[openssl] master update
matthias.st.pierre at ncp-e.com
matthias.st.pierre at ncp-e.com
Fri Jan 31 15:35:19 UTC 2020
The branch master has been updated
via 03e16083ff526d6d38de519620747aabbfc69b83 (commit)
via 8b3efb53027dd4f7d51b7ca9dd9658f02d6f1b1a (commit)
from c98eab85b8a6c5d49353a229ac1d2f4cd0b84682 (commit)
- Log -----------------------------------------------------------------
commit 03e16083ff526d6d38de519620747aabbfc69b83
Author: Rich Salz <rsalz at akamai.com>
Date: Fri Jan 24 12:33:05 2020 -0500
Fix "ts" no-XXX options, document two TLS options
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10191)
commit 8b3efb53027dd4f7d51b7ca9dd9658f02d6f1b1a
Author: Rich Salz <rsalz at akamai.com>
Date: Sat Oct 12 17:45:56 2019 -0400
Update the SSL/TLS connection options
Refactor common flags for SSL/TLS connection options.
Update SSL_CONF_cmd.pod to match ordering.
Rewrite much of the documentation.
Fixes #10160
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10191)
-----------------------------------------------------------------------
Summary of changes:
doc/man1/openssl-s_server.pod.in | 19 ++-
doc/man1/openssl-ts.pod.in | 7 +-
doc/man3/SSL_CONF_cmd.pod | 327 ++++++++++++++++++++-------------------
doc/perlvars.pm | 17 +-
4 files changed, 194 insertions(+), 176 deletions(-)
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 78119281db..b31d4f6a2c 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -41,6 +41,7 @@ B<openssl> B<s_server>
[B<-no_resume_ephemeral>]
[B<-www>]
[B<-WWW>]
+[B<-http_server_binmode>]
[B<-servername>]
[B<-servername_fatal>]
[B<-cert2> I<infile>]
@@ -88,7 +89,6 @@ B<openssl> B<s_server>
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
-[B<-num_tickets>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
@@ -125,16 +125,17 @@ B<openssl> B<s_server>
[B<-use_srtp> I<val>]
[B<-alpn> I<val>]
[B<-keylogfile> I<outfile>]
-[B<-max_early_data> I<int>]
[B<-recv_max_early_data> I<int>]
+[B<-max_early_data> I<int>]
[B<-early_data>]
[B<-stateless>]
[B<-anti_replay>]
[B<-no_anti_replay>]
-[B<-http_server_binmode>]
+[B<-num_tickets>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
@@ -371,6 +372,11 @@ In addition, the special URL C</stats> will return status
information like the B<-www> option.
Neither of these options can be used in conjunction with B<-early_data>.
+=item B<-http_server_binmode>
+
+When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
+by the client in binary mode.
+
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
@@ -641,15 +647,12 @@ has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.
-=item B<-http_server_binmode>
-
-When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
-by the client in binary mode.
-
{- $OpenSSL::safe::opt_name_item -}
{- $OpenSSL::safe::opt_version_item -}
+{- $OpenSSL::safe::opt_s_item -}
+
{- $OpenSSL::safe::opt_x_item -}
{- $OpenSSL::safe::opt_trust_item -}
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index b9e911827d..f115f45072 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -50,7 +50,9 @@ B<-verify>
[B<-queryfile> I<request.tsq>]
[B<-in> I<response.tsr>]
[B<-token_in>]
-{- $OpenSSL::safe::opt_trust_synopsis -}
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
+[B<-CAstore> I<uri>]
{- $OpenSSL::safe::opt_v_synopsis -}
=for openssl ifdef engine
@@ -330,8 +332,9 @@ certificate. This file must contain the TSA signing certificate and
all intermediate CA certificates unless the response includes them.
(Optional)
-{- $OpenSSL::safe::opt_trust_item -}
+=item B<-CAfile> I<file>, B<-CApath> I<dir>, B<-CAstore> I<uri>
+See L<openssl(1)/Trusted Certificate Options> for details.
At least one of B<-CApath>, B<-CAfile> or B<-CAstore> must be specified.
{- $OpenSSL::safe::opt_v_item -}
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index ea1f1e8503..1f2e7b8ebb 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -9,222 +9,233 @@ SSL_CONF_cmd - send configuration command
#include <openssl/ssl.h>
- int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
- int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
+ int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value);
+ int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option);
=head1 DESCRIPTION
-The function SSL_CONF_cmd() performs configuration operation B<cmd> with
+The function SSL_CONF_cmd() performs configuration operation B<option> with
optional parameter B<value> on B<ctx>. Its purpose is to simplify application
configuration of B<SSL_CTX> or B<SSL> structures by providing a common
framework for command line options or configuration files.
-SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to.
+SSL_CONF_cmd_value_type() returns the type of value that B<option> refers to.
=head1 SUPPORTED COMMAND LINE COMMANDS
-Currently supported B<cmd> names for command lines (i.e. when the
-flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
+Currently supported B<option> names for command lines (i.e. when the
+flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<option> names
are case sensitive. Unless otherwise stated commands can be used by
both clients and servers and the B<value> parameter is not used. The default
prefix for command line commands is B<-> and that is reflected below.
=over 4
-=item B<-sigalgs>
+=item B<-bugs>
-This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
-For clients this
-value is used directly for the supported signature algorithms extension. For
-servers it is used to determine which signature algorithms to support.
+Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
-The B<value> argument should be a colon separated list of signature algorithms
-in order of decreasing preference of the form B<algorithm+hash> or
-B<signature_scheme>. B<algorithm>
-is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
-OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
-Note: algorithm and hash names are case sensitive.
-B<signature_scheme> is one of the signature schemes defined in TLSv1.3,
-specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>,
-or B<rsa_pss_pss_sha256>.
+=item B<-no_comp>
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
+Disables support for SSL/TLS compression, same as setting
+B<SSL_OP_NO_COMPRESSION>.
+As of OpenSSL 1.1.0, compression is off by default.
-Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
-using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
-identifiers) are ignored in TLSv1.3 and will not be negotiated.
+=item B<-comp>
-=item B<-client_sigalgs>
+Enables support for SSL/TLS compression, same as clearing
+B<SSL_OP_NO_COMPRESSION>.
+This command was introduced in OpenSSL 1.1.0.
+As of OpenSSL 1.1.0, compression is off by default.
-This sets the supported signature algorithms associated with client
-authentication for TLSv1.2 and TLSv1.3.
-For servers the value is used in the
-B<signature_algorithms> field of a B<CertificateRequest> message.
-For clients it is
-used to determine which signature algorithm to use with the client certificate.
-If a server does not request a certificate this option has no effect.
+=item B<-no_ticket>
-The syntax of B<value> is identical to B<-sigalgs>. If not set then
-the value set for B<-sigalgs> will be used instead.
+Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
-=item B<-groups>
+=item B<-serverpref>
-This sets the supported groups. For clients, the groups are
-sent using the supported groups extension. For servers, it is used
-to determine which group to use. This setting affects groups used for
-signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
-will also be used for the B<key_share> sent by a client in a TLSv1.3
-B<ClientHello>.
+Use server and not client preference order when determining which cipher suite,
+signature algorithm or elliptic curve to use for an incoming connection.
+Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
-The B<value> argument is a colon separated list of groups. The group can be
-either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
-applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name
-(e.g B<prime256v1>). Group names are case sensitive. The list should be in
-order of preference with the most preferred group first.
+=item B<-legacyrenegotiation>
-Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>,
-B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>,
-B<ffdhe8192>.
+permits the use of unsafe legacy renegotiation. Equivalent to setting
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
-=item B<-curves>
+=item B<-no_renegotiation>
-This is a synonym for the "-groups" command.
+Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
+B<SSL_OP_NO_RENEGOTIATION>.
-=item B<-named_curve>
+=item B<-no_resumption_on_reneg>
-This sets the temporary curve used for ephemeral ECDH modes. Only used by
-servers
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
-The B<value> argument is a curve name or the special value B<auto> which
-picks an appropriate curve based on client and server preferences. The curve
-can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
-(e.g B<prime256v1>). Curve names are case sensitive.
+=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
-=item B<-cipher>
+permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
+clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
+Set by default.
-Sets the TLSv1.2 and below ciphersuite list to B<value>. This list will be
-combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
-of B<value> is currently not performed unless a B<SSL> or B<SSL_CTX> structure is
-associated with B<cctx>.
+=item B<-prioritize_chacha>
-=item B<-ciphersuites>
+Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
+its preference list. This usually indicates a client without AES hardware
+acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
+Only used by servers. Requires B<-serverpref>.
-Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon
-(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
-list will be combined any configured TLSv1.2 and below ciphersuites.
-See L<openssl-ciphers(1)> for more information.
+=item B<-allow_no_dhe_kex>
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
-=item B<-cert>
+=item B<-strict>
-Attempts to use the file B<value> as the certificate for the appropriate
-context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
-structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
-structure is set. This option is only supported if certificate operations
-are permitted.
