1 files changed, 146 insertions, 0 deletions
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
new file mode 100644
index 0000000000..7435390edd
--- /dev/null
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -0,0 +1,146 @@
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.1 2017/01/25 23:53:18 schwarze Exp $
+.\"
+.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: January 25 2017 $
+.Dt TLS_CONFIG_SET_PROTOCOLS 3
+.Os
+.Sh NAME
+.Nm tls_config_set_protocols ,
+.Nm tls_config_parse_protocols ,
+.Nm tls_config_set_alpn ,
+.Nm tls_config_set_ciphers ,
+.Nm tls_config_set_dheparams ,
+.Nm tls_config_set_ecdhecurve ,
+.Nm tls_config_prefer_ciphers_client ,
+.Nm tls_config_prefer_ciphers_server
+.Nd TLS protocol and cipher selection
+.Sh SYNOPSIS
+.In tls.h
+.Ft int
+.Fo tls_config_set_protocols
+.Fa "struct tls_config *config"
+.Fa "uint32_t protocols"
+.Fc
+.Ft int
+.Fo tls_config_parse_protocols
+.Fa "uint32_t *protocols"
+.Fa "const char *protostr"
+.Fc
+.Ft int
+.Fo tls_config_set_alpn
+.Fa "struct tls_config *config"
+.Fa "const char *alpn"
+.Fc
+.Ft int
+.Fo tls_config_set_ciphers
+.Fa "struct tls_config *config"
+.Fa "const char *ciphers"
+.Fc
+.Ft int
+.Fo tls_config_set_dheparams
+.Fa "struct tls_config *config"
+.Fa "const char *params"
+.Fc
+.Ft int
+.Fo tls_config_set_ecdhecurve
+.Fa "struct tls_config *config"
+.Fa "const char *name"
+.Fc
+.Ft void
+.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
+.Ft void
+.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
+.Sh DESCRIPTION
+These functions modify a configuration by setting parameters.
+The configuration options apply to both clients and servers, unless noted
+otherwise.
+.Pp
+.Fn tls_config_set_protocols
+specifies which versions of the TLS protocol may be used.
+Possible values are the bitwise OR of:
+.Pp
+.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact
+.It Dv TLS_PROTOCOL_TLSv1_0
+.It Dv TLS_PROTOCOL_TLSv1_1
+.It Dv TLS_PROTOCOL_TLSv1_2
+.El
+.Pp
+Additionally, the values
+.Dv TLS_PROTOCOL_TLSv1
+(TLSv1.0, TLSv1.1 and TLSv1.2),
+.Dv TLS_PROTOCOLS_ALL
+(all supported protocols) and
+.Dv TLS_PROTOCOLS_DEFAULT
+(TLSv1.2 only) may be used.
+.Pp
+The
+.Fn tls_config_parse_protocols
+utility function parses a protocol string and returns the corresponding
+value via the
+.Ar protocols
+argument.
+This value can then be passed to the
+.Fn tls_config_set_protocols
+function.
+The protocol string is a comma or colon separated list of keywords.
+Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, all (all supported protocols),
+default (an alias for secure), legacy (an alias for all) and secure (currently
+TLSv1.2 only).
+If a value has a negative prefix (in the form of a leading exclamation mark)
+then it is removed from the list of available protocols, rather than being
+added to it.
+.Pp
+.Fn tls_config_set_alpn
+sets the ALPN protocols that are supported.
+The alpn string is a comma separated list of protocols, in order of preference.
+.Pp
+.Fn tls_config_set_ciphers
+sets the list of ciphers that may be used.
+Lists of ciphers are specified by name, and the
+permitted names are:
+.Pp
+.Bl -tag -width "insecure" -offset indent -compact
+.It Dv "secure" (or alias "default")
+.It Dv "compat"
+.It Dv "legacy"
+.It Dv "insecure" (or alias "all")
+.El
+.Pp
+Alternatively, libssl cipher strings can be specified.
+See the CIPHERS section of
+.Xr openssl 1
+for further information.
+.\" XXX tls_config_set_dheparams does what?
+.\" XXX tls_config_set_ecdhecurve does what?
+.Pp
+.Fn tls_config_prefer_ciphers_client
+prefers ciphers in the client's cipher list when selecting a cipher suite
+(server only).
+This is considered to be less secure than preferring the server's list.
+.Pp
+.Fn tls_config_prefer_ciphers_server
+prefers ciphers in the server's cipher list when selecting a cipher suite
+(server only).
+This is considered to be more secure than preferring the client's list and is
+the default.
+.Sh RETURN VALUES
+These functions return 0 on success or -1 on error.
