1TLS_CONFIG_SET_PROTOC... BSD Library Functions Manual TLS_CONFIG_SET_PROTOC...
2

NAME

4     tls_config_set_protocols, tls_config_parse_protocols,
5     tls_config_set_alpn, tls_config_set_ciphers, tls_config_set_dheparams,
6     tls_config_set_ecdhecurves, tls_config_prefer_ciphers_client,
7     tls_config_prefer_ciphers_server — TLS protocol and cipher selection
8

SYNOPSIS

10     #include <tls.h>
11
12     int
13     tls_config_set_protocols(struct tls_config *config, uint32_t protocols);
14
15     int
16     tls_config_parse_protocols(uint32_t *protocols, const char *protostr);
17
18     int
19     tls_config_set_alpn(struct tls_config *config, const char *alpn);
20
21     int
22     tls_config_set_ciphers(struct tls_config *config, const char *ciphers);
23
24     int
25     tls_config_set_dheparams(struct tls_config *config, const char *params);
26
27     int
28     tls_config_set_ecdhecurves(struct tls_config *config,
29         const char *curves);
30
31     void
32     tls_config_prefer_ciphers_client(struct tls_config *config);
33
34     void
35     tls_config_prefer_ciphers_server(struct tls_config *config);
36

DESCRIPTION

38     These functions modify a configuration by setting parameters.  The con‐
39     figuration options apply to both clients and servers, unless noted other‐
40     wise.
41
42     tls_config_set_protocols() specifies which versions of the TLS protocol
43     may be used.  Possible values are the bitwise OR of:
44
45           TLS_PROTOCOL_TLSv1_2
46           TLS_PROTOCOL_TLSv1_3
47
48     Additionally, the values TLS_PROTOCOL_TLSv1 (TLSv1.2, TLSv1.3),
49     TLS_PROTOCOLS_ALL (all supported protocols) and TLS_PROTOCOLS_DEFAULT
50     (TLSv1.2 and TLSv1.3) may be used.
51
52     The tls_config_parse_protocols() utility function parses a protocol
53     string and returns the corresponding value via the protocols argument.
54     This value can then be passed to the tls_config_set_protocols() function.
55     The protocol string is a comma or colon separated list of keywords.
56     Valid keywords are:
57
58           tlsv1.2
59           tlsv1.3
60           all      (all supported protocols)
61           default  (an alias for secure)
62           legacy   (an alias for all)
63           secure   (currently TLSv1.2 and TLSv1.3)
64
65     If a value has a negative prefix (in the form of a leading exclamation
66     mark) then it is removed from the list of available protocols, rather
67     than being added to it.
68
69     tls_config_set_alpn() sets the ALPN protocols that are supported.  The
70     alpn string is a comma separated list of protocols, in order of prefer‐
71     ence.
72
73     tls_config_set_ciphers() sets the list of ciphers that may be used.
74     Lists of ciphers are specified by name, and the permitted names are:
75
76           secure (or alias default)
77           compat
78           legacy
79           insecure (or alias all)
80
81     Alternatively, libssl cipher strings can be specified.  See the CIPHERS
82     section of openssl(1) for further information.
83
84     tls_config_set_dheparams() specifies the parameters that will be used
85     during Diffie-Hellman Ephemeral (DHE) key exchange.  Possible values are:
86
87           none
88           auto
89           legacy
90
91     In auto mode, the key size for the ephemeral key is automatically se‐
92     lected based on the size of the private key being used for signing.  In
93     legacy mode, 1024 bit ephemeral keys are used.  The default value is
94     none, which disables DHE key exchange.
95
96     tls_config_set_ecdhecurves() specifies the names of the elliptic curves
97     that may be used during Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
98     key exchange.  This is a comma separated list, given in order of prefer‐
99     ence.  The special value of "default" will use the default curves (cur‐
100     rently X25519, P-256 and P-384).  This function replaces
101     tls_config_set_ecdhecurve(), which is deprecated.
102
103     tls_config_prefer_ciphers_client() prefers ciphers in the client's cipher
104     list when selecting a cipher suite (server only).  This is considered to
105     be less secure than preferring the server's list.
106
107     tls_config_prefer_ciphers_server() prefers ciphers in the server's cipher
108     list when selecting a cipher suite (server only).  This is considered to
109     be more secure than preferring the client's list and is the default.
110

RETURN VALUES

112     These functions return 0 on success or -1 on error.
113

SEE ALSO

115     tls_config_ocsp_require_stapling(3), tls_config_set_session_id(3),
116     tls_config_verify(3), tls_init(3), tls_load_file(3)
117

HISTORY

119     tls_config_set_ciphers() appeared in OpenBSD 5.6 and got its final name
120     in OpenBSD 5.7.
121
122     tls_config_set_protocols(), tls_config_parse_protocols(),
123     tls_config_set_dheparams(), and tls_config_set_ecdhecurve() appeared in
124     OpenBSD 5.7, tls_config_prefer_ciphers_client() and
125     tls_config_prefer_ciphers_server() in OpenBSD 5.9, and
126     tls_config_set_alpn() in OpenBSD 6.1.
127

AUTHORS

129     Joel Sing <jsing@openbsd.org> with contributions from
130     Ted Unangst <tedu@openbsd.org> (tls_config_set_ciphers()) and
131     Reyk Floeter <reyk@openbsd.org> (tls_config_set_ecdhecurve())
132
133BSD                              July 2, 2023                              BSD
Impressum