[openssl-users] Wording in OpenSSL documentation for SSL_CTX_set_options

Julien ÉLIE julien at trigofacile.com
Fri Jul 29 19:15:16 UTC 2016


Hi,

In a recent discussion in the news.software.nntp newsgroup, we discussed 
the use of SSL_OP_CIPHER_SERVER_PREFERENCE, and would like to point out 
a possible improvement in the wording of the documentation of 
SSL_CTX_set_options.

Currently, there is in OpenSSL documentation:

   https://www.openssl.org/docs/manmaster/ssl/SSL_CONF_cmd.html

"-serverpref
Use server and not client preference order when determining which cipher 
suite, signature algorithm or elliptic curve to use for an incoming 
connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by 
servers."


   https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

"When choosing a cipher, use the server's preferences instead of the 
client preferences. When not set, the SSL server will always follow the 
clients preferences. When set, the SSL/TLS server will choose following 
its own preferences."


Maybe the documentation of SSL_CTX_set_options should also mention 
signature algorithms and elliptic curves.

Also, Michael Bäuerle noted that TLSv1.3 seems to change things a bit 
because FFDHE groups can now be negotiated too (codes starting at 256):
<https://tools.ietf.org/html/draft-ietf-tls-tls13-14#section-4.2.3>
and therefore suggests to mention "(EC)DHE groups" in both the above man 
pages.


Have a nice day,

-- 
Julien ÉLIE

« La libertad, Sancho, es uno de los más preciosos dones que a los
   hombres dieron los cielos; con ella no pueden igualarse los tesoros
   que encierran la tierra y el mar: por la libertad, así como por la
   honra, se puede y debe aventurar la vida. » (Miguel de Cervantes
   Saavedra)


More information about the openssl-users mailing list