Update the documentation for the new SSL_OP_ALLOW_NO_DHE_KEX option

author Matt Caswell <matt@openssl.org>

Mon, 3 Jul 2017 14:59:30 +0000 (15:59 +0100)

committer Matt Caswell <matt@openssl.org>

Fri, 7 Jul 2017 15:08:05 +0000 (16:08 +0100)
author Matt Caswell <matt@openssl.org>
Mon, 3 Jul 2017 14:59:30 +0000 (15:59 +0100)
committer Matt Caswell <matt@openssl.org>
Fri, 7 Jul 2017 15:08:05 +0000 (16:08 +0100)
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod

index 94356daffb7d95cddf3f0e0d9afec7e55f836333..c262d4a4963e1ce204f9ffceca07e4003f78b6ae 100644 (file)
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -93,6 +93,7 @@ B<openssl> B<s_client>
  [B<-bugs>]
  [B<-comp>]
  [B<-no_comp>]
+[B<-allow_no_dhe_kex>]
  [B<-sigalgs sigalglist>]
  [B<-curves curvelist>]
  [B<-cipher cipherlist>]
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod

index 5f6054ac83d8d7779d3248387ca231537024051a..b1195fdae33623aefe70aaea137f02ac26f05f0b 100644 (file)
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -102,6 +102,7 @@ B<openssl> B<s_server>
  [B<-legacy_server_connect>]
  [B<-no_resumption_on_reneg>]
  [B<-no_legacy_server_connect>]
+[B<-allow_no_dhe_kex>]
  [B<-strict>]
  [B<-sigalgs val>]
  [B<-client_sigalgs val>]
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod

index 173386c1bd430fa3fac2984b3153107ea6e59f75..529acdc356c870f867a7cd1c6e657a60accce169 100644 (file)
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -186,6 +186,11 @@ permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
  clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
  Set by default.
  
+=item B<-allow_no_dhe_kex>
+
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
+
  =item B<-strict>
  
  enables strict mode protocol handling. Equivalent to setting
@@ -399,6 +404,10 @@ B<EncryptThenMac>: use encrypt-then-mac extension, enabled by
  default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,
  B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.
  
+B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
+resumption. This means that there will be no forward secrecy for the resumed
+session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>.
+
  =item B<VerifyMode>
  
  The B<value> argument is a comma separated list of flags to set.
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod

index 5155a1f6792019a7d4d6a12f6148d2fe5a9e87d6..bd7f111d4cf7187c4dc795326a19a921cb77a709 100644 (file)
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -175,6 +175,11 @@ propose, and servers will not accept the extension.
  Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
  messages, and ignore renegotiation requests via ClientHello.
  
+=item SSL_OP_ALLOW_NO_DHE_KEX
+
+In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
+that there will be no forward secrecy for the resumed session.
+
  =back
  
  The following options no longer have any effect but their identifiers are
author	Matt Caswell <matt@openssl.org>
	Mon, 3 Jul 2017 14:59:30 +0000 (15:59 +0100)
committer	Matt Caswell <matt@openssl.org>
	Fri, 7 Jul 2017 15:08:05 +0000 (16:08 +0100)
doc/man1/s_client.pod		patch \| blob \| history
doc/man1/s_server.pod		patch \| blob \| history
doc/man3/SSL_CONF_cmd.pod		patch \| blob \| history
doc/man3/SSL_CTX_set_options.pod		patch \| blob \| history