1 files changed, 0 insertions, 387 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3
deleted file mode 100644
index 6036dcdb2d..0000000000
--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ /dev/null
@@ -1,387 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
-.\"
-.Dd $Mdocdate: December 2 2014 $
-.Dt SSL_CTX_SET_OPTIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_options ,
-.Nm SSL_set_options ,
-.Nm SSL_CTX_clear_options ,
-.Nm SSL_clear_options ,
-.Nm SSL_CTX_get_options ,
-.Nm SSL_get_options ,
-.Nm SSL_get_secure_renegotiation_support
-.Nd manipulate SSL options
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_set_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_clear_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_get_options "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_options "SSL *ssl"
-.Ft long
-.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
-.Sh DESCRIPTION
-Note: all these functions are implemented using macros.
-.Pp
-.Fn SSL_CTX_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_CTX_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-.Pp
-.Fn SSL_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_options
-returns the options set for
-.Fa ctx .
-.Pp
-.Fn SSL_get_options
-returns the options set for
-.Fa ssl .
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-indicates whether the peer supports secure renegotiation.
-.Sh NOTES
-The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise OR
-operation (|).
-.Pp
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-affect the (external) protocol behaviour of the SSL library.
-The (internal) behaviour of the API can be changed by using the similar
-.Xr SSL_CTX_set_mode 3
-and
-.Xr SSL_set_mode 3
-functions.
-.Pp
-During a handshake, the option settings of the SSL object are used.
-When a new SSL object is created from a context using
-.Xr SSL_new 3 ,
-the current option setting is copied.
-Changes to
-.Fa ctx
-do not affect already created
-.Vt SSL
-objects.
-.Fn SSL_clear
-does not affect the settings.
-.Pp
-The following
-.Em bug workaround
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_MICROSOFT_SESS_ID_BUG
-.Lk www.microsoft.com
-\(en when talking SSLv2, if session-id reuse is performed,
-the session-id passed back in the server-finished message is different from the
-one decided upon.
-.It Dv SSL_OP_NETSCAPE_CHALLENGE_BUG
-Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte challenge but
-then appears to only use 16 bytes when generating the encryption keys.
-Using 16 bytes is ok but it should be ok to use 32.
-According to the SSLv3 spec, one should use 32 bytes for the challenge when
-operating in SSLv2/v3 compatibility mode, but as mentioned above, this breaks
-this server so 16 bytes is the way to go.
-.It Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
-As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
-.It Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
-\&...
-.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-\&...
-.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
-OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
-.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-\&...
-.It Dv SSL_OP_TLS_D5_BUG
-\&...
-.It Dv SSL_OP_TLS_BLOCK_PADDING_BUG
-\&...
-.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
-affecting CBC ciphers, which cannot be handled by some broken SSL
-implementations.
-This option has no effect for connections using other ciphers.
-.It Dv SSL_OP_TLSEXT_PADDING
-Adds a padding extension to ensure the ClientHello size is never between 256
-and 511 bytes in length.
-This is needed as a workaround for some implementations.
-.It Dv SSL_OP_ALL
-All of the above bug workarounds.
-.El
-.Pp
-It is usually safe to use
-.Dv SSL_OP_ALL
-to enable the bug workaround options if compatibility with somewhat broken
-implementations is desired.
-.Pp
-The following
-.Em modifying
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_TLS_ROLLBACK_BUG
-Disable version rollback attack detection.
-.Pp
-During the client key exchange, the client must send the same information
-about acceptable SSL/TLS protocol levels as during the first hello.
-Some clients violate this rule by adapting to the server's answer.
-(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1,
-the server only understands up to SSLv3.
-In this case the client must still use the same SSLv3.1=TLSv1 announcement.
-Some clients step down to SSLv3 with respect to the server's answer and violate
-the version rollback protection.)
-.It Dv SSL_OP_SINGLE_DH_USE
-Always create a new key when using temporary/ephemeral DH parameters
-(see
-.Xr SSL_CTX_set_tmp_dh_callback 3 ) .
-This option must be used to prevent small subgroup attacks, when the DH
-parameters were not generated using
-.Dq strong
-primes (e.g., when using DSA-parameters, see
-.Xr openssl 1 ) .
-If
-.Dq strong
-primes were used, it is not strictly necessary to generate a new DH key during
-each handshake but it is also recommended.
