Diffstat (limited to 'upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl')
-rw-r--r-- | upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl | 77
1 files changed, 73 insertions, 4 deletions
diff --git a/upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl b/upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl index d3ee86e2..afcddec9 100644 --- a/upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl +++ b/upstream/debian-unstable/man3/SSL_CTX_set_options.3ssl @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_SET_OPTIONS 3SSL" -.TH SSL_CTX_SET_OPTIONS 3SSL 2024-02-03 3.1.5 OpenSSL +.TH SSL_CTX_SET_OPTIONS 3SSL 2024-04-04 3.2.2-dev OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -170,7 +170,7 @@ Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1 connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR API. .IP SSL_OP_CLEANSE_PLAINTEXT 4 .IX Item "SSL_OP_CLEANSE_PLAINTEXT" -By default TLS connections keep a copy of received plaintext +By default TLS and QUIC SSL objects keep a copy of received plaintext application data in a static buffer until it is overwritten by the next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT deciphered application data is cleansed by calling \fBOPENSSL_cleanse\fR\|(3) 
@@ -181,6 +181,14 @@ Since OpenSSL only cleanses internal buffers, the application is still responsible for cleansing all other buffers. Most notably, this applies to buffers passed to functions like \fBSSL_read\fR\|(3), \&\fBSSL_peek\fR\|(3) but also like \fBSSL_write\fR\|(3). +.Sp +TLS connections do not buffer data to be sent in plaintext. QUIC stream +objects do buffer plaintext data to be sent and this option will also cause +that data to be cleansed when it is discarded. +.Sp +This option can be set differently on individual QUIC stream objects and +has no effect on QUIC connection objects (except where a default stream is +being used). .IP SSL_OP_COOKIE_EXCHANGE 4 .IX Item "SSL_OP_COOKIE_EXCHANGE" Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects @@ -212,6 +220,15 @@ Note that with kernel TLS enabled some cryptographic operations are performed by the kernel directly and not via any available OpenSSL Providers. This might be undesirable if, for example, the application requires all cryptographic operations to be performed by the FIPS provider. +.IP SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE 4 +.IX Item "SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE" +With this option, \fBsendfile()\fR will use the zerocopy mode, which gives a +performance boost when used with KTLS hardware offload. Note that invalid TLS +records might be transmitted if the file is changed while being sent. This +option has no effect if \fBSSL_OP_ENABLE_KTLS\fR is not enabled. +.Sp +This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an +option to disable zerocopy and always runs in this mode. .IP SSL_OP_ENABLE_MIDDLEBOX_COMPAT 4 .IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT" If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This 
@@ -247,10 +264,28 @@ mitigate the replay risks in other ways and in such cases the built in OpenSSL functionality is not required. Those applications can turn this feature off by setting this option. This is a server-side option only. It is ignored by clients. +.IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4 +.IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION" +Normally clients and servers will transparently attempt to negotiate the +RFC8879 certificate compression option on TLSv1.3 connections. +.Sp +If this option is set, the certificate compression extension is ignored +upon receipt and compressed certificates will not be sent to the peer. +.IP SSL_OP_NO_RX_CERTIFICATE_COMPRESSION 4 +.IX Item "SSL_OP_NO_RX_CERTIFICATE_COMPRESSION" +Normally clients and servers will transparently attempt to negotiate the +RFC8879 certificate compression option on TLSv1.3 connections. +.Sp +If this option is set, the certificate compression extension will not be sent +and compressed certificates will not be accepted from the peer. .IP SSL_OP_NO_COMPRESSION 4 .IX Item "SSL_OP_NO_COMPRESSION" -Do not use compression even if it is supported. This option is set by default. -To switch it off use \fBSSL_clear_options()\fR. +Do not use TLS record compression even if it is supported. This option is set by +default. To switch it off use \fBSSL_clear_options()\fR. Note that TLS record +compression is not recommended and is not available at security level 2 or +above. From OpenSSL 3.2 the default security level is 2, so clearing this option +will have no effect without also changing the default security level. See +\&\fBSSL_CTX_set_security_level\fR\|(3). .IP SSL_OP_NO_ENCRYPT_THEN_MAC 4 .IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC" Normally clients and servers will transparently attempt to negotiate the 
@@ -431,6 +466,40 @@ The difference between the \fBSSL_OP_LEGACY_SERVER_CONNECT\fR and renegotiation between OpenSSL clients and unpatched servers \fBonly\fR, while \&\fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR allows initial connections and renegotiation between OpenSSL and unpatched clients or servers. +.SS "Applicability of options to QUIC connections and streams" +.IX Subsection "Applicability of options to QUIC connections and streams" +These options apply to SSL objects referencing a QUIC connection: +.IP SSL_OP_ALLOW_NO_DHE_KEX 4 +.IX Item "SSL_OP_ALLOW_NO_DHE_KEX" +.PD 0 +.IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4 +.IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION" +.IP SSL_OP_NO_RX_CERTIFICATE_COMPRESSION 4 +.IX Item "SSL_OP_NO_RX_CERTIFICATE_COMPRESSION" +.IP SSL_OP_NO_TICKET 4 +.IX Item "SSL_OP_NO_TICKET" +.IP SSL_OP_PRIORITIZE_CHACHA 4 +.IX Item "SSL_OP_PRIORITIZE_CHACHA" +.PD +.PP +These options apply to SSL objects referencing a QUIC stream: +.IP SSL_OP_CLEANSE_PLAINTEXT 4 +.IX Item "SSL_OP_CLEANSE_PLAINTEXT" +.PP +Options on QUIC connections are initialized from the options set on SSL_CTX +before a QUIC connection SSL object is created. Options on QUIC streams are +initialised from the options configured on the QUIC connection SSL object +they are created from. +.PP +Setting options which relate to QUIC streams on a QUIC connection SSL object has +no direct effect on the QUIC connection SSL object itself, but will change the +options set on the default stream (if there is one) and will also determine the +default options set on any future streams which are created. +.PP +Other options not mentioned above do not have an effect and will be ignored. +.PP +Options which relate to QUIC streams may also be set directly on QUIC stream SSL +objects. Setting connection-related options on such an object has no effect. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit-mask |
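Review bot: In the @@ -181 hunk (SSL_OP_CLEANSE_PLAINTEXT), the parenthetical "(except where a default stream is being used)" is the only hint of how this stream-level option interacts with a QUIC connection SSL object, and it is easy to miss; point the reader at the new "Applicability of options to QUIC connections and streams" subsection, which spells out that stream-related options set on a connection object propagate to the default stream and to streams created later. It would also help to make explicit that the sentence "TLS connections do not buffer data to be sent in plaintext" means the option changes nothing for the TLS send path, so the earlier reminder that buffers passed to SSL_write(3) remain the application's responsibility still holds in full.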
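Review bot: In the @@ -212 hunk (SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE), the caveat "invalid TLS records might be transmitted if the file is changed while being sent" leaves the reader to infer the consequence. State the precondition directly: the application must guarantee the file is not modified for the duration of the sendfile() call, because a record whose contents changed after its MAC was computed will be rejected by the peer and the connection will fail. Phrased that way the entry tells the reader what they are trading for the performance gain, rather than only that something "might" go wrong.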
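Review bot: In the @@ -247 hunk, the new SSL_OP_NO_TX_CERTIFICATE_COMPRESSION and SSL_OP_NO_RX_CERTIFICATE_COMPRESSION entries repeat the same two-line paragraph ("Normally clients and servers will transparently attempt to negotiate the RFC8879 certificate compression option on TLSv1.3 connections."); document them once, for example as a single item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION" with the shared lead-in followed by one .Sp paragraph per direction. The two items are also inserted ahead of SSL_OP_NO_COMPRESSION and SSL_OP_NO_ENCRYPT_THEN_MAC, which breaks the alphabetical order of the surrounding SSL_OP_NO_* entries. For the reworded SSL_OP_NO_COMPRESSION text, "TLS record compression is not recommended" gives no reason; one clause saying why (compressing plaintext leaks information about it through record lengths) would let readers judge the trade-off before lowering the security level to re-enable it.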
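Review bot: In the @@ -431 hunk, the new subsection spells the same word two ways in one paragraph ("are initialized from the options set on SSL_CTX" and "initialised from the options configured on the QUIC connection SSL object"); pick one. The sentence "Other options not mentioned above do not have an effect and will be ignored." belongs directly after the two lists it refers to rather than after the paragraphs about inheritance and default streams, which are about propagation, not applicability. Consider also saying explicitly that the two lists are exhaustive for QUIC, since the SSL_OP_CLEANSE_PLAINTEXT entry earlier in the page now mentions QUIC objects and a reader may otherwise wonder whether other entries that do not mention QUIC apply as well.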