Add missing SSL_OP flags

Add missing SSL_OP flags. Correct the list of flags set by SSL_OP_ALL.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16236)
master
Todd Short 2 years ago committed by Tomas Mraz
parent 0f70d60134
commit 73dadb9300

@ -67,12 +67,6 @@ The following B<bug workaround> options are available:
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
Disable TLS Extension CA Names. You may want to disable it for security reasons
or for compatibility with some Windows TLS implementations crashing when this
extension is larger than 1024 bytes.
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
@ -80,6 +74,12 @@ vulnerability affecting CBC ciphers, which cannot be handled by some
broken SSL implementations. This option has no effect for connections
using other ciphers.
=item SSL_OP_CRYPTOPRO_TLSEXT_BUG
Make server add server-hello extension from early version of cryptopro draft,
when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro
CSP 3.x.
=item SSL_OP_TLSEXT_PADDING
Adds a padding extension to ensure the ClientHello size is never between
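Review bot: the new SSL_OP_CRYPTOPRO_TLSEXT_BUG entry spells the vendor as "cryptopro" in its first sentence and "CryptoPro" in the second, and the first sentence drops its articles. Suggest "Make the server add the server-hello extension from an early version of the CryptoPro draft when a GOST ciphersuite is negotiated." so the item reads consistently with the entries around it.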
@ -100,6 +100,17 @@ The following B<modifying> options are available:
=over 4
=item SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Client-initiated renegotiation is disabled by default. To allow it, use the
this option to enable it.
=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
Disable TLS Extension CA Names. You may want to disable it for security reasons
or for compatibility with some Windows TLS implementations crashing when this
extension is larger than 1024 bytes.
=item SSL_OP_TLS_ROLLBACK_BUG
Disable version rollback attack detection.
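Review bot: the SSL_OP_ALLOW_CLIENT_RENEGOTIATION text has a typo and a redundancy in "To allow it, use the this option to enable it."; "To allow it, set this option." says the same thing. In the relocated SSL_OP_DISABLE_TLSEXT_CA_NAMES item, "for security reasons" gives the reader nothing to decide on, so it would help to state what the extension discloses, or drop the phrase and keep only the Windows compatibility case.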
@ -137,7 +148,9 @@ handshake). This option is not needed for clients.
=item SSL_OP_NO_COMPRESSION
Do not use compression even if it is supported.
Do not use compression even if it is supported. This option is set by default.
To switch it off use SSL_clear_options(). A future version of OpenSSL may not
set this by default.
=item SSL_OP_NO_QUERY_MTU
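Review bot: the SSL_OP_NO_COMPRESSION text now says the option is set by default but that "A future version of OpenSSL may not set this by default", which leaves an application that depends on compression staying off with no guidance. Suggest adding a sentence that such applications should set SSL_OP_NO_COMPRESSION explicitly rather than rely on the default. SSL_clear_options() would also read better as a pod link to its manual page than as bare text.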
@ -243,6 +256,11 @@ those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere
in the server cipher list; but still allows other clients to use AES and other
ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>.
=item SSL_OP_CISCO_ANYCONNECT
Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1
connection. Only available when using the deprecated DTLSv1_client_method() API.
=item SSL_OP_ENABLE_MIDDLEBOX_COMPAT
If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This
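Review bot: in the SSL_OP_CISCO_ANYCONNECT entry, DTLS_BAD_VER and DTLSv1_client_method() are written as bare text, while the context line just above marks up its identifier as B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Suggest the same B<> markup here. Since the entry says the option is "Only available when using the deprecated DTLSv1_client_method() API", it would also help to say what happens when it is set on a context created with any other method.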
