1SSL_CONF_CMD(3)                     OpenSSL                    SSL_CONF_CMD(3)
2
3
4

NAME

6       SSL_CONF_cmd_value_type, SSL_CONF_cmd - send configuration command
7

SYNOPSIS

9        #include <openssl/ssl.h>
10
11        int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
12        int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
13

DESCRIPTION

15       The function SSL_CONF_cmd() performs configuration operation cmd with
16       optional parameter value on ctx. Its purpose is to simplify application
17       configuration of SSL_CTX or SSL structures by providing a common
18       framework for command line options or configuration files.
19
20       SSL_CONF_cmd_value_type() returns the type of value that cmd refers to.
21

SUPPORTED COMMAND LINE COMMANDS

23       Currently supported cmd names for command lines (i.e. when the flag
24       SSL_CONF_CMDLINE is set) are listed below. Note: all cmd names are case
25       sensitive. Unless otherwise stated commands can be used by both clients
26       and servers and the value parameter is not used. The default prefix for
27       command line commands is - and that is reflected below.
28
29       -sigalgs
30           This sets the supported signature algorithms for TLSv1.2 and
31           TLSv1.3.  For clients this value is used directly for the supported
32           signature algorithms extension. For servers it is used to determine
33           which signature algorithms to support.
34
35           The value argument should be a colon separated list of signature
36           algorithms in order of decreasing preference of the form
37           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
38           ECDSA and hash is a supported algorithm OID short name such as
39           SHA1, SHA224, SHA256, SHA384 of SHA512.  Note: algorithm and hash
40           names are case sensitive.  signature_scheme is one of the signature
41           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
42           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.
43
44           If this option is not set then all signature algorithms supported
45           by the OpenSSL library are permissible.
46
47           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
48           (either by using RSA as the algorithm or by using one of the
49           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
50           negotiated.
51
52       -client_sigalgs
53           This sets the supported signature algorithms associated with client
54           authentication for TLSv1.2 and TLSv1.3.  For servers the value is
55           used in the signature_algorithms field of a CertificateRequest
56           message.  For clients it is used to determine which signature
57           algorithm to use with the client certificate.  If a server does not
58           request a certificate this option has no effect.
59
60           The syntax of value is identical to -sigalgs. If not set then the
61           value set for -sigalgs will be used instead.
62
63       -groups
64           This sets the supported groups. For clients, the groups are sent
65           using the supported groups extension. For servers, it is used to
66           determine which group to use. This setting affects groups used for
67           signatures (in TLSv1.2 and earlier) and key exchange. The first
68           group listed will also be used for the key_share sent by a client
69           in a TLSv1.3 ClientHello.
70
71           The value argument is a colon separated list of groups. The group
72           can be either the NIST name (e.g. P-256), some other commonly used
73           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g
74           prime256v1). Group names are case sensitive. The list should be in
75           order of preference with the most preferred group first.
76
77       -curves
78           This is a synonym for the "-groups" command.
79
80       -named_curve
81           This sets the temporary curve used for ephemeral ECDH modes. Only
82           used by servers
83
84           The value argument is a curve name or the special value auto which
85           picks an appropriate curve based on client and server preferences.
86           The curve can be either the NIST name (e.g. P-256) or an OpenSSL
87           OID name (e.g prime256v1). Curve names are case sensitive.
88
89       -cipher
90           Sets the TLSv1.2 and below ciphersuite list to value. This list
91           will be combined with any configured TLSv1.3 ciphersuites. Note:
92           syntax checking of value is currently not performed unless a SSL or
93           SSL_CTX structure is associated with cctx.
94
95       -ciphersuites
96           Sets the available ciphersuites for TLSv1.3 to value. This is a
97           simple colon (":") separated list of TLSv1.3 ciphersuite names in
98           order of preference. This list will be combined any configured
99           TLSv1.2 and below ciphersuites.  See ciphers(1) for more
100           information.
101
102       -cert
103           Attempts to use the file value as the certificate for the
104           appropriate context. It currently uses
105           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
