[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Wed Mar 29 05:10:26 UTC 2017
The branch master has been updated
via 7bd278957d27e09511520dabdc8696366ffb2b96 (commit)
via edb79c3a34987cf2389376e4578a711f8f4566e8 (commit)
via 3aaa1bd076bef8baf2ff9a71eb83e0a445943ea3 (commit)
via d5d5b5fc77fbfa6df320ed50ee8f68d3385699a2 (commit)
via f5f85f755d6abbbcbcda99ca80854e286f4e7f0a (commit)
via 818f8617562fbbcbdee36f0ea547d38b4181cef7 (commit)
from 2fae041d6c507315a619e2f29bff86e44cc1d0a1 (commit)
- Log -----------------------------------------------------------------
commit 7bd278957d27e09511520dabdc8696366ffb2b96
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Wed Mar 29 11:45:29 2017 +1000
Typo in SSL_CTX_sess_number.pod - started
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
commit edb79c3a34987cf2389376e4578a711f8f4566e8
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Wed Mar 29 10:07:14 2017 +1000
Tidy up the SSL options in SSL_CTX_set_options.pod
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
commit 3aaa1bd076bef8baf2ff9a71eb83e0a445943ea3
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Tue Mar 28 16:35:25 2017 +1000
SSL_CTX_use_PrivateKey_file uses private key, not certificate
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
commit d5d5b5fc77fbfa6df320ed50ee8f68d3385699a2
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Tue Mar 28 16:32:01 2017 +1000
Typo in SSL_CONF_cmd_argv.pod
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
commit f5f85f755d6abbbcbcda99ca80854e286f4e7f0a
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Tue Mar 28 16:30:43 2017 +1000
Typo in SSL_CONF_CTX_set1_prefix.pod - change SSL_CTX_cmd to SSL_CONF_cmd
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
commit 818f8617562fbbcbdee36f0ea547d38b4181cef7
Author: Jon Spillett <jon.spillett at oracle.com>
Date: Tue Mar 28 16:25:52 2017 +1000
Typo in SSL_CONF_CTX_set_flags.pod
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3070)
-----------------------------------------------------------------------
Summary of changes:
doc/man3/SSL_CONF_CTX_set1_prefix.pod | 2 +-
doc/man3/SSL_CONF_CTX_set_flags.pod | 2 +-
doc/man3/SSL_CONF_cmd.pod | 12 ++---
doc/man3/SSL_CONF_cmd_argv.pod | 2 +-
doc/man3/SSL_CTX_sess_number.pod | 4 +-
doc/man3/SSL_CTX_set_options.pod | 92 +++++++++++++++++++----------------
doc/man3/SSL_CTX_use_certificate.pod | 2 +-
7 files changed, 62 insertions(+), 54 deletions(-)
diff --git a/doc/man3/SSL_CONF_CTX_set1_prefix.pod b/doc/man3/SSL_CONF_CTX_set1_prefix.pod
index da9e580..d986470 100644
--- a/doc/man3/SSL_CONF_CTX_set1_prefix.pod
+++ b/doc/man3/SSL_CONF_CTX_set1_prefix.pod
@@ -17,7 +17,7 @@ to B<prefix>. If B<prefix> is B<NULL> it is restored to the default value.
=head1 NOTES
-Command prefixes alter the commands recognised by subsequent SSL_CTX_cmd()
+Command prefixes alter the commands recognised by subsequent SSL_CONF_cmd()
calls. For example for files, if the prefix "SSL" is set then command names
such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol"
and "Options". Similarly for command lines if the prefix is "--ssl-" then
diff --git a/doc/man3/SSL_CONF_CTX_set_flags.pod b/doc/man3/SSL_CONF_CTX_set_flags.pod
index efd8da3..766d984 100644
--- a/doc/man3/SSL_CONF_CTX_set_flags.pod
+++ b/doc/man3/SSL_CONF_CTX_set_flags.pod
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags - Set of clear SSL configuration context flags
+SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags - Set or clear SSL configuration context flags
=head1 SYNOPSIS
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index 754fe0e..6045a4f 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -428,22 +428,22 @@ however the call sequence is:
SSLv3 is B<always> disabled and attempt to override this by the user are
ignored.
-By checking the return code of SSL_CTX_cmd() it is possible to query if a
-given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
+By checking the return code of SSL_CONF_cmd() it is possible to query if a
+given B<cmd> is recognised, this is useful is SSL_CONF_cmd() values are
mixed with additional application specific operations.
-For example an application might call SSL_CTX_cmd() and if it returns
+For example an application might call SSL_CONF_cmd() and if it returns
-2 (unrecognised command) continue with processing of application specific
commands.
-Applications can also use SSL_CTX_cmd() to process command lines though the
-utility function SSL_CTX_cmd_argv() is normally used instead. One way
+Applications can also use SSL_CONF_cmd() to process command lines though the
+utility function SSL_CONF_cmd_argv() is normally used instead. One way
to do this is to set the prefix to an appropriate value using
SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
following argument to B<value> (which may be NULL).
In this case if the return value is positive then it is used to skip that
-number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
+number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is
returned then B<cmd> is not recognised and application specific arguments
can be checked instead. If -3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error occurred and
diff --git a/doc/man3/SSL_CONF_cmd_argv.pod b/doc/man3/SSL_CONF_cmd_argv.pod
index 15529a5..567fa5a 100644
--- a/doc/man3/SSL_CONF_cmd_argv.pod
+++ b/doc/man3/SSL_CONF_cmd_argv.pod
@@ -15,7 +15,7 @@ SSL_CONF_cmd_argv - SSL configuration command line processing
The function SSL_CONF_cmd_argv() processes at most two command line
arguments from B<pargv> and B<pargc>. The values of B<pargv> and B<pargc>
are updated to reflect the number of command options processed. The B<pargc>
-argument can be set to B<NULL> is it is not used.
