[openssl-users] Wording in OpenSSL documentation for SSL_CTX_set_options

Julien ÉLIE julien at trigofacile.com
Thu Aug 4 19:25:39 UTC 2016

Hi all,

Another thing:  couldn't SSL_OP_CIPHER_SERVER_PREFERENCE be renamed (or 
aliased) to SSL_OP_SERVER_PREFERENCE in OpenSSL 1.1.0 because it applies 
to more objects than only cipher suites?


-------- Message transféré --------
Sujet : Wording in OpenSSL documentation for SSL_CTX_set_options
Date : Fri, 29 Jul 2016 21:15:16 +0200


In a recent discussion in the news.software.nntp newsgroup, we discussed 
the use of SSL_OP_CIPHER_SERVER_PREFERENCE, and would like to point out 
a possible improvement in the wording of the documentation of 

Currently, there is in OpenSSL documentation:


Use server and not client preference order when determining which cipher 
suite, signature algorithm or elliptic curve to use for an incoming 
connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by 


"When choosing a cipher, use the server's preferences instead of the 
client preferences. When not set, the SSL server will always follow the 
clients preferences. When set, the SSL/TLS server will choose following 
its own preferences."

Maybe the documentation of SSL_CTX_set_options should also mention 
signature algorithms and elliptic curves.

Also, Michael Bäuerle noted that TLSv1.3 seems to change things a bit 
because FFDHE groups can now be negotiated too (codes starting at 256):
and therefore suggests to mention "(EC)DHE groups" in both the above man 

Have a nice day,

Julien ÉLIE

« La libertad, Sancho, es uno de los más preciosos dones que a los
    hombres dieron los cielos; con ella no pueden igualarse los tesoros
    que encierran la tierra y el mar: por la libertad, así como por la
    honra, se puede y debe aventurar la vida. » (Miguel de Cervantes

More information about the openssl-users mailing list