summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/luaossl.tex84
1 files changed, 64 insertions, 20 deletions
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index e7d4c2d..5ae6956 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -697,40 +697,40 @@ Add or interpose a context class method. Returns the previous method, if any.
697 697
698\subsubsection[\fn{context:setOptions}]{\fn{context:setOptions($flags$)}} 698\subsubsection[\fn{context:setOptions}]{\fn{context:setOptions($flags$)}}
699 699
700Sets the option flags of the context instance. $flags$ is a bit-wise set of option flags to be ORd with the current set. The resultant option flags of the context instance will be the union of the old and new flags.\footnote{This idiosyncratic union behavior is how the OpenSSL routine works.} 700Adds the option flags to the context instance. $flags$ is a bit-wise set of option flags to be ORd with the current set. The resultant option flags of the context instance will be the union of the old and new flags.\footnote{This idiosyncratic union behavior is how the OpenSSL routine works.}
701 701
702\begin{ctabular}{ c | p{8cm} } 702\begin{ctabular}{ c | p{8cm} }
703name & description \\\hline 703name & \href{https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html}{description} \\\hline
704\small{\texttt{OP\_MICROSOFT\_SESS\_ID\_BUG}} & When talking SSLv2, if session-id reuse is performed, the session-id passed back in the server-finished message is different from the one decided upon. \\ 704\small{\texttt{OP\_MICROSOFT\_SESS\_ID\_BUG}} & When talking SSLv2, if session-id reuse is performed, the session-id passed back in the server-finished message is different from the one decided upon. \\
705\small{\texttt{OP\_NETSCAPE\_CHALLENGE\_BUG}} & Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte challenge but then appears to only use 16 bytes when generating the encryption keys. According to the SSLv3 spec, one should use 32 bytes for the challenge when operating in SSLv2/v3 compatibility mode, but as mentioned above, this breaks this server so 16 bytes is the way to go. \\ 705\small{\texttt{OP\_NETSCAPE\_CHALLENGE\_BUG}} & Workaround for Netscape-Commerce/1.12 servers. \\
706\small{\texttt{OP\_LEGACY\_SERVER\_CONNECT}} & $\ldots$ \\ 706\small{\texttt{OP\_LEGACY\_SERVER\_CONNECT}} & $\ldots$ \\
707\small{\texttt{OP\_NETSCAPE\_REUSE\_CIPHER\_CHANGE\_BUG}} & As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. \\ 707\small{\texttt{OP\_NETSCAPE\_REUSE\_CIPHER\_CHANGE\_BUG}} & As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. \\
708\small{\texttt{OP\_MICROSOFT\_BIG\_SSLV3\_BUFFER}} & $\ldots$ \\ 708\small{\texttt{OP\_MICROSOFT\_BIG\_SSLV3\_BUFFER}} & $\ldots$ \\
709\small{\texttt{OP\_SSLEAY\_080\_CLIENT\_DH\_BUG}} & $\ldots$ \\ 709\small{\texttt{OP\_SSLEAY\_080\_CLIENT\_DH\_BUG}} & $\ldots$ \\
710\small{\texttt{OP\_TLS\_D5\_BUG}} & $\ldots$ \\ 710\small{\texttt{OP\_TLS\_D5\_BUG}} & $\ldots$ \\
711\small{\texttt{OP\_TLS\_BLOCK\_PADDING\_BUG}} & $\ldots$ \\ 711\small{\texttt{OP\_TLS\_BLOCK\_PADDING\_BUG}} & $\ldots$ \\
712\small{\texttt{OP\_DONT\_INSERT\_EMPTY\_FRAGMENTS}} & $\ldots$ \\ 712\small{\texttt{OP\_DONT\_INSERT\_EMPTY\_FRAGMENTS}} & Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. \\
713\small{\texttt{OP\_NO\_QUERY\_MTU}} & $\ldots$ \\ 713\small{\texttt{OP\_NO\_QUERY\_MTU}} & $\ldots$ \\
714\small{\texttt{OP\_COOKIE\_EXCHANGE}} & $\ldots$ \\ 714\small{\texttt{OP\_COOKIE\_EXCHANGE}} & $\ldots$ \\
