path: root/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
Diffstat (limited to 'secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3')
-rw-r--r-- secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 59
1 files changed, 31 insertions, 28 deletions
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
index e19269cf2eff..ac00a4dc6a1e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_OPTIONS 3ossl"
-.TH SSL_CTX_SET_OPTIONS 3ossl 2025-09-30 3.5.4 OpenSSL
+.TH SSL_CTX_SET_OPTIONS 3ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
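Review bot: the escaping churn in this file makes it hard to confirm that the 3.5.4 to 3.5.6 bump on the `.TH` line carries no wording change. Apart from that line and the three added preamble lines ending in `.if n .ds AD l`, every visible change swaps `-` for `\-` or `'` for `\*(Aq`, and the diffstat (31 insertions, 28 deletions) is consistent with that. Please confirm by diffing the rendered output of the old and new page, or by diffing with those two escapes normalised, so a real change to an option description cannot hide among the one-for-one replacements.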
@@ -82,17 +85,17 @@ SSL_get_secure_renegotiation_support \- manipulate SSL options
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBctx\fR.
+\&\fBSSL_CTX_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBctx\fR.
\&\fBctx\fR \fBMUST NOT\fR be NULL.
Options already set before are not cleared!
.PP
-\&\fBSSL_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBssl\fR.
+\&\fBSSL_set_options()\fR adds the options set via bit\-mask in \fBoptions\fR to \fBssl\fR.
Options already set before are not cleared!
.PP
-\&\fBSSL_CTX_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR
+\&\fBSSL_CTX_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR
to \fBctx\fR.
.PP
-\&\fBSSL_clear_options()\fR clears the options set via bit-mask in \fBoptions\fR to \fBssl\fR.
+\&\fBSSL_clear_options()\fR clears the options set via bit\-mask in \fBoptions\fR to \fBssl\fR.
.PP
\&\fBSSL_CTX_get_options()\fR returns the options set for \fBctx\fR.
.PP
@@ -104,7 +107,7 @@ Note, this is implemented via a macro.
.SH NOTES
.IX Header "NOTES"
The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bit-masks and can be combined by a bitwise \fBor\fR
+The options are coded as bit\-masks and can be combined by a bitwise \fBor\fR
operation (|).
.PP
\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR affect the (external)
@@ -120,7 +123,7 @@ SSL objects. \fBSSL_clear()\fR does not affect the settings.
The following \fBbug workaround\fR options are available:
.IP SSL_OP_CRYPTOPRO_TLSEXT_BUG 4
.IX Item "SSL_OP_CRYPTOPRO_TLSEXT_BUG"
-Add server-hello extension from the early version of cryptopro draft
+Add server\-hello extension from the early version of cryptopro draft
when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro
CSP 3.x.
.IP SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 4
@@ -131,8 +134,8 @@ broken SSL implementations. This option has no effect for connections
using other ciphers.
.IP SSL_OP_SAFARI_ECDHE_ECDSA_BUG 4
.IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG"
-Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
-OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+Don\*(Aqt prefer ECDHE\-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE\-ECDSA ciphers.
.IP SSL_OP_TLSEXT_PADDING 4
.IX Item "SSL_OP_TLSEXT_PADDING"
Adds a padding extension to ensure the ClientHello size is never between
@@ -149,7 +152,7 @@ desired.
The following \fBmodifying\fR options are available:
.IP SSL_OP_ALLOW_CLIENT_RENEGOTIATION 4
.IX Item "SSL_OP_ALLOW_CLIENT_RENEGOTIATION"
-Client-initiated renegotiation is disabled by default. Use
+Client\-initiated renegotiation is disabled by default. Use
this option to enable it.
.IP SSL_OP_ALLOW_NO_DHE_KEX 4
.IX Item "SSL_OP_ALLOW_NO_DHE_KEX"
@@ -166,13 +169,13 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
servers. See the \fBSECURE RENEGOTIATION\fR section for more details.
.IP SSL_OP_CIPHER_SERVER_PREFERENCE 4
.IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
-When choosing a cipher, use the server's preferences instead of the client
+When choosing a cipher, use the server\*(Aqs preferences instead of the client
preferences. When not set, the SSL server will always follow the clients
preferences. When set, the SSL/TLS server will choose following its
own preferences.
.IP SSL_OP_CISCO_ANYCONNECT 4
.IX Item "SSL_OP_CISCO_ANYCONNECT"
-Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1
+Use Cisco\*(Aqs version identifier of DTLS_BAD_VER when establishing a DTLSv1
connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR API.
.IP SSL_OP_CLEANSE_PLAINTEXT 4
.IX Item "SSL_OP_CLEANSE_PLAINTEXT"
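Review bot: in the SSL_OP_CIPHER_SERVER_PREFERENCE entry the unchanged line "the SSL server will always follow the clients preferences" is missing its possessive apostrophe, right next to the line that now renders `server\*(Aqs` correctly. Since this page is generated, the fix ("the client's preferences") belongs in the POD source rather than in this file, but it is worth reporting while the paragraph is being touched.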
@@ -211,9 +214,9 @@ have been compiled with support for it, and it must be supported by the
negotiated ciphersuites and extensions. The specific ciphersuites and extensions
that are supported may vary by platform and kernel version.
.Sp
-The kernel TLS data-path implements the record layer, and the encryption
+The kernel TLS data\-path implements the record layer, and the encryption
algorithm. The kernel will utilize the best hardware
-available for encryption. Using the kernel data-path should reduce the memory
+available for encryption. Using the kernel data\-path should reduce the memory
footprint of OpenSSL because no buffering is required. Also, the throughput
should improve because data copy is avoided when user data is encrypted into
kernel memory instead of the usual encrypt then copy to kernel.
@@ -233,7 +236,7 @@ performance boost when used with KTLS hardware offload. Note that invalid TLS
records might be transmitted if the file is changed while being sent. This
option has no effect if \fBSSL_OP_ENABLE_KTLS\fR is not enabled.
.Sp
-This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an
+This option only applies to Linux. KTLS sendfile on FreeBSD doesn\*(Aqt offer an
option to disable zerocopy and always runs in this mode.
.IP SSL_OP_ENABLE_MIDDLEBOX_COMPAT 4
.IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT"
@@ -264,11 +267,11 @@ Allow legacy insecure renegotiation between OpenSSL and unpatched servers
.IX Item "SSL_OP_NO_ANTI_REPLAY"
By default, when a server is configured for early data (i.e., max_early_data > 0),
OpenSSL will switch on replay protection. See \fBSSL_read_early_data\fR\|(3) for a
-description of the replay protection feature. Anti-replay measures are required
+description of the replay protection feature. Anti\-replay measures are required
to comply with the TLSv1.3 specification. Some applications may be able to
mitigate the replay risks in other ways and in such cases the built in OpenSSL
functionality is not required. Those applications can turn this feature off by
-setting this option. This is a server-side option only. It is ignored by
+setting this option. This is a server\-side option only. It is ignored by
clients.
.IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4
.IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION"
@@ -295,9 +298,9 @@ will have no effect without also changing the default security level. See
.IP SSL_OP_NO_ENCRYPT_THEN_MAC 4
.IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC"
Normally clients and servers will transparently attempt to negotiate the
-RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
+RFC7366 Encrypt\-then\-MAC option on TLS and DTLS connection.
.Sp
-If this option is set, Encrypt-then-MAC is disabled. Clients will not
+If this option is set, Encrypt\-then\-MAC is disabled. Clients will not
propose, and servers will not accept the extension.
.IP SSL_OP_NO_EXTENDED_MASTER_SECRET 4
.IX Item "SSL_OP_NO_EXTENDED_MASTER_SECRET"
@@ -356,7 +359,7 @@ its cache.
By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will
cause stateless tickets to not be issued. In TLSv1.2 and below this means no
ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be
-sent. This is a server-side option only.
+sent. This is a server\-side option only.
.Sp
In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from
being sent by calling \fBSSL_CTX_set_num_tickets\fR\|(3) or
@@ -375,11 +378,11 @@ Disable version rollback attack detection.
.Sp
During the client key exchange, the client must send the same information
about acceptable SSL/TLS protocol levels as during the first hello. Some
-clients violate this rule by adapting to the server's answer. (Example:
+clients violate this rule by adapting to the server\*(Aqs answer. (Example:
the client sends an SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
-to the server's answer and violate the version rollback protection.)
+to the server\*(Aqs answer and violate the version rollback protection.)
.PP
The following options no longer have any effect but their identifiers are
retained for compatibility purposes:
@@ -428,7 +431,7 @@ aware of. In the description below an implementation supporting secure
renegotiation is referred to as \fIpatched\fR. A server not supporting secure
renegotiation is referred to as \fIunpatched\fR.
.PP
-The following sections describe the operations permitted by OpenSSL's secure
+The following sections describe the operations permitted by OpenSSL\*(Aqs secure
renegotiation implementation.
.SS "Patched client and server"
.IX Subsection "Patched client and server"
@@ -505,16 +508,16 @@ default options set on any future streams which are created.
Other options not mentioned above do not have an effect and will be ignored.
.PP
Options which relate to QUIC streams may also be set directly on QUIC stream SSL
-objects. Setting connection-related options on such an object has no effect.
+objects. Setting connection\-related options on such an object has no effect.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit-mask
+\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit\-mask
after adding \fBoptions\fR.
.PP
-\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit-mask
+\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit\-mask
after clearing \fBoptions\fR.
.PP
-\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit-mask.
+\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit\-mask.
.PP
\&\fBSSL_get_secure_renegotiation_support()\fR returns 1 is the peer supports
secure renegotiation and 0 if it does not.
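Review bot: the trailing context line for SSL_get_secure_renegotiation_support() reads "returns 1 is the peer supports secure renegotiation", where "is" should be "if". Callers read this section to decide how to interpret the return value, so the sentence should be unambiguous; correct it in the POD source so the next regeneration picks it up instead of hand-editing this generated file.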