SSL_CTX_set_options.pod

Timestamp:

Mar 3, 2022 7:17:34 PM (3 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

150325

Message:

libs/openssl-3.0.1: started applying and adjusting our OpenSSL changes to 3.0.1. bugref:10128

Location:

trunk/src/libs/openssl-3.0.1

Files:

: 2 edited

. (modified) (1 prop)
doc/man3/SSL_CTX_set_options.pod (modified) (16 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/src/libs/openssl-3.0.1

Property svn:mergeinfo

old	new
12	12	/vendor/openssl/1.1.1c:131722-131725
13	13	/vendor/openssl/1.1.1k:145841-145843
	14	/vendor/openssl/3.0.1:150323-150324
	15	/vendor/openssl/current:147554-150322

trunk/src/libs/openssl-3.0.1/doc/man3/SSL_CTX_set_options.pod

-              r91772
+              r94082
  #include <openssl/ssl.h>
  long SSL_CTX_set_options(SSL_CTX *ctx, long options);
  long SSL_set_options(SSL *ssl, long options);
  long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
  long SSL_clear_options(SSL *ssl, long options);
  long SSL_CTX_get_options(SSL_CTX *ctx);
  long SSL_get_options(SSL *ssl);
+ uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_set_options(SSL *ssl, uint64_t options);
+ uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options);
+ uint64_t SSL_clear_options(SSL *ssl, uint64_t options);
+ uint64_t SSL_CTX_get_options(const SSL_CTX *ctx);
+ uint64_t SSL_get_options(const SSL *ssl);
  long SSL_get_secure_renegotiation_support(SSL *ssl);
 …
 =head1 DESCRIPTION
 SSL_CTX_set_options() adds the options set via bit mask in B<options> to B<ctx>.
+SSL_CTX_set_options() adds the options set via bit-mask in B<options> to B<ctx>.
 Options already set before are not cleared!
 SSL_set_options() adds the options set via bit mask in B<options> to B<ssl>.
+SSL_set_options() adds the options set via bit-mask in B<options> to B<ssl>.
 Options already set before are not cleared!
 SSL_CTX_clear_options() clears the options set via bit mask in B<options>
+SSL_CTX_clear_options() clears the options set via bit-mask in B<options>
 to B<ctx>.
 SSL_clear_options() clears the options set via bit mask in B<options> to B<ssl>.
+SSL_clear_options() clears the options set via bit-mask in B<options> to B<ssl>.
 SSL_CTX_get_options() returns the options set for B<ctx>.
 …
 The behaviour of the SSL library can be changed by setting several options.
 The options are coded as bit masks and can be combined by a bitwise B<or>
+The options are coded as bit-masks and can be combined by a bitwise B<or>
 operation (|).
 …
 =over 4
+=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+=item SSL_OP_CRYPTOPRO_TLSEXT_BUG
+Add server-hello extension from the early version of cryptopro draft
+when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro
+CSP 3.x.
 =item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 …
 using other ciphers.
+=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
 =item SSL_OP_TLSEXT_PADDING
 …
 =item SSL_OP_ALL
+All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
+mentioned below.
+All of the above bug workarounds.
 =back
 …
 =over 4
+=item SSL_OP_TLS_ROLLBACK_BUG
+Disable version rollback attack detection.
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
+=item SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+Client-initiated renegotiation is disabled by default. Use
+this option to enable it.
+=item SSL_OP_ALLOW_NO_DHE_KEX
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
+servers. See the B<SECURE RENEGOTIATION> section for more details.
 =item SSL_OP_CIPHER_SERVER_PREFERENCE
 …
 preferences. When set, the SSL/TLS server will choose following its
 own preferences.
+=item SSL_OP_CISCO_ANYCONNECT
+Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1
+connection. Only available when using the deprecated DTLSv1_client_method() API.
+=item SSL_OP_CLEANSE_PLAINTEXT
+By default TLS connections keep a copy of received plaintext
+application data in a static buffer until it is overwritten by the
+next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT
+deciphered application data is cleansed by calling OPENSSL_cleanse(3)
+after passing data to the application. Data is also cleansed when
+releasing the connection (e.g. L<SSL_free(3)>).
+Since OpenSSL only cleanses internal buffers, the application is still
+responsible for cleansing all other buffers. Most notably, this
+applies to buffers passed to functions like L<SSL_read(3)>,
+L<SSL_peek(3)> but also like L<SSL_write(3)>.
+=item SSL_OP_COOKIE_EXCHANGE
+Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
+DTLS connections.
+=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.
+=item SSL_OP_ENABLE_KTLS
+Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must
+have been compiled with support for it, and it must be supported by the
+negotiated ciphersuites and extensions. The specific ciphersuites and extensions
+that are supported may vary by platform and kernel version.
+The kernel TLS data-path implements the record layer, and the encryption
