1TLS_CONFIG_SET_PROTOC... BSD Library Functions Manual TLS_CONFIG_SET_PROTOC...
2

NAME

4     tls_config_set_protocols, tls_config_parse_protocols,
5     tls_config_set_alpn, tls_config_set_ciphers, tls_config_set_dheparams,
6     tls_config_set_ecdhecurves, tls_config_prefer_ciphers_client,
7     tls_config_prefer_ciphers_server — TLS protocol and cipher selection
8

SYNOPSIS

10     #include <tls.h>
11
12     int
13     tls_config_set_protocols(struct tls_config *config, uint32_t protocols);
14
15     int
16     tls_config_parse_protocols(uint32_t *protocols, const char *protostr);
17
18     int
19     tls_config_set_alpn(struct tls_config *config, const char *alpn);
20
21     int
22     tls_config_set_ciphers(struct tls_config *config, const char *ciphers);
23
24     int
25     tls_config_set_dheparams(struct tls_config *config, const char *params);
26
27     int
28     tls_config_set_ecdhecurves(struct tls_config *config,
29         const char *curves);
30
31     void
32     tls_config_prefer_ciphers_client(struct tls_config *config);
33
34     void
35     tls_config_prefer_ciphers_server(struct tls_config *config);
36

DESCRIPTION

38     These functions modify a configuration by setting parameters.  The con‐
39     figuration options apply to both clients and servers, unless noted other‐
40     wise.
41
42     tls_config_set_protocols() specifies which versions of the TLS protocol
43     may be used.  Possible values are the bitwise OR of:
44
45           TLS_PROTOCOL_TLSv1_0
46           TLS_PROTOCOL_TLSv1_1
47           TLS_PROTOCOL_TLSv1_2
48           TLS_PROTOCOL_TLSv1_3
49
50     Additionally, the values TLS_PROTOCOL_TLSv1 (TLSv1.0, TLSv1.1, TLSv1.2,
51     TLSv1.3), TLS_PROTOCOLS_ALL (all supported protocols) and
52     TLS_PROTOCOLS_DEFAULT (TLSv1.2 and TLSv1.3) may be used.
53
54     The tls_config_parse_protocols() utility function parses a protocol
55     string and returns the corresponding value via the protocols argument.
56     This value can then be passed to the tls_config_set_protocols() function.
57     The protocol string is a comma or colon separated list of keywords.
58     Valid keywords are:
59
60           tlsv1.0
61           tlsv1.1
62           tlsv1.2
63           tlsv1.3
64           all      (all supported protocols)
65           default  (an alias for secure)
66           legacy   (an alias for all)
67           secure   (currently TLSv1.2 and TLSv1.3)
68
69     If a value has a negative prefix (in the form of a leading exclamation
70     mark) then it is removed from the list of available protocols, rather
71     than being added to it.
72
73     tls_config_set_alpn() sets the ALPN protocols that are supported.  The
74     alpn string is a comma separated list of protocols, in order of prefer‐
75     ence.
76
77     tls_config_set_ciphers() sets the list of ciphers that may be used.
78     Lists of ciphers are specified by name, and the permitted names are:
79
80           secure (or alias default)
81           compat
82           legacy
83           insecure (or alias all)
84
85     Alternatively, libssl cipher strings can be specified.  See the CIPHERS
86     section of openssl(1) for further information.
87
88     tls_config_set_dheparams() specifies the parameters that will be used
89     during Diffie-Hellman Ephemeral (DHE) key exchange.  Possible values are:
90
91           none
92           auto
93           legacy
94
95     In auto mode, the key size for the ephemeral key is automatically se‐
96     lected based on the size of the private key being used for signing.  In
97     legacy mode, 1024 bit ephemeral keys are used.  The default value is
98     none, which disables DHE key exchange.
99
100     tls_config_set_ecdhecurves() specifies the names of the elliptic curves
101     that may be used during Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
102     key exchange.  This is a comma separated list, given in order of prefer‐
103     ence.  The special value of "default" will use the default curves (cur‐
104     rently X25519, P-256 and P-384).  This function replaces
105     tls_config_set_ecdhecurve(), which is deprecated.
106
107     tls_config_prefer_ciphers_client() prefers ciphers in the client's cipher
108     list when selecting a cipher suite (server only).  This is considered to
109     be less secure than preferring the server's list.
110
111     tls_config_prefer_ciphers_server() prefers ciphers in the server's cipher
112     list when selecting a cipher suite (server only).  This is considered to
113     be more secure than preferring the client's list and is the default.
114

RETURN VALUES

116     These functions return 0 on success or -1 on error.
117

SEE ALSO

119     tls_config_ocsp_require_stapling(3), tls_config_set_session_id(3),
120     tls_config_verify(3), tls_init(3), tls_load_file(3)
121

HISTORY

123     tls_config_set_ciphers() appeared in OpenBSD 5.6 and got its final name
124     in OpenBSD 5.7.
125
126     tls_config_set_protocols(), tls_config_parse_protocols(),
127     tls_config_set_dheparams(), and tls_config_set_ecdhecurve() appeared in
128     OpenBSD 5.7, tls_config_prefer_ciphers_client() and
129     tls_config_prefer_ciphers_server() in OpenBSD 5.9, and
130     tls_config_set_alpn() in OpenBSD 6.1.
131

AUTHORS

133     Joel Sing <jsing@openbsd.org> with contributions from
134     Ted Unangst <tedu@openbsd.org> (tls_config_set_ciphers()) and
135     Reyk Floeter <reyk@openbsd.org> (tls_config_set_ecdhecurve())
136
137BSD                             January 2, 2021                            BSD
Impressum