From d0bbaa08d1670a014759055bfdfdf78d5b608943 Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Wed, 13 Jul 2016 16:30:49 +0000 Subject: Split the existing TLS cipher suite groups into four: "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@ --- lib/libtls/tls_init.3 | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'lib/libtls/tls_init.3') diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index cd1f00af237..b4c6a7cc3a5 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.61 2016/05/27 11:25:57 sthen Exp $ +.\" $OpenBSD: tls_init.3,v 1.62 2016/07/13 16:30:48 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 27 2016 $ +.Dd $Mdocdate: July 13 2016 $ .Dt TLS_INIT 3 .Os .Sh NAME @@ -322,13 +322,18 @@ sets the list of ciphers that may be used. Lists of ciphers are specified by name, and the permitted names are: .Pp -.Bl -tag -width "default" -offset indent -compact -.It Dv "secure" -.It Dv "default" (an alias for secure) +.Bl -tag -width "insecure" -offset indent -compact +.It Dv "secure" (or alias "default") +.It Dv "compat" .It Dv "legacy" -.It Dv "compat" (an alias for legacy) +.It Dv "insecure" (or alias "all") .El .Pp +Alternatively, libssl cipher strings can be specified. +See the CIPHERS section of +.Xr openssl 1 +for further information. +.Pp .Em (Client and server) .It .Fn tls_config_set_key_file -- cgit v1.2.3
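Review bot: in the third hunk (the cipher-name list at @@ -322,13 +322,18 @@), the page still lists only the four names and their aliases without stating what each group permits, and the meaning of "compat" changes silently: the removed line `.It Dv "compat" (an alias for legacy)` made it equivalent to HIGH:MEDIUM:!aNULL (per the commit message), while the added `.It Dv "compat"` now denotes the stricter HIGH:!aNULL group, so an existing configuration that selects "compat" negotiates a different cipher set after this change. Suggest giving each group's definition from the commit message next to its name, e.g. after `.It Dv "secure" (or alias "default")` add a line such as `TLSv1.2 with AEAD ciphers and forward secrecy`, with `HIGH:!aNULL` for "compat", `HIGH:MEDIUM:!aNULL` for "legacy" and `ALL:!aNULL:!eNULL` for "insecure", so a reader can tell that "insecure" admits every suite except unauthenticated or unencrypted ones without consulting openssl(1), and consider a sentence noting that "compat" no longer aliases "legacy". The `.Xr openssl 1` cross reference and the widened `-width "insecure"` (now the longest entry) look right.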