author schwarze <> 2020-09-21 15:18:13 +0000
committer schwarze <> 2020-09-21 15:18:13 +0000
commit fc8e6d5cd1971d9de7b7940c1a5bf70e5f877c3a (patch)
tree 854cbd90972e63429accdf24fb1fcffefc75a01d /src/lib
parent 11de539d915a22f42d21f9ed4114d8edd9a3f93d (diff)
s/before the handshake is complete/during the handshake/g
because that is both shorter and more precise; wording suggested by jsing@
Diffstat (limited to 'src/lib')
-rw-r--r-- src/lib/libssl/man/SSL_read_early_data.3 | 15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
index 71ad3c52a3..e08b954516 100644
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: SSL_read_early_data.3,v 1.1 2020/09/21 08:53:56 schwarze Exp $ 1.\" $OpenBSD: SSL_read_early_data.3,v 1.2 2020/09/21 15:18:13 schwarze Exp $
2.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 2.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
3.\" 3.\"
4.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org> 4.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -28,7 +28,7 @@
28.Nm SSL_write_early_data , 28.Nm SSL_write_early_data ,
29.Nm SSL_read_early_data , 29.Nm SSL_read_early_data ,
30.Nm SSL_get_early_data_status 30.Nm SSL_get_early_data_status
31.Nd transmit application data before the handshake is complete 31.Nd transmit application data during the handshake
32.Sh SYNOPSIS 32.Sh SYNOPSIS
33.In openssl/ssl.h 33.In openssl/ssl.h
34.Ft int 34.Ft int
@@ -87,8 +87,7 @@ and because when they are used, inconspicuous oversights are likely
87to cause serious security vulnerabilities. 87to cause serious security vulnerabilities.
88.Pp 88.Pp
89If these functions are used, other TLS implementations 89If these functions are used, other TLS implementations
90may allow the transfer of application data 90may allow the transfer of application data during the inital handshake.
91before the inital handshake is complete.
92Even when used as designed, security of the connection is compromised; 91Even when used as designed, security of the connection is compromised;
93in particular, application data is exchanged with unauthenticated peers, 92in particular, application data is exchanged with unauthenticated peers,
94and there is no forward secrecy. 93and there is no forward secrecy.
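Review bot: the misspelling "inital" is carried over into the rewritten line 90 ("may allow the transfer of application data during the inital handshake."); since that line is being touched anyway, make it "during the initial handshake." so the typo does not survive into revision 1.2 of the page.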
@@ -99,19 +98,19 @@ Other downsides include an increased risk of replay attacks.
99and 98and
100.Fn SSL_SESSION_set_max_early_data 99.Fn SSL_SESSION_set_max_early_data
101are intended to configure the maximum number of bytes per session 100are intended to configure the maximum number of bytes per session
102that can be transmitted before the handshake is complete. 101that can be transmitted during the handshake.
103With LibreSSL, all arguments are ignored. 102With LibreSSL, all arguments are ignored.
104.Pp 103.Pp
105An endpoint can attempt to send application data with 104An endpoint can attempt to send application data with
106.Fn SSL_write_early_data 105.Fn SSL_write_early_data
107before the handshake is complete. 106during the handshake.
108With LibreSSL, such attempts always fail and set 107With LibreSSL, such attempts always fail and set
109.Pf * Fa written 108.Pf * Fa written
110to 0. 109to 0.
111.Pp 110.Pp
112A server can attempt to read application data from the client using 111A server can attempt to read application data from the client using
113.Fn SSL_read_early_data 112.Fn SSL_read_early_data
114before the handshake is complete. 113during the handshake.
115With LibreSSL, no such data is ever accepted and 114With LibreSSL, no such data is ever accepted and
116.Pf * Fa readbytes 115.Pf * Fa readbytes
117is always set to 0. 116is always set to 0.
@@ -128,7 +127,7 @@ With LibreSSL, they always succeed.
128and 127and
129.Fn SSL_SESSION_get_max_early_data 128.Fn SSL_SESSION_get_max_early_data
130return the maximum number of bytes of application data 129return the maximum number of bytes of application data
131that will be accepted from the peer before the handshake is complete. 130that will be accepted from the peer during the handshake.
132With LibreSSL, they always return 0. 131With LibreSSL, they always return 0.
133.Pp 132.Pp
134.Fn SSL_write_early_data 133.Fn SSL_write_early_data