123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439 |
- =pod
- =head1 NAME
- SSL_CONF_cmd - send configuration command
- =head1 SYNOPSIS
- #include <openssl/ssl.h>
- int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
- int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
- int SSL_CONF_finish(SSL_CONF_CTX *cctx);
- =head1 DESCRIPTION
- The function SSL_CONF_cmd() performs configuration operation B<cmd> with
- optional parameter B<value> on B<ctx>. Its purpose is to simplify application
- configuration of B<SSL_CTX> or B<SSL> structures by providing a common
- framework for command line options or configuration files.
- SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to.
- The function SSL_CONF_finish() must be called after all configuration
- operations have been completed. It is used to finalise any operations
- or to process defaults.
- =head1 SUPPORTED COMMAND LINE COMMANDS
- Currently supported B<cmd> names for command lines (i.e. when the
- flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
- are case sensitive. Unless otherwise stated commands can be used by
- both clients and servers and the B<value> parameter is not used. The default
- prefix for command line commands is B<-> and that is reflected below.
- =over 4
- =item B<-sigalgs>
- This sets the supported signature algorithms for TLS v1.2. For clients this
- value is used directly for the supported signature algorithms extension. For
- servers it is used to determine which signature algorithms to support.
- The B<value> argument should be a colon separated list of signature algorithms
- in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
- is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
- OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
- Note: algorithm and hash names are case sensitive.
- If this option is not set then all signature algorithms supported by the
- OpenSSL library are permissible.
- =item B<-client_sigalgs>
- This sets the supported signature algorithms associated with client
- authentication for TLS v1.2. For servers the value is used in the supported
- signature algorithms field of a certificate request. For clients it is
- used to determine which signature algorithm to with the client certificate.
- If a server does not request a certificate this option has no effect.
- The syntax of B<value> is identical to B<-sigalgs>. If not set then
- the value set for B<-sigalgs> will be used instead.
- =item B<-curves>
- This sets the supported elliptic curves. For clients the curves are
- sent using the supported curves extension. For servers it is used
- to determine which curve to use. This setting affects curves used for both
- signatures and key exchange, if applicable.
- The B<value> argument is a colon separated list of curves. The curve can be
- either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
- B<prime256v1>). Curve names are case sensitive.
- =item B<-named_curve>
- This sets the temporary curve used for ephemeral ECDH modes. Only used by
- servers
- The B<value> argument is a curve name or the special value B<auto> which
- picks an appropriate curve based on client and server preferences. The curve
- can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
- (e.g B<prime256v1>). Curve names are case sensitive.
- =item B<-cipher>
- Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
- currently not performed unless a B<SSL> or B<SSL_CTX> structure is
- associated with B<cctx>.
- =item B<-cert>
- Attempts to use the file B<value> as the certificate for the appropriate
- context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
- structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
- structure is set. This option is only supported if certificate operations
- are permitted.
- =item B<-key>
- Attempts to use the file B<value> as the private key for the appropriate
- context. This option is only supported if certificate operations
- are permitted. Note: if no B<-key> option is set then a private key is
- not loaded: it does not currently use the B<-cert> file.
- =item B<-dhparam>
- Attempts to use the file B<value> as the set of temporary DH parameters for
- the appropriate context. This option is only supported if certificate
- operations are permitted.
- =item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
- Disables protocol support for SSLv2, SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2
- by setting the corresponding options B<SSL_OP_NO_SSLv2>, B<SSL_OP_NO_SSLv3>,
- B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1> and B<SSL_OP_NO_TLSv1_2> respectively.
- =item B<-bugs>
- Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
- =item B<-no_comp>
- Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
- =item B<-no_ticket>
- Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
- =item B<-serverpref>
- Use server and not client preference order when determining which cipher suite,
- signature algorithm or elliptic curve to use for an incoming connection.
- Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
- =item B<-no_resumption_on_reneg>
- set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
- =item B<-legacyrenegotiation>
- permits the use of unsafe legacy renegotiation. Equivalent to setting
- B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
- =item B<-legacy_server_connect>, B<-no_legacy_server_connect>
- permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
- clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
- Set by default.
