From 8bdf20f26a6580e88111cc7a9fae93e53d18156e Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Sat, 19 Aug 2017 23:45:10 +0000
Subject: Import SSL_CTX_set_min_proto_version(3) from OpenSSL, suggested by jsing@.

While importing:
* Fix the prototypes, they all contained wrong datatypes.
* Delete SSL3_VERSION which is no longer supported.
* Delete TLS1_3_VERSION and DTLS1_2_VERSION, not yet supported.
* Delete the lie that these would be macros.
* Improve SEE ALSO and HISTORY sections.
---
 src/lib/libssl/man/Makefile | 3 +-
 src/lib/libssl/man/SSL_CTX_new.3 | 6 +-
 src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 | 114 +++++++++++++++++++++
 src/lib/libssl/man/SSL_CTX_set_options.3 | 12 ++-
 src/lib/libssl/man/ssl.3 | 6 +-
 5 files changed, 134 insertions(+), 7 deletions(-)
 create mode 100644 src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
(limited to 'src/lib/libssl/man')

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index 2fcc90eab9..ab11293d1c 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.57 2017/08/12 14:09:34 schwarze Exp $
+# $OpenBSD: Makefile,v 1.58 2017/08/19 23:45:10 schwarze Exp $
 .include 
@@ -30,6 +30,7 @@ MAN = BIO_f_ssl.3 \
  SSL_CTX_set_generate_session_id.3 \
  SSL_CTX_set_info_callback.3 \
  SSL_CTX_set_max_cert_list.3 \
+ SSL_CTX_set_min_proto_version.3 \
  SSL_CTX_set_mode.3 \
  SSL_CTX_set_msg_callback.3 \
  SSL_CTX_set_options.3 \
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index ee60f2a9f8..0c846ceade 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.2 2016/11/30 15:48:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_new.3,v 1.3 2017/08/19 23:45:10 schwarze Exp $
 .\" OpenSSL 21cd6e00 Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: August 19 2017 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
@@ -218,4 +218,6 @@ object.
 .Xr ssl 3 ,
 .Xr SSL_accept 3 ,
 .Xr SSL_CTX_free 3 ,
+.Xr SSL_CTX_set_min_proto_version 3 ,
+.Xr SSL_CTX_set_options 3 ,
 .Xr SSL_set_connect_state 3
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
new file mode 100644
index 0000000000..ff057cadac
--- /dev/null
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -0,0 +1,114 @@
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.1 2017/08/19 23:45:10 schwarze Exp $
+.\" OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Kurt Roeckx .
+.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 19 2017 $
+.Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_min_proto_version ,
+.Nm SSL_CTX_set_max_proto_version ,
+.Nm SSL_set_min_proto_version ,
+.Nm SSL_set_max_proto_version
+.Nd set minimum and maximum supported protocol version
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set_min_proto_version
+.Fa "SSL_CTX *ctx"
+.Fa "uint16_t version"
+.Fc
+.Ft int
+.Fo SSL_CTX_set_max_proto_version
+.Fa "SSL_CTX *ctx"
+.Fa "uint16_t version"
+.Fc
+.Ft int
+.Fo SSL_set_min_proto_version
+.Fa "SSL *ssl"
+.Fa "uint16_t version"
+.Fc
+.Ft int
+.Fo SSL_set_max_proto_version
+.Fa "SSL *ssl"
+.Fa "uint16_t version"
+.Fc
+.Sh DESCRIPTION
+These functions set the minimum and maximum supported protocol
+versions for
+.Fa ctx
+or
+.Fa ssl .
+This works in combination with the options set via
+.Xr SSL_CTX_set_options 3
+that also make it possible to disable specific protocol versions.
+Use these functions instead of disabling specific protocol versions.
+.Pp
+Setting the minimum or maximum version to 0 will enable protocol
+versions down to the lowest or up to the highest version supported
+by the library, respectively.
+.Pp
+Currently supported versions are
+.Sy TLS1_VERSION ,
+.Sy TLS1_1_VERSION ,
+and
+.Sy TLS1_2_VERSION
+for TLS and
+.Sy DTLS1_VERSION
+for DTLS.
+.Sh RETURN VALUES
+These functions return 1 on success or 0 on failure.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_new 3 ,
+.Xr SSL_CTX_set_options 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0
+and have been available since
+.Ox 6.2 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index b77f1176a1..98c1a6d365 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.3 2017/04/10 14:00:51 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $
 .\" OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100
 .\"
 .\" This file was written by Lutz Jaenicke ,
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: August 19 2017 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -189,10 +189,16 @@ When not set, the server will always follow the client's preferences.
 When set, the server will choose following its own preferences.
 .It Dv SSL_OP_NO_TLSv1
 Do not use the TLSv1.0 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_min_proto_version 3
+instead.
 .It Dv SSL_OP_NO_TLSv1_1
 Do not use the TLSv1.1 protocol.
 .It Dv SSL_OP_NO_TLSv1_2
 Do not use the TLSv1.2 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_max_proto_version 3
+instead.
 .It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 When performing renegotiation as a server, always start a new session
 (i.e., session resumption requests are only accepted in the initial handshake).
@@ -332,8 +338,10 @@ return the current bitmask.
 returns 1 is the peer supports secure renegotiation and 0 if it does not.
 .Sh SEE ALSO
 .Xr openssl 1 ,
+.Xr ssl 3 ,
 .Xr SSL_clear 3 ,
 .Xr SSL_CTX_ctrl 3 ,
+.Xr SSL_CTX_set_min_proto_version 3 ,
 .Xr SSL_new 3
 .Sh HISTORY
 .Fn SSL_CTX_clear_options
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index 031df50190..fe72bbc4d2 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.9 2017/08/12 14:09:34 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.10 2017/08/19 23:45:10 schwarze Exp $
 .\" OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\"
 .\" This file was written by Ralf S. Engelschall ,
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 12 2017 $
+.Dd $Mdocdate: August 19 2017 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -213,7 +213,9 @@ Configuration functions:
 .Xr SSL_CTX_set_default_passwd_cb 3 ,
 .Xr SSL_CTX_set_generate_session_id 3 ,
 .Xr SSL_CTX_set_info_callback 3 ,
+.Xr SSL_CTX_set_min_proto_version 3 ,
 .Xr SSL_CTX_set_msg_callback 3 ,
+.Xr SSL_CTX_set_options 3 ,
 .Xr SSL_CTX_set_quiet_shutdown 3 ,
 .Xr SSL_CTX_set_read_ahead 3 ,
 .Xr SSL_CTX_set_session_id_context 3 ,
-- cgit v1.2.3-55-g6feb