1SSL_CONF_CMD(3)                     OpenSSL                    SSL_CONF_CMD(3)
2
3
4

NAME

6       SSL_CONF_cmd_value_type, SSL_CONF_cmd - send configuration command
7

SYNOPSIS

9        #include <openssl/ssl.h>
10
11        int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
12        int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
13

DESCRIPTION

15       The function SSL_CONF_cmd() performs configuration operation cmd with
16       optional parameter value on ctx. Its purpose is to simplify application
17       configuration of SSL_CTX or SSL structures by providing a common
18       framework for command line options or configuration files.
19
20       SSL_CONF_cmd_value_type() returns the type of value that cmd refers to.
21

SUPPORTED COMMAND LINE COMMANDS

23       Currently supported cmd names for command lines (i.e. when the flag
24       SSL_CONF_CMDLINE is set) are listed below. Note: all cmd names are case
25       sensitive. Unless otherwise stated commands can be used by both clients
26       and servers and the value parameter is not used. The default prefix for
27       command line commands is - and that is reflected below.
28
29       -sigalgs
30           This sets the supported signature algorithms for TLSv1.2 and
31           TLSv1.3.  For clients this value is used directly for the supported
32           signature algorithms extension. For servers it is used to determine
33           which signature algorithms to support.
34
35           The value argument should be a colon separated list of signature
36           algorithms in order of decreasing preference of the form
37           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
38           ECDSA and hash is a supported algorithm OID short name such as
39           SHA1, SHA224, SHA256, SHA384 of SHA512.  Note: algorithm and hash
40           names are case sensitive.  signature_scheme is one of the signature
41           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
42           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.
43
44           If this option is not set then all signature algorithms supported
45           by the OpenSSL library are permissible.
46
47           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
48           (either by using RSA as the algorithm or by using one of the
49           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
50           negotiated.
51
52       -client_sigalgs
53           This sets the supported signature algorithms associated with client
54           authentication for TLSv1.2 and TLSv1.3.  For servers the value is
55           used in the signature_algorithms field of a CertificateRequest
56           message.  For clients it is used to determine which signature
57           algorithm to use with the client certificate.  If a server does not
58           request a certificate this option has no effect.
59
60           The syntax of value is identical to -sigalgs. If not set then the
61           value set for -sigalgs will be used instead.
62
63       -groups
64           This sets the supported groups. For clients, the groups are sent
65           using the supported groups extension. For servers, it is used to
66           determine which group to use. This setting affects groups used for
67           signatures (in TLSv1.2 and earlier) and key exchange. The first
68           group listed will also be used for the key_share sent by a client
69           in a TLSv1.3 ClientHello.
70
71           The value argument is a colon separated list of groups. The group
72           can be either the NIST name (e.g. P-256), some other commonly used
73           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
74           prime256v1). Group names are case sensitive. The list should be in
75           order of preference with the most preferred group first.
76
77       -curves
78           This is a synonym for the "-groups" command.
79
80       -named_curve
81           This sets the temporary curve used for ephemeral ECDH modes. Only
82           used by servers
83
84           The value argument is a curve name or the special value auto which
85           picks an appropriate curve based on client and server preferences.
86           The curve can be either the NIST name (e.g. P-256) or an OpenSSL
87           OID name (e.g. prime256v1). Curve names are case sensitive.
88
89       -cipher
90           Sets the TLSv1.2 and below ciphersuite list to value. This list
91           will be combined with any configured TLSv1.3 ciphersuites. Note:
92           syntax checking of value is currently not performed unless a SSL or
93           SSL_CTX structure is associated with cctx.
94
95       -ciphersuites
96           Sets the available ciphersuites for TLSv1.3 to value. This is a
97           simple colon (":") separated list of TLSv1.3 ciphersuite names in
98           order of preference. This list will be combined any configured
99           TLSv1.2 and below ciphersuites.  See ciphers(1) for more
100           information.
101
102       -cert
103           Attempts to use the file value as the certificate for the
104           appropriate context. It currently uses
105           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
106           or SSL_use_certificate_file() with filetype PEM if an SSL structure
107           is set. This option is only supported if certificate operations are