- =item B<-strict>
- enables strict mode protocol handling. Equivalent to setting
- B<SSL_CERT_FLAG_TLS_STRICT>.
- =item B<-debug_broken_protocol>
- disables various checks and permits several kinds of broken protocol behaviour
- for testing purposes: it should B<NEVER> be used in anything other than a test
- environment. Only supported if OpenSSL is configured with
- B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.
- =back
- =head1 SUPPORTED CONFIGURATION FILE COMMANDS
- Currently supported B<cmd> names for configuration files (i.e. when the
- flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
- B<cmd> names and are case insensitive so B<signaturealgorithms> is recognised
- as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
- are also case insensitive.
- Note: the command prefix (if set) alters the recognised B<cmd> values.
- =over 4
- =item B<CipherString>
- Sets the cipher suite list to B<value>. Note: syntax checking of B<value> is
- currently not performed unless an B<SSL> or B<SSL_CTX> structure is
- associated with B<cctx>.
- =item B<Certificate>
- Attempts to use the file B<value> as the certificate for the appropriate
- context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
- structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
- structure is set. This option is only supported if certificate operations
- are permitted.
- =item B<PrivateKey>
- Attempts to use the file B<value> as the private key for the appropriate
- context. This option is only supported if certificate operations
- are permitted. Note: if no B<-key> option is set then a private key is
- not loaded: it does not currently use the B<Certificate> file.
- =item B<ServerInfoFile>
- Attempts to use the file B<value> in the "serverinfo" extension using the
- function SSL_CTX_use_serverinfo_file.
- =item B<DHParameters>
- Attempts to use the file B<value> as the set of temporary DH parameters for
- the appropriate context. This option is only supported if certificate
- operations are permitted.
- =item B<SignatureAlgorithms>
- This sets the supported signature algorithms for TLS v1.2. For clients this
- value is used directly for the supported signature algorithms extension. For
- servers it is used to determine which signature algorithms to support.
- The B<value> argument should be a colon separated list of signature algorithms
- in order of decreasing preference of the form B<algorithm+hash>. B<algorithm>
- is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
- OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
- Note: algorithm and hash names are case sensitive.
- If this option is not set then all signature algorithms supported by the
- OpenSSL library are permissible.
- =item B<ClientSignatureAlgorithms>
- This sets the supported signature algorithms associated with client
- authentication for TLS v1.2. For servers the value is used in the supported
- signature algorithms field of a certificate request. For clients it is
- used to determine which signature algorithm to with the client certificate.
- The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
- the value set for B<SignatureAlgorithms> will be used instead.
- =item B<Curves>
- This sets the supported elliptic curves. For clients the curves are
- sent using the supported curves extension. For servers it is used
- to determine which curve to use. This setting affects curves used for both
- signatures and key exchange, if applicable.
- The B<value> argument is a colon separated list of curves. The curve can be
- either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name (e.g
- B<prime256v1>). Curve names are case sensitive.
- =item B<ECDHParameters>
- This sets the temporary curve used for ephemeral ECDH modes. Only used by
- servers
- The B<value> argument is a curve name or the special value B<Automatic> which
- picks an appropriate curve based on client and server preferences. The curve
- can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
- (e.g B<prime256v1>). Curve names are case sensitive.
- =item B<Protocol>
- The supported versions of the SSL or TLS protocol.
- The B<value> argument is a comma separated list of supported protocols to
- enable or disable. If an protocol is preceded by B<-> that version is disabled.
- Currently supported protocol values are B<SSLv2>, B<SSLv3>, B<TLSv1>,
- B<TLSv1.1> and B<TLSv1.2>.
- All protocol versions other than B<SSLv2> are enabled by default.
- To avoid inadvertent enabling of B<SSLv2>, when SSLv2 is disabled, it is not
- possible to enable it via the B<Protocol> command.
- =item B<Options>
- The B<value> argument is a comma separated list of various flags to set.
- If a flag string is preceded B<-> it is disabled. See the
- B<SSL_CTX_set_options> function for more details of individual options.
- Each option is listed below. Where an operation is enabled by default
- the B<-flag> syntax is needed to disable it.
