SSL_CONF_cmd(3)
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
NAME
SSL_CONF_cmd - send configuration command
SYNOPSIS
#include <openssl/ssl.h>
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
int SSL_CONF_finish(SSL_CONF_CTX *cctx);
DESCRIPTION
The function SSL_CONF_cmd() performs configuration operation
cmd with optional parameter value on ctx. Its purpose is to
simplify application configuration of SSL_CTX or SSL
structures by providing a common framework for command line
options or configuration files.
SSL_CONF_cmd_value_type() returns the type of value that cmd
refers to.
The function SSL_CONF_finish() must be called after all
configuration operations have been completed. It is used to
finalise any operations or to process defaults.
SUPPORTED COMMAND LINE COMMANDS
Currently supported cmd names for command lines (i.e. when
the flag SSL_CONF_CMDLINE is set) are listed below. Note:
all cmd names are case sensitive. Unless otherwise stated
commands can be used by both clients and servers and the
value parameter is not used. The default prefix for command
line commands is - and that is reflected below.
-sigalgs
This sets the supported signature algorithms for TLS
v1.2. For clients this value is used directly for the
supported signature algorithms extension. For servers it
is used to determine which signature algorithms to
support.
The value argument should be a colon separated list of
signature algorithms in order of decreasing preference
of the form algorithm+hash. algorithm is one of RSA, DSA
or ECDSA and hash is a supported algorithm OID short
name such as SHA1, SHA224, SHA256, SHA384 of SHA512.
Note: algorithm and hash names are case sensitive.
If this option is not set then all signature algorithms
supported by the OpenSSL library are permissible.
-client_sigalgs
This sets the supported signature algorithms associated
with client authentication for TLS v1.2. For servers the
1.0.2t Last change: 2019-09-10 1
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
value is used in the supported signature algorithms
field of a certificate request. For clients it is used
to determine which signature algorithm to with the
client certificate. If a server does not request a
certificate this option has no effect.
The syntax of value is identical to -sigalgs. If not set
then the value set for -sigalgs will be used instead.
-curves
This sets the supported elliptic curves. For clients the
curves are sent using the supported curves extension.
For servers it is used to determine which curve to use.
This setting affects curves used for both signatures and
key exchange, if applicable.
The value argument is a colon separated list of curves.
The curve can be either the NIST name (e.g. P-256) or an
OpenSSL OID name (e.g prime256v1). Curve names are case
sensitive.
-named_curve
This sets the temporary curve used for ephemeral ECDH
modes. Only used by servers
The value argument is a curve name or the special value
auto which picks an appropriate curve based on client
and server preferences. The curve can be either the NIST
name (e.g. P-256) or an OpenSSL OID name (e.g
prime256v1). Curve names are case sensitive.
-cipher
Sets the cipher suite list to value. Note: syntax
checking of value is currently not performed unless a
SSL or SSL_CTX structure is associated with cctx.
-cert
Attempts to use the file value as the certificate for
the appropriate context. It currently uses
SSL_CTX_use_certificate_chain_file() if an SSL_CTX
structure is set or SSL_use_certificate_file() with
filetype PEM if an SSL structure is set. This option is
only supported if certificate operations are permitted.
-key
Attempts to use the file value as the private key for
the appropriate context. This option is only supported
if certificate operations are permitted. Note: if no
-key option is set then a private key is not loaded: it
does not currently use the -cert file.
-dhparam
1.0.2t Last change: 2019-09-10 2
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
Attempts to use the file value as the set of temporary
DH parameters for the appropriate context. This option
is only supported if certificate operations are
permitted.
-no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2
Disables protocol support for SSLv2, SSLv3, TLSv1.0,
TLSv1.1 or TLSv1.2 by setting the corresponding options
SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 respectively.
-bugs
Various bug workarounds are set, same as setting
SSL_OP_ALL.
-no_comp
Disables support for SSL/TLS compression, same as
setting SSL_OP_NO_COMPRESS.
-no_ticket
Disables support for session tickets, same as setting
SSL_OP_NO_TICKET.
-serverpref
Use server and not client preference order when
determining which cipher suite, signature algorithm or
elliptic curve to use for an incoming connection.
Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used
by servers.
-no_resumption_on_reneg
set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
Only used by servers.
-legacyrenegotiation
permits the use of unsafe legacy renegotiation.
Equivalent to setting
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
-legacy_server_connect, -no_legacy_server_connect
permits or prohibits the use of unsafe legacy
renegotiation for OpenSSL clients only. Equivalent to
setting or clearing SSL_OP_LEGACY_SERVER_CONNECT. Set
by default.