715\small{\texttt{OP\_NO\_TICKET}} & $\ldots$ \\ 715\small{\texttt{OP\_NO\_TICKET}} & Disable RFC4507bis ticket stateless session resumption. \\
716\small{\texttt{OP\_CISCO\_ANYCONNECT}} & $\ldots$ \\ 716\small{\texttt{OP\_CISCO\_ANYCONNECT}} & $\ldots$ \\
717\small{\texttt{OP\_NO\_SESSION\_RESUMPTION\_ON\_RENEGOTIATION}} & $\ldots$ \\ 717\small{\texttt{OP\_NO\_SESSION\_RESUMPTION\_ON\_RENEGOTIATION}} & When performing renegotiation as a server, always start a new session (i.e., session resumption requests are only accepted in the initial handshake). This option is not needed for clients. \\
718\small{\texttt{OP\_NO\_COMPRESSION}} & $\ldots$ \\ 718\small{\texttt{OP\_NO\_COMPRESSION}} & $\ldots$ \\
719\small{\texttt{OP\_ALLOW\_UNSAFE\_LEGACY\_RENEGOTIATION}} & $\ldots$ \\ 719\small{\texttt{OP\_ALLOW\_UNSAFE\_LEGACY\_RENEGOTIATION}} & $\ldots$ \\
720\small{\texttt{OP\_SINGLE\_ECDH\_USE}} & $\ldots$ \\ 720\small{\texttt{OP\_SINGLE\_ECDH\_USE}} & Always create a new key when using temporary/ephemeral ECDH parameters. \\
721\small{\texttt{OP\_SINGLE\_DH\_USE}} & $\ldots$ \\ 721\small{\texttt{OP\_SINGLE\_DH\_USE}} & Always create a new key when using temporary/ephemeral DH parameters. \\
722\small{\texttt{OP\_EPHEMERAL\_RSA}} & $\ldots$ \\ 722\small{\texttt{OP\_EPHEMERAL\_RSA}} & Always use ephemeral (temporary) RSA key when doing RSA operations. \\
723\small{\texttt{OP\_CIPHER\_SERVER\_PREFERENCE}} & $\ldots$ \\ 723\small{\texttt{OP\_CIPHER\_SERVER\_PREFERENCE}} & When choosing a cipher, use the server's preferences instead of the client preferences. \\
724\small{\texttt{OP\_TLS\_ROLLBACK\_BUG}} & $\ldots$ \\ 724\small{\texttt{OP\_TLS\_ROLLBACK\_BUG}} & Disable version rollback attack detection. \\
725\small{\texttt{OP\_NO\_SSLv2}} & $\ldots$ \\ 725\small{\texttt{OP\_NO\_SSLv2}} & Do not use the SSLv2 protocol. \\
726\small{\texttt{OP\_NO\_SSLv3}} & $\ldots$ \\ 726\small{\texttt{OP\_NO\_SSLv3}} & Do not use the SSLv3 protocol. \\
727\small{\texttt{OP\_NO\_TLSv1}} & $\ldots$ \\ 727\small{\texttt{OP\_NO\_TLSv1}} & Do not use the TLSv1.0 protocol. \\
728\small{\texttt{OP\_NO\_TLSv1\_2}} & $\ldots$ \\ 728\small{\texttt{OP\_NO\_TLSv1\_2}} & Do not use the TLSv1.1 protocol. \\
729\small{\texttt{OP\_NO\_TLSv1\_1}} & $\ldots$ \\ 729\small{\texttt{OP\_NO\_TLSv1\_1}} & Do not use the TLSv1.2 protocol. \\
730\small{\texttt{OP\_NETSCAPE\_CA\_DN\_BUG}} & $\ldots$ \\ 730\small{\texttt{OP\_NETSCAPE\_CA\_DN\_BUG}} & $\ldots$ \\
731\small{\texttt{OP\_NETSCAPE\_DEMO\_CIPHER\_CHANGE\_BUG}} & $\ldots$ \\ 731\small{\texttt{OP\_NETSCAPE\_DEMO\_CIPHER\_CHANGE\_BUG}} & $\ldots$ \\
732\small{\texttt{OP\_CRYPTOPRO\_TLSEXT\_BUG}} & $\ldots$ \\ 732\small{\texttt{OP\_CRYPTOPRO\_TLSEXT\_BUG}} & $\ldots$ \\
733\small{\texttt{OP\_ALL}} & $\ldots$ \\ 733\small{\texttt{OP\_ALL}} & All of the bug workarounds. \\
734\end{ctabular} 734\end{ctabular}
735 735
736\subsubsection[\fn{context:getOptions}]{\fn{context:getOptions()}} 736\subsubsection[\fn{context:getOptions}]{\fn{context:getOptions()}}
@@ -784,15 +784,30 @@ Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchange
784 784
785\begin{Module}{openssl.ssl} 785\begin{Module}{openssl.ssl}
786 786
787Binds the ``SSL'' OpenSSL object, which represents an SSL connection instance. See \method{socket.checktls}. 787Binds the ``SSL'' OpenSSL object, which represents an SSL connection instance. See \method{cqueues.socket:checktls}.
