2000-09-18 16:42:30 +00:00
|
|
|
=pod
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
SSL_CTX_set_cipher_list,
|
|
|
|
SSL_set_cipher_list,
|
|
|
|
SSL_CTX_set_ciphersuites,
|
|
|
|
SSL_set_ciphersuites
|
|
|
|
- choose list of available SSL_CIPHERs
|
2000-09-18 16:42:30 +00:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
|
|
|
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
|
|
|
|
int SSL_set_cipher_list(SSL *ssl, const char *str);
|
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
|
|
|
|
int SSL_set_ciphersuites(SSL *s, const char *str);
|
|
|
|
|
2000-09-18 16:42:30 +00:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2 and below)
|
|
|
|
for B<ctx> using the control string B<str>. The format of the string is described
|
2015-08-17 19:21:33 +00:00
|
|
|
in L<ciphers(1)>. The list of ciphers is inherited by all
|
2018-02-21 17:23:11 +00:00
|
|
|
B<ssl> objects created from B<ctx>. This function does not impact TLSv1.3
|
|
|
|
ciphersuites. Use SSL_CTX_set_ciphersuites() to configure those.
|
|
|
|
|
|
|
|
SSL_set_cipher_list() sets the list of ciphers (TLSv1.2 and below) only for
|
|
|
|
B<ssl>.
|
|
|
|
|
|
|
|
SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3
|
|
|
|
ciphersuites for B<ctx>. This is a simple colon (":") separated list of TLSv1.3
|
|
|
|
ciphersuite names in order of perference. Valid TLSv1.3 ciphersuite names are:
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
|
|
=item TLS_AES_128_GCM_SHA256
|
|
|
|
|
|
|
|
=item TLS_AES_256_GCM_SHA384
|
|
|
|
|
|
|
|
=item TLS_CHACHA20_POLY1305_SHA256
|
2000-09-18 16:42:30 +00:00
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
=item TLS_AES_128_CCM_SHA256
|
|
|
|
|
|
|
|
=item TLS_AES_128_CCM_8_SHA256
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
An empty list is permissible. The default value for the this setting is:
|
|
|
|
|
|
|
|
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|
|
|
|
|
|
|
|
SSL_set_ciphersuites() is the same as SSL_CTX_set_ciphersuites() except it
|
|
|
|
configures the ciphersuites for B<ssl>.
|
2000-09-18 16:42:30 +00:00
|
|
|
|
|
|
|
=head1 NOTES
|
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
The control string B<str> for SSL_CTX_set_cipher_list() and
|
|
|
|
SSL_set_cipher_list() should be universally usable and not depend
|
2000-09-18 16:42:30 +00:00
|
|
|
on details of the library configuration (ciphers compiled in). Thus no
|
|
|
|
syntax checking takes place. Items that are not recognized, because the
|
2000-09-18 22:58:02 +00:00
|
|
|
corresponding ciphers are not compiled in or because they are mistyped,
|
2000-09-18 16:42:30 +00:00
|
|
|
are simply ignored. Failure is only flagged if no ciphers could be collected
|
|
|
|
at all.
|
|
|
|
|
2000-09-19 23:10:32 +00:00
|
|
|
It should be noted, that inclusion of a cipher to be used into the list is
|
|
|
|
a necessary condition. On the client side, the inclusion into the list is
|
2014-03-28 16:40:56 +00:00
|
|
|
also sufficient unless the security level excludes it. On the server side,
|
|
|
|
additional restrictions apply. All ciphers have additional requirements.
|
|
|
|
ADH ciphers don't need a certificate, but DH-parameters must have been set.
|
|
|
|
All other ciphers need a corresponding certificate and key.
|
2001-07-20 19:23:43 +00:00
|
|
|
|
|
|
|
A RSA cipher can only be chosen, when a RSA certificate is available.
|
2013-12-19 20:23:05 +00:00
|
|
|
RSA ciphers using DHE need a certificate and key and additional DH-parameters
|
2015-08-17 19:21:33 +00:00
|
|
|
(see L<SSL_CTX_set_tmp_dh_callback(3)>).
|
2001-07-20 19:23:43 +00:00
|
|
|
|
|
|
|
A DSA cipher can only be chosen, when a DSA certificate is available.
|
2001-07-23 12:57:37 +00:00
|
|
|
DSA ciphers always use DH key exchange and therefore need DH-parameters
|
2015-08-17 19:21:33 +00:00
|
|
|
(see L<SSL_CTX_set_tmp_dh_callback(3)>).
|
2001-07-20 19:23:43 +00:00
|
|
|
|
|
|
|
When these conditions are not met for any cipher in the list (e.g. a
|
2016-03-20 15:51:06 +00:00
|
|
|
client only supports export RSA ciphers with an asymmetric key length
|
2001-07-20 19:23:43 +00:00
|
|
|
of 512 bits and the server is not configured to use temporary RSA
|
|
|
|
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
|
|
|
|
and the handshake will fail.
|
2000-09-19 23:10:32 +00:00
|
|
|
|
2000-09-18 16:42:30 +00:00
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
|
|
|
SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
|
|
|
|
could be selected and 0 on complete failure.
|
|
|
|
|
2018-02-21 17:23:11 +00:00
|
|
|
SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() return 1 if the requested
|
|
|
|
ciphersuite list was configured, and 0 otherwise.
|
|
|
|
|
2000-09-18 16:42:30 +00:00
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2016-11-11 08:33:09 +00:00
|
|
|
L<ssl(7)>, L<SSL_get_ciphers(3)>,
|
2015-08-17 19:21:33 +00:00
|
|
|
L<SSL_CTX_use_certificate(3)>,
|
|
|
|
L<SSL_CTX_set_tmp_dh_callback(3)>,
|
|
|
|
L<ciphers(1)>
|
2000-09-18 16:42:30 +00:00
|
|
|
|
2016-05-18 15:44:05 +00:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
2018-03-20 13:00:17 +00:00
|
|
|
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2016-05-18 15:44:05 +00:00
|
|
|
|
|
|
|
Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
=cut
|