aboutsummaryrefslogtreecommitdiff
path: root/secure/lib/libcrypto/man/man3/SSL_key_update.3
diff options
context:
space:
mode:
Diffstat (limited to 'secure/lib/libcrypto/man/man3/SSL_key_update.3')
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_key_update.3154
1 files changed, 48 insertions, 106 deletions
diff --git a/secure/lib/libcrypto/man/man3/SSL_key_update.3 b/secure/lib/libcrypto/man/man3/SSL_key_update.3
index 19baa9d74be0..4afa54bc1b01 100644
--- a/secure/lib/libcrypto/man/man3/SSL_key_update.3
+++ b/secure/lib/libcrypto/man/man3/SSL_key_update.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_KEY_UPDATE 3ossl"
-.TH SSL_KEY_UPDATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_KEY_UPDATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_key_update,
SSL_get_key_update_type,
SSL_renegotiate,
SSL_renegotiate_abbreviated,
SSL_renegotiate_pending
\&\- initiate and obtain information about updating connection keys
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -155,27 +79,27 @@ SSL_renegotiate_pending
\& int SSL_renegotiate_abbreviated(SSL *s);
\& int SSL_renegotiate_pending(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_key_update()\fR schedules an update of the keys for the current \s-1TLS\s0 connection.
-If the \fBupdatetype\fR parameter is set to \fB\s-1SSL_KEY_UPDATE_NOT_REQUESTED\s0\fR then
+\&\fBSSL_key_update()\fR schedules an update of the keys for the current TLS connection.
+If the \fBupdatetype\fR parameter is set to \fBSSL_KEY_UPDATE_NOT_REQUESTED\fR then
the sending keys for this connection will be updated and the peer will be
informed of the change. If the \fBupdatetype\fR parameter is set to
-\&\fB\s-1SSL_KEY_UPDATE_REQUESTED\s0\fR then the sending keys for this connection will be
+\&\fBSSL_KEY_UPDATE_REQUESTED\fR then the sending keys for this connection will be
updated and the peer will be informed of the change along with a request for the
peer to additionally update its sending keys. It is an error if \fBupdatetype\fR is
-set to \fB\s-1SSL_KEY_UPDATE_NONE\s0\fR.
+set to \fBSSL_KEY_UPDATE_NONE\fR.
.PP
\&\fBSSL_key_update()\fR must only be called after the initial handshake has been
-completed and TLSv1.3 has been negotiated, at the same time, the application
-needs to ensure that the writing of data has been completed. The key update
-will not take place until the next time an \s-1IO\s0 operation such as \fBSSL_read_ex()\fR
-or \fBSSL_write_ex()\fR takes place on the connection. Alternatively \fBSSL_do_handshake()\fR
-can be called to force the update to take place immediately.
+completed and TLSv1.3 or QUIC has been negotiated, at the same time, the
+application needs to ensure that the writing of data has been completed. The key
+update will not take place until the next time an IO operation such as
+\&\fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR takes place on the connection. Alternatively
+\&\fBSSL_do_handshake()\fR can be called to force the update to take place immediately.
.PP
\&\fBSSL_get_key_update_type()\fR can be used to determine whether a key update
operation has been scheduled but not yet performed. The type of the pending key
-update operation will be returned if there is one, or \s-1SSL_KEY_UPDATE_NONE\s0
+update operation will be returned if there is one, or SSL_KEY_UPDATE_NONE
otherwise.
.PP
\&\fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR should only be called for
@@ -183,12 +107,14 @@ connections that have negotiated TLSv1.2 or less. Calling them on any other
connection will result in an error.
.PP
When called from the client side, \fBSSL_renegotiate()\fR schedules a completely new
-handshake over an existing \s-1SSL/TLS\s0 connection. The next time an \s-1IO\s0 operation
+handshake over an existing SSL/TLS connection. The next time an IO operation
such as \fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR takes place on the connection a check
will be performed to confirm that it is a suitable time to start a
renegotiation. If so, then it will be initiated immediately. OpenSSL will not
attempt to resume any session associated with the connection in the new
-handshake.
+handshake. Note that some servers will respond to reneogitation attempts with
+a "no_renegotiation" alert. An OpenSSL will immediately fail the connection in
+this case.
.PP
When called from the client side, \fBSSL_renegotiate_abbreviated()\fR works in the
same was as \fBSSL_renegotiate()\fR except that OpenSSL will attempt to resume the
@@ -196,28 +122,44 @@ session associated with the current connection in the new handshake.
.PP
When called from the server side, \fBSSL_renegotiate()\fR and
\&\fBSSL_renegotiate_abbreviated()\fR behave identically. They both schedule a request
-for a new handshake to be sent to the client. The next time an \s-1IO\s0 operation is
+for a new handshake to be sent to the client. The next time an IO operation is
performed then the same checks as on the client side are performed and then, if
appropriate, the request is sent. The client may or may not respond with a new
handshake and it may or may not attempt to resume an existing session. If
a new handshake is started then this will be handled transparently by calling
-any OpenSSL \s-1IO\s0 function.
+any OpenSSL IO function.
.PP
If an OpenSSL client receives a renegotiation request from a server then again
-this will be handled transparently through calling any OpenSSL \s-1IO\s0 function. For
-a \s-1TLS\s0 connection the client will attempt to resume the current session in the
-new handshake. For historical reasons, \s-1DTLS\s0 clients will not attempt to resume
+this will be handled transparently through calling any OpenSSL IO function. For
+a TLS connection the client will attempt to resume the current session in the
+new handshake. For historical reasons, DTLS clients will not attempt to resume
the session in the new handshake.
.PP
The \fBSSL_renegotiate_pending()\fR function returns 1 if a renegotiation or
renegotiation request has been scheduled but not yet acted on, or 0 otherwise.
+.SH "USAGE WITH QUIC"
+.IX Header "USAGE WITH QUIC"
+\&\fBSSL_key_update()\fR can also be used to perform a key update when using QUIC. The
+function must be called on a QUIC connection SSL object. This is normally done
+automatically when needed. Since a locally initiated QUIC key update always
+causes a peer to also trigger a key update, passing
+\&\fBSSL_KEY_UPDATE_NOT_REQUESTED\fR as \fBupdatetype\fR has the same effect as passing
+\&\fBSSL_KEY_UPDATE_REQUESTED\fR.
+.PP
+The QUIC connection must have been fully established before a key update can be
+performed, and other QUIC protocol rules govern how frequently QUIC key update
+can be performed. \fBSSL_key_update()\fR will fail if these requirements are not met.
+.PP
+Because QUIC key updates are always handled immediately,
+\&\fBSSL_get_key_update_type()\fR always returns SSL_KEY_UPDATE_NONE when called on a
+QUIC connection SSL object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_key_update()\fR, \fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR return 1
on success or 0 on error.
.PP
\&\fBSSL_get_key_update_type()\fR returns the update type of the pending key update
-operation or \s-1SSL_KEY_UPDATE_NONE\s0 if there is none.
+operation or SSL_KEY_UPDATE_NONE if there is none.
.PP
\&\fBSSL_renegotiate_pending()\fR returns 1 if a renegotiation or renegotiation request
has been scheduled but not yet acted on, or 0 otherwise.
@@ -226,15 +168,15 @@ has been scheduled but not yet acted on, or 0 otherwise.
\&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3),
\&\fBSSL_write_ex\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_key_update()\fR and \fBSSL_get_key_update_type()\fR functions were added in
OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-13 23:08:07 +0000