-.Dv SSL_OP_SINGLE_DH_USE
-should therefore be enabled whenever temporary/ephemeral DH parameters are used.
-.It SSL_OP_EPHEMERAL_RSA
-Always use ephemeral (temporary) RSA key when doing RSA operations (see
-.Xr SSL_CTX_set_tmp_rsa_callback 3 ) .
-According to the specifications, this is only done when a RSA key can only be
-used for signature operations (namely under export ciphers with restricted RSA
-keylength).
-By setting this option, ephemeral RSA keys are always used.
-This option breaks compatibility with the SSL/TLS specifications and may lead
-to interoperability problems with clients and should therefore never be used.
-Ciphers with EDH (ephemeral Diffie-Hellman) key exchange should be used instead.
-.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
-When choosing a cipher, use the server's preferences instead of the client
-preferences.
-When not set, the SSL server will always follow the client's preferences.
-When set, the SSLv3/TLSv1 server will choose following its own preferences.
-Because of the different protocol, for SSLv2 the server will send its list of
-preferences to the client and the client chooses.
-.It Dv SSL_OP_NETSCAPE_CA_DN_BUG
-If we accept a netscape connection, demand a client cert, have a
-non-self-signed CA which does not have its CA in netscape, and the browser has
-a cert, it will crash/hang.
-Works for 3.x and 4.xbeta
-.It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-\&...
-.It Dv SSL_OP_NO_SSLv2
-As of
-.Ox 5.6 ,
-this option has no effect as SSLv2 support has been removed.
-In previous versions it disabled use of the SSLv2 protocol.
-.It Dv SSL_OP_NO_SSLv3
-Do not use the SSLv3 protocol.
-.It Dv SSL_OP_NO_TLSv1
-Do not use the TLSv1.0 protocol.
-.It Dv SSL_OP_NO_TLSv1_1
-Do not use the TLSv1.1 protocol.
-.It Dv SSL_OP_NO_TLSv1_2
-Do not use the TLSv1.2 protocol.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers will, where possible, transparently make use of
-RFC4507bis tickets for stateless session resumption.
-.Pp
-If this option is set this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-As of
-.Ox 5.6 ,
-this option has no effect.
-In previous versions it allowed legacy insecure renegotiation between OpenSSL
-and unpatched clients or servers.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
-.El
-.Sh SECURE RENEGOTIATION
-OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in RFC5746.
-This counters the prefix attack described in CVE-2009-3555 and elsewhere.
-.Pp
-The deprecated and highly broken SSLv2 protocol does not support renegotiation
-at all; its use is
-.Em strongly
-discouraged.
-.Pp
-This attack has far-reaching consequences which application writers should be
-aware of.
-In the description below an implementation supporting secure renegotiation is
-referred to as
-.Dq patched .
-A server not supporting secure
-renegotiation is referred to as
-.Dq unpatched .
-.Pp
-The following sections describe the operations permitted by OpenSSL's secure
-renegotiation implementation.
-.Ss Patched client and server
-Connections and renegotiation are always permitted by OpenSSL implementations.
-.Ss Unpatched client and patched OpenSSL server
-The initial connection succeeds but client renegotiation is denied by the
-server with a
-.Em no_renegotiation
-warning alert if TLS v1.0 is used or a fatal
-.Em handshake_failure
-alert in SSL v3.0.
-.Pp
-If the patched OpenSSL server attempts to renegotiate a fatal
-.Em handshake_failure
-alert is sent.
-This is because the server code may be unaware of the unpatched nature of the
-client.
-.Pp
-.Em N.B.:
-a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will
-result in the connection hanging if it receives a
-.Em no_renegotiation
-alert.
-OpenSSL versions 0.9.8m and later will regard a
-.Em no_renegotiation
-alert as fatal and respond with a fatal
-.Em handshake_failure
-alert.
-This is because the OpenSSL API currently has no provision to indicate to an
-application that a renegotiation attempt was refused.
-.Ss Patched OpenSSL client and unpatched server
-If the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is set then initial connections and renegotiation between patched OpenSSL
-clients and unpatched servers succeeds.
-If neither option is set then initial connections to unpatched servers will
-fail.