+argument can be set to B<NULL> if it is not used.
=head1 RETURN VALUES
diff --git a/doc/man3/SSL_CTX_sess_number.pod b/doc/man3/SSL_CTX_sess_number.pod
index a91cd74..a96c8dd 100644
--- a/doc/man3/SSL_CTX_sess_number.pod
+++ b/doc/man3/SSL_CTX_sess_number.pod
@@ -32,7 +32,7 @@ client mode.
SSL_CTX_sess_connect_good() returns the number of successfully established
SSL/TLS sessions in client mode.
-SSL_CTX_sess_connect_renegotiate() returns the number of start renegotiations
+SSL_CTX_sess_connect_renegotiate() returns the number of started renegotiations
in client mode.
SSL_CTX_sess_accept() returns the number of started SSL/TLS handshakes in
@@ -41,7 +41,7 @@ server mode.
SSL_CTX_sess_accept_good() returns the number of successfully established
SSL/TLS sessions in server mode.
-SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations
+SSL_CTX_sess_accept_renegotiate() returns the number of started renegotiations
in server mode.
SSL_CTX_sess_hits() returns the number of successfully reused sessions.
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index 57d3d8a..d12a039 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -62,27 +62,11 @@ The following B<bug workaround> options are available:
=over 4
-=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
-
-...
-
-=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-
-...
-
=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
-=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-
-...
-
-=item SSL_OP_TLS_D5_BUG
-
-...
-
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
@@ -98,7 +82,8 @@ implementations.
=item SSL_OP_ALL
-All of the above bug workarounds.
+All of the above bug workarounds plus B<SSL_OP_LEGACY_SERVER_CONNECT> as
+mentioned below.
=back
@@ -122,22 +107,6 @@ only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
-=item SSL_OP_SINGLE_DH_USE
-
-Always create a new key when using temporary/ephemeral DH parameters
-(see L<SSL_CTX_set_tmp_dh_callback(3)>).
-This option must be used to prevent small subgroup attacks, when
-the DH parameters were not generated using "strong" primes
-(e.g. when using DSA-parameters, see L<dhparam(1)>).
-If "strong" primes were used, it is not strictly necessary to generate
-a new DH key during each handshake but it is also recommended.
-B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever
-temporary/ephemeral DH parameters are used.
-
-=item SSL_OP_EPHEMERAL_RSA
-
-This option is no longer implemented and is treated as no op.
-
=item SSL_OP_CIPHER_SERVER_PREFERENCE
When choosing a cipher, use the server's preferences instead of the client
@@ -145,15 +114,6 @@ preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSL/TLS server will choose following its
own preferences.
-=item SSL_OP_PKCS1_CHECK_1
-
-...
-
-=item SSL_OP_PKCS1_CHECK_2
-
-...
-
-
=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1,
SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2
@@ -170,6 +130,19 @@ When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
handshake). This option is not needed for clients.
+=item SSL_OP_NO_COMPRESSION
+
+Do not use compression even if it is supported.
+
+=item SSL_OP_NO_QUERY_MTU
+
+Do not query the MTU. Only affects DTLS connections.
+
+=item SSL_OP_COOKIE_EXCHANGE
+
+Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
+DTLS connections.
+
=item SSL_OP_NO_TICKET
Normally clients and servers will, where possible, transparently make use
@@ -199,6 +172,41 @@ propose, and servers will not accept the extension.
=back
+The following options no longer have any effect but their identifiers are
+retained for compatibility purposes:
+
+=over 4
+
+=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+
+=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+
+=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+
+=item SSL_OP_TLS_D5_BUG
+
+=item SSL_OP_TLS_BLOCK_PADDING_BUG
+
+=item SSL_OP_MSIE_SSLV2_RSA_PADDING
+
+=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+
+=item SSL_OP_MICROSOFT_SESS_ID_BUG
+
+=item SSL_OP_NETSCAPE_CHALLENGE_BUG
+
+=item SSL_OP_PKCS1_CHECK_1
+
+=item SSL_OP_PKCS1_CHECK_2
+
+=item SSL_OP_SINGLE_DH_USE
+
+=item SSL_OP_SINGLE_ECDH_USE
+
+=item SSL_OP_EPHEMERAL_RSA
+
+=back
+
=head1 SECURE RENEGOTIATION
OpenSSL always attempts to use secure renegotiation as
diff --git a/doc/man3/SSL_CTX_use_certificate.pod b/doc/man3/SSL_CTX_use_certificate.pod
index 1feb576..22420f9 100644
--- a/doc/man3/SSL_CTX_use_certificate.pod
+++ b/doc/man3/SSL_CTX_use_certificate.pod
@@ -103,7 +103,7 @@ SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private
key to B<ssl>.
SSL_CTX_use_PrivateKey_file() adds the first private key found in
-B<file> to B<ctx>. The formatting B<type> of the certificate must be specified
+B<file> to B<ctx>. The formatting B<type> of the private key must be specified
from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in
B<file> to B<ctx>. SSL_use_PrivateKey_file() adds the first private key found
More information about the openssl-commits
mailing list