summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_init.3
diff options
context:
space:
mode:
authorjsing <>2015-09-10 09:10:42 +0000
committerjsing <>2015-09-10 09:10:42 +0000
commitbb55b96be5873414f5139ee6f86706b2f219123a (patch)
tree7e607278f29d9ff6cd6a4157a2b2362498680e58 /src/lib/libtls/tls_init.3
parentf4a4d0ccce6152a6e48d345c33b3db9dbdaad529 (diff)
downloadopenbsd-bb55b96be5873414f5139ee6f86706b2f219123a.tar.gz
openbsd-bb55b96be5873414f5139ee6f86706b2f219123a.tar.bz2
openbsd-bb55b96be5873414f5139ee6f86706b2f219123a.zip
Add support for preferring the server's cipher list or the client's cipher
list. Prefer the server's cipher list by default. Based on a diff from Kyle Thompson <jmp at giga dot moe>. ok beck@ bcook@
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls_init.321
1 files changed, 19 insertions, 2 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 16495112ff..17822d444d 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_init.3,v 1.25 2015/07/19 17:10:23 jmc Exp $ 1.\" $OpenBSD: tls_init.3,v 1.26 2015/09/10 09:10:42 jsing Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" 4.\"
@@ -14,7 +14,7 @@
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\" 16.\"
17.Dd $Mdocdate: July 19 2015 $ 17.Dd $Mdocdate: September 10 2015 $
18.Dt TLS_INIT 3 18.Dt TLS_INIT 3
19.Os 19.Os
20.Sh NAME 20.Sh NAME
@@ -35,6 +35,8 @@
35.Nm tls_config_set_key_mem , 35.Nm tls_config_set_key_mem ,
36.Nm tls_config_set_protocols , 36.Nm tls_config_set_protocols ,
37.Nm tls_config_set_verify_depth , 37.Nm tls_config_set_verify_depth ,
38.Nm tls_config_prefer_ciphers_client ,
39.Nm tls_config_prefer_ciphers_server ,
38.Nm tls_config_clear_keys , 40.Nm tls_config_clear_keys ,
39.Nm tls_config_insecure_noverifycert , 41.Nm tls_config_insecure_noverifycert ,
40.Nm tls_config_insecure_noverifyname , 42.Nm tls_config_insecure_noverifyname ,
@@ -92,6 +94,10 @@
92.Ft "void" 94.Ft "void"
93.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth" 95.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
94.Ft "void" 96.Ft "void"
97.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
98.Ft "void"
99.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
100.Ft "void"
95.Fn tls_config_clear_keys "struct tls_config *config" 101.Fn tls_config_clear_keys "struct tls_config *config"
96.Ft "void" 102.Ft "void"
97.Fn tls_config_insecure_noverifycert "struct tls_config *config" 103.Fn tls_config_insecure_noverifycert "struct tls_config *config"
@@ -291,6 +297,17 @@ Additionally, the values
291(TLSv1.2 only) may be used. 297(TLSv1.2 only) may be used.
292.Em (Client and server) 298.Em (Client and server)
293.It 299.It
300.Fn tls_config_prefer_ciphers_client
301prefers ciphers in the client's cipher list when selecting a cipher suite.
302This is considered to be less secure than preferring the server's list.
303.Em (Server)
304.It
305.Fn tls_config_prefer_ciphers_server
306prefers ciphers in the server's cipher list when selecting a cipher suite.
307This is considered to be more secure than preferring the client's list and is
308the default.
309.Em (Server)
310.It
294.Fn tls_config_clear_keys 311.Fn tls_config_clear_keys
295clears any secret keys from memory. 312clears any secret keys from memory.
296.Em (Server) 313.Em (Server)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-04 05:17:11 +0000