-.Pp
-The option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is currently set by default even though it has security implications:
-otherwise it would be impossible to connect to unpatched servers (i.e., all of
-them initially) and this is clearly not acceptable.
-Renegotiation is permitted because this does not add any additional security
-issues: during an attack clients do not see any renegotiations anyway.
-.Pp
-As more servers become patched the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-will
-.Em not
-be set by default in a future version of OpenSSL.
-.Pp
-OpenSSL client applications wishing to ensure they can connect to unpatched
-servers should always
-.Em set
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-.Pp
-OpenSSL client applications that want to ensure they can
-.Em not
-connect to unpatched servers (and thus avoid any security issues) should always
-.Em clear
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-using
-.Fn SSL_CTX_clear_options
-or
-.Fn SSL_clear_options .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-return the new options bitmask after adding
-.Fa options .
-.Pp
-.Fn SSL_CTX_clear_options
-and
-.Fn SSL_clear_options
-return the new options bitmask after clearing
-.Fa options .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-return the current bitmask.
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-returns 1 is the peer supports secure renegotiation and 0 if it does not.
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_CTX_set_tmp_rsa_callback 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Dv SSL_OP_CIPHER_SERVER_PREFERENCE
-and
-.Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-have been added in
-OpenSSL 0.9.7.
-.Pp
-.Dv SSL_OP_TLS_ROLLBACK_BUG
-has been added in OpenSSL 0.9.6 and was automatically enabled with
-.Dv SSL_OP_ALL .
-As of 0.9.7, it is no longer included in
-.Dv SSL_OP_ALL
-and must be explicitly set.
-.Pp
-.Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-has been added in OpenSSL 0.9.6e.
-Versions up to OpenSSL 0.9.6c do not include the countermeasure that can be
-disabled with this option (in OpenSSL 0.9.6d, it was always enabled).
-.Pp
-.Fn SSL_CTX_clear_options
-and
-.Fn SSL_clear_options
-were first added in OpenSSL 0.9.8m.
-.Pp
-.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-and the function
-.Fn SSL_get_secure_renegotiation_support
-were first added in OpenSSL 0.9.8m.
-.Pp
-.Dv SSL_OP_NO_SSLv2
-and
-.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-were changed to have no effect in
-.Ox 5.6 .

diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3 deleted file mode 100644 index 6036dcdb2d..0000000000 --- a/src/lib/libssl/doc/SSL_CTX_set_options.3 +++ /dev/null
@@ -1,387 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_CTX_set_options.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
3	.\"
4	.Dd $Mdocdate: December 2 2014 $
5	.Dt SSL_CTX_SET_OPTIONS 3
6	.Os
7	.Sh NAME
8	.Nm SSL_CTX_set_options ,
9	.Nm SSL_set_options ,
10	.Nm SSL_CTX_clear_options ,
11	.Nm SSL_clear_options ,
12	.Nm SSL_CTX_get_options ,
13	.Nm SSL_get_options ,
14	.Nm SSL_get_secure_renegotiation_support
15	.Nd manipulate SSL options
16	.Sh SYNOPSIS
17	.In openssl/ssl.h
18	.Ft long
19	.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
20	.Ft long
21	.Fn SSL_set_options "SSL *ssl" "long options"
22	.Ft long
23	.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
24	.Ft long
25	.Fn SSL_clear_options "SSL *ssl" "long options"
26	.Ft long
27	.Fn SSL_CTX_get_options "SSL_CTX *ctx"
28	.Ft long
29	.Fn SSL_get_options "SSL *ssl"
30	.Ft long
31	.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
32	.Sh DESCRIPTION
33	Note: all these functions are implemented using macros.
34	.Pp
35	.Fn SSL_CTX_set_options
36	adds the options set via bitmask in
37	.Fa options
38	to
39	.Fa ctx .
40	Options already set before are not cleared!
41	.Pp
42	.Fn SSL_set_options
43	adds the options set via bitmask in
44	.Fa options
45	to
46	.Fa ssl .
47	Options already set before are not cleared!
48	.Pp
49	.Fn SSL_CTX_clear_options
50	clears the options set via bitmask in
51	.Fa options
52	to
53	.Fa ctx .
54	.Pp
55	.Fn SSL_clear_options
56	clears the options set via bitmask in
57	.Fa options
58	to
59	.Fa ssl .
