Dr. Stephen Henson
ce325c60c7
Only allow ephemeral RSA keys in export ciphersuites.
...
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 02:06:39 +00:00
Kurt Roeckx
45f55f6a5b
Remove SSLv2 support
...
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 11:55:03 +01:00
Rich Salz
fc1d88f02f
Close a whole bunch of documentation-related tickets:
...
298 424 656 882 939 1630 1807 2263 2294 2311 2424 2623
2637 2686 2697 2921 2922 2940 3055 3112 3156 3177 3277
2014-07-02 22:42:40 -04:00
Rich Salz
762a44de59
RT 3245; it's "bitwise or" not "logical or"
2014-07-01 13:00:18 -04:00
Dr. Stephen Henson
01f2f18f3c
Option to disable padding extension.
...
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.
This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.
PR#3336
2014-06-01 18:15:21 +01:00
Daniel Kahn Gillmor
0b30fc903f
documentation should use "DHE" instead of "EDH"
2014-01-09 15:43:28 +00:00
Rob Stradling
dece3209f2
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
...
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-05 13:09:03 +01:00
Bodo Möller
88f2a4cf9c
CVE-2010-4180 fix (from OpenSSL_1_0_0-stable)
2011-02-03 10:43:00 +00:00
Dr. Stephen Henson
69582a592e
clarify documentation
2010-02-18 12:41:33 +00:00
Dr. Stephen Henson
c2c49969e2
Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
...
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:31 +00:00
Dr. Stephen Henson
f959598866
update references to new RI RFC
2010-02-12 21:59:31 +00:00
Dr. Stephen Henson
9fb6fd34f8
reword RI description
2010-01-27 18:53:33 +00:00
Dr. Stephen Henson
99b36a8c31
update documentation to reflect new renegotiation options
2010-01-27 17:46:24 +00:00
Dr. Stephen Henson
2a30fec786
Typo
2010-01-05 17:49:49 +00:00
Dr. Stephen Henson
b5c002d5a8
clarify docs
2009-12-09 18:16:50 +00:00
Dr. Stephen Henson
4db82571ba
Document option clearning functions.
...
Initial secure renegotiation documentation.
2009-12-09 17:59:29 +00:00
Dr. Stephen Henson
f3fef74b09
Document ticket disabling option.
2007-08-23 22:49:13 +00:00
Bodo Möller
72dce7685e
Add fixes for CAN-2005-2969.
...
(This were in 0.9.7-stable and 0.9.8-stable, but not in HEAD so far.)
2005-10-26 19:40:45 +00:00
Dr. Stephen Henson
e27a259696
Doc fixes.
2005-03-22 17:55:33 +00:00
Richard Levitte
d177e6180d
Spelling errors.
...
PR: 538
2003-03-20 11:41:59 +00:00
Lutz Jänicke
2edcb4ac71
Typos in links between manual pages
...
Submitted by: Richard.Koenning@fujitsu-siemens.com
Reviewed by:
PR: 129
2002-07-10 19:35:54 +00:00
Bodo Möller
c21506ba02
New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
...
vulnerability workaround (included in SSL_OP_ALL).
PR: #90
2002-06-14 12:21:11 +00:00
Bodo Möller
51008ffce1
document SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2001-10-17 11:56:26 +00:00
Ulf Möller
3b80e3aa9e
ispell
2001-09-07 06:13:40 +00:00
Ulf Möller
f2ab7d1392
typo.
2001-08-22 18:35:17 +00:00
Lutz Jänicke
06da6e4977
Don't disable rollback attack detection as a recommended bug workaround.
2001-08-03 08:45:13 +00:00
Lutz Jänicke
37f599bcec
Reworked manual pages with a lot of input from Bodo Moeller.
2001-07-31 15:04:50 +00:00
Lutz Jänicke
4db48ec0bd
Documentation about ephemeral key exchange
2001-07-21 11:02:17 +00:00
Ulf Möller
52d160d85d
ispell
2001-02-16 02:09:53 +00:00
Lutz Jänicke
1b65ce7db3
Update for 0.9.7 with SSL_OP_CIPHER_SERVER_PREFERENCE.
2001-02-10 16:21:38 +00:00
Lutz Jänicke
7b9cb4a224
Manual page for SSL_CTX_set_options(). Unfortunately for some of the
...
options someone much longer working with OpenSSL/SSLeay is needed.
2001-02-10 16:18:35 +00:00