From: Rich Salz Date: Thu, 3 Jul 2014 18:31:04 +0000 (-0400) Subject: Fix errors with last cherry-pick; SSL_CONF_* and s_client X-Git-Tag: OpenSSL_0_9_8zb~37 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c9e6fffa53aaf73600dafb1f6fb321ad86734522;p=oweals%2Fopenssl.git Fix errors with last cherry-pick; SSL_CONF_* and s_client -verify_return_error aren't in this release. --- diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 27764486d8..2e52876eea 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -10,7 +10,6 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] [B<-verify depth>] -[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -127,11 +126,6 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. -=item B<-verify_return_error> - -Return verification errors instead of continuing. This will typically -abort the handshake with a fatal error. - =item B<-CApath directory> The directory to use for server certificate verification. This directory @@ -375,8 +369,7 @@ The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test applications should B do this as it makes them vulnerable to a MITM -attack. This behaviour can be changed by with the B<-verify_return_error> -option: any verify errors are then returned aborting the handshake. +attack. =head1 BUGS diff --git a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod deleted file mode 100644 index 4fc8f06d9e..0000000000 --- a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod +++ /dev/null @@ -1,47 +0,0 @@ -=pod - -=head1 NAME - -SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl - set context to configure - -=head1 SYNOPSIS - - #include - - void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx); - void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl); - -=head1 DESCRIPTION - -SSL_CONF_CTX_set_ssl_ctx() sets the context associated with B to the -B structure B. Any previos B or B associated with -B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to -B. - -SSL_CONF_CTX_set_ssl() sets the context associated with B to the -B structure B. Any previos B or B associated with -B is cleared. Subsequent calls to SSL_CONF_cmd() will be sent to -B. - -=head1 NOTES - -The context need not be set or it can be set to B in which case only -syntax checking of commands is performed, where possible. - -=head1 RETURN VALUES - -SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value. - -=head1 SEE ALSO - -L, -L, -L, -L, -L - -=head1 HISTORY - -These functions were first added to OpenSSL 1.0.2 - -=cut diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod deleted file mode 100644 index 2a4019c871..0000000000 --- a/doc/ssl/SSL_CONF_cmd.pod +++ /dev/null @@ -1,438 +0,0 @@ -=pod - -=head1 NAME - -SSL_CONF_cmd - send configuration command - -=head1 SYNOPSIS - - #include - - int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); - int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); - int SSL_CONF_finish(SSL_CONF_CTX *cctx); - -=head1 DESCRIPTION - -The function SSL_CONF_cmd() performs configuration operation B with -optional parameter B on B. Its purpose is to simplify application -configuration of B or B structures by providing a common -framework for command line options or configuration files. - -SSL_CONF_cmd_value_type() returns the type of value that B refers to. - -The function SSL_CONF_finish() must be called after all configuration -operations have been completed. It is used to finalise any operations -or to process defaults. - -=head1 SUPPORTED COMMAND LINE COMMANDS - -Currently supported B names for command lines (i.e. when the -flag B is set) are listed below. Note: all B names -are case sensitive. Unless otherwise stated commands can be used by -both clients and servers and the B parameter is not used. The default -prefix for command line commands is B<-> and that is reflected below. - -=over 4 - -=item B<-sigalgs> - -This sets the supported signature algorithms for TLS v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. - -The B argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form B. B -is one of B, B or B and B is a supported algorithm -OID short name such as B, B, B, B of B. -Note: algorithm and hash names are case sensitive. - -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. - -=item B<-client_sigalgs> - -This sets the supported signature algorithms associated with client -authentication for TLS v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. -If a server does not request a certificate this option has no effect. - -The syntax of B is identical to B<-sigalgs>. If not set then -the value set for B<-sigalgs> will be used instead. - -=item B<-curves> - -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. - -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. - -=item B<-named_curve> - -This sets the temporary curve used for ephemeral ECDH modes. Only used by -servers - -The B argument is a curve name or the special value B which -picks an appropriate curve based on client and server preferences. The curve -can be either the B name (e.g. B) or an OpenSSL OID name -(e.g B). Curve names are case sensitive. - -=item B<-cipher> - -Sets the cipher suite list to B. Note: syntax checking of B is -currently not performed unless a B or B structure is -associated with B. - -=item B<-cert> - -Attempts to use the file B as the certificate