788 788
789\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose($name$, $function$)}} 789\subsubsection[\fn{ssl[]}]{\fn{ssl[]}}
790
791A table mapping OpenSSL named constants. Includes all constants provided by \module{openssl.ssl.context}. Additional constants are documented with the relevant method.
790 792
793\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose($name$, $function$)}}
791Add or interpose an ssl class method. Returns the previous method, if any. 794Add or interpose an ssl class method. Returns the previous method, if any.
792 795
796\subsubsection[\fn{ssl:setOptions}]{\fn{ssl:setOptions($flags$)}}
797
798Adds the option flags of the SSL connection instance. See \fn{openssl.ssl.context:setOptions}.
799
800\subsubsection[\fn{ssl:getOptions}]{\fn{ssl:getOptions()}}
801
802Returns the option flags of the SSL connection instance. See \fn{openssl.ssl.context:getOptions}.
803
804\subsubsection[\fn{ssl:clearOptions}]{\fn{ssl:clearOptions()}}
805
806Clears the option flags of the SSL connection instance. See \fn{openssl.ssl.context:clearOptions}.
807
793\subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}} 808\subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}}
794 809
795Returns the X.509 peer certificate as an \module{openssl.x509} object. If no peer certificate is available, returns nil. 810Returns the X.509 peer certificate as an \module{openssl.x509} object. If no peer certificate is available, returns $nil$.
796 811
797\subsubsection[\fn{ssl:getPeerChain}]{\fn{ssl:getPeerChain()}} 812\subsubsection[\fn{ssl:getPeerChain}]{\fn{ssl:getPeerChain()}}
798 813
@@ -810,6 +825,35 @@ field & description\\\hline
810.description & key:value cipher description returned by \fn{SSL\_CIPHER\_description} 825.description & key:value cipher description returned by \fn{SSL\_CIPHER\_description}
811\end{tabular} 826\end{tabular}
812 827
828\subsubsection[\fn{ssl:setHostName}]{\fn{ssl:setHostName($host$)}}
829
830Sets the Server Name Indication (SNI) host name. Using the SNI TLS extension, clients tells the server which domain they're contacting so the server can select the proper certificate and key. This permits SSL virtual hosting. This routine is only relevant for clients.
831
832\subsubsection[\fn{ssl:getHostName}]{\fn{ssl:getHostName()}}
833
834Returns the Server Name Indication (SNI) host name sent by the client. If no host name was sent, returns $nil$. This routine is only relevant for servers.
835
836\subsubsection[\fn{ssl:getVersion}]{\fn{ssl:getVersion([$format$])}}
837
838Returns the SSL/TLS version of the negotiated SSL connection. By default returns a 16-bit integer where the top 8 bits are the major version number and the bottom 8 bits the minor version number. For example, SSL 3.0 is 0x0300 and TLS 1.1 is 0x0302. SSL 2.0 is 0x0002.
839
840If $format$ is ``.'' returns a floating point number. 0x0300 becomes 3.0, and 0x0302 becomes 3.2. If the minor version is $\geq$ 10 an error is thrown.\footnote{This condition shouldn't be possible.}
841
842The following OpenSSL named constants can be used.
843
844\begin{tabular}{ c | l }
845name & description \\\hline
846SSL2\_VERSION & 16-bit SSLv2 identifier (0x0002). \\
847SSL3\_VERSION & 16-bit SSLv3 identifier (0x0300). \\
848TLS1\_VERSION & 16-bit TLSv1.0 identifier (0x0301). \\
849TLS1\_1\_VERSION & 16-bit TLSv1.1 identifier (0x0302). \\
850TLS1\_2\_VERSION & 16-bit TLSv1.2 identifier (0x0303). \\
851\end{tabular}
852
853\subsubsection[\fn{ssl:getVersion}]{\fn{ssl:getClientVersion([$format$])}}
854
855Returns the SSL/TLS version supported by the client, which should be greater than or equal to the negotiated version. See \fn{ssl:getVersion}.
856
813\end{Module} 857\end{Module}
814 858
815 859
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-15 22:14:10 +0000