1SSL_CTX_NEW(3) OpenSSL SSL_CTX_NEW(3)
2
6 TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
7 SSL_CTX_new, SSL_CTX_up_ref, SSLv3_method, SSLv3_server_method,
8 SSLv3_client_method, TLSv1_method, TLSv1_server_method,
9 TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method,
10 TLSv1_1_client_method, TLS_method, TLS_server_method,
11 TLS_client_method, SSLv23_method, SSLv23_server_method,
12 SSLv23_client_method, DTLS_method, DTLS_server_method,
13 DTLS_client_method, DTLSv1_method, DTLSv1_server_method,
14 DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method,
15 DTLSv1_2_client_method - create a new SSL_CTX object as framework for
16 TLS/SSL or DTLS enabled functions
17
19 #include <openssl/ssl.h>
20 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
22 int SSL_CTX_up_ref(SSL_CTX *ctx);
23 const SSL_METHOD *TLS_method(void);
25 const SSL_METHOD *TLS_server_method(void);
26 const SSL_METHOD *TLS_client_method(void);
27 const SSL_METHOD *SSLv23_method(void);
29 const SSL_METHOD *SSLv23_server_method(void);
30 const SSL_METHOD *SSLv23_client_method(void);
31 #ifndef OPENSSL_NO_SSL3_METHOD
33 const SSL_METHOD *SSLv3_method(void);
34 const SSL_METHOD *SSLv3_server_method(void);
35 const SSL_METHOD *SSLv3_client_method(void);
36 #endif
37 #ifndef OPENSSL_NO_TLS1_METHOD
39 const SSL_METHOD *TLSv1_method(void);
40 const SSL_METHOD *TLSv1_server_method(void);
41 const SSL_METHOD *TLSv1_client_method(void);
42 #endif
43 #ifndef OPENSSL_NO_TLS1_1_METHOD
45 const SSL_METHOD *TLSv1_1_method(void);
46 const SSL_METHOD *TLSv1_1_server_method(void);
47 const SSL_METHOD *TLSv1_1_client_method(void);
48 #endif
49 #ifndef OPENSSL_NO_TLS1_2_METHOD
51 const SSL_METHOD *TLSv1_2_method(void);
52 const SSL_METHOD *TLSv1_2_server_method(void);
53 const SSL_METHOD *TLSv1_2_client_method(void);
54 #endif
55 const SSL_METHOD *DTLS_method(void);
57 const SSL_METHOD *DTLS_server_method(void);
58 const SSL_METHOD *DTLS_client_method(void);
59 #ifndef OPENSSL_NO_DTLS1_METHOD
61 const SSL_METHOD *DTLSv1_method(void);
62 const SSL_METHOD *DTLSv1_server_method(void);
63 const SSL_METHOD *DTLSv1_client_method(void);
64 #endif
65 #ifndef OPENSSL_NO_DTLS1_2_METHOD
67 const SSL_METHOD *DTLSv1_2_method(void);
68 const SSL_METHOD *DTLSv1_2_server_method(void);
69 const SSL_METHOD *DTLSv1_2_client_method(void);
70 #endif
71
73 SSL_CTX_new() creates a new SSL_CTX object as framework to establish
74 TLS/SSL or DTLS enabled connections. An SSL_CTX object is reference
75 counted. Creating an SSL_CTX object for the first time increments the
76 reference count. Freeing it (using SSL_CTX_free) decrements it. When
77 the reference count drops to zero, any memory or resources allocated to
78 the SSL_CTX object are freed. SSL_CTX_up_ref() increments the reference
79 count for an existing SSL_CTX structure.
80
82 The SSL_CTX object uses method as connection method. The methods exist
83 in a generic type (for client and server use), a server only type, and
84 a client only type. method can be of the following types:
85 TLS_method(), TLS_server_method(), TLS_client_method()
87 These are the general-purpose version-flexible SSL/TLS methods.
88 The actual protocol version used will be negotiated to the highest
89 version mutually supported by the client and the server. The
90 supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
91 Applications should use these methods, and avoid the version-
92 specific methods described below.