+.Sh SEE ALSO
+.Xr tls_config_ocsp_require_stapling 3 ,
+.Xr tls_config_set_session_id 3 ,
+.Xr tls_config_verify 3 ,
+.Xr tls_init 3 ,
+.Xr tls_load_file 3

diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3 new file mode 100644 index 0000000000..7435390edd --- /dev/null +++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -0,0 +1,146 @@
	1	.\" $OpenBSD: tls_config_set_protocols.3,v 1.1 2017/01/25 23:53:18 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: January 25 2017 $
	18	.Dt TLS_CONFIG_SET_PROTOCOLS 3
	19	.Os
	20	.Sh NAME
	21	.Nm tls_config_set_protocols ,
	22	.Nm tls_config_parse_protocols ,
	23	.Nm tls_config_set_alpn ,
	24	.Nm tls_config_set_ciphers ,
	25	.Nm tls_config_set_dheparams ,
	26	.Nm tls_config_set_ecdhecurve ,
	27	.Nm tls_config_prefer_ciphers_client ,
	28	.Nm tls_config_prefer_ciphers_server
	29	.Nd TLS protocol and cipher selection
	30	.Sh SYNOPSIS
	31	.In tls.h
	32	.Ft int
	33	.Fo tls_config_set_protocols
	34	.Fa "struct tls_config *config"
	35	.Fa "uint32_t protocols"
	36	.Fc
	37	.Ft int
	38	.Fo tls_config_parse_protocols
	39	.Fa "uint32_t *protocols"
	40	.Fa "const char *protostr"
	41	.Fc
	42	.Ft int
	43	.Fo tls_config_set_alpn
	44	.Fa "struct tls_config *config"
	45	.Fa "const char *alpn"
	46	.Fc
	47	.Ft int
	48	.Fo tls_config_set_ciphers
	49	.Fa "struct tls_config *config"
	50	.Fa "const char *ciphers"
	51	.Fc
	52	.Ft int
	53	.Fo tls_config_set_dheparams
	54	.Fa "struct tls_config *config"
	55	.Fa "const char *params"
	56	.Fc
	57	.Ft int
	58	.Fo tls_config_set_ecdhecurve
	59	.Fa "struct tls_config *config"
	60	.Fa "const char *name"
	61	.Fc
	62	.Ft void
	63	.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
	64	.Ft void
	65	.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
	66	.Sh DESCRIPTION
	67	These functions modify a configuration by setting parameters.
	68	The configuration options apply to both clients and servers, unless noted
	69	otherwise.
	70	.Pp
	71	.Fn tls_config_set_protocols
	72	specifies which versions of the TLS protocol may be used.
	73	Possible values are the bitwise OR of:
	74	.Pp
	75	.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact
	76	.It Dv TLS_PROTOCOL_TLSv1_0
	77	.It Dv TLS_PROTOCOL_TLSv1_1
	78	.It Dv TLS_PROTOCOL_TLSv1_2
	79	.El
	80	.Pp
	81	Additionally, the values
	82	.Dv TLS_PROTOCOL_TLSv1
	83	(TLSv1.0, TLSv1.1 and TLSv1.2),
	84	.Dv TLS_PROTOCOLS_ALL
	85	(all supported protocols) and
	86	.Dv TLS_PROTOCOLS_DEFAULT
	87	(TLSv1.2 only) may be used.
	88	.Pp
	89	The
	90	.Fn tls_config_parse_protocols
	91	utility function parses a protocol string and returns the corresponding
	92	value via the
	93	.Ar protocols
	94	argument.
	95	This value can then be passed to the
	96	.Fn tls_config_set_protocols
	97	function.
	98	The protocol string is a comma or colon separated list of keywords.
	99	Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, all (all supported protocols),
	100	default (an alias for secure), legacy (an alias for all) and secure (currently
	101	TLSv1.2 only).
	102	If a value has a negative prefix (in the form of a leading exclamation mark)
	103	then it is removed from the list of available protocols, rather than being
	104	added to it.
	105	.Pp
	106	.Fn tls_config_set_alpn
	107	sets the ALPN protocols that are supported.
	108	The alpn string is a comma separated list of protocols, in order of preference.
	109	.Pp
	110	.Fn tls_config_set_ciphers
	111	sets the list of ciphers that may be used.
	112	Lists of ciphers are specified by name, and the
	113	permitted names are:
	114	.Pp
	115	.Bl -tag -width "insecure" -offset indent -compact
	116	.It Dv "secure" (or alias "default")
	117	.It Dv "compat"
	118	.It Dv "legacy"
	119	.It Dv "insecure" (or alias "all")
	120	.El
	121	.Pp
	122	Alternatively, libssl cipher strings can be specified.
	123	See the CIPHERS section of
	124	.Xr openssl 1
	125	for further information.
	126	.\" XXX tls_config_set_dheparams does what?
	127	.\" XXX tls_config_set_ecdhecurve does what?
	128	.Pp
	129	.Fn tls_config_prefer_ciphers_client
	130	prefers ciphers in the client's cipher list when selecting a cipher suite
	131	(server only).
	132	This is considered to be less secure than preferring the server's list.
	133	.Pp
	134	.Fn tls_config_prefer_ciphers_server
	135	prefers ciphers in the server's cipher list when selecting a cipher suite
	136	(server only).
	137	This is considered to be more secure than preferring the client's list and is
	138	the default.
	139	.Sh RETURN VALUES
	140	These functions return 0 on success or -1 on error.
	141	.Sh SEE ALSO
	142	.Xr tls_config_ocsp_require_stapling 3 ,
	143	.Xr tls_config_set_session_id 3 ,
	144	.Xr tls_config_verify 3 ,
	145	.Xr tls_init 3 ,
	146	.Xr tls_load_file 3