Commit 8106cb8b authored by Viktor Dukhovni

Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
parent ccf73257
+5 −3
@@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
=item B<Options>

The B<value> argument is a comma separated list of various flags to set.
If a flag string is preceded B<-> it is disabled. See the
B<SSL_CTX_set_options> function for more details of individual options.
If a flag string is preceded B<-> it is disabled.
See the L<SSL_CTX_set_options(3)> function for more details of
individual options.

Each option is listed below. Where an operation is enabled by default
the B<-flag> syntax is needed to disable it.
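Review bot: the replacement sentence "If a flag string is preceded B<-> it is disabled." carries over the missing preposition from the line it replaces; suggest "If a flag string is preceded by B<-> it is disabled." While this paragraph is being touched, the context line "Where an operation is enabled by default" reads as if it should say "option", matching the B<-flag> wording that follows it.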
@@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
L<SSL_CONF_CTX_set_flags(3)>,
L<SSL_CONF_CTX_set1_prefix(3)>,
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
L<SSL_CONF_cmd_argv(3)>
L<SSL_CONF_cmd_argv(3)>,
L<SSL_CTX_set_options(3)>

=head1 HISTORY

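Review bot: the SEE ALSO edit is consistent with the rest of the list: L<SSL_CONF_cmd_argv(3)> now carries the trailing comma it needs as a non-final entry, and the new L<SSL_CTX_set_options(3)> entry sorts after it and closes the list without a comma, as the existing entries do. Nothing further needed here.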
+3 −3
@@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
methods you can use SSL_CTX_set_min_proto_version(),
SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
SSL_set_max_proto_version() functions.
They can also be limited using by using an option like SSL_OP_NO_SSLv3
of the SSL_CTX_set_options() or SSL_set_options() functions, but
that's not recommended.
They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
but that's not recommended.
Using these functions it is possible to choose e.g. TLS_server_method()
and be able to negotiate with all possible clients, but to only
allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
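Review bot: "but that's not recommended" still gives no reason in the new wording, just as in the old one; a short clause such as "because the B<SSL_OP_NO_*> flags disable versions one at a time and can leave a gap between enabled versions, whereas the min/max functions describe a single contiguous range" would tell readers why the version functions are preferred. The fix of "limited using by using" and the switch to L<...> links are good.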
+3 −2
@@ -19,8 +19,9 @@ and maximum supported protocol version

The functions set the minimum and maximum supported portocol versions
for the B<ctx> or B<ssl>.
This works in combination with the options set via SSL_CTX_set_options()
that also make it possible to disable specific protocol versions.
This works in combination with the options set via
L<SSL_CTX_set_options(3)> that also make it possible to disable
specific protocol versions.
Use these functions instead of disabling specific protocol versions.

Setting the minimum or maximum version to 0, will enable protocol
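Review bot: the unchanged context line "supported portocol versions" directly above the edited lines still carries the "portocol" typo; since this paragraph is being rewritten anyway, correcting it here (s/portocol/protocol/) would save another pass over the file. The reworded sentence with the L<SSL_CTX_set_options(3)> link reads fine.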
+1 −2
@@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options

=head1 DESCRIPTION

Note: all these functions are implemented using macros.

SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared!

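Review bot: removing "Note: all these functions are implemented using macros." is correct now that they are real functions, but nothing in this file records the change; a =head1 HISTORY entry stating that SSL_CTX_set_options() and the related set/get/clear functions now take and return unsigned long (as the commit message says) would tell application authors which release introduced the new signatures.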
@@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.

SSL_get_secure_renegotiation_support() indicates whether the peer supports
secure renegotiation.
Note, this is implemented via a macro.

=head1 NOTES

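Review bot: the added "Note, this is implemented via a macro." is correctly narrowed to SSL_get_secure_renegotiation_support() now that the blanket macro note is gone, but the comma splice reads awkwardly; suggest "Note that this is implemented as a macro." on the same line.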
+10 −2
@@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.

=item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);

=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);

=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);

=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);

=item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);

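Review bot: the new prototype "=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);" does not match the commit message, which says the get variant is constified; it should read "(const SSL_CTX *ctx)". The hunk header's context line also still reads "certficates", which could be corrected in passing.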
@@ -596,7 +600,11 @@ fresh handle for each connection.

=item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);

=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);

=item unsigned long B<SSL_get_options>(SSL *ssl);

=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);

=item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);

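Review bot: same issue as in the SSL_CTX_ list: "=item unsigned long B<SSL_get_options>(SSL *ssl);" should take "const SSL *ssl" per the commit message. Visible in the context, "B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg)" names its SSL argument ctx while every neighbouring SSL-level entry uses ssl; worth aligning while the list is being edited.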