[openssl-users] Wording in OpenSSL documentation for SSL_CTX_set_options
Julien ÉLIE
julien at trigofacile.com
Thu Aug 4 19:25:39 UTC 2016
Hi all,
Another thing: couldn't SSL_OP_CIPHER_SERVER_PREFERENCE be renamed (or
aliased) to SSL_OP_SERVER_PREFERENCE in OpenSSL 1.1.0 because it applies
to more objects than only cipher suites?
--
Julien
-------- Message transféré --------
Sujet : Wording in OpenSSL documentation for SSL_CTX_set_options
Date : Fri, 29 Jul 2016 21:15:16 +0200
Hi,
In a recent discussion in the news.software.nntp newsgroup, we discussed
the use of SSL_OP_CIPHER_SERVER_PREFERENCE, and would like to point out
a possible improvement in the wording of the documentation of
SSL_CTX_set_options.
Currently, there is in OpenSSL documentation:
https://www.openssl.org/docs/manmaster/ssl/SSL_CONF_cmd.html
"-serverpref
Use server and not client preference order when determining which cipher
suite, signature algorithm or elliptic curve to use for an incoming
connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by
servers."
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
"When choosing a cipher, use the server's preferences instead of the
client preferences. When not set, the SSL server will always follow the
clients preferences. When set, the SSL/TLS server will choose following
its own preferences."
Maybe the documentation of SSL_CTX_set_options should also mention
signature algorithms and elliptic curves.
Also, Michael Bäuerle noted that TLSv1.3 seems to change things a bit
because FFDHE groups can now be negotiated too (codes starting at 256):
<https://tools.ietf.org/html/draft-ietf-tls-tls13-14#section-4.2.3>
and therefore suggests to mention "(EC)DHE groups" in both the above man
pages.
Have a nice day,
--
Julien ÉLIE
« La libertad, Sancho, es uno de los más preciosos dones que a los
hombres dieron los cielos; con ella no pueden igualarse los tesoros
que encierran la tierra y el mar: por la libertad, así como por la
honra, se puede y debe aventurar la vida. » (Miguel de Cervantes
Saavedra)
More information about the openssl-users
mailing list