summaryrefslogtreecommitdiff
path: root/lib/libssl/man
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@cvs.openbsd.org>2018-02-27 17:17:01 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2018-02-27 17:17:01 +0000
commitb3a3e5074d03f52781876d04cbe7d63367484980 (patch)
tree91e163bad9f7cdfbba590b43cfa0c81e8e3558fa /lib/libssl/man
parentba6c2f71d5b6cff1cb903ff30dfad205a615acc1 (diff)
sort option list alphabetically in preparation for adding missing options;
no text change
Diffstat (limited to 'lib/libssl/man')
-rw-r--r--lib/libssl/man/SSL_CTX_set_options.356
1 files changed, 28 insertions, 28 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_options.3 b/lib/libssl/man/SSL_CTX_set_options.3
index f7445ad7c4a..453ffdcdf3e 100644
--- a/lib/libssl/man/SSL_CTX_set_options.3
+++ b/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2018/02/27 17:08:20 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.6 2018/02/27 17:17:00 schwarze Exp $
.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
.\"
@@ -169,22 +169,28 @@ The following
.Em modifying
options are available:
.Bl -tag -width Ds
-.It Dv SSL_OP_TLS_ROLLBACK_BUG
-Disable version rollback attack detection.
-.Pp
-During the client key exchange, the client must send the same information
-about acceptable SSL/TLS protocol levels as during the first hello.
-Some clients violate this rule by adapting to the server's answer.
-(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1,
-the server only understands up to SSLv3.
-In this case the client must still use the same SSLv3.1=TLSv1 announcement.
-Some clients step down to SSLv3 with respect to the server's answer and violate
-the version rollback protection.)
.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
When choosing a cipher, use the server's preferences instead of the client
preferences.
When not set, the server will always follow the client's preferences.
When set, the server will choose following its own preferences.
+.It Dv SSL_OP_LEGACY_SERVER_CONNECT
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+.Em only :
+this option is currently set by default.
+See the
+.Sx SECURE RENEGOTIATION
+section for more details.
+.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+When performing renegotiation as a server, always start a new session (i.e.,
+session resumption requests are only accepted in the initial handshake).
+This option is not needed for clients.
+.It Dv SSL_OP_NO_TICKET
+Normally clients and servers will, where possible, transparently make use of
+RFC4507bis tickets for stateless session resumption.
+.Pp
+If this option is set this functionality is disabled and tickets will not be
+used by clients or servers.
.It Dv SSL_OP_NO_TLSv1
Do not use the TLSv1.0 protocol.
Deprecated; use
@@ -197,23 +203,17 @@ Do not use the TLSv1.2 protocol.
Deprecated; use
.Xr SSL_CTX_set_max_proto_version 3
instead.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers will, where possible, transparently make use of
-RFC4507bis tickets for stateless session resumption.
+.It Dv SSL_OP_TLS_ROLLBACK_BUG
+Disable version rollback attack detection.
.Pp
-If this option is set this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
+During the client key exchange, the client must send the same information
+about acceptable SSL/TLS protocol levels as during the first hello.
+Some clients violate this rule by adapting to the server's answer.
+(Example: the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1,
+the server only understands up to SSLv3.
+In this case the client must still use the same SSLv3.1=TLSv1 announcement.
+Some clients step down to SSLv3 with respect to the server's answer and violate
+the version rollback protection.)
.El
.Pp
The following options used to be supported at some point in the past