108           permitted.
109
110       -key
111           Attempts to use the file value as the private key for the
112           appropriate context. This option is only supported if certificate
113           operations are permitted. Note: if no -key option is set then a
114           private key is not loaded unless the flag
115           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.
116
117       -dhparam
118           Attempts to use the file value as the set of temporary DH
119           parameters for the appropriate context. This option is only
120           supported if certificate operations are permitted.
121
122       -record_padding
123           Attempts to pad TLSv1.3 records so that they are a multiple of
124           value in length on send. A value of 0 or 1 turns off padding.
125           Otherwise, the value must be >1 or <=16384.
126
127       -no_renegotiation
128           Disables all attempts at renegotiation in TLSv1.2 and earlier, same
129           as setting SSL_OP_NO_RENEGOTIATION.
130
131       -min_protocol, -max_protocol
132           Sets the minimum and maximum supported protocol.  Currently
133           supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2,
134           TLSv1.3 for TLS; DTLSv1, DTLSv1.2 for DTLS, and None for no limit.
135           If either the lower or upper bound is not specified then only the
136           other bound applies, if specified.  If your application supports
137           both TLS and DTLS you can specify any of these options twice, once
138           with a bound for TLS and again with an appropriate bound for DTLS.
139           To restrict the supported protocol versions use these commands
140           rather than the deprecated alternative commands below.
141
142       -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
143           Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or
144           TLSv1.3 by setting the corresponding options SSL_OP_NO_SSLv3,
145           SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and
146           SSL_OP_NO_TLSv1_3 respectively. These options are deprecated,
147           instead use -min_protocol and -max_protocol.
148
149       -bugs
150           Various bug workarounds are set, same as setting SSL_OP_ALL.
151
152       -comp
153           Enables support for SSL/TLS compression, same as clearing
154           SSL_OP_NO_COMPRESSION.  This command was introduced in OpenSSL
155           1.1.0.  As of OpenSSL 1.1.0, compression is off by default.
156
157       -no_comp
158           Disables support for SSL/TLS compression, same as setting
159           SSL_OP_NO_COMPRESSION.  As of OpenSSL 1.1.0, compression is off by
160           default.
161
162       -no_ticket
163           Disables support for session tickets, same as setting
164           SSL_OP_NO_TICKET.
165
166       -serverpref
167           Use server and not client preference order when determining which
168           cipher suite, signature algorithm or elliptic curve to use for an
169           incoming connection.  Equivalent to
170           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
171
172       -prioritize_chacha
173           Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at
174           the top of its preference list. This usually indicates a client
175           without AES hardware acceleration (e.g. mobile) is in use.
176           Equivalent to SSL_OP_PRIORITIZE_CHACHA.  Only used by servers.
177           Requires -serverpref.
178
179       -no_resumption_on_reneg
180           set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used
181           by servers.
182
183       -legacyrenegotiation
184           permits the use of unsafe legacy renegotiation. Equivalent to
185           setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
186
187       -legacy_server_connect, -no_legacy_server_connect
188           permits or prohibits the use of unsafe legacy renegotiation for
189           OpenSSL clients only. Equivalent to setting or clearing
190           SSL_OP_LEGACY_SERVER_CONNECT.  Set by default.
191
192       -allow_no_dhe_kex
193           In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
194           resumption. This means that there will be no forward secrecy for
195           the resumed session.
196
197       -strict
198           enables strict mode protocol handling. Equivalent to setting
199           SSL_CERT_FLAG_TLS_STRICT.
200
201       -anti_replay, -no_anti_replay
202           Switches replay protection, on or off respectively. With replay
203           protection on, OpenSSL will automatically detect if a session
204           ticket has been used more than once, TLSv1.3 has been negotiated,
205           and early data is enabled on the server. A full handshake is forced
206           if a session ticket is used a second or subsequent time. Anti-
207           Replay is on by default unless overridden by a configuration file
208           and is only used by servers. Anti-replay measures are required for
209           compliance with the TLSv1.3 specification. Some applications may be
210           able to mitigate the replay risks in other ways and in such cases
211           the built-in OpenSSL functionality is not required. Switching off
212           anti-replay is equivalent to SSL_OP_NO_ANTI_REPLAY.
213

