
18 .\" Set up some character translations and predefined strings.  \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
134 .TH SSL_CONF_CMD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
141 SSL_CONF_cmd \- send configuration command
154 configuration of \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structures by providing a common
161 flag \fB\s-1SSL_CONF_FLAG_CMDLINE\s0\fR is set) are listed below. Note: all \fBoption\fR
164 prefix for command line commands is \fB\-\fR and that is reflected below.
165 .IP "\fB\-bugs\fR" 4
166 .IX Item "-bugs"
167 Various bug workarounds are set, same as setting \fB\s-1SSL_OP_ALL\s0\fR.
168 .IP "\fB\-no_comp\fR" 4
169 .IX Item "-no_comp"
170 Disables support for \s-1SSL/TLS\s0 compression, same as setting
171 \&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
173 .IP "\fB\-comp\fR" 4
174 .IX Item "-comp"
175 Enables support for \s-1SSL/TLS\s0 compression, same as clearing
176 \&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR. Compression is disabled by default; enabling it is discouraged, because compressing records that mix secret and attacker-influenced data can leak information about the plaintext to an observer of the ciphertext lengths.
179 .IP "\fB\-no_ticket\fR" 4
180 .IX Item "-no_ticket"
181 Disables support for session tickets, same as setting \fB\s-1SSL_OP_NO_TICKET\s0\fR.
182 .IP "\fB\-serverpref\fR" 4
183 .IX Item "-serverpref"
186 Equivalent to \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
187 .IP "\fB\-client_renegotiation\fR" 4
188 .IX Item "-client_renegotiation"
189 Allows servers to accept client-initiated renegotiation. Equivalent to
190 setting \fB\s-1SSL_OP_ALLOW_CLIENT_RENEGOTIATION\s0\fR. Leave this unset unless client-initiated renegotiation is genuinely required: every renegotiation a client requests costs the server another handshake.
192 .IP "\fB\-legacy_renegotiation\fR" 4
193 .IX Item "-legacy_renegotiation"
195 \&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
196 .IP "\fB\-no_renegotiation\fR" 4
197 .IX Item "-no_renegotiation"
199 \&\fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
200 .IP "\fB\-no_resumption_on_reneg\fR" 4
201 .IX Item "-no_resumption_on_reneg"
202 Sets \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR. Only used by servers.
203 .IP "\fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR" 4
204 .IX Item "-legacy_server_connect, -no_legacy_server_connect"
206 clients only. Equivalent to setting or clearing \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
207 .IP "\fB\-prioritize_chacha\fR" 4
208 .IX Item "-prioritize_chacha"
210 its preference list. This usually indicates a client without \s-1AES\s0 hardware
211 acceleration (e.g. mobile) is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
212 Only used by servers. Requires \fB\-serverpref\fR.
213 .IP "\fB\-allow_no_dhe_kex\fR" 4
214 .IX Item "-allow_no_dhe_kex"
215 In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means
217 .IP "\fB\-strict\fR" 4
218 .IX Item "-strict"
220 \&\fB\s-1SSL_CERT_FLAG_TLS_STRICT\s0\fR.
221 .IP "\fB\-sigalgs\fR \fIalgs\fR" 4
222 .IX Item "-sigalgs algs"
230 or \fBsignature_scheme\fR. \fBalgorithm\fR is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1E…
231 \&\fBhash\fR is a supported algorithm \s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA22…
232 \&\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR or \fB\s-1SHA512\s0\fR. Note: algorithm and hash names …
234 TLSv1.3, specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR,
241 using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
243 .IP "\fB\-client_sigalgs\fR \fIalgs\fR" 4
244 .IX Item "-client_sigalgs algs"
252 The syntax of \fBalgs\fR is identical to \fB\-sigalgs\fR. If not set, then the
253 value set for \fB\-sigalgs\fR will be used instead.
254 .IP "\fB\-groups\fR \fIgroups\fR" 4
255 .IX Item "-groups groups"
263 be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name
264 where applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL \s-1OID\s0 name
268 Currently supported groups for \fBTLSv1.3\fR are \fBP\-256\fR, \fBP\-384\fR, \fBP\-521\fR,
271 .IP "\fB\-curves\fR \fIgroups\fR" 4
272 .IX Item "-curves groups"
273 This is a synonym for the \fB\-groups\fR command.
274 .IP "\fB\-named_curve\fR \fIcurve\fR" 4
275 .IX Item "-named_curve curve"
276 This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used
281 curve can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name
283 .IP "\fB\-cipher\fR \fIciphers\fR" 4
284 .IX Item "-cipher ciphers"
287 of \fBciphers\fR is currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR
289 .IP "\fB\-ciphersuites\fR \fI1.3ciphers\fR" 4
290 .IX Item "-ciphersuites 1.3ciphers"