106           or SSL_use_certificate_file() with filetype PEM if an SSL structure
107           is set. This option is only supported if certificate operations are
108           permitted.
109
110       -key
111           Attempts to use the file value as the private key for the
112           appropriate context. This option is only supported if certificate
113           operations are permitted. Note: if no -key option is set then a
114           private key is not loaded unless the flag
115           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.
116
117       -dhparam
118           Attempts to use the file value as the set of temporary DH
119           parameters for the appropriate context. This option is only
120           supported if certificate operations are permitted.
121
122       -record_padding
123           Attempts to pad TLSv1.3 records so that they are a multiple of
124           value in length on send. A value of 0 or 1 turns off padding.
125           Otherwise, the value must be >1 or <=16384.
126
127       -no_renegotiation
128           Disables all attempts at renegotiation in TLSv1.2 and earlier, same
129           as setting SSL_OP_NO_RENEGOTIATION.
130
131       -min_protocol, -max_protocol
132           Sets the minimum and maximum supported protocol.  Currently
133           supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2,
134           TLSv1.3 for TLS and DTLSv1, DTLSv1.2 for DTLS, and None for no
135           limit.  If either bound is not specified then only the other bound
136           applies, if specified.  To restrict the supported protocol versions
137           use these commands rather than the deprecated alternative commands
138           below.
139
140       -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
141           Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or
142           TLSv1.3 by setting the corresponding options SSL_OP_NO_SSLv3,
143           SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and
144           SSL_OP_NO_TLSv1_3 respectively. These options are deprecated,
145           instead use -min_protocol and -max_protocol.
146
147       -bugs
148           Various bug workarounds are set, same as setting SSL_OP_ALL.
149
150       -comp
151           Enables support for SSL/TLS compression, same as clearing
152           SSL_OP_NO_COMPRESSION.  This command was introduced in OpenSSL
153           1.1.0.  As of OpenSSL 1.1.0, compression is off by default.
154
155       -no_comp
156           Disables support for SSL/TLS compression, same as setting
157           SSL_OP_NO_COMPRESSION.  As of OpenSSL 1.1.0, compression is off by
158           default.
159
160       -no_ticket
161           Disables support for session tickets, same as setting
162           SSL_OP_NO_TICKET.
163
164       -serverpref
165           Use server and not client preference order when determining which
166           cipher suite, signature algorithm or elliptic curve to use for an
167           incoming connection.  Equivalent to
168           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
169
170       -prioritize_chacha
171           Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at
172           the top of its preference list. This usually indicates a client
173           without AES hardware acceleration (e.g. mobile) is in use.
174           Equivalent to SSL_OP_PRIORITIZE_CHACHA.  Only used by servers.
175           Requires -serverpref.
176
177       -no_resumption_on_reneg
178           set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used
179           by servers.
180
181       -legacyrenegotiation
182           permits the use of unsafe legacy renegotiation. Equivalent to
183           setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
184
185       -legacy_server_connect, -no_legacy_server_connect
186           permits or prohibits the use of unsafe legacy renegotiation for
187           OpenSSL clients only. Equivalent to setting or clearing
188           SSL_OP_LEGACY_SERVER_CONNECT.  Set by default.
189
190       -allow_no_dhe_kex
191           In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
192           resumption. This means that there will be no forward secrecy for
193           the resumed session.
194
195       -strict
196           enables strict mode protocol handling. Equivalent to setting
197           SSL_CERT_FLAG_TLS_STRICT.
198
199       -anti_replay, -no_anti_replay
200           Switches replay protection, on or off respectively. With replay
201           protection on, OpenSSL will automatically detect if a session
202           ticket has been used more than once, TLSv1.3 has been negotiated,
203           and early data is enabled on the server. A full handshake is forced
204           if a session ticket is used a second or subsequent time. Anti-
205           Replay is on by default unless overridden by a configuration file
206           and is only used by servers. Anti-replay measures are required for
207           compliance with the TLSv1.3 specification. Some applications may be
208           able to mitigate the replay risks in other ways and in such cases
209           the built-in OpenSSL functionality is not required. Switching off
210           anti-replay is equivalent to SSL_OP_NO_ANTI_REPLAY.
211