for the appropriate -context. It currently uses SSL_CTX_use_cerificate_chain_file if an B -structure is set or SSL_use_certifcate_file with filetype PEM if an B -structure is set. This option is only supported if certificate operations -are permitted. - -=item B<-key> - -Attempts to use the file B as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B<-cert> file. - -=item B<-dhparam> - -Attempts to use the file B as the set of temporary DH parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. - -=item B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - -Disables protocol support for SSLv2, SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 -by setting the corresponding options B, B, -B, B and B respectively. - -=item B<-bugs> - -Various bug workarounds are set, same as setting B. - -=item B<-no_comp> - -Disables support for SSL/TLS compression, same as setting B. - -=item B<-no_ticket> - -Disables support for session tickets, same as setting B. - -=item B<-serverpref> - -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to B. Only used by servers. - -=item B<-no_resumption_on_reneg> - -set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers. - -=item B<-legacyrenegotiation> - -permits the use of unsafe legacy renegotiation. Equivalent to setting -B. - -=item B<-legacy_server_connect>, B<-no_legacy_server_connect> - -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing B. -Set by default. - -=item B<-strict> - -enables strict mode protocol handling. Equivalent to setting -B. - -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. - -=back - -=head1 SUPPORTED CONFIGURATION FILE COMMANDS - -Currently supported B names for configuration files (i.e. when the -flag B is set) are listed below. All configuration file -B names are case insensitive so B is recognised -as well as B. Unless otherwise stated the B names -are also case insensitive. - -Note: the command prefix (if set) alters the recognised B values. - -=over 4 - -=item B - -Sets the cipher suite list to B. Note: syntax checking of B is -currently not performed unless an B or B structure is -associated with B. - -=item B - -Attempts to use the file B as the certificate for the appropriate -context. It currently uses SSL_CTX_use_cerificate_chain_file if an B -structure is set or SSL_use_certifcate_file with filetype PEM if an B -structure is set. This option is only supported if certificate operations -are permitted. - -=item B - -Attempts to use the file B as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no B<-key> option is set then a private key is -not loaded: it does not currently use the B file. - -=item B - -Attempts to use the file B in the "serverinfo" extension using the -function SSL_CTX_use_serverinfo_file. - -=item B - -Attempts to use the file B as the set of temporary DH parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. - -=item B - -This sets the supported signature algorithms for TLS v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. - -The B argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form B. B -is one of B, B or B and B is a supported algorithm -OID short name such as B, B, B, B of B. -Note: algorithm and hash names are case sensitive. - -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. - -=item B - -This sets the supported signature algorithms associated with client -authentication for TLS v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. - -The syntax of B is identical to B. If not set then -the value set for B will be used instead. - -=item B - -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. - -The B argument is a colon separated list of curves. The curve can be -either the B name (e.g. B) or an OpenSSL OID name (e.g -B). Curve names are case sensitive. - -=item B - -This sets the temporary curve used for ephemeral ECDH modes. Only used by -servers - -The B argument is a curve name or the special value B which -picks an appropriate curve based on client and server preferences. The curve -can be either the B name (e.g. B) or an OpenSSL OID name -(e.g B). Curve names are case sensitive. - -=item B - -The supported versions of the SSL or TLS protocol. - -The B argument is a comma separated list of supported protocols to -enable or disable. If an protocol is preceded by B<-> that version is disabled. -All versions are enabled by default, though applications may choose to -explicitly disable some. Currently supported protocol values are B, -B, B, B and B. The special value B refers -to all supported versions. - -=item B - -The B argument is a comma separated list of various flags to set. -If a flag string is preceded B<-> it is disabled. See the -B function for more details of individual options. - -Each option is listed below. Where an operation is enabled by default -the B<-flag> syntax is needed to disable it. - -B: session ticket support, enabled by default. Inverse of -B: that is B<-SessionTicket> is the same as setting -B. - -B: SSL/TLS compression support, enabled by default. Inverse -of B. - -B: use empty fragments as a countermeasure against a -SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It -is set by default. Inverse of B. - -B: enable various bug workarounds. Same as B. - -B: enable single use DH keys, set by default. Inverse of -B. Only used by servers. - -B enable single use ECDH