From 4e8dcc3be3a44bacbaeb4f967669477a05aea21b Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 15 Feb 2015 13:33:14 +0000
Subject: Document tls_config_parse_protocols() and update documentation for tls_config_set_protocols().

---
 src/lib/libtls/Makefile | 3 ++-
 src/lib/libtls/tls_init.3 | 29 +++++++++++++++++++++++++----
 2 files changed, 27 insertions(+), 5 deletions(-)
(limited to 'src')

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 61368bccfd..6baf210143 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2015/02/11 07:01:10 jsing Exp $
+# $OpenBSD: Makefile,v 1.6 2015/02/15 13:33:14 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -20,6 +20,7 @@ MAN= tls_init.3
 
 MLINKS+=tls_init.3 tls_config_new.3
 MLINKS+=tls_init.3 tls_config_free.3
+MLINKS+=tls_init.3 tls_config_parse_protocols.3
 MLINKS+=tls_init.3 tls_config_set_ca_file.3
 MLINKS+=tls_init.3 tls_config_set_ca_path.3
 MLINKS+=tls_init.3 tls_config_set_ca_mem.3
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index c1e59383c4..5f72d9549b 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.12 2015/02/11 07:01:10 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.13 2015/02/15 13:33:14 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 11 2015 $
+.Dd $Mdocdate: February 15 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm tls_error ,
 .Nm tls_config_new ,
 .Nm tls_config_free ,
+.Nm tls_config_parse_protocols ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
 .Nm tls_config_set_ca_mem ,
@@ -64,6 +65,8 @@
 .Ft "void"
 .Fn tls_config_free "struct tls_config *config"
 .Ft "int"
+.Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr"
+.Ft "int"
 .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
@@ -208,6 +211,22 @@ allocates a new default configuration object.
 frees a configuration object.
 .El
 .Pp
+The
+.Fn tls_config_parse_protocols
+function parses a protocol string and returns the corresponding value via the
+.Ar protocols
+argument.
+This value can then be passed to the
+.Fn tls_config_set_protocols
+function.
+The protocol string is a comma or colon separated list of keywords.
+Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, all (all supported protocols),
+default (an alias for secure), legacy (an alias for all) and secure (currently
+TLSv1.2 only).
+If a value has a negative prefix (in the form of a leading exclamation mark)
+then it is removed from the list of available protocols, rather than being
+added to it.
+.Pp
 The following functions modify a configuration by setting parameters.
 Configuration options may apply to only clients or only servers or both.
 .Bl -bullet -offset four
@@ -258,9 +277,11 @@ Possible values are the bitwise OR of:
 .Pp
 Additionally, the values
 .Dv TLS_PROTOCOL_TLSv1
-(all TLS versions) and
+(TLSv1.0, TLSv1.1 and TLSv1.2),
+.Dv TLS_PROTOCOLS_ALL
+(all supported protocols) and
 .Dv TLS_PROTOCOLS_DEFAULT
-(currently all TLS versions) may be used.
+(TLSv1.2 only) may be used.
 .Em (Client and server)
 .It
 .Fn tls_config_clear_keys
-- cgit v1.2.3-55-g6feb