SUPPORTED CONFIGURATION FILE COMMANDS

213       Currently supported cmd names for configuration files (i.e. when the
214       flag SSL_CONF_FLAG_FILE is set) are listed below. All configuration
215       file cmd names are case insensitive so signaturealgorithms is
216       recognised as well as SignatureAlgorithms. Unless otherwise stated the
217       value names are also case insensitive.
218
219       Note: the command prefix (if set) alters the recognised cmd values.
220
221       CipherString
222           Sets the ciphersuite list for TLSv1.2 and below to value. This list
223           will be combined with any configured TLSv1.3 ciphersuites. Note:
224           syntax checking of value is currently not performed unless an SSL
225           or SSL_CTX structure is associated with cctx.
226
227       Ciphersuites
228           Sets the available ciphersuites for TLSv1.3 to value. This is a
229           simple colon (":") separated list of TLSv1.3 ciphersuite names in
230           order of preference. This list will be combined any configured
231           TLSv1.2 and below ciphersuites.  See ciphers(1) for more
232           information.
233
234       Certificate
235           Attempts to use the file value as the certificate for the
236           appropriate context. It currently uses
237           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
238           or SSL_use_certificate_file() with filetype PEM if an SSL structure
239           is set. This option is only supported if certificate operations are
240           permitted.
241
242       PrivateKey
243           Attempts to use the file value as the private key for the
244           appropriate context. This option is only supported if certificate
245           operations are permitted. Note: if no PrivateKey option is set then
246           a private key is not loaded unless the
247           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.
248
249       ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath
250           These options indicate a file or directory used for building
251           certificate chains or verifying certificate chains. These options
252           are only supported if certificate operations are permitted.
253
254       RequestCAFile
255           This option indicates a file containing a set of certificates in
256           PEM form.  The subject names of the certificates are sent to the
257           peer in the certificate_authorities extension for TLS 1.3 (in
258           ClientHello or CertificateRequest) or in a certificate request for
259           previous versions or TLS.
260
261       ServerInfoFile
262           Attempts to use the file value in the "serverinfo" extension using
263           the function SSL_CTX_use_serverinfo_file.
264
265       DHParameters
266           Attempts to use the file value as the set of temporary DH
267           parameters for the appropriate context. This option is only
268           supported if certificate operations are permitted.
269
270       RecordPadding
271           Attempts to pad TLSv1.3 records so that they are a multiple of
272           value in length on send. A value of 0 or 1 turns off padding.
273           Otherwise, the value must be >1 or <=16384.
274
275       SignatureAlgorithms
276           This sets the supported signature algorithms for TLSv1.2 and
277           TLSv1.3.  For clients this value is used directly for the supported
278           signature algorithms extension. For servers it is used to determine
279           which signature algorithms to support.
280
281           The value argument should be a colon separated list of signature
282           algorithms in order of decreasing preference of the form
283           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
284           ECDSA and hash is a supported algorithm OID short name such as
285           SHA1, SHA224, SHA256, SHA384 of SHA512.  Note: algorithm and hash
286           names are case sensitive.  signature_scheme is one of the signature
287           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
288           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.
289
290           If this option is not set then all signature algorithms supported
291           by the OpenSSL library are permissible.
292
293           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
294           (either by using RSA as the algorithm or by using one of the
295           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
296           negotiated.
297
298       ClientSignatureAlgorithms
299           This sets the supported signature algorithms associated with client
