| author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:26:41 -0500 |
|---|---|---|
| committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 15:20:57 -0500 |
| commit | ee914bf036b78dcbde9bf694794c15482d721028 | |
| tree | 13793fdc02dbf47bd4dd5e93861bccac71d58887 /openssl/doc/ssl | |
| parent | faa5026e540d03f858265b2796054d685f687383 | |
Update openssl to version openssl-1.0.1k
Conflicts:
openssl/Makefile
Diffstat (limited to 'openssl/doc/ssl')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | openssl/doc/ssl/SSL_CTX_set_mode.pod | 10 |
| -rw-r--r-- | openssl/doc/ssl/SSL_CTX_set_options.pod | 10 |
| -rw-r--r-- | openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 |

3 files changed, 19 insertions, 24 deletions
diff --git a/openssl/doc/ssl/SSL_CTX_set_mode.pod b/openssl/doc/ssl/SSL_CTX_set_mode.pod index 8cb669dae..2a5aaa555 100644 --- a/openssl/doc/ssl/SSL_CTX_set_mode.pod +++ b/openssl/doc/ssl/SSL_CTX_set_mode.pod @@ -71,6 +71,16 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can save around 34k per idle SSL connection. This flag has no effect on SSL v2 connections, or on DTLS connections. +=item SSL_MODE_SEND_FALLBACK_SCSV + +Send TLS_FALLBACK_SCSV in the ClientHello. +To be set only by applications that reconnect with a downgraded protocol +version; see draft-ietf-tls-downgrade-scsv-00 for details. + +DO NOT ENABLE THIS if your application attempts a normal handshake. +Only use this in explicit fallback retries, following the guidance +in draft-ietf-tls-downgrade-scsv-00. + =back =head1 RETURN VALUES diff --git a/openssl/doc/ssl/SSL_CTX_set_options.pod b/openssl/doc/ssl/SSL_CTX_set_options.pod index 6e6b5e6d8..e80a72cd4 100644 --- a/openssl/doc/ssl/SSL_CTX_set_options.pod +++ b/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used. =item SSL_OP_EPHEMERAL_RSA -Always use ephemeral (temporary) RSA key when doing RSA operations -(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). -According to the specifications this is only done, when a RSA key -can only be used for signature operations (namely under export ciphers -with restricted RSA keylength). By setting this option, ephemeral -RSA keys are always used. This option breaks compatibility with the -SSL/TLS specifications and may lead to interoperability problems with -clients and should therefore never be used. Ciphers with EDH (ephemeral -Diffie-Hellman) key exchange should be used instead. +This option is no longer implemented and is treated as no op. =item SSL_OP_CIPHER_SERVER_PREFERENCE 
diff --git a/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod index 534643cd9..8794eb7ac 100644 --- a/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +++ b/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead in order to achieve forward secrecy (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). -On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default -and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of -L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL -standard. When ephemeral RSA key exchange is required for export ciphers, -it will automatically be used without this option! - -An application may either directly specify the key or can supply the key via -a callback function. The callback approach has the advantage, that the -callback may generate the key only in case it is actually needed. As the -generation of a RSA key is however costly, it will lead to a significant -delay in the handshake procedure. Another advantage of the callback function -is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA -usage) while the explicit setting of the key is only useful for key size of -512 bits to satisfy the export restricted ciphers and does give away key length -if a longer key would be allowed. +An application may either directly specify the key or can supply the key via a +callback function. The callback approach has the advantage, that the callback +may generate the key only in case it is actually needed. As the generation of a +RSA key is however costly, it will lead to a significant delay in the handshake +procedure. Another advantage of the callback function is that it can supply +keys of different size while the explicit setting of the key is only useful for +key size of 512 bits to satisfy the export restricted ciphers and does give +away key length if a longer key would be allowed. The B<tmp_rsa_callback> is called with the B<keylength> needed and the B<is_export> information. The B<is_export> flag is set, when the |
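Review bot: In the SSL_CTX_set_mode.pod hunk, the new SSL_MODE_SEND_FALLBACK_SCSV entry gives the rule ("DO NOT ENABLE THIS if your application attempts a normal handshake") but not the consequence, so a reader cannot tell what goes wrong if the flag is left set. Since a mode set on an SSL_CTX applies to every connection created from it, the text should say to set this flag only on the individual retry connection, and add one sentence on the failure mode: a server that supports a higher protocol version than the one offered alongside TLS_FALLBACK_SCSV will refuse the handshake, which is exactly what the signal is for. The two paragraphs also cite draft-ietf-tls-downgrade-scsv-00 twice; one reference is enough.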
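Review bot: In the SSL_CTX_set_options.pod hunk, the replacement line "+This option is no longer implemented and is treated as no op." drops the guidance the removed text carried, namely that EDH (ephemeral Diffie-Hellman) key exchange is what to use for forward secrecy, and the cross-reference to SSL_CTX_set_tmp_rsa_callback(3). An application that still sets SSL_OP_EPHEMERAL_RSA now silently gets nothing, so the entry should say since which release the option is ignored and point to the ephemeral DH/ECDH alternative. Minor: "treated as no op" should read "treated as a no-op".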
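Review bot: In the SSL_CTX_set_tmp_rsa_callback.pod hunk, removing the first paragraph also removes the only statement that ephemeral RSA key exchange is still used automatically when an export cipher requires it; that fact remains true after SSL_OP_EPHEMERAL_RSA became a no-op and should be kept as a sentence of its own, for example "When ephemeral RSA key exchange is required for export ciphers, it will automatically be used." Two smaller points: the second paragraph is rewrapped without a content change beyond dropping the parenthetical about SSL_OP_EPHEMERAL_RSA, which inflates the diff and hides the one real edit, so reflow should go in a separate commit; and with that parenthetical gone, "it can supply keys of different size" no longer names any use case, since the only remaining need is the 512-bit key for export ciphers mentioned in the same sentence.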