[openssl-users] Wording in OpenSSL documentation for SSL_CTX_set_options

Julien ÉLIE julien at trigofacile.com
Fri Jul 29 19:15:16 UTC 2016


In a recent discussion in the news.software.nntp newsgroup, we discussed 
the use of SSL_OP_CIPHER_SERVER_PREFERENCE, and would like to point out 
a possible improvement in the wording of the documentation of 

Currently, there is in OpenSSL documentation:


Use server and not client preference order when determining which cipher 
suite, signature algorithm or elliptic curve to use for an incoming 
connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by 


"When choosing a cipher, use the server's preferences instead of the 
client preferences. When not set, the SSL server will always follow the 
clients preferences. When set, the SSL/TLS server will choose following 
its own preferences."

Maybe the documentation of SSL_CTX_set_options should also mention 
signature algorithms and elliptic curves.

Also, Michael Bäuerle noted that TLSv1.3 seems to change things a bit 
because FFDHE groups can now be negotiated too (codes starting at 256):
and therefore suggests to mention "(EC)DHE groups" in both the above man 

Have a nice day,

Julien ÉLIE

« La libertad, Sancho, es uno de los más preciosos dones que a los
   hombres dieron los cielos; con ella no pueden igualarse los tesoros
   que encierran la tierra y el mar: por la libertad, así como por la
   honra, se puede y debe aventurar la vida. » (Miguel de Cervantes

More information about the openssl-users mailing list