+enables strict mode protocol handling. Equivalent to setting
+B<SSL_CERT_FLAG_TLS_STRICT>.
-=item B<-key>
+=item B<-sigalgs> I<algs>
-Attempts to use the file B<value> as the private key for the appropriate
-context. This option is only supported if certificate operations
-are permitted. Note: if no B<-key> option is set then a private key is
-not loaded unless the flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
+This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
+For clients this value is used directly for the supported signature
+algorithms extension. For servers it is used to determine which signature
+algorithms to support.
+
+The B<algs> argument should be a colon separated list of signature
+algorithms in order of decreasing preference of the form B<algorithm+hash>
+or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and
+B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>,
+B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case
+sensitive. B<signature_scheme> is one of the signature schemes defined in
+TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>,
+B<ed25519>, or B<rsa_pss_pss_sha256>.
-=item B<-dhparam>
+If this option is not set then all signature algorithms supported by the
+OpenSSL library are permissible.
-Attempts to use the file B<value> as the set of temporary DH parameters for
-the appropriate context. This option is only supported if certificate
-operations are permitted.
+Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
+using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
+identifiers) are ignored in TLSv1.3 and will not be negotiated.
-=item B<-record_padding>
+=item B<-client_sigalgs> I<algs>
-Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in
-length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the
-B<value> must be >1 or <=16384.
+This sets the supported signature algorithms associated with client
+authentication for TLSv1.2 and TLSv1.3. For servers the B<algs> is used
+in the B<signature_algorithms> field of a B<CertificateRequest> message.
+For clients it is used to determine which signature algorithm to use with
+the client certificate. If a server does not request a certificate this
+option has no effect.
-=item B<-no_renegotiation>
+The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the
+value set for B<-sigalgs> will be used instead.
-Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
-B<SSL_OP_NO_RENEGOTIATION>.
+=item B<-groups> I<groups>
-=item B<-min_protocol>, B<-max_protocol>
+This sets the supported groups. For clients, the groups are sent using
+the supported groups extension. For servers, it is used to determine which
+group to use. This setting affects groups used for signatures (in TLSv1.2
+and earlier) and key exchange. The first group listed will also be used
+for the B<key_share> sent by a client in a TLSv1.3 B<ClientHello>.
-Sets the minimum and maximum supported protocol.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>,
-B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS,
-and B<None> for no limit.
-If either bound is not specified then only the other bound applies,
-if specified.
-To restrict the supported protocol versions use these commands rather
-than the deprecated alternative commands below.
+The B<groups> argument is a colon separated list of groups. The group can
+be either the B<NIST> name (e.g. B<P-256>), some other commonly used name
+where applicable (e.g. B<X25519>, B<ffdhe2048>) or an OpenSSL OID name
+(e.g B<prime256v1>). Group names are case sensitive. The list should be
+in order of preference with the most preferred group first.
-=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+Currently supported groups for B<TLSv1.3> are B<P-256>, B<P-384>, B<P-521>,
+B<X25519>, B<X448>, B<ffdhe2048>, B<ffdhe3072>, B<ffdhe4096>, B<ffdhe6144>,
+B<ffdhe8192>.
-Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
-setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
-B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
-respectively. These options are deprecated, instead use B<-min_protocol> and
-B<-max_protocol>.
+=item B<-curves> I<groups>
-=item B<-bugs>
+This is a synonym for the B<-groups> command.
-Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
+=item B<-named_curve> I<curve>
-=item B<-comp>
+This sets the temporary curve used for ephemeral ECDH modes. Only used
+by servers.
-Enables support for SSL/TLS compression, same as clearing
-B<SSL_OP_NO_COMPRESSION>.
-This command was introduced in OpenSSL 1.1.0.
-As of OpenSSL 1.1.0, compression is off by default.
+The B<groups> argument is a curve name or the special value B<auto> which
+picks an appropriate curve based on client and server preferences. The
+curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
+(e.g B<prime256v1>). Curve names are case sensitive.
-=item B<-no_comp>
+=item B<-cipher> I<ciphers>
-Disables support for SSL/TLS compression, same as setting
-B<SSL_OP_NO_COMPRESSION>.
-As of OpenSSL 1.1.0, compression is off by default.
+Sets the TLSv1.2 and below ciphersuite list to B<ciphers>. This list will be
+combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
+of B<ciphers> is currently not performed unless a B<SSL> or B<SSL_CTX>
+structure is associated with B<ctx>.