93 SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()
95 Use of these functions is deprecated. They have been replaced with
96 the above TLS_method(), TLS_server_method() and TLS_client_method()
97 respectively. New code should use those functions instead.
98 TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
100 A TLS/SSL connection established with these methods will only
101 understand the TLSv1.2 protocol.
102 TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()
104 A TLS/SSL connection established with these methods will only
105 understand the TLSv1.1 protocol.
106 TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()
108 A TLS/SSL connection established with these methods will only
109 understand the TLSv1 protocol.
110 SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()
112 A TLS/SSL connection established with these methods will only
113 understand the SSLv3 protocol. The SSLv3 protocol is deprecated
114 and should not be used.
115 DTLS_method(), DTLS_server_method(), DTLS_client_method()
117 These are the version-flexible DTLS methods. Currently supported
118 protocols are DTLS 1.0 and DTLS 1.2.
119 DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()
121 These are the version-specific methods for DTLSv1.2.
122 DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
124 These are the version-specific methods for DTLSv1.
125 SSL_CTX_new() initializes the list of ciphers, the session cache
127 setting, the callbacks, the keys and certificates and the options to
128 their default values.
129 TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(),
131 DTLS_server_method() and DTLS_client_method() are the version-flexible
132 methods. All other methods only support one specific protocol version.
133 Use the version-flexible methods instead of the version specific
134 methods.
135 If you want to limit the supported protocols for the version flexible
137 methods you can use SSL_CTX_set_min_proto_version(3),
138 SSL_set_min_proto_version(3), SSL_CTX_set_max_proto_version(3) and
139 SSL_set_max_proto_version(3) functions. Using these functions it is
140 possible to choose e.g. TLS_server_method() and be able to negotiate
141 with all possible clients, but to only allow newer protocols like TLS
142 1.0, TLS 1.1, TLS 1.2 or TLS 1.3.
143 The list of protocols available can also be limited using the
145 SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_3,
146 SSL_OP_NO_TLSv1_2 and SSL_OP_NO_TLSv1_3 options of the
147 SSL_CTX_set_options(3) or SSL_set_options(3) functions, but this
148 approach is not recommended. Clients should avoid creating "holes" in
149 the set of protocols they support. When disabling a protocol, make sure
150 that you also disable either all previous or all subsequent protocol
151 versions. In clients, when a protocol version is disabled without
152 disabling all previous protocol versions, the effect is to also disable
153 all subsequent protocol versions.
154 The SSLv3 protocol is deprecated and should generally not be used.
156 Applications should typically use SSL_CTX_set_min_proto_version(3) to
157 set the minimum protocol to at least TLS1_VERSION.
158
160 The following return values can occur:
161 NULL
163 The creation of a new SSL_CTX object failed. Check the error stack
164 to find out the reason.
165 Pointer to an SSL_CTX object
167 The return value points to an allocated SSL_CTX object.
168 SSL_CTX_up_ref() returns 1 for success and 0 for failure.
170
172 SSL_CTX_set_options(3), SSL_CTX_free(3), SSL_accept(3),
173 SSL_CTX_set_min_proto_version(3), ssl(7), SSL_set_connect_state(3)
174
176 Support for SSLv2 and the corresponding SSLv2_method(),
177 SSLv2_server_method() and SSLv2_client_method() functions where removed
178 in OpenSSL 1.1.0.
179 SSLv23_method(), SSLv23_server_method() and SSLv23_client_method() were
181 deprecated and the preferred TLS_method(), TLS_server_method() and
182 TLS_client_method() functions were added in OpenSSL 1.1.0.
183 All version-specific methods were deprecated in OpenSSL 1.1.0.
185
187 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
188 Licensed under the OpenSSL license (the "License"). You may not use
190 this file except in compliance with the License. You can obtain a copy
191 in the file LICENSE in the source distribution or at
192 <https://www.openssl.org/source/license.html>.
1931.1.1c 2019-05-28 SSL_CTX_NEW(3)