SUPPORTED CONFIGURATION FILE COMMANDS

215       Currently supported cmd names for configuration files (i.e. when the
216       flag SSL_CONF_FLAG_FILE is set) are listed below. All configuration
217       file cmd names are case insensitive so signaturealgorithms is
218       recognised as well as SignatureAlgorithms. Unless otherwise stated the
219       value names are also case insensitive.
220
221       Note: the command prefix (if set) alters the recognised cmd values.
222
223       CipherString
224           Sets the ciphersuite list for TLSv1.2 and below to value. This list
225           will be combined with any configured TLSv1.3 ciphersuites. Note:
226           syntax checking of value is currently not performed unless an SSL
227           or SSL_CTX structure is associated with cctx.
228
229       Ciphersuites
230           Sets the available ciphersuites for TLSv1.3 to value. This is a
231           simple colon (":") separated list of TLSv1.3 ciphersuite names in
232           order of preference. This list will be combined any configured
233           TLSv1.2 and below ciphersuites.  See ciphers(1) for more
234           information.
235
236       Certificate
237           Attempts to use the file value as the certificate for the
238           appropriate context. It currently uses
239           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
240           or SSL_use_certificate_file() with filetype PEM if an SSL structure
241           is set. This option is only supported if certificate operations are
242           permitted.
243
244       PrivateKey
245           Attempts to use the file value as the private key for the
246           appropriate context. This option is only supported if certificate
247           operations are permitted. Note: if no PrivateKey option is set then
248           a private key is not loaded unless the
249           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.
250
251       ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath
252           These options indicate a file or directory used for building
253           certificate chains or verifying certificate chains. These options
254           are only supported if certificate operations are permitted.
255
256       RequestCAFile
257           This option indicates a file containing a set of certificates in
258           PEM form.  The subject names of the certificates are sent to the
259           peer in the certificate_authorities extension for TLS 1.3 (in
260           ClientHello or CertificateRequest) or in a certificate request for
261           previous versions or TLS.
262
263       ServerInfoFile
264           Attempts to use the file value in the "serverinfo" extension using
265           the function SSL_CTX_use_serverinfo_file.
266
267       DHParameters
268           Attempts to use the file value as the set of temporary DH
269           parameters for the appropriate context. This option is only
270           supported if certificate operations are permitted.
271
272       RecordPadding
273           Attempts to pad TLSv1.3 records so that they are a multiple of
274           value in length on send. A value of 0 or 1 turns off padding.
275           Otherwise, the value must be >1 or <=16384.
276
277       SignatureAlgorithms
278           This sets the supported signature algorithms for TLSv1.2 and
279           TLSv1.3.  For clients this value is used directly for the supported
280           signature algorithms extension. For servers it is used to determine
281           which signature algorithms to support.
282
283           The value argument should be a colon separated list of signature
284           algorithms in order of decreasing preference of the form
285           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
286           ECDSA and hash is a supported algorithm OID short name such as
287           SHA1, SHA224, SHA256, SHA384 of SHA512.  Note: algorithm and hash
288           names are case sensitive.  signature_scheme is one of the signature
289           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
290           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.
291
292           If this option is not set then all signature algorithms supported
293           by the OpenSSL library are permissible.
294
295           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
296           (either by using RSA as the algorithm or by using one of the
297           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
298           negotiated.
299
300       ClientSignatureAlgorithms
301           This sets the supported signature algorithms associated with client
302           authentication for TLSv1.2 and TLSv1.3.  For servers the value is
303           used in the signature_algorithms field of a CertificateRequest
304           message.  For clients it is used to determine which signature