292 colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
294 See \fBopenssl\-ciphers\fR\|(1) for more information.
295 .IP "\fB\-min_protocol\fR \fIminprot\fR, \fB\-max_protocol\fR \fImaxprot\fR" 4
296 .IX Item "-min_protocol minprot, -max_protocol maxprot"
299 \&\fBTLSv1.2\fR, \fBTLSv1.3\fR for \s-1TLS\s0; \fBDTLSv1\fR, \fBDTLSv1.2\fR for \s-1DTLS,\s0 and \f…
303 If your application supports both \s-1TLS\s0 and \s-1DTLS\s0 you can specify any of these
304 options twice, once with a bound for \s-1TLS\s0 and again with an appropriate bound
305 for \s-1DTLS.\s0
308 .IP "\fB\-record_padding\fR \fIpadding\fR" 4
309 .IX Item "-record_padding padding"
313 .IP "\fB\-debug_broken_protocol\fR" 4
314 .IX Item "-debug_broken_protocol"
316 .IP "\fB\-no_middlebox\fR" 4
317 .IX Item "-no_middlebox"
323 .IP "\fB\-cert\fR \fIfile\fR" 4
324 .IX Item "-cert file"
326 currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
327 structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an
328 \&\fB\s-1SSL\s0\fR structure is set. This option is only supported if certificate
330 .IP "\fB\-key\fR \fIfile\fR" 4
331 .IX Item "-key file"
334 if no \fB\-key\fR option is set then a private key is not loaded unless the
335 flag \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
336 .IP "\fB\-dhparam\fR \fIfile\fR" 4
337 .IX Item "-dhparam file"
338 Attempts to use \fBfile\fR as the set of temporary \s-1DH\s0 parameters for
341 .IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
342 .IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
346 respectively. These options are deprecated, use \fB\-min_protocol\fR and
347 \&\fB\-max_protocol\fR instead.
348 .IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
349 .IX Item "-anti_replay, -no_anti_replay"
354 time. Anti-Replay is on by default unless overridden by a configuration file and
355 is only used by servers. Anti-replay measures are required for compliance with
357 risks in other ways and in such cases the built-in OpenSSL functionality is not
358 required. Switching off anti-replay is equivalent to \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
362 flag \fB\s-1SSL_CONF_FLAG_FILE\s0\fR is set) are listed below. All configuration file
372 checking of \fBvalue\fR is currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\…
377 colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
379 See \fBopenssl\-ciphers\fR\|(1) for more information.
383 context. It currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
384 structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR
392 not loaded unless the \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
400 This option indicates a file containing a set of certificates in \s-1PEM\s0 form.
402 \&\fBcertificate_authorities\fR extension for \s-1TLS 1.3\s0 (in ClientHello or
404 \&\s-1TLS.\s0
411 Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for
429 is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported al…
430 \&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-
433 specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR,
440 using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
464 either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where
465 applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL \s-1OID\s0 name
469 Currently supported groups for \fBTLSv1.3\fR are \fBP\-256\fR, \fBP\-384\fR, \fBP\-521\fR,
477 This sets the minimum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
481 The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
482 apply only to DTLS-based contexts.
483 The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
484 other setting a \s-1DTLS\s0 bound.
488 This sets the maximum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
492 The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
493 apply only to DTLS-based contexts.
494 The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
495 other setting a \s-1DTLS\s0 bound.
499 This can be used to enable or disable certain versions of the \s-1SSL,
500 TLS\s0 or \s-1DTLS\s0 protocol.
503 to enable or disable.
504 If a protocol is preceded by \fB\-\fR that version is disabled.
507 You need to disable at least one protocol version for this setting to have any
509 Only enabling some protocol versions does not disable the other protocol
514 The special value \fB\s-1ALL\s0\fR refers to all supported versions.
517 or \fBMaxProtocol\fR, but can disable protocols that are still allowed
523 protocols has no \*(L"holes\*(R", e.g. if \s-1TLS 1.0\s0 and \s-1TLS 1.2\s0 are both enabled, make
524 sure to also leave \s-1TLS 1.1\s0 enabled.
528 If a flag string is preceded \fB\-\fR it is disabled.
533 the \fB\-flag\fR syntax is needed to disable it.
536 \&\fB\s-1SSL_OP_NO_TICKET\s0\fR: that is \fB\-SessionTicket\fR is the same as setting
537 \&\fB\s-1SSL_OP_NO_TICKET\s0\fR.
539 \&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, disabled by default. Inverse
540 of \fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
543 \&\s-1SSL 3.0/TLS 1.0\s0 protocol vulnerability affecting \s-1CBC\s0 ciphers. It
544 is set by default. Inverse of \fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR.
546 \&\fBBugs\fR: enable various bug workarounds. Same as \fB\s-1SSL_OP_ALL\s0\fR.