300           authentication for TLSv1.2 and TLSv1.3.  For servers the value is
301           used in the signature_algorithms field of a CertificateRequest
302           message.  For clients it is used to determine which signature
303           algorithm to use with the client certificate.  If a server does not
304           request a certificate this option has no effect.
305
306           The syntax of value is identical to SignatureAlgorithms. If not set
307           then the value set for SignatureAlgorithms will be used instead.
308
309       Groups
310           This sets the supported groups. For clients, the groups are sent
311           using the supported groups extension. For servers, it is used to
312           determine which group to use. This setting affects groups used for
313           signatures (in TLSv1.2 and earlier) and key exchange. The first
314           group listed will also be used for the key_share sent by a client
315           in a TLSv1.3 ClientHello.
316
317           The value argument is a colon separated list of groups. The group
318           can be either the NIST name (e.g. P-256), some other commonly used
319           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g
320           prime256v1). Group names are case sensitive. The list should be in
321           order of preference with the most preferred group first.
322
323       Curves
324           This is a synonym for the "Groups" command.
325
326       MinProtocol
327           This sets the minimum supported SSL, TLS or DTLS version.
328
329           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
330           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The value None will disable
331           the limit.
332
333       MaxProtocol
334           This sets the maximum supported SSL, TLS or DTLS version.
335
336           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
337           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The value None will disable
338           the limit.
339
340       Protocol
341           This can be used to enable or disable certain versions of the SSL,
342           TLS or DTLS protocol.
343
344           The value argument is a comma separated list of supported protocols
345           to enable or disable.  If a protocol is preceded by - that version
346           is disabled.
347
348           All protocol versions are enabled by default.  You need to disable
349           at least one protocol version for this setting have any effect.
350           Only enabling some protocol versions does not disable the other
351           protocol versions.
352
353           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
354           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The special value ALL
355           refers to all supported versions.
356
357           This can't enable protocols that are disabled using MinProtocol or
358           MaxProtocol, but can disable protocols that are still allowed by
359           them.
360
361           The Protocol command is fragile and deprecated; do not use it.  Use
362           MinProtocol and MaxProtocol instead.  If you do use Protocol, make
363           sure that the resulting range of enabled protocols has no "holes",
364           e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also
365           leave TLS 1.1 enabled.
366
367       Options
368           The value argument is a comma separated list of various flags to
369           set.  If a flag string is preceded - it is disabled.  See the
370           SSL_CTX_set_options(3) function for more details of individual
371           options.
372
373           Each option is listed below. Where an operation is enabled by
374           default the -flag syntax is needed to disable it.
375
376           SessionTicket: session ticket support, enabled by default. Inverse
377           of SSL_OP_NO_TICKET: that is -SessionTicket is the same as setting
378           SSL_OP_NO_TICKET.
379
380           Compression: SSL/TLS compression support, enabled by default.
381           Inverse of SSL_OP_NO_COMPRESSION.
382
383           EmptyFragments: use empty fragments as a countermeasure against a
384           SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It is
385           set by default. Inverse of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
386
387           Bugs: enable various bug workarounds. Same as SSL_OP_ALL.
388
389           DHSingle: enable single use DH keys, set by default. Inverse of
390           SSL_OP_DH_SINGLE. Only used by servers.
391
392           ECDHSingle: enable single use ECDH keys, set by default. Inverse of
393           SSL_OP_ECDH_SINGLE. Only used by servers.
394