305           algorithm to use with the client certificate.  If a server does not
306           request a certificate this option has no effect.
307
308           The syntax of value is identical to SignatureAlgorithms. If not set
309           then the value set for SignatureAlgorithms will be used instead.
310
311       Groups
312           This sets the supported groups. For clients, the groups are sent
313           using the supported groups extension. For servers, it is used to
314           determine which group to use. This setting affects groups used for
315           signatures (in TLSv1.2 and earlier) and key exchange. The first
316           group listed will also be used for the key_share sent by a client
317           in a TLSv1.3 ClientHello.
318
319           The value argument is a colon separated list of groups. The group
320           can be either the NIST name (e.g. P-256), some other commonly used
321           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
322           prime256v1). Group names are case sensitive. The list should be in
323           order of preference with the most preferred group first.
324
325       Curves
326           This is a synonym for the "Groups" command.
327
328       MinProtocol
329           This sets the minimum supported SSL, TLS or DTLS version.
330
331           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
332           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The SSL and TLS bounds
333           apply only to TLS-based contexts, while the DTLS bounds apply only
334           to DTLS-based contexts.  The command can be repeated with one
335           instance setting a TLS bound, and the other setting a DTLS bound.
336           The value None applies to both types of contexts and disables the
337           limits.
338
339       MaxProtocol
340           This sets the maximum supported SSL, TLS or DTLS version.
341
342           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
343           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The SSL and TLS bounds
344           apply only to TLS-based contexts, while the DTLS bounds apply only
345           to DTLS-based contexts.  The command can be repeated with one
346           instance setting a TLS bound, and the other setting a DTLS bound.
347           The value None applies to both types of contexts and disables the
348           limits.
349
350       Protocol
351           This can be used to enable or disable certain versions of the SSL,
352           TLS or DTLS protocol.
353
354           The value argument is a comma separated list of supported protocols
355           to enable or disable.  If a protocol is preceded by - that version
356           is disabled.
357
358           All protocol versions are enabled by default.  You need to disable
359           at least one protocol version for this setting have any effect.
360           Only enabling some protocol versions does not disable the other
361           protocol versions.
362
363           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
364           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2.  The special value ALL
365           refers to all supported versions.
366
367           This can't enable protocols that are disabled using MinProtocol or
368           MaxProtocol, but can disable protocols that are still allowed by
369           them.
370
371           The Protocol command is fragile and deprecated; do not use it.  Use
372           MinProtocol and MaxProtocol instead.  If you do use Protocol, make
373           sure that the resulting range of enabled protocols has no "holes",
374           e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also
375           leave TLS 1.1 enabled.
376
377       Options
378           The value argument is a comma separated list of various flags to
379           set.  If a flag string is preceded - it is disabled.  See the
380           SSL_CTX_set_options(3) function for more details of individual
381           options.
382
383           Each option is listed below. Where an operation is enabled by
384           default the -flag syntax is needed to disable it.
385
386           SessionTicket: session ticket support, enabled by default. Inverse
387           of SSL_OP_NO_TICKET: that is -SessionTicket is the same as setting
388           SSL_OP_NO_TICKET.
389
390           Compression: SSL/TLS compression support, disabled by default.
391           Inverse of SSL_OP_NO_COMPRESSION.
392
393           EmptyFragments: use empty fragments as a countermeasure against a
394           SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It is
395           set by default. Inverse of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
396
397           Bugs: enable various bug workarounds. Same as SSL_OP_ALL.
398
399           DHSingle: enable single use DH keys, set by default. Inverse of