-=item B<-no_ticket>
+=item B<-ciphersuites> I<1.3ciphers>
-Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
+Sets the available ciphersuites for TLSv1.3 to value. This is a
+colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
+list will be combined any configured TLSv1.2 and below ciphersuites.
+See L<openssl-ciphers(1)> for more information.
-=item B<-serverpref>
+=item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>
-Use server and not client preference order when determining which cipher suite,
-signature algorithm or elliptic curve to use for an incoming connection.
-Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
+Sets the minimum and maximum supported protocol. Currently supported
+protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3>
+for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> for no limit.
+If either bound is not specified then only the other bound applies,
+if specified. To restrict the supported protocol versions use these
+commands rather than the deprecated alternative commands below.
-=item B<-prioritize_chacha>
+=item B<-record_padding> I<padding>
-Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
-its preference list. This usually indicates a client without AES hardware
-acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
-Only used by servers. Requires B<-serverpref>.
+Attempts to pad TLSv1.3 records so that they are a multiple of B<padding>
+in length on send. A B<padding> of 0 or 1 turns off padding. Otherwise,
+the B<padding> must be >1 or <=16384.
-=item B<-no_resumption_on_reneg>
+=item B<-debug_broken_protocol>
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
+Ignored.
-=item B<-legacyrenegotiation>
+=item B<-no_middlebox>
-permits the use of unsafe legacy renegotiation. Equivalent to setting
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
+Turn off "middlebox compatibility", as described below.
-=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
+=back
-permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
-clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
-Set by default.
+=head2 Additional Options
-=item B<-allow_no_dhe_kex>
+The following options are accepted by SSL_CONF_cmd(), but are not
+processed by the OpenSSL commands.
-In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
-that there will be no forward secrecy for the resumed session.
+=over 4
-=item B<-strict>
+=item B<-cert> I<file>
-enables strict mode protocol handling. Equivalent to setting
-B<SSL_CERT_FLAG_TLS_STRICT>.
+Attempts to use B<file> as the certificate for the appropriate context. It
+currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
+structure is set or SSL_use_certificate_file() with filetype PEM if an
+B<SSL> structure is set. This option is only supported if certificate
+operations are permitted.
+
+=item B<-key> I<file>
+
+Attempts to use B<file> as the private key for the appropriate context. This
+option is only supported if certificate operations are permitted. Note:
+if no B<-key> option is set then a private key is not loaded unless the
+flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
+
+=item B<-dhparam> I<file>
+
+Attempts to use B<file> as the set of temporary DH parameters for
+the appropriate context. This option is only supported if certificate
+operations are permitted.
+
+=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+
+Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
+setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
+B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
+respectively. These options are deprecated, use B<-min_protocol> and
+B<-max_protocol> instead.
=item B<-anti_replay>, B<-no_anti_replay>
@@ -242,13 +253,13 @@ required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>.
=head1 SUPPORTED CONFIGURATION FILE COMMANDS
-Currently supported B<cmd> names for configuration files (i.e. when the
+Currently supported B<option> names for configuration files (i.e., when the
flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
-B<cmd> names are case insensitive so B<signaturealgorithms> is recognised
+B<option> names are case insensitive so B<signaturealgorithms> is recognised
as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
are also case insensitive.
-Note: the command prefix (if set) alters the recognised B<cmd> values.
+Note: the command prefix (if set) alters the recognised B<option> values.
=over 4
@@ -257,12 +268,12 @@ Note: the command prefix (if set) alters the recognised B<cmd> values.
Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax
checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX>
-structure is associated with B<cctx>.
+structure is associated with B<ctx>.
=item B<Ciphersuites>
-Sets the available ciphersuites for TLSv1.3 to B<value>. This is a simple colon
-(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
+Sets the available ciphersuites for TLSv1.3 to B<value>. This is a
+colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See L<openssl-ciphers(1)> for more information.
@@ -540,7 +551,7 @@ types:
=item B<SSL_CONF_TYPE_UNKNOWN>
-The B<cmd> string is unrecognised, this return value can be use to flag
+The B<option> string is unrecognised, this return value can be use to flag
syntax errors.
=item B<SSL_CONF_TYPE_STRING>
@@ -580,7 +591,7 @@ SSLv3 is B<always> disabled and attempt to override this by the user are
ignored.
By checking the return code of SSL_CONF_cmd() it is possible to query if a
-given B<cmd> is recognised, this is useful if SSL_CONF_cmd() values are
+given B<option> is recognised, this is useful if SSL_CONF_cmd() values are
mixed with additional application specific operations.