+algorithm. The kernel will utilize the best hardware
+available for encryption. Using the kernel data-path should reduce the memory
+footprint of OpenSSL because no buffering is required. Also, the throughput
+should improve because data copy is avoided when user data is encrypted into
+kernel memory instead of the usual encrypt then copy to kernel.
+Kernel TLS might not support all the features of OpenSSL. For instance,
+renegotiation, and setting the maximum fragment size is not possible as of
+Linux 4.20.
+Note that with kernel TLS enabled some cryptographic operations are performed
+by the kernel directly and not via any available OpenSSL Providers. This might
+be undesirable if, for example, the application requires all cryptographic
+operations to be performed by the FIPS provider.
+=item SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This
+has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that
+do not understand TLSv1.3 will not drop the connection. Regardless of whether
+this option is set or not CCS messages received from the peer will always be
+ignored in TLSv1.3. This option is set by default. To switch it off use
+SSL_clear_options(). A future version of OpenSSL may not set this by default.
+=item SSL_OP_IGNORE_UNEXPECTED_EOF
+Some TLS implementations do not send the mandatory close_notify alert on
+shutdown. If the application tries to wait for the close_notify alert but the
+peer closes the connection without sending it, an error is generated. When this
+option is enabled the peer does not need to send the close_notify alert and a
+closed connection will be treated as if the close_notify alert was received.
+You should only enable this option if the protocol running over TLS
+can detect a truncation attack itself, and that the application is checking for
+that truncation attack.
+For more information on shutting down a connection, see L<SSL_shutdown(3)>.
+=item SSL_OP_LEGACY_SERVER_CONNECT
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+B<only>. See the B<SECURE RENEGOTIATION> section for more details.
+=item SSL_OP_NO_ANTI_REPLAY
+By default, when a server is configured for early data (i.e., max_early_data > 0),
+OpenSSL will switch on replay protection. See L<SSL_read_early_data(3)> for a
+description of the replay protection feature. Anti-replay measures are required
+to comply with the TLSv1.3 specification. Some applications may be able to
+mitigate the replay risks in other ways and in such cases the built in OpenSSL
+functionality is not required. Those applications can turn this feature off by
+setting this option. This is a server-side opton only. It is ignored by
+clients.
+=item SSL_OP_NO_COMPRESSION
+Do not use compression even if it is supported. This option is set by default.
+To switch it off use SSL_clear_options().
+=item SSL_OP_NO_ENCRYPT_THEN_MAC
+Normally clients and servers will transparently attempt to negotiate the
+RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
+If this option is set, Encrypt-then-MAC is disabled. Clients will not
+propose, and servers will not accept the extension.
+=item SSL_OP_NO_EXTENDED_MASTER_SECRET
+Normally clients and servers will transparently attempt to negotiate the
+RFC7627 Extended Master Secret option on TLS and DTLS connection.
+If this option is set, Extended Master Secret is disabled. Clients will
+not propose, and servers will not accept the extension.
+=item SSL_OP_NO_QUERY_MTU
+Do not query the MTU. Only affects DTLS connections.
+=item SSL_OP_NO_RENEGOTIATION
+Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
+messages, and ignore renegotiation requests via ClientHello.
+=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+When performing renegotiation as a server, always start a new session
+(i.e., session resumption requests are only accepted in the initial
+handshake). This option is not needed for clients.
 =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
 …
 L<SSL_CTX_set_min_proto_version(3)> and
 L<SSL_CTX_set_max_proto_version(3)> instead.
-=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session
-(i.e., session resumption requests are only accepted in the initial
-handshake). This option is not needed for clients.
-=item SSL_OP_NO_COMPRESSION
-Do not use compression even if it is supported.
-=item SSL_OP_NO_QUERY_MTU
-Do not query the MTU. Only affects DTLS connections.
-=item SSL_OP_COOKIE_EXCHANGE
-Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
-DTLS connections.
 =item SSL_OP_NO_TICKET
 …
 L<SSL_set_num_tickets(3)>.
-=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the B<SECURE RENEGOTIATION> section for more details.
-=item SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-B<only>: this option is currently set by default. See the
-B<SECURE RENEGOTIATION> section for more details.
-=item SSL_OP_NO_ENCRYPT_THEN_MAC
-Normally clients and servers will transparently attempt to negotiate the
-RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
-If this option is set, Encrypt-then-MAC is disabled. Clients will not
-propose, and servers will not accept the extension.
-=item SSL_OP_NO_RENEGOTIATION
-Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
-messages, and ignore renegotiation requests via ClientHello.
-=item SSL_OP_ALLOW_NO_DHE_KEX
-In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
-that there will be no forward secrecy for the resumed session.
 =item SSL_OP_PRIORITIZE_CHACHA
 …
 ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>.
+=item SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This
+has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that
+do not understand TLSv1.3 will not drop the connection. Regardless of whether
+this option is set or not CCS messages received from the peer will always be
+ignored in TLSv1.3. This option is set by default. To switch it off use
+SSL_clear_options(). A future version of OpenSSL may not set this by default.
+=item SSL_OP_NO_ANTI_REPLAY
+By default, when a server is configured for early data (i.e., max_early_data > 0),
+OpenSSL will switch on replay protection. See L<SSL_read_early_data(3)> for a
+description of the replay protection feature. Anti-replay measures are required
+to comply with the TLSv1.3 specification. Some applications may be able to
+mitigate the replay risks in other ways and in such cases the built in OpenSSL
+functionality is not required. Those applications can turn this feature off by
+setting this option. This is a server-side opton only. It is ignored by
+clients.
+=item SSL_OP_TLS_ROLLBACK_BUG
+Disable version rollback attack detection.
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello. Some
+clients violate this rule by adapting to the server's answer. (Example:
+the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+only understands up to SSLv3. In this case the client must still use the
+same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
+to the server's answer and violate the version rollback protection.)
 =back
 …
 renegotiation B<always> succeeds.
 =head2 Patched OpenSSL client and unpatched server.
+=head2 Patched OpenSSL client and unpatched server
 If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
 …
 servers will fail.
+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
+though it has security implications: otherwise it would be impossible to
+connect to unpatched servers (i.e. all of them initially) and this is clearly
+not acceptable. Renegotiation is permitted because this does not add any
+additional security issues: during an attack clients do not see any
+renegotiations anyway.
+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
+B<not> be set by default in a future version of OpenSSL.
+Setting the option B<SSL_OP_LEGACY_SERVER_CONNECT> has security implications;
+clients that are willing to connect to servers that do not implement
+RFC 5746 secure renegotiation are subject to attacks such as
+CVE-2009-3555.
 OpenSSL client applications wishing to ensure they can connect to unpatched
 …
 =head1 RETURN VALUES
 SSL_CTX_set_options() and SSL_set_options() return the new options bit mask
+SSL_CTX_set_options() and SSL_set_options() return the new options bit-mask
 after adding B<options>.
 SSL_CTX_clear_options() and SSL_clear_options() return the new options bit mask
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bit-mask
 after clearing B<options>.
 SSL_CTX_get_options() and SSL_get_options() return the current bit mask.
+SSL_CTX_get_options() and SSL_get_options() return the current bit-mask.
 SSL_get_secure_renegotiation_support() returns 1 is the peer supports
 …
 =head1 SEE ALSO
 L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>,
+L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>, L<SSL_shutdown(3)>
 L<SSL_CTX_set_tmp_dh_callback(3)>,
 L<SSL_CTX_set_min_proto_version(3)>,
 L<dhparam(1)>
+L<openssl-dhparam(1)>
 =head1 HISTORY
 …
 were added in OpenSSL 1.1.1.
+The B<SSL_OP_NO_EXTENDED_MASTER_SECRET> and B<SSL_OP_IGNORE_UNEXPECTED_EOF>
+options were added in OpenSSL 3.0.
+The B<SSL_OP_> constants and the corresponding parameter and return values
+of the affected functions were changed to C<uint64_t> type in OpenSSL 3.0.
+For that reason it is no longer possible use the B<SSL_OP_> macro values
+in preprocessor C<#if> conditions. However it is still possible to test
+whether these macros are defined or not.
 =head1 COPYRIGHT
 Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the OpenSSL license (the "License").  You may not use
+Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
 in the file LICENSE in the source distribution or at

Note: See TracChangeset for help on using the changeset viewer.

Changeset 94082 in vbox for trunk/src/libs/openssl-3.0.1/doc/man3/SSL_CTX_set_options.pod

Legend:

trunk/src/libs/openssl-3.0.1

trunk/src/libs/openssl-3.0.1/doc/man3/SSL_CTX_set_options.pod

Download in other formats: