diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/luaossl.pdf | bin | 276077 -> 300041 bytes | |||
| -rw-r--r-- | doc/luaossl.tex | 14 |
2 files changed, 13 insertions, 1 deletions
diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf index 25c58ca..81142cb 100644 --- a/doc/luaossl.pdf +++ b/doc/luaossl.pdf | |||
| Binary files differ | |||
diff --git a/doc/luaossl.tex b/doc/luaossl.tex index 5e19e66..7bb85df 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex | |||
| @@ -933,11 +933,17 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne | |||
| 933 | 933 | ||
| 934 | Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. | 934 | Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. |
| 935 | 935 | ||
| 936 | \subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}} | ||
| 937 | |||
| 938 | Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}. | ||
| 939 | |||
| 940 | \emph{Only supported since OpenSSL 1.0.2.} | ||
| 941 | |||
| 936 | \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} | 942 | \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} |
| 937 | 943 | ||
| 938 | Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. | 944 | Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. |
| 939 | 945 | ||
| 940 | \emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{\href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{According to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-* applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} | 946 | \emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} |
| 941 | 947 | ||
| 942 | \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} | 948 | \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} |
| 943 | 949 | ||
| @@ -1070,6 +1076,12 @@ TLS1\_2\_VERSION & 16-bit TLSv1.2 identifier (0x0303). \\ | |||
| 1070 | 1076 | ||
| 1071 | Returns the SSL/TLS version supported by the client, which should be greater than or equal to the negotiated version. See \fn{ssl:getVersion}. | 1077 | Returns the SSL/TLS version supported by the client, which should be greater than or equal to the negotiated version. See \fn{ssl:getVersion}. |
| 1072 | 1078 | ||
| 1079 | \subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}} | ||
| 1080 | |||
| 1081 | Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}. | ||
| 1082 | |||
| 1083 | \emph{Only supported since OpenSSL 1.0.2.} | ||
| 1084 | |||
| 1073 | \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} | 1085 | \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} |
| 1074 | 1086 | ||
| 1075 | Returns the negotiated ALPN protocol as a string. | 1087 | Returns the negotiated ALPN protocol as a string. |