-strict
enables strict mode protocol handling. Equivalent to
setting SSL_CERT_FLAG_TLS_STRICT.
-debug_broken_protocol
disables various checks and permits several kinds of
broken protocol behaviour for testing purposes: it
1.0.2t Last change: 2019-09-10 3
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
should NEVER be used in anything other than a test
environment. Only supported if OpenSSL is configured
with -DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
SUPPORTED CONFIGURATION FILE COMMANDS
Currently supported cmd names for configuration files (i.e.
when the flag SSL_CONF_FLAG_FILE is set) are listed below.
All configuration file cmd names and are case insensitive so
signaturealgorithms is recognised as well as
SignatureAlgorithms. Unless otherwise stated the value names
are also case insensitive.
Note: the command prefix (if set) alters the recognised cmd
values.
CipherString
Sets the cipher suite list to value. Note: syntax
checking of value is currently not performed unless an
SSL or SSL_CTX structure is associated with cctx.
Certificate
Attempts to use the file value as the certificate for
the appropriate context. It currently uses
SSL_CTX_use_certificate_chain_file() if an SSL_CTX
structure is set or SSL_use_certificate_file() with
filetype PEM if an SSL structure is set. This option is
only supported if certificate operations are permitted.
PrivateKey
Attempts to use the file value as the private key for
the appropriate context. This option is only supported
if certificate operations are permitted. Note: if no
-key option is set then a private key is not loaded: it
does not currently use the Certificate file.
ServerInfoFile
Attempts to use the file value in the "serverinfo"
extension using the function
SSL_CTX_use_serverinfo_file.
DHParameters
Attempts to use the file value as the set of temporary
DH parameters for the appropriate context. This option
is only supported if certificate operations are
permitted.
SignatureAlgorithms
This sets the supported signature algorithms for TLS
v1.2. For clients this value is used directly for the
supported signature algorithms extension. For servers it
is used to determine which signature algorithms to
support.
1.0.2t Last change: 2019-09-10 4
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
The value argument should be a colon separated list of
signature algorithms in order of decreasing preference
of the form algorithm+hash. algorithm is one of RSA, DSA
or ECDSA and hash is a supported algorithm OID short
name such as SHA1, SHA224, SHA256, SHA384 of SHA512.
Note: algorithm and hash names are case sensitive.
If this option is not set then all signature algorithms
supported by the OpenSSL library are permissible.
ClientSignatureAlgorithms
This sets the supported signature algorithms associated
with client authentication for TLS v1.2. For servers the
value is used in the supported signature algorithms
field of a certificate request. For clients it is used
to determine which signature algorithm to with the
client certificate.
The syntax of value is identical to SignatureAlgorithms.
If not set then the value set for SignatureAlgorithms
will be used instead.
Curves
This sets the supported elliptic curves. For clients the
curves are sent using the supported curves extension.
For servers it is used to determine which curve to use.
This setting affects curves used for both signatures and
key exchange, if applicable.
The value argument is a colon separated list of curves.
The curve can be either the NIST name (e.g. P-256) or an
OpenSSL OID name (e.g prime256v1). Curve names are case
sensitive.
ECDHParameters
This sets the temporary curve used for ephemeral ECDH
modes. Only used by servers
The value argument is a curve name or the special value
Automatic which picks an appropriate curve based on
client and server preferences. The curve can be either
the NIST name (e.g. P-256) or an OpenSSL OID name (e.g
prime256v1). Curve names are case sensitive.
Protocol
The supported versions of the SSL or TLS protocol.
The value argument is a comma separated list of
supported protocols to enable or disable. If an protocol
is preceded by - that version is disabled. Currently
supported protocol values are SSLv2, SSLv3, TLSv1,
TLSv1.1 and TLSv1.2. All protocol versions other than
1.0.2t Last change: 2019-09-10 5
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
SSLv2 are enabled by default. To avoid inadvertent
enabling of SSLv2, when SSLv2 is disabled, it is not
possible to enable it via the Protocol command.
Options
The value argument is a comma separated list of various
flags to set. If a flag string is preceded - it is
disabled. See the SSL_CTX_set_options function for more
details of individual options.
Each option is listed below. Where an operation is
enabled by default the -flag syntax is needed to disable
it.
SessionTicket: session ticket support, enabled by
default. Inverse of SSL_OP_NO_TICKET: that is
-SessionTicket is the same as setting SSL_OP_NO_TICKET.
Compression: SSL/TLS compression support, enabled by
default. Inverse of SSL_OP_NO_COMPRESSION.
