyMode>

		The B<value> argument is a comma separated list of flags to set.

+5 −0

Original line number	Diff line number	Diff line
		@@ -175,6 +175,11 @@ propose, and servers will not accept the extension.
		Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
		messages, and ignore renegotiation requests via ClientHello.

		=item SSL_OP_ALLOW_NO_DHE_KEX

		In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
		that there will be no forward secrecy for the resumed session.

		=back

		The following options no longer have any effect but their identifiers are