aboutsummaryrefslogtreecommitdiff
path: root/openssl/doc/ssl
diff options
context:
space:
mode:
authorMike DePaulo <mikedep333@gmail.com>2015-01-10 12:26:41 -0500
committerMike DePaulo <mikedep333@gmail.com>2015-01-10 15:20:57 -0500
commitee914bf036b78dcbde9bf694794c15482d721028 (patch)
tree13793fdc02dbf47bd4dd5e93861bccac71d58887 /openssl/doc/ssl
parentfaa5026e540d03f858265b2796054d685f687383 (diff)
downloadvcxsrv-ee914bf036b78dcbde9bf694794c15482d721028.tar.gz
vcxsrv-ee914bf036b78dcbde9bf694794c15482d721028.tar.bz2
vcxsrv-ee914bf036b78dcbde9bf694794c15482d721028.zip
Update openssl to version openssl-1.0.1k
Conflicts: openssl/Makefile
Diffstat (limited to 'openssl/doc/ssl')
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_mode.pod10
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_options.pod10
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod23
3 files changed, 19 insertions, 24 deletions
diff --git a/openssl/doc/ssl/SSL_CTX_set_mode.pod b/openssl/doc/ssl/SSL_CTX_set_mode.pod
index 8cb669dae..2a5aaa555 100644
--- a/openssl/doc/ssl/SSL_CTX_set_mode.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_mode.pod
@@ -71,6 +71,16 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can
save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS connections.
+=item SSL_MODE_SEND_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set only by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
=back
=head1 RETURN VALUES
diff --git a/openssl/doc/ssl/SSL_CTX_set_options.pod b/openssl/doc/ssl/SSL_CTX_set_options.pod
index 6e6b5e6d8..e80a72cd4 100644
--- a/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used.
=item SSL_OP_EPHEMERAL_RSA
-Always use ephemeral (temporary) RSA key when doing RSA operations
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
-According to the specifications this is only done, when a RSA key
-can only be used for signature operations (namely under export ciphers
-with restricted RSA keylength). By setting this option, ephemeral
-RSA keys are always used. This option breaks compatibility with the
-SSL/TLS specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with EDH (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
=item SSL_OP_CIPHER_SERVER_PREFERENCE
diff --git a/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
index 534643cd9..8794eb7ac 100644
--- a/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
in order to achieve forward secrecy (see
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
-standard. When ephemeral RSA key exchange is required for export ciphers,
-it will automatically be used without this option!
-
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a RSA key is however costly, it will lead to a significant
-delay in the handshake procedure. Another advantage of the callback function
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+RSA key is however costly, it will lead to a significant delay in the handshake
+procedure. Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
The B<tmp_rsa_callback> is called with the B<keylength> needed and
the B<is_export> information. The B<is_export> flag is set, when the