400           SSL_OP_DH_SINGLE. Only used by servers.
401
402           ECDHSingle: enable single use ECDH keys, set by default. Inverse of
403           SSL_OP_ECDH_SINGLE. Only used by servers.
404
405           ServerPreference: use server and not client preference order when
406           determining which cipher suite, signature algorithm or elliptic
407           curve to use for an incoming connection.  Equivalent to
408           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
409
410           PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a
411           ChaCha20 cipher at the top of its preference list. This usually
412           indicates a mobile client is in use. Equivalent to
413           SSL_OP_PRIORITIZE_CHACHA.  Only used by servers.
414
415           NoResumptionOnRenegotiation: set
416           SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by
417           servers.
418
419           NoRenegotiation: disables all attempts at renegotiation in TLSv1.2
420           and earlier, same as setting SSL_OP_NO_RENEGOTIATION.
421
422           UnsafeLegacyRenegotiation: permits the use of unsafe legacy
423           renegotiation.  Equivalent to
424           SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
425
426           UnsafeLegacyServerConnect: permits the use of unsafe legacy
427           renegotiation for OpenSSL clients only. Equivalent to
428           SSL_OP_LEGACY_SERVER_CONNECT.  Set by default.
429
430           EncryptThenMac: use encrypt-then-mac extension, enabled by default.
431           Inverse of SSL_OP_NO_ENCRYPT_THEN_MAC: that is, -EncryptThenMac is
432           the same as setting SSL_OP_NO_ENCRYPT_THEN_MAC.
433
434           AllowNoDHEKEX: In TLSv1.3 allow a non-(ec)dhe based key exchange
435           mode on resumption. This means that there will be no forward
436           secrecy for the resumed session. Equivalent to
437           SSL_OP_ALLOW_NO_DHE_KEX.
438
439           MiddleboxCompat: If set then dummy Change Cipher Spec (CCS)
440           messages are sent in TLSv1.3. This has the effect of making TLSv1.3
441           look more like TLSv1.2 so that middleboxes that do not understand
442           TLSv1.3 will not drop the connection. This option is set by
443           default. A future version of OpenSSL may not set this by default.
444           Equivalent to SSL_OP_ENABLE_MIDDLEBOX_COMPAT.
445
446           AntiReplay: If set then OpenSSL will automatically detect if a
447           session ticket has been used more than once, TLSv1.3 has been
448           negotiated, and early data is enabled on the server. A full
449           handshake is forced if a session ticket is used a second or
450           subsequent time. This option is set by default and is only used by
451           servers. Anti-replay measures are required to comply with the
452           TLSv1.3 specification. Some applications may be able to mitigate
453           the replay risks in other ways and in such cases the built-in
454           OpenSSL functionality is not required.  Disabling anti-replay is
455           equivalent to setting SSL_OP_NO_ANTI_REPLAY.
456
457       VerifyMode
458           The value argument is a comma separated list of flags to set.
459
460           Peer enables peer verification: for clients only.
461
462           Request requests but does not require a certificate from the
463           client.  Servers only.
464
465           Require requests and requires a certificate from the client: an
466           error occurs if the client does not present a certificate. Servers
467           only.
468
469           Once requests a certificate from a client only on the initial
470           connection: not when renegotiating. Servers only.
471
472           RequestPostHandshake configures the connection to support requests
473           but does not require a certificate from the client post-handshake.
474           A certificate will not be requested during the initial handshake.
475           The server application must provide a mechanism to request a
476           certificate post-handshake. Servers only.  TLSv1.3 only.
477
478           RequiresPostHandshake configures the connection to support requests
479           and requires a certificate from the client post-handshake: an error
480           occurs if the client does not present a certificate. A certificate
481           will not be requested during the initial handshake. The server
482           application must provide a mechanism to request a certificate post-
483           handshake. Servers only. TLSv1.3 only.
484
485       ClientCAFile, ClientCAPath
486           A file or directory of certificates in PEM format whose names are
487           used as the set of acceptable names for client CAs. Servers only.
488           This option is only supported if certificate operations are
489           permitted.
490

