author | 2018-02-27 17:08:20 +0000 | |
---|---|---|
committer | 2018-02-27 17:08:20 +0000 | |
commit | a3f6f872168ab9c26b658821bbd108ac94a3dba2 (patch) | |
tree | d53ac12aabec286e18be849c8604030d19e4a552 /lib/libssl/man | |
parent | Move fsize initialization into get_fsize() to eliminate duplication. (diff) | |
Mention that SSL_OP_TLSEXT_PADDING no longer has any effect,
and correct the description of SSL_OP_ALL.
Found by inspecting <openssl/ssl.h>.
Diffstat (limited to 'lib/libssl/man')
-rw-r--r-- | lib/libssl/man/SSL_CTX_set_options.3 | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/lib/libssl/man/SSL_CTX_set_options.3 b/lib/libssl/man/SSL_CTX_set_options.3 index 98c1a6d365e..f7445ad7c4a 100644 --- a/lib/libssl/man/SSL_CTX_set_options.3 +++ b/lib/libssl/man/SSL_CTX_set_options.3 @@ -1,5 +1,6 @@ -.\" $OpenBSD: SSL_CTX_set_options.3,v 1.4 2017/08/19 23:45:10 schwarze Exp $ -.\" OpenSSL 361a1191 Dec 6 17:56:41 2015 +0100 +.\" $OpenBSD: SSL_CTX_set_options.3,v 1.5 2018/02/27 17:08:20 schwarze Exp $ +.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100 +.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000 .\" .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>, .\" Bodo Moeller <bodo@openssl.org>, and @@ -51,7 +52,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: August 19 2017 $ +.Dd $Mdocdate: February 27 2018 $ .Dt SSL_CTX_SET_OPTIONS 3 .Os .Sh NAME @@ -154,12 +155,9 @@ Disables a countermeasure against a TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken SSL implementations. This option has no effect for connections using other ciphers. -.It Dv SSL_OP_TLSEXT_PADDING -Adds a padding extension to ensure the ClientHello size is never between 256 -and 511 bytes in length. -This is needed as a workaround for some implementations. .It Dv SSL_OP_ALL -All of the above bug workarounds. +This is currently an alias for +.Dv SSL_OP_LEGACY_SERVER_CONNECT . .El .Pp It is usually safe to use @@ -237,7 +235,8 @@ and no longer have any effect: .Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG , .Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG , .Dv SSL_OP_TLS_BLOCK_PADDING_BUG , -.Dv SSL_OP_TLS_D5_BUG . +.Dv SSL_OP_TLS_D5_BUG , +.Dv SSL_OP_TLSEXT_PADDING . .Sh SECURE RENEGOTIATION OpenSSL 0.9.8m and later always attempts to use secure renegotiation as described in RFC5746. 
@@ -268,9 +267,8 @@ alert is sent. This is because the server code may be unaware of the unpatched nature of the client. .Pp -.Em N.B.: -a bug in OpenSSL clients earlier than 0.9.8m (all of which are unpatched) will -result in the connection hanging if it receives a +Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which +are unpatched) will result in the connection hanging if it receives a .Em no_renegotiation alert. OpenSSL versions 0.9.8m and later will regard a |
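Review bot: In the header comment of the first hunk (@@ -1,5 +1,6), the merge marker changes its hash from 361a1191 to 7946ab33 but keeps the identical timestamp "Dec 6 17:56:41 2015 +0100". Please confirm that 7946ab33 really carries that date. If the date was carried over from the old line, correct it, since the "full merge up to" marker is what the next merge will start from.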
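Review bot: In the @@ -154,12 +155,9 hunk, the unchanged paragraph right after the list still opens with "It is usually safe to use", wording that dates from when SSL_OP_ALL was described as "All of the above bug workarounds". With SSL_OP_ALL now documented as an alias for SSL_OP_LEGACY_SERVER_CONNECT, please check that paragraph and reword it if it still recommends SSL_OP_ALL as a bundle of workarounds. A cross-reference from the SSL_OP_ALL entry to the description of SSL_OP_LEGACY_SERVER_CONNECT would also tell callers what the single remaining flag does.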
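Review bot: In the @@ -237,7 +235,8 hunk, listing SSL_OP_TLSEXT_PADDING among the options that "no longer have any effect" does not say which behaviour is now fixed: is the padding extension always sent, or never? The entry deleted in the earlier hunk said the option kept the ClientHello size from falling "between 256 and 511 bytes" as a workaround for some implementations, so callers who set the flag for interoperability need one sentence stating what the library does now.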