60	.Pp
61	.Fn SSL_CTX_get_options
62	returns the options set for
63	.Fa ctx .
64	.Pp
65	.Fn SSL_get_options
66	returns the options set for
67	.Fa ssl .
68	.Pp
69	.Fn SSL_get_secure_renegotiation_support
70	indicates whether the peer supports secure renegotiation.
71	.Sh NOTES
72	The behaviour of the SSL library can be changed by setting several options.
73	The options are coded as bitmasks and can be combined by a bitwise OR
74	operation (\|).
75	.Pp
76	.Fn SSL_CTX_set_options
77	and
78	.Fn SSL_set_options
79	affect the (external) protocol behaviour of the SSL library.
80	The (internal) behaviour of the API can be changed by using the similar
81	.Xr SSL_CTX_set_mode 3
82	and
83	.Xr SSL_set_mode 3
84	functions.
85	.Pp
86	During a handshake, the option settings of the SSL object are used.
87	When a new SSL object is created from a context using
88	.Xr SSL_new 3 ,
89	the current option setting is copied.
90	Changes to
91	.Fa ctx
92	do not affect already created
93	.Vt SSL
94	objects.
95	.Fn SSL_clear
96	does not affect the settings.
97	.Pp
98	The following
99	.Em bug workaround
100	options are available:
101	.Bl -tag -width Ds
102	.It Dv SSL_OP_MICROSOFT_SESS_ID_BUG
103	.Lk www.microsoft.com
104	\(en when talking SSLv2, if session-id reuse is performed,
105	the session-id passed back in the server-finished message is different from the
106	one decided upon.
107	.It Dv SSL_OP_NETSCAPE_CHALLENGE_BUG
108	Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte challenge but
109	then appears to only use 16 bytes when generating the encryption keys.
110	Using 16 bytes is ok but it should be ok to use 32.
111	According to the SSLv3 spec, one should use 32 bytes for the challenge when
112	operating in SSLv2/v3 compatibility mode, but as mentioned above, this breaks
113	this server so 16 bytes is the way to go.
114	.It Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
115	As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
116	.It Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
117	\&...
118	.It Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
119	\&...
120	.It Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG
121	Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
122	OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
123	.It Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG
124	\&...
125	.It Dv SSL_OP_TLS_D5_BUG
126	\&...
127	.It Dv SSL_OP_TLS_BLOCK_PADDING_BUG
128	\&...
129	.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
130	Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
131	affecting CBC ciphers, which cannot be handled by some broken SSL
132	implementations.
133	This option has no effect for connections using other ciphers.
134	.It Dv SSL_OP_TLSEXT_PADDING
135	Adds a padding extension to ensure the ClientHello size is never between 256
136	and 511 bytes in length.
137	This is needed as a workaround for some implementations.
138	.It Dv SSL_OP_ALL
139	All of the above bug workarounds.
140	.El
141	.Pp
142	It is usually safe to use
143	.Dv SSL_OP_ALL
144	to enable the bug workaround options if compatibility with somewhat broken
145	implementations is desired.
146	.Pp
147	The following
148	.Em modifying
149	options are available:
150	.Bl -tag -width Ds
151	.It Dv SSL_OP_TLS_ROLLBACK_BUG
152	Disable version rollback attack detection.
153	.Pp
154	During the client key exchange, the client must send the same information
155	about acceptable SSL/TLS protocol levels as during the first hello.
156	Some clients violate this rule by adapting to the server's answer.
157	(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1,
158	the server only understands up to SSLv3.
159	In this case the client must still use the same SSLv3.1=TLSv1 announcement.
160	Some clients step down to SSLv3 with respect to the server's answer and violate
161	the version rollback protection.)
162	.It Dv SSL_OP_SINGLE_DH_USE
163	Always create a new key when using temporary/ephemeral DH parameters
164	(see
165	.Xr SSL_CTX_set_tmp_dh_callback 3 ) .
166	This option must be used to prevent small subgroup attacks, when the DH
167	parameters were not generated using
168	.Dq strong
169	primes (e.g., when using DSA-parameters, see
170	.Xr openssl 1 ) .
171	If
172	.Dq strong
173	primes were used, it is not strictly necessary to generate a new DH key during
174	each handshake but it is also recommended.
175	.Dv SSL_OP_SINGLE_DH_USE
176	should therefore be enabled whenever temporary/ephemeral DH parameters are used.