SUPPORTED COMMAND TYPES

492       The function SSL_CONF_cmd_value_type() currently returns one of the
493       following types:
494
495       SSL_CONF_TYPE_UNKNOWN
496           The cmd string is unrecognised, this return value can be use to
497           flag syntax errors.
498
499       SSL_CONF_TYPE_STRING
500           The value is a string without any specific structure.
501
502       SSL_CONF_TYPE_FILE
503           The value is a filename.
504
505       SSL_CONF_TYPE_DIR
506           The value is a directory name.
507
508       SSL_CONF_TYPE_NONE
509           The value string is not used e.g. a command line option which
510           doesn't take an argument.
511

NOTES

513       The order of operations is significant. This can be used to set either
514       defaults or values which cannot be overridden. For example if an
515       application calls:
516
517        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
518        SSL_CONF_cmd(ctx, userparam, uservalue);
519
520       it will disable SSLv3 support by default but the user can override it.
521       If however the call sequence is:
522
523        SSL_CONF_cmd(ctx, userparam, uservalue);
524        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
525
526       SSLv3 is always disabled and attempt to override this by the user are
527       ignored.
528
529       By checking the return code of SSL_CONF_cmd() it is possible to query
530       if a given cmd is recognised, this is useful if SSL_CONF_cmd() values
531       are mixed with additional application specific operations.
532
533       For example an application might call SSL_CONF_cmd() and if it returns
534       -2 (unrecognised command) continue with processing of application
535       specific commands.
536
537       Applications can also use SSL_CONF_cmd() to process command lines
538       though the utility function SSL_CONF_cmd_argv() is normally used
539       instead. One way to do this is to set the prefix to an appropriate
540       value using SSL_CONF_CTX_set1_prefix(), pass the current argument to
541       cmd and the following argument to value (which may be NULL).
542
543       In this case if the return value is positive then it is used to skip
544       that number of arguments as they have been processed by SSL_CONF_cmd().
545       If -2 is returned then cmd is not recognised and application specific
546       arguments can be checked instead. If -3 is returned a required argument
547       is missing and an error is indicated. If 0 is returned some other error
548       occurred and this can be reported back to the user.
549
550       The function SSL_CONF_cmd_value_type() can be used by applications to
551       check for the existence of a command or to perform additional syntax
552       checking or translation of the command value. For example if the return
553       value is SSL_CONF_TYPE_FILE an application could translate a relative
554       pathname to an absolute pathname.
555

RETURN VALUES

557       SSL_CONF_cmd() returns 1 if the value of cmd is recognised and value is
558       NOT used and 2 if both cmd and value are used. In other words it
559       returns the number of arguments processed. This is useful when
560       processing command lines.
561
562       A return value of -2 means cmd is not recognised.
563
564       A return value of -3 means cmd is recognised and the command requires a
565       value but value is NULL.
566
567       A return code of 0 indicates that both cmd and value are valid but an
568       error occurred attempting to perform the operation: for example due to
569       an error in the syntax of value in this case the error queue may
570       provide additional information.
571

EXAMPLES

573       Set supported signature algorithms:
574
575        SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
576
577       There are various ways to select the supported protocols.
578
579       This set the minimum protocol version to TLSv1, and so disables SSLv3.
580       This is the recommended way to disable protocols.
581
582        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
583
584       The following also disables SSLv3:
585
586        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
587
588       The following will first enable all protocols, and then disable SSLv3.
589       If no protocol versions were disabled before this has the same effect
590       as "-SSLv3", but if some versions were disables this will re-enable
591       them before disabling SSLv3.
592
593        SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
594
595       Only enable TLSv1.2:
596
597        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
598        SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");
599
600       This also only enables TLSv1.2:
601
602        SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
603
604       Disable TLS session tickets:
605
606        SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
607
608       Enable compression:
609
610        SSL_CONF_cmd(ctx, "Options", "Compression");
611
612       Set supported curves to P-256, P-384:
613
614        SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
615

SEE ALSO

617       SSL_CONF_CTX_new(3), SSL_CONF_CTX_set_flags(3),
618       SSL_CONF_CTX_set1_prefix(3), SSL_CONF_CTX_set_ssl_ctx(3),
619       SSL_CONF_cmd_argv(3), SSL_CTX_set_options(3)
620

HISTORY

622       The SSL_CONF_cmd() function was added in OpenSSL 1.0.2.
623
624       The SSL_OP_NO_SSL2 option doesn't have effect since 1.1.0, but the
625       macro is retained for backwards compatibility.
626
627       The SSL_CONF_TYPE_NONE was added in OpenSSL 1.1.0. In earlier versions
628       of OpenSSL passing a command which didn't take an argument would return
629       SSL_CONF_TYPE_UNKNOWN.
630
631       MinProtocol and MaxProtocol where added in OpenSSL 1.1.0.
632
633       AllowNoDHEKEX and PrioritizeChaCha were added in OpenSSL 1.1.1.
634
636       Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
637
638       Licensed under the OpenSSL license (the "License").  You may not use
639       this file except in compliance with the License.  You can obtain a copy
640       in the file LICENSE in the source distribution or at
641       <https://www.openssl.org/source/license.html>.
642
643
644
6451.1.1q                            2023-02-06                   SSL_CONF_CMD(3)
Impressum