SSL_CONF_CMD(3)                     OpenSSL                    SSL_CONF_CMD(3)

NAME
       SSL_CONF_cmd_value_type, SSL_CONF_cmd - send configuration command

SYNOPSIS
       #include <openssl/ssl.h>

       int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
       int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);

DESCRIPTION
       The function SSL_CONF_cmd() performs the configuration operation cmd,
       with the optional parameter value, on the SSL_CTX or SSL structure
       associated with cctx. Its purpose is to simplify application
       configuration of SSL_CTX or SSL structures by providing a common
       framework for command line options or configuration files.

       SSL_CONF_cmd_value_type() returns the type of value that cmd refers to.

SUPPORTED COMMAND LINE COMMANDS
       Currently supported cmd names for command lines (i.e. when the flag
       SSL_CONF_FLAG_CMDLINE is set) are listed below. Note: all cmd names are
       case sensitive. Unless otherwise stated commands can be used by both
       clients and servers and the value parameter is not used. The default
       prefix for command line commands is - and that is reflected below.

       -sigalgs
           This sets the supported signature algorithms for TLSv1.2 and
           TLSv1.3. For clients this value is used directly for the supported
           signature algorithms extension. For servers it is used to determine
           which signature algorithms to support.

           The value argument should be a colon separated list of signature
           algorithms in order of decreasing preference of the form
           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
           ECDSA and hash is a supported algorithm OID short name such as
           SHA1, SHA224, SHA256, SHA384 or SHA512. Note: algorithm and hash
           names are case sensitive. signature_scheme is one of the signature
           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.

           If this option is not set then all signature algorithms supported
           by the OpenSSL library are permissible.

           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
           (either by using RSA as the algorithm or by using one of the
           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
           negotiated.

       -client_sigalgs
           This sets the supported signature algorithms associated with client
           authentication for TLSv1.2 and TLSv1.3. For servers the value is
           used in the signature_algorithms field of a CertificateRequest
           message. For clients it is used to determine which signature
           algorithm to use with the client certificate. If a server does not
           request a certificate this option has no effect.

           The syntax of value is identical to -sigalgs. If not set then the
           value set for -sigalgs will be used instead.

       -groups
           This sets the supported groups. For clients, the groups are sent
           using the supported groups extension. For servers, it is used to
           determine which group to use. This setting affects groups used for
           signatures (in TLSv1.2 and earlier) and key exchange. The first
           group listed will also be used for the key_share sent by a client
           in a TLSv1.3 ClientHello.

           The value argument is a colon separated list of groups. The group
           can be either the NIST name (e.g. P-256), some other commonly used
           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
           prime256v1). Group names are case sensitive. The list should be in
           order of preference with the most preferred group first.

       -curves
           This is a synonym for the "-groups" command.

       -named_curve
           This sets the temporary curve used for ephemeral ECDH modes. Only
           used by servers.

           The value argument is a curve name or the special value auto which
           picks an appropriate curve based on client and server preferences.
           The curve can be either the NIST name (e.g. P-256) or an OpenSSL
           OID name (e.g. prime256v1). Curve names are case sensitive.

       -cipher
           Sets the TLSv1.2 and below ciphersuite list to value. This list
           will be combined with any configured TLSv1.3 ciphersuites. Note:
           syntax checking of value is currently not performed unless an SSL
           or SSL_CTX structure is associated with cctx, so a mistyped cipher
           string is only reported (through a return value of 0) once such a
           structure is attached.

       -ciphersuites
           Sets the available ciphersuites for TLSv1.3 to value. This is a
           simple colon (":") separated list of TLSv1.3 ciphersuite names in
           order of preference. This list will be combined with any configured
           TLSv1.2 and below ciphersuites. See ciphers(1) for more
           information.

       -cert
           Attempts to use the file value as the certificate for the
           appropriate context. It currently uses
           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
           or SSL_use_certificate_file() with filetype PEM if an SSL structure
           is set. This option is only supported if certificate operations are
           permitted.

       -key
           Attempts to use the file value as the private key for the
           appropriate context. This option is only supported if certificate
           operations are permitted. Note: if no -key option is set then a
           private key is not loaded unless the flag
           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.

       -dhparam
           Attempts to use the file value as the set of temporary DH
           parameters for the appropriate context. This option is only
           supported if certificate operations are permitted.

       -record_padding
           Attempts to pad TLSv1.3 records so that they are a multiple of
           value in length on send. A value of 0 or 1 turns off padding.
           Otherwise, the value must be >1 and <=16384.

       -no_renegotiation
           Disables all attempts at renegotiation in TLSv1.2 and earlier, same
           as setting SSL_OP_NO_RENEGOTIATION.