EmptyFragments: use empty fragments as a countermeasure
against a SSL 3.0/TLS 1.0 protocol vulnerability
affecting CBC ciphers. It is set by default. Inverse of
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
Bugs: enable various bug workarounds. Same as
SSL_OP_ALL.
DHSingle: enable single use DH keys, set by default.
Inverse of SSL_OP_DH_SINGLE. Only used by servers.
ECDHSingle enable single use ECDH keys, set by default.
Inverse of SSL_OP_ECDH_SINGLE. Only used by servers.
ServerPreference use server and not client preference
order when determining which cipher suite, signature
algorithm or elliptic curve to use for an incoming
connection. Equivalent to
SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
NoResumptionOnRenegotiation set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only
used by servers.
UnsafeLegacyRenegotiation permits the use of unsafe
legacy renegotiation. Equivalent to
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.
UnsafeLegacyServerConnect permits the use of unsafe
legacy renegotiation for OpenSSL clients only.
Equivalent to SSL_OP_LEGACY_SERVER_CONNECT. Set by
1.0.2t Last change: 2019-09-10 6
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
default.
SUPPORTED COMMAND TYPES
The function SSL_CONF_cmd_value_type() currently returns one
of the following types:
SSL_CONF_TYPE_UNKNOWN
The cmd string is unrecognised, this return value can be
use to flag syntax errors.
SSL_CONF_TYPE_STRING
The value is a string without any specific structure.
SSL_CONF_TYPE_FILE
The value is a file name.
SSL_CONF_TYPE_DIR
The value is a directory name.
NOTES
The order of operations is significant. This can be used to
set either defaults or values which cannot be overridden.
For example if an application calls:
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSL_CONF_cmd(ctx, userparam, uservalue);
it will disable SSLv3 support by default but the user can
override it. If however the call sequence is:
SSL_CONF_cmd(ctx, userparam, uservalue);
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
then SSLv3 is always disabled and attempt to override this
by the user are ignored.
By checking the return code of SSL_CTX_cmd() it is possible
to query if a given cmd is recognised, this is useful is
SSL_CTX_cmd() values are mixed with additional application
specific operations.
For example an application might call SSL_CTX_cmd() and if
it returns -2 (unrecognised command) continue with
processing of application specific commands.
Applications can also use SSL_CTX_cmd() to process command
lines though the utility function SSL_CTX_cmd_argv() is
normally used instead. One way to do this is to set the
prefix to an appropriate value using
SSL_CONF_CTX_set1_prefix(), pass the current argument to cmd
and the following argument to value (which may be NULL).
1.0.2t Last change: 2019-09-10 7
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
In this case if the return value is positive then it is used
to skip that number of arguments as they have been processed
by SSL_CTX_cmd(). If -2 is returned then cmd is not
recognised and application specific arguments can be checked
instead. If -3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error
occurred and this can be reported back to the user.
The function SSL_CONF_cmd_value_type() can be used by
applications to check for the existence of a command or to
perform additional syntax checking or translation of the
command value. For example if the return value is
SSL_CONF_TYPE_FILE an application could translate a relative
pathname to an absolute pathname.
EXAMPLES
Set supported signature algorithms:
SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
Enable all protocols except SSLv3 and SSLv2:
SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2");
Only enable TLSv1.2:
SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
Disable TLS session tickets:
SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
Set supported curves to P-256, P-384:
SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
Set automatic support for any elliptic curve for key
exchange:
SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic");
RETURN VALUES
SSL_CONF_cmd() returns 1 if the value of cmd is recognised
and value is NOT used and 2 if both cmd and value are used.
In other words it returns the number of arguments processed.
This is useful when processing command lines.
A return value of -2 means cmd is not recognised.
A return value of -3 means cmd is recognised and the command
requires a value but value is NULL.
1.0.2t Last change: 2019-09-10 8
SSL_CONF_cmd(3) OpenSSL SSL_CONF_cmd(3)
A return code of 0 indicates that both cmd and value are
valid but an error occurred attempting to perform the
operation: for example due to an error in the syntax of
value in this case the error queue may provide additional
information.
SSL_CONF_finish() returns 1 for success and 0 for failure.
SEE ALSO
SSL_CONF_CTX_new(3), SSL_CONF_CTX_set_flags(3),
SSL_CONF_CTX_set1_prefix(3), SSL_CONF_CTX_set_ssl_ctx(3),
SSL_CONF_cmd_argv(3)
HISTORY
SSL_CONF_cmd() was first added to OpenSSL 1.0.2
1.0.2t Last change: 2019-09-10 9
Man(1) output converted with
man2html