548 \&\fBDHSingle\fR: enable single use \s-1DH\s0 keys, set by default. Inverse of
549 \&\fB\s-1SSL_OP_DH_SINGLE\s0\fR. Only used by servers.
551 \&\fBECDHSingle\fR: enable single use \s-1ECDH\s0 keys, set by default. Inverse of
552 \&\fB\s-1SSL_OP_ECDH_SINGLE\s0\fR. Only used by servers.
557 \&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
561 a mobile client is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
565 \&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR flag. Only used by servers.
568 earlier, same as setting \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
571 Equivalent to \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
574 for OpenSSL clients only. Equivalent to \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
576 \&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by
577 default. Inverse of \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR: that is,
578 \&\fB\-EncryptThenMac\fR is the same as setting \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR.
580 \&\fBAllowNoDHEKEX\fR: In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on
582 session. Equivalent to \fB\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0\fR.
584 \&\fBMiddleboxCompat\fR: If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent
588 default. Equivalent to \fB\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0\fR.
594 servers. Anti-replay measures are required to comply with the TLSv1.3
596 other ways and in such cases the built-in OpenSSL functionality is not required.
597 Disabling anti-replay is equivalent to setting \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
600 default. Inverse of \fB\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0\fR: that is,
601 \&\fB\-ExtendedMasterSecret\fR is the same as setting \fB\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0\fR.
603 \&\fBCANames\fR: use \s-1CA\s0 names extension, enabled by
604 default. Inverse of \fB\s-1SSL_OP_DISABLE_TLSEXT_CA_NAMES\s0\fR: that is,
605 \&\fB\-CANames\fR is the same as setting \fB\s-1SSL_OP_DISABLE_TLSEXT_CA_NAMES\s0\fR.
607 \&\fB\s-1KTLS\s0\fR: Enables kernel \s-1TLS\s0 if support has been compiled in, and it is supported
609 \&\fB\s-1SSL_OP_ENABLE_KTLS\s0\fR.
626 not require a certificate from the client post-handshake. A certificate will
628 provide a mechanism to request a certificate post-handshake. Servers only.
632 requires a certificate from the client post-handshake: an error occurs if the
635 to request a certificate post-handshake. Servers only. TLSv1.3 only.
638 A file or directory of certificates in \s-1PEM\s0 format whose names are used as the
645 .IP "\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR" 4
649 .IP "\fB\s-1SSL_CONF_TYPE_STRING\s0\fR" 4
652 .IP "\fB\s-1SSL_CONF_TYPE_FILE\s0\fR" 4
655 .IP "\fB\s-1SSL_CONF_TYPE_DIR\s0\fR" 4
658 .IP "\fB\s-1SSL_CONF_TYPE_NONE\s0\fR" 4
668 \& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
672 it will disable SSLv3 support by default but the user can override it. If
677 \& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
688 \&\-2 (unrecognised command) continue with processing of application specific
695 following argument to \fBvalue\fR (which may be \s-1NULL\s0).
698 number of arguments as they have been processed by \fBSSL_CONF_cmd()\fR. If \-2 is
700 can be checked instead. If \-3 is returned a required argument is missing
707 value is \fB\s-1SSL_CONF_TYPE_FILE\s0\fR an application could translate a relative
712 \&\fB\s-1NOT\s0\fR used and 2 if both \fBoption\fR and \fBvalue\fR are used. In other words it
716 A return value of \-2 means \fBoption\fR is not recognised.
718 A return value of \-3 means \fBoption\fR is recognised and the command requires a
719 value but \fBvalue\fR is \s-1NULL.\s0
736 This is the recommended way to disable protocols.
745 \& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
748 The following will first enable all protocols, and then disable
751 \&\*(L"\-SSLv3\*(R", but if some versions were disabled this will re-enable them before
755 \& SSL_CONF_cmd(ctx, "Protocol", "ALL,\-SSLv3");
768 \& SSL_CONF_cmd(ctx, "Protocol", "\-ALL,TLSv1.2");
771 Disable \s-1TLS\s0 session tickets:
774 \& SSL_CONF_cmd(ctx, "Options", "\-SessionTicket");
783 Set supported curves to P\-256, P\-384:
786 \& SSL_CONF_cmd(ctx, "Curves", "P\-256:P\-384");
801 The \fB\s-1SSL_OP_NO_SSL2\s0\fR option has had no effect since 1.1.0, but the macro
804 The \fB\s-1SSL_CONF_TYPE_NONE\s0\fR was added in OpenSSL 1.1.0. In earlier versions of
806 \&\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR.
816 Copyright 2012\-2022 The OpenSSL Project Authors. All Rights Reserved.
820 in the file \s-1LICENSE\s0 in the source distribution or at