From 457751fb48d8f6c31f32cdc1bcfcc376db98bacb Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 15 Jun 2020 12:11:46 +0100 Subject: [PATCH] Update the SSL_dup documentation to match reality Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12180) --- doc/man3/SSL_new.pod | 74 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 64 insertions(+), 10 deletions(-) diff --git a/doc/man3/SSL_new.pod b/doc/man3/SSL_new.pod index 6dfe021ec7..4d963d10d8 100644 --- a/doc/man3/SSL_new.pod +++ b/doc/man3/SSL_new.pod @@ -26,16 +26,9 @@ structure are freed. SSL_up_ref() increments the reference count for an existing B structure. -SSL_dup() duplicates an existing B structure into a new allocated one -or just increments the reference count if the connection is active. All -settings are inherited from the original B structure. Dynamic data (i.e. -existing connection details) are not copied, the new B is set into an -initial accept (server) or connect (client) state. - -SSL_dup() allows applications to configure an SSL handle for use in multiple -SSL connections, and then duplicate it prior to initiating each connection -with the duplicated handle. Use of SSL_dup() avoids the need to repeat -the configuration of the handles for each connection. +The function SSL_dup() creates and returns a new B structure from the same +B that was used to create I. It additionally duplicates a subset of +the settings in I into the new B object. For SSL_dup() to work, the connection MUST be in its initial state and MUST NOT have not yet have started the SSL handshake. For connections @@ -45,6 +38,67 @@ use L to recycle an SSL handle that is not in its initial state for re-use, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. +The subset of settings in I that are duplicated are: + +=over 4 + +=item any session data if configured (including the session_id_context) + +=item any tmp_dh settings set via L, +L, or L + +=item any configured certificates, private keys or certificate chains + +=item any configured signature algorithms, or client signature algorithms + +=item any DANE settings + +=item any Options set via L + +=item any Mode set via L + +=item any minimum or maximum protocol settings set via +L or L (Note: Only +from OpenSSL 1.1.1h and above) + +=item any Verify mode, callback or depth set via L or +L or any configured X509 verification parameters + +=item any msg callback or info callback set via L or +L + +=item any default password callback set via L + +=item any session id generation callback set via L + +=item any configured Cipher List + +=item any BIOs configured on I will have new BIO's created and the BIO state +duplicated via BIO_dup_state(). + +=item initial accept (server) or connect (client) state + +=item the max cert list value set via L + +=item the read_ahead value set via L + +=item application specific data set via L + +=item any CA list or client CA list set via L, +SSL_set0_client_CA_list() or similar functions + +=item any security level settings or callbacks + +=item any configured serverinfo data + +=item any configured PSK identity hint + +=item any configured custom extensions + +=item any client certificate types configured via SSL_set1_client_certificate_types + +=back + =head1 RETURN VALUES The following return values can occur: -- 2.25.1