       -min_protocol, -max_protocol
           Sets the minimum and maximum supported protocol. Currently
           supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2,
           TLSv1.3 for TLS and DTLSv1, DTLSv1.2 for DTLS, and None for no
           limit. If either bound is not specified then only the other bound
           applies, if specified. To restrict the supported protocol versions
           use these commands rather than the deprecated alternative commands
           below.

       -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3
           Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or
           TLSv1.3 by setting the corresponding options SSL_OP_NO_SSLv3,
           SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2 and
           SSL_OP_NO_TLSv1_3 respectively. These options are deprecated,
           instead use -min_protocol and -max_protocol.

       -bugs
           Various bug workarounds are set, same as setting SSL_OP_ALL.

       -comp
           Enables support for SSL/TLS compression, same as clearing
           SSL_OP_NO_COMPRESSION. This command was introduced in OpenSSL
           1.1.0. As of OpenSSL 1.1.0, compression is off by default.

       -no_comp
           Disables support for SSL/TLS compression, same as setting
           SSL_OP_NO_COMPRESSION. As of OpenSSL 1.1.0, compression is off by
           default.

       -no_ticket
           Disables support for session tickets, same as setting
           SSL_OP_NO_TICKET.

       -serverpref
           Use server and not client preference order when determining which
           cipher suite, signature algorithm or elliptic curve to use for an
           incoming connection. Equivalent to
           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.

       -prioritize_chacha
           Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at
           the top of its preference list. This usually indicates a client
           without AES hardware acceleration (e.g. mobile) is in use.
           Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
           Requires -serverpref.

       -no_resumption_on_reneg
           Sets the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only
           used by servers.

       -legacyrenegotiation
           Permits the use of unsafe legacy renegotiation. Equivalent to
           setting SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

       -legacy_server_connect, -no_legacy_server_connect
           Permits or prohibits the use of unsafe legacy renegotiation for
           OpenSSL clients only. Equivalent to setting or clearing
           SSL_OP_LEGACY_SERVER_CONNECT. Set by default.

       -allow_no_dhe_kex
           In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
           resumption. This means that there will be no forward secrecy for
           the resumed session. Equivalent to SSL_OP_ALLOW_NO_DHE_KEX.

       -strict
           Enables strict mode protocol handling. Equivalent to setting
           SSL_CERT_FLAG_TLS_STRICT.

       -anti_replay, -no_anti_replay
           Switches replay protection on or off respectively. With replay
           protection on, OpenSSL will automatically detect if a session
           ticket has been used more than once, TLSv1.3 has been negotiated,
           and early data is enabled on the server. A full handshake is forced
           if a session ticket is used a second or subsequent time. Anti-
           replay is on by default unless overridden by a configuration file
           and is only used by servers. Anti-replay measures are required for
           compliance with the TLSv1.3 specification. Some applications may be
           able to mitigate the replay risks in other ways and in such cases
           the built-in OpenSSL functionality is not required. Switching off
           anti-replay is equivalent to SSL_OP_NO_ANTI_REPLAY.

SUPPORTED CONFIGURATION FILE COMMANDS
       Currently supported cmd names for configuration files (i.e. when the
       flag SSL_CONF_FLAG_FILE is set) are listed below. All configuration
       file cmd names are case insensitive so signaturealgorithms is
       recognised as well as SignatureAlgorithms. Unless otherwise stated the
       value names are also case insensitive.

       Note: the command prefix (if set) alters the recognised cmd values.

       CipherString
           Sets the ciphersuite list for TLSv1.2 and below to value. This list
           will be combined with any configured TLSv1.3 ciphersuites. Note:
           syntax checking of value is currently not performed unless an SSL
           or SSL_CTX structure is associated with cctx.

       Ciphersuites
           Sets the available ciphersuites for TLSv1.3 to value. This is a
           simple colon (":") separated list of TLSv1.3 ciphersuite names in
           order of preference. This list will be combined with any configured
           TLSv1.2 and below ciphersuites. See ciphers(1) for more
           information.

       Certificate
           Attempts to use the file value as the certificate for the
           appropriate context. It currently uses
           SSL_CTX_use_certificate_chain_file() if an SSL_CTX structure is set
           or SSL_use_certificate_file() with filetype PEM if an SSL structure
           is set. This option is only supported if certificate operations are
           permitted.

       PrivateKey
           Attempts to use the file value as the private key for the
           appropriate context. This option is only supported if certificate
           operations are permitted. Note: if no PrivateKey option is set then
           a private key is not loaded unless the flag
           SSL_CONF_FLAG_REQUIRE_PRIVATE is set.

       ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath
           These options indicate a file or directory used for building
           certificate chains or verifying certificate chains. These options
           are only supported if certificate operations are permitted.

       RequestCAFile
           This option indicates a file containing a set of certificates in
           PEM form. The subject names of the certificates are sent to the
           peer in the certificate_authorities extension for TLS 1.3 (in
           ClientHello or CertificateRequest) or in a certificate request for
           previous versions of TLS.

       ServerInfoFile
           Attempts to use the file value in the "serverinfo" extension using
           the function SSL_CTX_use_serverinfo_file().

       DHParameters
           Attempts to use the file value as the set of temporary DH
           parameters for the appropriate context. This option is only
           supported if certificate operations are permitted.

       RecordPadding
           Attempts to pad TLSv1.3 records so that they are a multiple of
           value in length on send. A value of 0 or 1 turns off padding.
           Otherwise, the value must be >1 and <=16384.

       SignatureAlgorithms
           This sets the supported signature algorithms for TLSv1.2 and
           TLSv1.3. For clients this value is used directly for the supported
           signature algorithms extension. For servers it is used to determine
           which signature algorithms to support.

           The value argument should be a colon separated list of signature
           algorithms in order of decreasing preference of the form
           algorithm+hash or signature_scheme. algorithm is one of RSA, DSA or
           ECDSA and hash is a supported algorithm OID short name such as
           SHA1, SHA224, SHA256, SHA384 or SHA512. Note: algorithm and hash
           names are case sensitive. signature_scheme is one of the signature
           schemes defined in TLSv1.3, specified using the IETF name, e.g.,
           ecdsa_secp256r1_sha256, ed25519, or rsa_pss_pss_sha256.

           If this option is not set then all signature algorithms supported
           by the OpenSSL library are permissible.

           Note: algorithms which specify a PKCS#1 v1.5 signature scheme
           (either by using RSA as the algorithm or by using one of the
           rsa_pkcs1_* identifiers) are ignored in TLSv1.3 and will not be
           negotiated.

       ClientSignatureAlgorithms
           This sets the supported signature algorithms associated with client
           authentication for TLSv1.2 and TLSv1.3. For servers the value is
           used in the signature_algorithms field of a CertificateRequest
           message. For clients it is used to determine which signature
           algorithm to use with the client certificate. If a server does not
           request a certificate this option has no effect.

           The syntax of value is identical to SignatureAlgorithms. If not set
           then the value set for SignatureAlgorithms will be used instead.

       Groups
           This sets the supported groups. For clients, the groups are sent
           using the supported groups extension. For servers, it is used to
           determine which group to use. This setting affects groups used for
           signatures (in TLSv1.2 and earlier) and key exchange. The first
           group listed will also be used for the key_share sent by a client
           in a TLSv1.3 ClientHello.

           The value argument is a colon separated list of groups. The group
           can be either the NIST name (e.g. P-256), some other commonly used
           name where applicable (e.g. X25519) or an OpenSSL OID name (e.g.
           prime256v1). Group names are case sensitive. The list should be in
           order of preference with the most preferred group first.

       Curves
           This is a synonym for the "Groups" command.

       MinProtocol
           This sets the minimum supported SSL, TLS or DTLS version.

           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The value None will disable
           the limit.

       MaxProtocol
           This sets the maximum supported SSL, TLS or DTLS version.

           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The value None will disable
           the limit.

       Protocol
           This can be used to enable or disable certain versions of the SSL,
           TLS or DTLS protocol.

           The value argument is a comma separated list of supported protocols
           to enable or disable. If a protocol is preceded by - that version
           is disabled.

           All protocol versions are enabled by default. You need to disable
           at least one protocol version for this setting to have any effect.
           Only enabling some protocol versions does not disable the other
           protocol versions.

           Currently supported protocol values are SSLv3, TLSv1, TLSv1.1,
           TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The special value ALL
           refers to all supported versions.

           This can't enable protocols that are disabled using MinProtocol or
           MaxProtocol, but can disable protocols that are still allowed by
           them.

           The Protocol command is fragile and deprecated; do not use it. Use
           MinProtocol and MaxProtocol instead. If you do use Protocol, make
           sure that the resulting range of enabled protocols has no "holes",
           e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also
           leave TLS 1.1 enabled.

       Options
           The value argument is a comma separated list of various flags to
           set. If a flag string is preceded by - it is disabled. See the
           SSL_CTX_set_options(3) function for more details of individual
           options.

           Each option is listed below. Where an operation is enabled by
           default the -flag syntax is needed to disable it.