395           ServerPreference: use server and not client preference order when
396           determining which cipher suite, signature algorithm or elliptic
397           curve to use for an incoming connection.  Equivalent to
398           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
399
400           PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a
401           ChaCha20 cipher at the top of its preference list. This usually
402           indicates a mobile client is in use. Equivalent to
403           SSL_OP_PRIORITIZE_CHACHA.  Only used by servers.
404
405           NoResumptionOnRenegotiation: set
406           SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by
407           servers.
408
409           NoRenegotiation: disables all attempts at renegotiation in TLSv1.2
410           and earlier, same as setting SSL_OP_NO_RENEGOTIATION.
411
412           UnsafeLegacyRenegotiation: permits the use of unsafe legacy
413           renegotiation.  Equivalent to
414           SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
415
416           UnsafeLegacyServerConnect: permits the use of unsafe legacy
417           renegotiation for OpenSSL clients only. Equivalent to
418           SSL_OP_LEGACY_SERVER_CONNECT.  Set by default.
419
420           EncryptThenMac: use encrypt-then-mac extension, enabled by default.
421           Inverse of SSL_OP_NO_ENCRYPT_THEN_MAC: that is, -EncryptThenMac is
422           the same as setting SSL_OP_NO_ENCRYPT_THEN_MAC.
423
424           AllowNoDHEKEX: In TLSv1.3 allow a non-(ec)dhe based key exchange
425           mode on resumption. This means that there will be no forward
426           secrecy for the resumed session. Equivalent to
427           SSL_OP_ALLOW_NO_DHE_KEX.
428
429           MiddleboxCompat: If set then dummy Change Cipher Spec (CCS)
430           messages are sent in TLSv1.3. This has the effect of making TLSv1.3
431           look more like TLSv1.2 so that middleboxes that do not understand
432           TLSv1.3 will not drop the connection. This option is set by
433           default. A future version of OpenSSL may not set this by default.
434           Equivalent to SSL_OP_ENABLE_MIDDLEBOX_COMPAT.
435
436           AntiReplay: If set then OpenSSL will automatically detect if a
437           session ticket has been used more than once, TLSv1.3 has been
438           negotiated, and early data is enabled on the server. A full
439           handshake is forced if a session ticket is used a second or
440           subsequent time. This option is set by default and is only used by
441           servers. Anti-replay measures are required to comply with the
442           TLSv1.3 specification. Some applications may be able to mitigate
443           the replay risks in other ways and in such cases the built-in
444           OpenSSL functionality is not required.  Disabling anti-replay is
445           equivalent to setting SSL_OP_NO_ANTI_REPLAY.
446
447       VerifyMode
448           The value argument is a comma separated list of flags to set.
449
450           Peer enables peer verification: for clients only.
451
452           Request requests but does not require a certificate from the
453           client.  Servers only.
454
455           Require requests and requires a certificate from the client: an
456           error occurs if the client does not present a certificate. Servers
457           only.
458
459           Once requests a certificate from a client only on the initial
460           connection: not when renegotiating. Servers only.
461
462           RequestPostHandshake configures the connection to support requests
463           but does not require a certificate from the client post-handshake.
464           A certificate will not be requested during the initial handshake.
465           The server application must provide a mechanism to request a
466           certificate post-handshake. Servers only.  TLSv1.3 only.
467
468           RequiresPostHandshake configures the connection to support requests
469           and requires a certificate from the client post-handshake: an error
470           occurs if the client does not present a certificate. A certificate
471           will not be requested during the initial handshake. The server
472           application must provide a mechanism to request a certificate post-
473           handshake. Servers only. TLSv1.3 only.
474
475       ClientCAFile, ClientCAPath
476           A file or directory of certificates in PEM format whose names are
477           used as the set of acceptable names for client CAs. Servers only.
478           This option is only supported if certificate operations are
479           permitted.
480

