528b1f9a9f
Update protocols supported and note that SSLv2 is effectively disabled by default. PR#3184
74 lines
2.9 KiB
Text
74 lines
2.9 KiB
Text
=pod
|
|
|
|
=head1 NAME
|
|
|
|
SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
|
|
int SSL_set_cipher_list(SSL *ssl, const char *str);
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx>
|
|
using the control string B<str>. The format of the string is described
|
|
in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all
|
|
B<ssl> objects created from B<ctx>.
|
|
|
|
SSL_set_cipher_list() sets the list of ciphers only for B<ssl>.
|
|
|
|
=head1 NOTES
|
|
|
|
The control string B<str> should be universally usable and not depend
|
|
on details of the library configuration (ciphers compiled in). Thus no
|
|
syntax checking takes place. Items that are not recognized, because the
|
|
corresponding ciphers are not compiled in or because they are mistyped,
|
|
are simply ignored. Failure is only flagged if no ciphers could be collected
|
|
at all.
|
|
|
|
It should be noted, that inclusion of a cipher to be used into the list is
|
|
a necessary condition. On the client side, the inclusion into the list is
|
|
also sufficient unless the security level excludes it. On the server side,
|
|
additional restrictions apply. All ciphers have additional requirements.
|
|
ADH ciphers don't need a certificate, but DH-parameters must have been set.
|
|
All other ciphers need a corresponding certificate and key.
|
|
|
|
A RSA cipher can only be chosen, when a RSA certificate is available.
|
|
RSA export ciphers with a keylength of 512 bits for the RSA key require
|
|
a temporary 512 bit RSA key, as typically the supplied key has a length
|
|
of 1024 bit (see
|
|
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
|
|
RSA ciphers using DHE need a certificate and key and additional DH-parameters
|
|
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
|
|
|
A DSA cipher can only be chosen, when a DSA certificate is available.
|
|
DSA ciphers always use DH key exchange and therefore need DH-parameters
|
|
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
|
|
|
When these conditions are not met for any cipher in the list (e.g. a
|
|
client only supports export RSA ciphers with a asymmetric key length
|
|
of 512 bits and the server is not configured to use temporary RSA
|
|
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
|
|
and the handshake will fail.
|
|
|
|
If the cipher list does not contain any SSLv2 cipher suites (this is the
|
|
default) then SSLv2 is effectively disabled and neither clients nor servers
|
|
will attempt to use SSLv2.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher
|
|
could be selected and 0 on complete failure.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
|
|
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
|
|
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
|
|
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
|
|
L<ciphers(1)|ciphers(1)>
|
|
|
|
=cut
|