           SessionTicket: session ticket support, enabled by default. Inverse
           of SSL_OP_NO_TICKET: that is -SessionTicket is the same as setting
           SSL_OP_NO_TICKET.

           Compression: SSL/TLS compression support. Inverse of
           SSL_OP_NO_COMPRESSION. As of OpenSSL 1.1.0 compression is disabled
           by default, so it is only enabled if Compression is given
           explicitly; -Compression sets SSL_OP_NO_COMPRESSION.

           EmptyFragments: use empty fragments as a countermeasure against a
           SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It is
           set by default. Inverse of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

           Bugs: enable various bug workarounds. Same as SSL_OP_ALL.

           DHSingle: enable single use DH keys, set by default. Equivalent to
           SSL_OP_SINGLE_DH_USE. Only used by servers.

           ECDHSingle: enable single use ECDH keys, set by default. Equivalent
           to SSL_OP_SINGLE_ECDH_USE. Only used by servers.

           ServerPreference: use server and not client preference order when
           determining which cipher suite, signature algorithm or elliptic
           curve to use for an incoming connection. Equivalent to
           SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.

           PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a
           ChaCha20 cipher at the top of its preference list. This usually
           indicates a client without AES hardware acceleration (e.g. mobile)
           is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by
           servers. Requires ServerPreference.

           NoResumptionOnRenegotiation: sets the
           SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by
           servers.

           NoRenegotiation: disables all attempts at renegotiation in TLSv1.2
           and earlier, same as setting SSL_OP_NO_RENEGOTIATION.

           UnsafeLegacyRenegotiation: permits the use of unsafe legacy
           renegotiation. Equivalent to
           SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

           UnsafeLegacyServerConnect: permits the use of unsafe legacy
           renegotiation for OpenSSL clients only. Equivalent to
           SSL_OP_LEGACY_SERVER_CONNECT. Set by default.

           EncryptThenMac: use encrypt-then-mac extension, enabled by default.
           Inverse of SSL_OP_NO_ENCRYPT_THEN_MAC: that is, -EncryptThenMac is
           the same as setting SSL_OP_NO_ENCRYPT_THEN_MAC.

           AllowNoDHEKEX: In TLSv1.3 allow a non-(ec)dhe based key exchange
           mode on resumption. This means that there will be no forward
           secrecy for the resumed session. Equivalent to
           SSL_OP_ALLOW_NO_DHE_KEX.

           MiddleboxCompat: If set then dummy Change Cipher Spec (CCS)
           messages are sent in TLSv1.3. This has the effect of making TLSv1.3
           look more like TLSv1.2 so that middleboxes that do not understand
           TLSv1.3 will not drop the connection. This option is set by
           default. A future version of OpenSSL may not set this by default.
           Equivalent to SSL_OP_ENABLE_MIDDLEBOX_COMPAT.

           AntiReplay: If set then OpenSSL will automatically detect if a
           session ticket has been used more than once, TLSv1.3 has been
           negotiated, and early data is enabled on the server. A full
           handshake is forced if a session ticket is used a second or
           subsequent time. This option is set by default and is only used by
           servers. Anti-replay measures are required to comply with the
           TLSv1.3 specification. Some applications may be able to mitigate
           the replay risks in other ways and in such cases the built-in
           OpenSSL functionality is not required. Disabling anti-replay is
           equivalent to setting SSL_OP_NO_ANTI_REPLAY.

       VerifyMode
           The value argument is a comma separated list of flags to set.

           Peer enables peer verification: for clients only.

           Request requests but does not require a certificate from the
           client. Servers only.

           Require requests and requires a certificate from the client: an
           error occurs if the client does not present a certificate. Servers
           only.

           Once requests a certificate from a client only on the initial
           connection: not when renegotiating. Servers only.

           RequestPostHandshake configures the connection to support requests
           but does not require a certificate from the client post-handshake.
           A certificate will not be requested during the initial handshake.
           The server application must provide a mechanism to request a
           certificate post-handshake. Servers only. TLSv1.3 only.

           RequiresPostHandshake configures the connection to support requests
           and requires a certificate from the client post-handshake: an error
           occurs if the client does not present a certificate. A certificate
           will not be requested during the initial handshake. The server
           application must provide a mechanism to request a certificate
           post-handshake. Servers only. TLSv1.3 only.

       ClientCAFile, ClientCAPath
           A file or directory of certificates in PEM format whose names are
           used as the set of acceptable names for client CAs. Servers only.
           This option is only supported if certificate operations are
           permitted.

SUPPORTED COMMAND TYPES
       The function SSL_CONF_cmd_value_type() currently returns one of the
       following types:

       SSL_CONF_TYPE_UNKNOWN
           The cmd string is unrecognised; this return value can be used to
           flag syntax errors.