For example an application might call SSL_CONF_cmd() and if it returns
@@ -590,12 +601,12 @@ commands.
Applications can also use SSL_CONF_cmd() to process command lines though the
utility function SSL_CONF_cmd_argv() is normally used instead. One way
to do this is to set the prefix to an appropriate value using
-SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
+SSL_CONF_CTX_set1_prefix(), pass the current argument to B<option> and the
following argument to B<value> (which may be NULL).
In this case if the return value is positive then it is used to skip that
number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is
-returned then B<cmd> is not recognised and application specific arguments
+returned then B<option> is not recognised and application specific arguments
can be checked instead. If -3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error occurred and
this can be reported back to the user.
@@ -608,17 +619,17 @@ pathname to an absolute pathname.
=head1 RETURN VALUES
-SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is
-B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
+SSL_CONF_cmd() returns 1 if the value of B<option> is recognised and B<value> is
+B<NOT> used and 2 if both B<option> and B<value> are used. In other words it
returns the number of arguments processed. This is useful when processing
command lines.
-A return value of -2 means B<cmd> is not recognised.
+A return value of -2 means B<option> is not recognised.
-A return value of -3 means B<cmd> is recognised and the command requires a
+A return value of -3 means B<option> is recognised and the command requires a
value but B<value> is NULL.
-A return code of 0 indicates that both B<cmd> and B<value> are valid but an
+A return code of 0 indicates that both B<option> and B<value> are valid but an
error occurred attempting to perform the operation: for example due to an
error in the syntax of B<value> in this case the error queue may provide
additional information.
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index c20f4aedaa..bae8b15e83 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -65,7 +65,7 @@ $OpenSSL::safe::opt_x_synopsis = ""
$OpenSSL::safe::opt_x_item = ""
. "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
. "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
-. "B<-xkeyform> B<DER>|B<PEM>>\n"
+. "B<-xkeyform> B<DER>|B<PEM>\n"
. "\n"
. "Set extended certificate verification options.\n"
. "See L<openssl(1)/Extended Verification Options> for details.";
@@ -143,16 +143,17 @@ $OpenSSL::safe::opt_version_item = "\n"
. "See L<openssl(1)/TLS Version Options>.";
# SSL connection options.
-# TODO options will probably be re-ordered.
+# TODO # options will probably be re-ordered.
$OpenSSL::safe::opt_s_synopsis = ""
. "[B<-bugs>]\n"
. "[B<-no_comp>]\n"
+. "[B<-comp>]\n"
. "[B<-no_ticket>]\n"
. "[B<-serverpref>]\n"
. "[B<-legacy_renegotiation>]\n"
. "[B<-no_renegotiation>]\n"
-. "[B<-legacy_server_connect>]\n"
. "[B<-no_resumption_on_reneg>]\n"
+. "[B<-legacy_server_connect>]\n"
. "[B<-no_legacy_server_connect>]\n"
. "[B<-allow_no_dhe_kex>]\n"
. "[B<-prioritize_chacha>]\n"
@@ -161,7 +162,7 @@ $OpenSSL::safe::opt_s_synopsis = ""
. "[B<-client_sigalgs> I<algs>]\n"
. "[B<-groups> I<groups>]\n"
. "[B<-curves> I<curves>]\n"
-. "[B<-named_curve> I<curves>]\n"
+. "[B<-named_curve> I<curve>]\n"
. "[B<-cipher> I<ciphers>]\n"
. "[B<-ciphersuites> I<1.3ciphers>]\n"
. "[B<-min_protocol> I<minprot>]\n"
@@ -170,12 +171,12 @@ $OpenSSL::safe::opt_s_synopsis = ""
. "[B<-debug_broken_protocol>]\n"
. "[B<-no_middlebox>]";
$OpenSSL::safe::opt_s_item = ""
-. "=item B<-bugs>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,"
-. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-legacy_server_connect>,\n"
-. "B<-no_resumption_on_reneg>, B<-no_legacy_server_connect>,\n"
+. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
+. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
+. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
. "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"
-. "I<curves>, B<-named_curve> I<curves>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
+. "I<curves>, B<-named_curve> I<curve>, B<-cipher> I<ciphers>, B<-ciphersuites>\n"
. "I<1.3ciphers>, B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>,\n"
. "B<-record_padding> I<padding>, B<-debug_broken_protocol>, B<-no_middlebox>\n"
. "\n"
More information about the openssl-commits
mailing list