177	.It SSL_OP_EPHEMERAL_RSA
178	Always use ephemeral (temporary) RSA key when doing RSA operations (see
179	.Xr SSL_CTX_set_tmp_rsa_callback 3 ) .
180	According to the specifications, this is only done when a RSA key can only be
181	used for signature operations (namely under export ciphers with restricted RSA
182	keylength).
183	By setting this option, ephemeral RSA keys are always used.
184	This option breaks compatibility with the SSL/TLS specifications and may lead
185	to interoperability problems with clients and should therefore never be used.
186	Ciphers with EDH (ephemeral Diffie-Hellman) key exchange should be used instead.
187	.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
188	When choosing a cipher, use the server's preferences instead of the client
189	preferences.
190	When not set, the SSL server will always follow the client's preferences.
191	When set, the SSLv3/TLSv1 server will choose following its own preferences.
192	Because of the different protocol, for SSLv2 the server will send its list of
193	preferences to the client and the client chooses.
194	.It Dv SSL_OP_NETSCAPE_CA_DN_BUG
195	If we accept a netscape connection, demand a client cert, have a
196	non-self-signed CA which does not have its CA in netscape, and the browser has
197	a cert, it will crash/hang.
198	Works for 3.x and 4.xbeta
199	.It Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
200	\&...
201	.It Dv SSL_OP_NO_SSLv2
202	As of
203	.Ox 5.6 ,
204	this option has no effect as SSLv2 support has been removed.
205	In previous versions it disabled use of the SSLv2 protocol.
206	.It Dv SSL_OP_NO_SSLv3
207	Do not use the SSLv3 protocol.
208	.It Dv SSL_OP_NO_TLSv1
209	Do not use the TLSv1.0 protocol.
210	.It Dv SSL_OP_NO_TLSv1_1
211	Do not use the TLSv1.1 protocol.
212	.It Dv SSL_OP_NO_TLSv1_2
213	Do not use the TLSv1.2 protocol.
214	.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
215	When performing renegotiation as a server, always start a new session (i.e.,
216	session resumption requests are only accepted in the initial handshake).
217	This option is not needed for clients.
218	.It Dv SSL_OP_NO_TICKET
219	Normally clients and servers will, where possible, transparently make use of
220	RFC4507bis tickets for stateless session resumption.
221	.Pp
222	If this option is set this functionality is disabled and tickets will not be
223	used by clients or servers.
224	.It Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
225	As of
226	.Ox 5.6 ,
227	this option has no effect.
228	In previous versions it allowed legacy insecure renegotiation between OpenSSL
229	and unpatched clients or servers.
230	See the
231	.Sx SECURE RENEGOTIATION
232	section for more details.
233	.It Dv SSL_OP_LEGACY_SERVER_CONNECT
234	Allow legacy insecure renegotiation between OpenSSL and unpatched servers
235	.Em only :
236	this option is currently set by default.
237	See the
238	.Sx SECURE RENEGOTIATION
239	section for more details.
240	.El
241	.Sh SECURE RENEGOTIATION
242	OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
243	described in RFC5746.
244	This counters the prefix attack described in CVE-2009-3555 and elsewhere.
245	.Pp
246	The deprecated and highly broken SSLv2 protocol does not support renegotiation
247	at all; its use is
248	.Em strongly
249	discouraged.
250	.Pp
251	This attack has far-reaching consequences which application writers should be
252	aware of.
253	In the description below an implementation supporting secure renegotiation is
254	referred to as
255	.Dq patched .
256	A server not supporting secure
257	renegotiation is referred to as
258	.Dq unpatched .
259	.Pp
260	The following sections describe the operations permitted by OpenSSL's secure
261	renegotiation implementation.
262	.Ss Patched client and server
263	Connections and renegotiation are always permitted by OpenSSL implementations.
264	.Ss Unpatched client and patched OpenSSL server
265	The initial connection succeeds but client renegotiation is denied by the
266	server with a
267	.Em no_renegotiation
268	warning alert if TLS v1.0 is used or a fatal
269	.Em handshake_failure
270	alert in SSL v3.0.
271	.Pp
272	If the patched OpenSSL server attempts to renegotiate a fatal
273	.Em handshake_failure
274	alert is sent.