- B<SessionTicket>: session ticket support, enabled by default. Inverse of
- B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
- B<SSL_OP_NO_TICKET>.
- B<Compression>: SSL/TLS compression support, enabled by default. Inverse
- of B<SSL_OP_NO_COMPRESSION>.
- B<EmptyFragments>: use empty fragments as a countermeasure against a
- SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
- is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
- B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
- B<DHSingle>: enable single use DH keys, set by default. Inverse of
- B<SSL_OP_DH_SINGLE>. Only used by servers.
- B<ECDHSingle> enable single use ECDH keys, set by default. Inverse of
- B<SSL_OP_ECDH_SINGLE>. Only used by servers.
- B<ServerPreference> use server and not client preference order when
- determining which cipher suite, signature algorithm or elliptic curve
- to use for an incoming connection. Equivalent to
- B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
- B<NoResumptionOnRenegotiation> set
- B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.
- B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
- Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
- B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
- for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
- Set by default.
- =back
- =head1 SUPPORTED COMMAND TYPES
- The function SSL_CONF_cmd_value_type() currently returns one of the following
- types:
- =over 4
- =item B<SSL_CONF_TYPE_UNKNOWN>
- The B<cmd> string is unrecognised, this return value can be use to flag
- syntax errors.
- =item B<SSL_CONF_TYPE_STRING>
- The value is a string without any specific structure.
- =item B<SSL_CONF_TYPE_FILE>
- The value is a file name.
- =item B<SSL_CONF_TYPE_DIR>
- The value is a directory name.
- =back
- =head1 NOTES
- The order of operations is significant. This can be used to set either defaults
- or values which cannot be overridden. For example if an application calls:
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
- SSL_CONF_cmd(ctx, userparam, uservalue);
- it will disable SSLv3 support by default but the user can override it. If
- however the call sequence is:
- SSL_CONF_cmd(ctx, userparam, uservalue);
- SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
- then SSLv3 is B<always> disabled and attempt to override this by the user are
- ignored.
- By checking the return code of SSL_CTX_cmd() it is possible to query if a
- given B<cmd> is recognised, this is useful is SSL_CTX_cmd() values are
- mixed with additional application specific operations.
- For example an application might call SSL_CTX_cmd() and if it returns
- -2 (unrecognised command) continue with processing of application specific
- commands.
- Applications can also use SSL_CTX_cmd() to process command lines though the
- utility function SSL_CTX_cmd_argv() is normally used instead. One way
- to do this is to set the prefix to an appropriate value using
- SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
- following argument to B<value> (which may be NULL).
- In this case if the return value is positive then it is used to skip that
- number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is
- returned then B<cmd> is not recognised and application specific arguments
- can be checked instead. If -3 is returned a required argument is missing
- and an error is indicated. If 0 is returned some other error occurred and
- this can be reported back to the user.
- The function SSL_CONF_cmd_value_type() can be used by applications to
- check for the existence of a command or to perform additional syntax
- checking or translation of the command value. For example if the return
- value is B<SSL_CONF_TYPE_FILE> an application could translate a relative
- pathname to an absolute pathname.
- =head1 EXAMPLES
- Set supported signature algorithms:
- SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
- Enable all protocols except SSLv3 and SSLv2:
- SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
- Only enable TLSv1.2:
- SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
- Disable TLS session tickets:
- SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
- Set supported curves to P-256, P-384:
- SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
- Set automatic support for any elliptic curve for key exchange:
- SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");
- =head1 RETURN VALUES
- SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is
- B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
- returns the number of arguments processed. This is useful when processing
- command lines.
- A return value of -2 means B<cmd> is not recognised.
- A return value of -3 means B<cmd> is recognised and the command requires a
- value but B<value> is NULL.
- A return code of 0 indicates that both B<cmd> and B<value> are valid but an
- error occurred attempting to perform the operation: for example due to an
- error in the syntax of B<value> in this case the error queue may provide
- additional information.
- SSL_CONF_finish() returns 1 for success and 0 for failure.
- =head1 SEE ALSO
- L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
- L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
- L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
- L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
- L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
- =head1 HISTORY
- SSL_CONF_cmd() was first added to OpenSSL 1.0.2
- =cut
|