SUPPORTED COMMAND TYPES

482       The function SSL_CONF_cmd_value_type() currently returns one of the
483       following types:
484
485       SSL_CONF_TYPE_UNKNOWN
486           The cmd string is unrecognised, this return value can be use to
487           flag syntax errors.
488
489       SSL_CONF_TYPE_STRING
490           The value is a string without any specific structure.
491
492       SSL_CONF_TYPE_FILE
493           The value is a file name.
494
495       SSL_CONF_TYPE_DIR
496           The value is a directory name.
497
498       SSL_CONF_TYPE_NONE
499           The value string is not used e.g. a command line option which
500           doesn't take an argument.
501

NOTES

503       The order of operations is significant. This can be used to set either
504       defaults or values which cannot be overridden. For example if an
505       application calls:
506
507        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
508        SSL_CONF_cmd(ctx, userparam, uservalue);
509
510       it will disable SSLv3 support by default but the user can override it.
511       If however the call sequence is:
512
513        SSL_CONF_cmd(ctx, userparam, uservalue);
514        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
515
516       SSLv3 is always disabled and attempt to override this by the user are
517       ignored.
518
519       By checking the return code of SSL_CONF_cmd() it is possible to query
520       if a given cmd is recognised, this is useful if SSL_CONF_cmd() values
521       are mixed with additional application specific operations.
522
523       For example an application might call SSL_CONF_cmd() and if it returns
524       -2 (unrecognised command) continue with processing of application
525       specific commands.
526
527       Applications can also use SSL_CONF_cmd() to process command lines
528       though the utility function SSL_CONF_cmd_argv() is normally used
529       instead. One way to do this is to set the prefix to an appropriate
530       value using SSL_CONF_CTX_set1_prefix(), pass the current argument to
531       cmd and the following argument to value (which may be NULL).
532
533       In this case if the return value is positive then it is used to skip
534       that number of arguments as they have been processed by SSL_CONF_cmd().
535       If -2 is returned then cmd is not recognised and application specific
536       arguments can be checked instead. If -3 is returned a required argument
537       is missing and an error is indicated. If 0 is returned some other error
538       occurred and this can be reported back to the user.
539
540       The function SSL_CONF_cmd_value_type() can be used by applications to
541       check for the existence of a command or to perform additional syntax
542       checking or translation of the command value. For example if the return
543       value is SSL_CONF_TYPE_FILE an application could translate a relative
544       pathname to an absolute pathname.
545

RETURN VALUES

547       SSL_CONF_cmd() returns 1 if the value of cmd is recognised and value is
548       NOT used and 2 if both cmd and value are used. In other words it
549       returns the number of arguments processed. This is useful when
550       processing command lines.
551
552       A return value of -2 means cmd is not recognised.
553
554       A return value of -3 means cmd is recognised and the command requires a
555       value but value is NULL.
556
557       A return code of 0 indicates that both cmd and value are valid but an
558       error occurred attempting to perform the operation: for example due to
559       an error in the syntax of value in this case the error queue may
560       provide additional information.
561

EXAMPLES

563       Set supported signature algorithms:
564
565        SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
566
567       There are various ways to select the supported protocols.
568
569       This set the minimum protocol version to TLSv1, and so disables SSLv3.
570       This is the recommended way to disable protocols.
571
572        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
573
574       The following also disables SSLv3:
575
576        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
577
578       The following will first enable all protocols, and then disable SSLv3.
579       If no protocol versions were disabled before this has the same effect
580       as "-SSLv3", but if some versions were disables this will re-enable
581       them before disabling SSLv3.
582
583        SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
584
585       Only enable TLSv1.2:
586
587        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
588        SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");
589
590       This also only enables TLSv1.2:
591
592        SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
593
594       Disable TLS session tickets:
595
596        SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
597
598       Enable compression:
599
600        SSL_CONF_cmd(ctx, "Options", "Compression");
601
602       Set supported curves to P-256, P-384:
603
604        SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
605

SEE ALSO

607       SSL_CONF_CTX_new(3), SSL_CONF_CTX_set_flags(3),
608       SSL_CONF_CTX_set1_prefix(3), SSL_CONF_CTX_set_ssl_ctx(3),
609       SSL_CONF_cmd_argv(3), SSL_CTX_set_options(3)
610

HISTORY

612       The SSL_CONF_cmd() function was added in OpenSSL 1.0.2.
613
614       The SSL_OP_NO_SSL2 option doesn't have effect since 1.1.0, but the
615       macro is retained for backwards compatibility.
616
617       The SSL_CONF_TYPE_NONE was added in OpenSSL 1.1.0. In earlier versions
618       of OpenSSL passing a command which didn't take an argument would return
619       SSL_CONF_TYPE_UNKNOWN.
620
621       MinProtocol and MaxProtocol where added in OpenSSL 1.1.0.
622
623       AllowNoDHEKEX and PrioritizeChaCha were added in OpenSSL 1.1.1.
624
626       Copyright 2012-2019 The OpenSSL Project Authors. All Rights Reserved.
627
628       Licensed under the OpenSSL license (the "License").  You may not use
629       this file except in compliance with the License.  You can obtain a copy
630       in the file LICENSE in the source distribution or at
631       <https://www.openssl.org/source/license.html>.
632
633
634
6351.1.1c                            2019-05-28                   SSL_CONF_CMD(3)
Impressum