275	This is because the server code may be unaware of the unpatched nature of the
276	client.
277	.Pp
278	.Em N.B.:
279	a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will
280	result in the connection hanging if it receives a
281	.Em no_renegotiation
282	alert.
283	OpenSSL versions 0.9.8m and later will regard a
284	.Em no_renegotiation
285	alert as fatal and respond with a fatal
286	.Em handshake_failure
287	alert.
288	This is because the OpenSSL API currently has no provision to indicate to an
289	application that a renegotiation attempt was refused.
290	.Ss Patched OpenSSL client and unpatched server
291	If the option
292	.Dv SSL_OP_LEGACY_SERVER_CONNECT
293	is set then initial connections and renegotiation between patched OpenSSL
294	clients and unpatched servers succeeds.
295	If neither option is set then initial connections to unpatched servers will
296	fail.
297	.Pp
298	The option
299	.Dv SSL_OP_LEGACY_SERVER_CONNECT
300	is currently set by default even though it has security implications:
301	otherwise it would be impossible to connect to unpatched servers (i.e., all of
302	them initially) and this is clearly not acceptable.
303	Renegotiation is permitted because this does not add any additional security
304	issues: during an attack clients do not see any renegotiations anyway.
305	.Pp
306	As more servers become patched the option
307	.Dv SSL_OP_LEGACY_SERVER_CONNECT
308	will
309	.Em not
310	be set by default in a future version of OpenSSL.
311	.Pp
312	OpenSSL client applications wishing to ensure they can connect to unpatched
313	servers should always
314	.Em set
315	.Dv SSL_OP_LEGACY_SERVER_CONNECT
316	.Pp
317	OpenSSL client applications that want to ensure they can
318	.Em not
319	connect to unpatched servers (and thus avoid any security issues) should always
320	.Em clear
321	.Dv SSL_OP_LEGACY_SERVER_CONNECT
322	using
323	.Fn SSL_CTX_clear_options
324	or
325	.Fn SSL_clear_options .
326	.Sh RETURN VALUES
327	.Fn SSL_CTX_set_options
328	and
329	.Fn SSL_set_options
330	return the new options bitmask after adding
331	.Fa options .
332	.Pp
333	.Fn SSL_CTX_clear_options
334	and
335	.Fn SSL_clear_options
336	return the new options bitmask after clearing
337	.Fa options .
338	.Pp
339	.Fn SSL_CTX_get_options
340	and
341	.Fn SSL_get_options
342	return the current bitmask.
343	.Pp
344	.Fn SSL_get_secure_renegotiation_support
345	returns 1 is the peer supports secure renegotiation and 0 if it does not.
346	.Sh SEE ALSO
347	.Xr openssl 1 ,
348	.Xr ssl 3 ,
349	.Xr SSL_clear 3 ,
350	.Xr SSL_CTX_set_tmp_dh_callback 3 ,
351	.Xr SSL_CTX_set_tmp_rsa_callback 3 ,
352	.Xr SSL_new 3
353	.Sh HISTORY
354	.Dv SSL_OP_CIPHER_SERVER_PREFERENCE
355	and
356	.Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
357	have been added in
358	OpenSSL 0.9.7.
359	.Pp
360	.Dv SSL_OP_TLS_ROLLBACK_BUG
361	has been added in OpenSSL 0.9.6 and was automatically enabled with
362	.Dv SSL_OP_ALL .
363	As of 0.9.7, it is no longer included in
364	.Dv SSL_OP_ALL
365	and must be explicitly set.
366	.Pp
367	.Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
368	has been added in OpenSSL 0.9.6e.
369	Versions up to OpenSSL 0.9.6c do not include the countermeasure that can be
370	disabled with this option (in OpenSSL 0.9.6d, it was always enabled).
371	.Pp
372	.Fn SSL_CTX_clear_options
373	and
374	.Fn SSL_clear_options
375	were first added in OpenSSL 0.9.8m.
376	.Pp
377	.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
378	.Dv SSL_OP_LEGACY_SERVER_CONNECT
379	and the function
380	.Fn SSL_get_secure_renegotiation_support
381	were first added in OpenSSL 0.9.8m.
382	.Pp
383	.Dv SSL_OP_NO_SSLv2
384	and
385	.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
386	were changed to have no effect in
387	.Ox 5.6 .