diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 4b0da5a25bbd4fd23d5fa0d117822e15d18e8677..32476acfc365a541f3b52a34b0a00fe34f145cff 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -54,7 +54,8 @@ SSL servers. In addition to the options below the B utility also supports the common and client only options documented in the -B section in L. +in the L +manual page. =over 4 diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 7e7b541650bf5227da2f5ac7884ded18673b6712..2a08ee25e0d8b911296432ecb01c95851d75b612 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -66,7 +66,8 @@ for connections on a given port using SSL/TLS. In addition to the options below the B utility also supports the common and server only options documented in the -B section in L. +L manual +page. =over 4 diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index 0df74d2e4ea65906b1e1889e3e8bd2cb3cadf331..90446ebfe6600d1bfc68c1022f7b09c00d5484ff 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod 
@@ -15,7 +15,119 @@ SSL_CONF_cmd - send configuration command The function SSL_CONF_cmd() performs configuration operation B with optional parameter B on B. Its purpose is to simplify application configuration of B or B structures by providing a common -framework for configuration files or command line options. +framework for command line options or configuration files. + +=head1 SUPPORTED COMMAND LINE COMMANDS + +Currently supported B names for command lines (i.e. when the +flag B is set) are listed below. Note: all B names +and are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the B parameter is not used. The default +prefix for command line commands is B<-> and that is reflected below. + +=over 4 + +=item B<-sigalgs> + +This sets the supported signature algorithms for TLS v1.2. For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. + +The B argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form B. B +is one of B, B or B and B is a supported algorithm +OID short name such as B, B, B, B of B. +Note: algorithm and hash names are case sensitive. + +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. + +=item B<-client_sigalgs> + +This sets the supported signature algorithms associated with client +authentication for TLS v1.2. For servers the value is used in the supported +signature algorithms field of a certificate request. For clients it is +used to determine which signature algorithm to with the client certificate. +If a server does not request a certificate this option has no effect. + +The syntax of B is identical to B<-sigalgs>. If not set then +the value set for B<-sigalgs> will be used instead. + +=item B<-curves> + +This sets the supported elliptic curves. 
For servers the curves are +sent using the supported curves extension for TLS v1.2. For clients it is used +to determine which curve to use. This setting affects curves used for both +signatures and key exchange, if applicable. + +The B argument is a colon separated list of curves. The curve can be +either the B name (e.g. B) or an OpenSSL OID name (e.g +B). Curve names are case sensitive. + +=item B<-named_curve> + +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers + +The B argument is a curve name or the special value B which +picks an appropriate curve based on client and server preferences. The curve +can be either the B name (e.g. B) or an OpenSSL OID name +(e.g B). Curve names are case sensitive. + +=item B<-cipher> + +Sets the cipher suite list to B. Note: syntax checking of B is +currently not performed unless a B or B structure is +associated with B. + +=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + +Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 +by setting the corresponding options B, B, +B, B and B respectively. + +=item B<-bugs> + +Various bug workarounds are set, same as setting B. + +=item B<-no_comp> + +Disables support for SSL/TLS compression, same as setting B. + +=item B<-no_ticket> + +Disables support for session tickets, same as setting B. + +=item B<-serverpref> + +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to B. Only used by servers. + +=item B<-legacyrenegotiation> + +permits the use of unsafe legacy renegotiation. Equivalent to setting +B. + +=item B<-legacy_server_connect>, B<-no_legacy_server_connect> + +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing B. +Set by default. + +=item B<-strict> + +enables strict mode protocol handling. Equivalent to setting +B. 
+ +=item B<-debug_broken_protocol> + +disables various checks and permits several kinds of broken protocol behaviour +for testing purposes: it should B be used in anything other than a test +environment. Only supported if OpenSSL is configured with +B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. + +=back =head1 SUPPORTED CONFIGURATION FILE COMMANDS @@ -73,7 +185,8 @@ B). Curve names are case sensitive. =item B -This sets the temporary curve used for ephemeral ECDH modes. +This sets the temporary curve used for ephemeral ECDH modes. Only used by +servers The B argument is a curve name or the special value B which picks an appropriate curve based on client and server preferences. The curve 
@@ -133,92 +246,6 @@ Set by default. =back -=head1 SUPPORTED COMMAND LINE COMMANDS - -Currently supported B names for command lines (i.e. when the -flag B is set) are listed below. Note: all B names -and are case sensitive. Unless otherwise stated the B parameter is -not used. The default prefix for command line commands is B<-> and that is -reflected below. - -=over 4 - -=item B<-sigalgs> - -Sets the supported signature algorithms to B. Equivalent to the -B file command. - -=item B<-client_sigalgs> - -Sets the supported client signature algorithms to B. Equivalent to the -B file command. - -=item B<-curves> - -Sets supported elliptic curves to B. Equivalent to B file -command. - -=item B<-named_curve> - -Sets supported ECDH parameters to B. For automatic curve selection -B should be set to B, otherwise the command is identical to -the B file command. - -=item B<-cipher> - -Sets the cipher suite list to B. Note: syntax checking of B is -currently not performed unless a B or B structure is -associated with B. - -=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - -Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B, B, -B, B and B respectively. - -=item B<-bugs> - -Various bug workarounds are set, same as setting B. - -=item B<-no_comp> - -Disables support for SSL/TLS compression, same as setting B. - -=item B<-no_ticket> - -Disables support for session tickets, same as setting B. - -=item B<-serverpref> - -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to B. Only used by servers. - -=item B<-legacyrenegotiation> - -permits the use of unsafe legacy renegotiation. Equivalent to setting -B. - -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> - -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. 
Equivalent to setting or clearing B. -Set by default. - -=item B<-strict> - -enables strict mode protocol handling. Equivalent to setting -B. - -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. - -=back - =head1 NOTES The order of operations is significant. This can be used to set either defaults
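Review bot: the s_client.pod hunk leaves a doubled "in the" in the rendered sentence: the unchanged context line ends "documented in the" and the added line begins "+in the L", so the result reads "documented in the in the ... manual page". Drop the leading "in the" from the added line, as the s_server.pod hunk already does (its added line starts directly with "+L manual").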
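Review bot: the new SUPPORTED COMMAND LINE COMMANDS section (first SSL_CONF_cmd.pod hunk, @@ -15,7 +15,119) has the client and server roles inverted in the B<-curves> entry: it says "For servers the curves are sent using the supported curves extension ... For clients it is used to determine which curve to use", whereas the supported curves extension is sent by the client; mirror the wording of the B<-sigalgs> entry just above, which has the client sending the extension and the server using the list to choose. Smaller wording defects in the same hunk: "used to determine which signature algorithm to with the client certificate" is missing the verb ("to use with"); "such as B, B, B, B of B" should read "or B"; and "Note: all B names and are case sensitive" carries a stray "and" over from the removed section.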
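Review bot: the added "Only used by +servers" in the ECDHParameters hunk (@@ -73,7 +185,8) lacks a terminating full stop, so the paragraph runs into the following "The B argument is a curve name ..." paragraph; write "Only used by servers." The identical sentence added under B<-named_curve> in the earlier hunk has the same missing full stop.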