path: root/lib/libssl/src/doc/ssl
author: guenther <guenther@openbsd.org> 2014-04-18 15:39:53 +0000
committer: guenther <guenther@openbsd.org> 2014-04-18 15:39:53 +0000
commit: 4a5070f579eeac314136c9f15b58ae4f9baec16d
tree: f692478dd30d23b2b78aee599abbf2b2f1d7920b /lib/libssl/src/doc/ssl
parent: use the portable construct around asprintf; pointed out by halex
Finish zapping SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION usage; only keep
the #define for compat, but document that it's a no-op now. Also, neuter
the -legacy_renegotiation option to "openssl s_{client,server}"

ok beck@
Diffstat (limited to 'lib/libssl/src/doc/ssl')
-rw-r--r-- lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod | 22
1 files changed, 8 insertions, 14 deletions
diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
index fded0601b56..d9322825514 100644
--- a/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
+++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod
@@ -216,8 +216,10 @@ not be used by clients or servers.
=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the B<SECURE RENEGOTIATION> section for more details.
+As of OpenBSD 5.6, this option has no effect.
+In previous versions it allowed legacy insecure renegotiation between
+OpenSSL and unpatched clients or servers.
+See the B<SECURE RENEGOTIATION> section for more details.
=item SSL_OP_LEGACY_SERVER_CONNECT
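Review bot: the retained cross-reference "See the B<SECURE RENEGOTIATION> section for more details" becomes dangling with this patch, because the later hunks remove every mention of B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> from that section, so a reader following it finds nothing about the option. Either drop the sentence or point it at the history entry, and consider saying here that setting the option is harmless (it is retained only so existing code compiles), e.g. "+The option is retained so that existing code continues to build; setting it is harmless."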
@@ -258,9 +260,6 @@ If the patched OpenSSL server attempts to renegotiate a fatal
B<handshake_failure> alert is sent. This is because the server code may be
unaware of the unpatched nature of the client.
-If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
-renegotiation B<always> succeeds.
-
B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
unpatched) will result in the connection hanging if it receives a
B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
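Review bot: with the "renegotiation B<always> succeeds" escape hatch removed, the remaining text of this section describes the only behaviour left (the B<handshake_failure> alert), but it still reads as a conditional description of one case. Consider making the new invariant explicit at the top of the section, e.g. "+A patched OpenSSL server never renegotiates with an unpatched client.", so a reader does not go looking for the option that used to override it.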
@@ -271,8 +270,7 @@ was refused.
=head2 Patched OpenSSL client and unpatched server.
-If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> is set then initial connections
and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.
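Review bot: the unchanged context line "If neither option is set then initial connections to unpatched servers will fail." is now stale, since the sentence above it names only one option after this change. It should read "If this option is not set then initial connections to unpatched servers will fail." (or "If B<SSL_OP_LEGACY_SERVER_CONNECT> is not set ..."); otherwise the paragraph still implies a second option exists.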
@@ -295,13 +293,6 @@ unpatched servers (and thus avoid any security issues) should always B<clear>
B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
SSL_clear_options().
-The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
-B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
-renegotiation between OpenSSL clients and unpatched servers B<only>, while
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
-and renegotiation between OpenSSL and unpatched clients or servers.
-
=head1 RETURN VALUES
SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
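Review bot: deleting the comparison paragraph removes the only place this section told readers that the client-side option covers unpatched servers only, while unpatched clients are never accepted. That distinction still matters for operators choosing whether to set B<SSL_OP_LEGACY_SERVER_CONNECT>; a one-line replacement such as "+B<SSL_OP_LEGACY_SERVER_CONNECT> only affects connections to unpatched servers; unpatched clients are always refused." would keep it without referring to the neutered option.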
@@ -344,4 +335,7 @@ B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
and the function SSL_get_secure_renegotiation_support() were first added in
OpenSSL 0.9.8m.
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> was changed to have no effect
+in OpenBSD 5.6.
+
=cut
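Review bot: the new HISTORY entry says the option "was changed to have no effect" but not that the constant is deliberately kept for source compatibility, which is the reason it survives in the header at all (per the commit message). Adding that to the same sentence, e.g. "+in OpenBSD 5.6; the constant is retained for compatibility.", tells maintainers and downstream users why it has not simply been removed. Also note the added trailing "+" blank line before =cut; check it does not leave two consecutive blank lines in the rendered POD.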