keys, set by default. Inverse of -B. Only used by servers. - -B use server and not client preference order when -determining which cipher suite, signature algorithm or elliptic curve -to use for an incoming connection. Equivalent to -B. Only used by servers. - -B set -B flag. Only used by servers. - -B permits the use of unsafe legacy renegotiation. -Equivalent to B. - -B permits the use of unsafe legacy renegotiation -for OpenSSL clients only. Equivalent to B. -Set by default. - -=back - -=head1 SUPPORTED COMMAND TYPES - -The function SSL_CONF_cmd_value_type() currently returns one of the following -types: - -=over 4 - -=item B - -The B string is unrecognised, this return value can be use to flag -syntax errors. - -=item B - -The value is a string without any specific structure. - -=item B - -The value is a file name. - -=item B - -The value is a directory name. - -=back - -=head1 NOTES - -The order of operations is significant. This can be used to set either defaults -or values which cannot be overridden. For example if an application calls: - - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); - SSL_CONF_cmd(ctx, userparam, uservalue); - -it will disable SSLv2 support by default but the user can override it. If -however the call sequence is: - - SSL_CONF_cmd(ctx, userparam, uservalue); - SSL_CONF_cmd(ctx, "Protocol", "-SSLv2"); - -SSLv2 is B disabled and attempt to override this by the user are -ignored. - -By checking the return code of SSL_CTX_cmd() it is possible to query if a -given B is recognised, this is useful is SSL_CTX_cmd() values are -mixed with additional application specific operations. - -For example an application might call SSL_CTX_cmd() and if it returns --2 (unrecognised command) continue with processing of application specific -commands. - -Applications can also use SSL_CTX_cmd() to process command lines though the -utility function SSL_CTX_cmd_argv() is normally used instead. One way -to do this is to set the prefix to an appropriate value using -SSL_CONF_CTX_set1_prefix(), pass the current argument to B and the -following argument to B (which may be NULL). - -In this case if the return value is positive then it is used to skip that -number of arguments as they have been processed by SSL_CTX_cmd(). If -2 is -returned then B is not recognised and application specific arguments -can be checked instead. If -3 is returned a required argument is missing -and an error is indicated. If 0 is returned some other error occurred and -this can be reported back to the user. - -The function SSL_CONF_cmd_value_type() can be used by applications to -check for the existence of a command or to perform additional syntax -checking or translation of the command value. For example if the return -value is B an application could translate a relative -pathname to an absolute pathname. - -=head1 EXAMPLES - -Set supported signature algorithms: - - SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); - -Enable all protocols except SSLv3 and SSLv2: - - SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3,-SSLv2"); - -Only enable TLSv1.2: - - SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2"); - -Disable TLS session tickets: - - SSL_CONF_cmd(ctx, "Options", "-SessionTicket"); - -Set supported curves to P-256, P-384: - - SSL_CONF_cmd(ctx, "Curves", "P-256:P-384"); - -Set automatic support for any elliptic curve for key exchange: - - SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); - -=head1 RETURN VALUES - -SSL_CONF_cmd() returns 1 if the value of B is recognised and B is -B used and 2 if both B and B are used. In other words it -returns the number of arguments processed. This is useful when processing -command lines. - -A return value of -2 means B is not recognised. - -A return value of -3 means B is recognised and the command requires a -value but B is NULL. - -A return code of 0 indicates that both B and B are valid but an -error occurred attempting to perform the operation: for example due to an -error in the syntax of B in this case the error queue may provide -additional information. - -SSL_CONF_finish() returns 1 for success and 0 for failure. - -=head1 SEE ALSO - -L, -L, -L, -L, -L - -=head1 HISTORY - -SSL_CONF_cmd() was first added to OpenSSL 1.0.2 - -=cut diff --git a/doc/ssl/SSL_CONF_cmd_argv.pod b/doc/ssl/SSL_CONF_cmd_argv.pod deleted file mode 100644 index 246eaa5bd3..0000000000 --- a/doc/ssl/SSL_CONF_cmd_argv.pod +++ /dev/null @@ -1,42 +0,0 @@ -=pod - -=head1 NAME - -SSL_CONF_cmd_argv - SSL configuration command line processing. - -=head1 SYNOPSIS - - #include - - int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv); - -=head1 DESCRIPTION - -The function SSL_CONF_cmd_argv() processes at most two command line -arguments from B and B. The values of B and B -are updated to reflect the number of command options procesed. The B -argument can be set to B is it is not used. - -=head1 RETURN VALUES - -SSL_CONF_cmd_argv() returns the number of command arguments processed: 0, 1, 2 -or a negative error code. - -If -2 is returned then an argument for a command is missing. - -If -1 is returned the command is recognised but couldn't be processed due -to an error: for example a syntax error in the argument. - -=head1 SEE ALSO - -L, -L, -L, -L, -L - -=head1 HISTORY - -These functions were first added to OpenSSL 1.0.2 - -=cut