1TLS_CONFIG_SET_PROTOC... BSD Library Functions Manual TLS_CONFIG_SET_PROTOC...
2

NAME

4     tls_config_set_protocols, tls_config_parse_protocols,
5     tls_config_set_alpn, tls_config_set_ciphers, tls_config_set_dheparams,
6     tls_config_set_ecdhecurves, tls_config_prefer_ciphers_client,
7     tls_config_prefer_ciphers_server — TLS protocol and cipher selection
8

SYNOPSIS

10     #include <tls.h>
11
12     int
13     tls_config_set_protocols(struct tls_config *config, uint32_t protocols);
14
15     int
16     tls_config_parse_protocols(uint32_t *protocols, const char *protostr);
17
18     int
19     tls_config_set_alpn(struct tls_config *config, const char *alpn);
20
21     int
22     tls_config_set_ciphers(struct tls_config *config, const char *ciphers);
23
24     int
25     tls_config_set_dheparams(struct tls_config *config, const char *params);
26
27     int
28     tls_config_set_ecdhecurves(struct tls_config *config,
29         const char *curves);
30
31     void
32     tls_config_prefer_ciphers_client(struct tls_config *config);
33
34     void
35     tls_config_prefer_ciphers_server(struct tls_config *config);
36

DESCRIPTION

38     These functions modify a configuration by setting parameters.  The con‐
39     figuration options apply to both clients and servers, unless noted other‐
40     wise.
41
42     tls_config_set_protocols() specifies which versions of the TLS protocol
43     may be used.  Possible values are the bitwise OR of:
44
45           TLS_PROTOCOL_TLSv1_0
46           TLS_PROTOCOL_TLSv1_1
47           TLS_PROTOCOL_TLSv1_2
48           TLS_PROTOCOL_TLSv1_3
49
50     Additionally, the values TLS_PROTOCOL_TLSv1 (TLSv1.0, TLSv1.1, TLSv1.2,
51     TLSv1.3), TLS_PROTOCOLS_ALL (all supported protocols) and
52     TLS_PROTOCOLS_DEFAULT (TLSv1.2 and TLSv1.3) may be used.
53
54     The tls_config_parse_protocols() utility function parses a protocol
55     string and returns the corresponding value via the protocols argument.
56     This value can then be passed to the tls_config_set_protocols() function.
57     The protocol string is a comma or colon separated list of keywords.
58     Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all supported
59     protocols), default (an alias for secure), legacy (an alias for all) and
60     secure (currently TLSv1.2 and TLSv1.3).  If a value has a negative prefix
61     (in the form of a leading exclamation mark) then it is removed from the
62     list of available protocols, rather than being added to it.
63
64     tls_config_set_alpn() sets the ALPN protocols that are supported.  The
65     alpn string is a comma separated list of protocols, in order of prefer‐
66     ence.
67
68     tls_config_set_ciphers() sets the list of ciphers that may be used.
69     Lists of ciphers are specified by name, and the permitted names are:
70
71           secure (or alias default)
72           compat
73           legacy
74           insecure (or alias all)
75
76     Alternatively, libssl cipher strings can be specified.  See the CIPHERS
77     section of openssl(1) for further information.
78
79     tls_config_set_dheparams() specifies the parameters that will be used
80     during Diffie-Hellman Ephemeral (DHE) key exchange.  Possible values are
81     "none", "auto" and "legacy".  In "auto" mode, the key size for the
82     ephemeral key is automatically selected based on the size of the private
83     key being used for signing.  In "legacy" mode, 1024 bit ephemeral keys
84     are used.  The default value is "none", which disables DHE key exchange.
85
86     tls_config_set_ecdhecurves() specifies the names of the elliptic curves
87     that may be used during Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
88     key exchange.  This is a comma separated list, given in order of prefer‐
89     ence.  The special value of "default" will use the default curves (cur‐
90     rently X25519, P-256 and P-384).  This function replaces
91     tls_config_set_ecdhecurve(), which is deprecated.
92
93     tls_config_prefer_ciphers_client() prefers ciphers in the client's cipher
94     list when selecting a cipher suite (server only).  This is considered to
95     be less secure than preferring the server's list.
96
97     tls_config_prefer_ciphers_server() prefers ciphers in the server's cipher
98     list when selecting a cipher suite (server only).  This is considered to
99     be more secure than preferring the client's list and is the default.
100

RETURN VALUES

102     These functions return 0 on success or -1 on error.
103

SEE ALSO

105     tls_config_ocsp_require_stapling(3), tls_config_set_session_id(3),
106     tls_config_verify(3), tls_init(3), tls_load_file(3)
107

HISTORY

109     tls_config_set_ciphers() appeared in OpenBSD 5.6 and got its final name
110     in OpenBSD 5.7.
111
112     tls_config_set_protocols(), tls_config_parse_protocols(),
113     tls_config_set_dheparams(), and tls_config_set_ecdhecurve() appeared in
114     OpenBSD 5.7, tls_config_prefer_ciphers_client() and
115     tls_config_prefer_ciphers_server() in OpenBSD 5.9, and
116     tls_config_set_alpn() in OpenBSD 6.1.
117

AUTHORS

119     Joel Sing <jsing@openbsd.org> with contributions from
120     Ted Unangst <tedu@openbsd.org> (tls_config_set_ciphers()) and
121     Reyk Floeter <reyk@openbsd.org> (tls_config_set_ecdhecurve())
122
123BSD                            January 22, 2020                            BSD
Impressum