       SSL_CONF_TYPE_STRING
           The value is a string without any specific structure.

       SSL_CONF_TYPE_FILE
           The value is a file name.

       SSL_CONF_TYPE_DIR
           The value is a directory name.

       SSL_CONF_TYPE_NONE
           The value string is not used, e.g. a command line option which
           doesn't take an argument.

NOTES
       The order of operations is significant. This can be used to set either
       defaults or values which cannot be overridden. For example if an
       application calls:

        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
        SSL_CONF_cmd(ctx, userparam, uservalue);

       it will disable SSLv3 support by default but the user can override it.
       If however the call sequence is:

        SSL_CONF_cmd(ctx, userparam, uservalue);
        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");

       SSLv3 is always disabled and attempts to override this by the user are
       ignored.

       By checking the return code of SSL_CONF_cmd() it is possible to query
       whether a given cmd is recognised; this is useful if SSL_CONF_cmd()
       values are mixed with additional application specific operations.

       For example an application might call SSL_CONF_cmd() and if it returns
       -2 (unrecognised command) continue with processing of application
       specific commands.

       Applications can also use SSL_CONF_cmd() to process command lines,
       although the utility function SSL_CONF_cmd_argv() is normally used
       instead. One way to do this is to set the prefix to an appropriate
       value using SSL_CONF_CTX_set1_prefix(), pass the current argument to
       cmd and the following argument to value (which may be NULL).

       In this case if the return value is positive then it is used to skip
       that number of arguments as they have been processed by SSL_CONF_cmd().
       If -2 is returned then cmd is not recognised and application specific
       arguments can be checked instead. If -3 is returned a required argument
       is missing and an error is indicated. If 0 is returned some other error
       occurred and this can be reported back to the user.

       The function SSL_CONF_cmd_value_type() can be used by applications to
       check for the existence of a command or to perform additional syntax
       checking or translation of the command value. For example if the return
       value is SSL_CONF_TYPE_FILE an application could translate a relative
       pathname to an absolute pathname.

RETURN VALUES
       SSL_CONF_cmd() returns 1 if the value of cmd is recognised and value is
       NOT used and 2 if both cmd and value are used. In other words it
       returns the number of arguments processed. This is useful when
       processing command lines.

       A return value of -2 means cmd is not recognised.

       A return value of -3 means cmd is recognised and the command requires a
       value but value is NULL.

       A return code of 0 indicates that both cmd and value are valid but an
       error occurred attempting to perform the operation: for example due to
       an error in the syntax of value. In this case the error queue may
       provide additional information.

EXAMPLES
       Set supported signature algorithms:

        SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");

       There are various ways to select the supported protocols.

       This sets the minimum protocol version to TLSv1, and so disables SSLv3.
       This is the recommended way to disable protocols.

        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");

       The following also disables SSLv3:

        SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");

       The following will first enable all protocols, and then disable SSLv3.
       If no protocol versions were disabled before, this has the same effect
       as "-SSLv3", but if some versions were disabled this will re-enable
       them before disabling SSLv3.

        SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");

       Only enable TLSv1.2:

        SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
        SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");

       This also only enables TLSv1.2:

        SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");

       Disable TLS session tickets:

        SSL_CONF_cmd(ctx, "Options", "-SessionTicket");

       Enable compression:

        SSL_CONF_cmd(ctx, "Options", "Compression");

       Set supported curves to P-256, P-384:

        SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");

SEE ALSO
       SSL_CONF_CTX_new(3), SSL_CONF_CTX_set_flags(3),
       SSL_CONF_CTX_set1_prefix(3), SSL_CONF_CTX_set_ssl_ctx(3),
       SSL_CONF_cmd_argv(3), SSL_CTX_set_options(3)

HISTORY
       The SSL_CONF_cmd() function was added in OpenSSL 1.0.2.

       The SSL_OP_NO_SSL2 option has had no effect since OpenSSL 1.1.0, but
       the macro is retained for backwards compatibility.

       SSL_CONF_TYPE_NONE was added in OpenSSL 1.1.0. In earlier versions of
       OpenSSL passing a command which didn't take an argument would return
       SSL_CONF_TYPE_UNKNOWN.

       MinProtocol and MaxProtocol were added in OpenSSL 1.1.0.

       AllowNoDHEKEX and PrioritizeChaCha were added in OpenSSL 1.1.1.

COPYRIGHT
       Copyright 2012-2019 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License"). You may not use
       this file except in compliance with the License. You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

1.1.1d                              2019-10-03                  SSL_CONF_CMD(3)