libtls/man/tls_config_set_protocols.3

*5c389b79Sbeck.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
e690d60fSschwarze.\"
e690d60fSschwarze.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4801fc0bSschwarze.\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
4801fc0bSschwarze.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
e690d60fSschwarze.\"
e690d60fSschwarze.\" Permission to use, copy, modify, and distribute this software for any
e690d60fSschwarze.\" purpose with or without fee is hereby granted, provided that the above
e690d60fSschwarze.\" copyright notice and this permission notice appear in all copies.
e690d60fSschwarze.\"
e690d60fSschwarze.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
e690d60fSschwarze.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
e690d60fSschwarze.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
e690d60fSschwarze.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
e690d60fSschwarze.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
e690d60fSschwarze.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
e690d60fSschwarze.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
e690d60fSschwarze.\"
*5c389b79Sbeck.Dd $Mdocdate: July 2 2023 $
e690d60fSschwarze.Dt TLS_CONFIG_SET_PROTOCOLS 3
e690d60fSschwarze.Os
e690d60fSschwarze.Sh NAME
e690d60fSschwarze.Nm tls_config_set_protocols ,
e690d60fSschwarze.Nm tls_config_parse_protocols ,
e690d60fSschwarze.Nm tls_config_set_alpn ,
e690d60fSschwarze.Nm tls_config_set_ciphers ,
e690d60fSschwarze.Nm tls_config_set_dheparams ,
4896de1eSjsing.Nm tls_config_set_ecdhecurves ,
e690d60fSschwarze.Nm tls_config_prefer_ciphers_client ,
e690d60fSschwarze.Nm tls_config_prefer_ciphers_server
e690d60fSschwarze.Nd TLS protocol and cipher selection
e690d60fSschwarze.Sh SYNOPSIS
e690d60fSschwarze.In tls.h
e690d60fSschwarze.Ft int
e690d60fSschwarze.Fo tls_config_set_protocols
e690d60fSschwarze.Fa "struct tls_config *config"
e690d60fSschwarze.Fa "uint32_t protocols"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft int
e690d60fSschwarze.Fo tls_config_parse_protocols
e690d60fSschwarze.Fa "uint32_t *protocols"
e690d60fSschwarze.Fa "const char *protostr"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft int
e690d60fSschwarze.Fo tls_config_set_alpn
e690d60fSschwarze.Fa "struct tls_config *config"
e690d60fSschwarze.Fa "const char *alpn"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft int
e690d60fSschwarze.Fo tls_config_set_ciphers
e690d60fSschwarze.Fa "struct tls_config *config"
e690d60fSschwarze.Fa "const char *ciphers"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft int
e690d60fSschwarze.Fo tls_config_set_dheparams
e690d60fSschwarze.Fa "struct tls_config *config"
e690d60fSschwarze.Fa "const char *params"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft int
4896de1eSjsing.Fo tls_config_set_ecdhecurves
e690d60fSschwarze.Fa "struct tls_config *config"
4896de1eSjsing.Fa "const char *curves"
e690d60fSschwarze.Fc
e690d60fSschwarze.Ft void
e690d60fSschwarze.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
e690d60fSschwarze.Ft void
e690d60fSschwarze.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
e690d60fSschwarze.Sh DESCRIPTION
e690d60fSschwarzeThese functions modify a configuration by setting parameters.
e690d60fSschwarzeThe configuration options apply to both clients and servers, unless noted
e690d60fSschwarzeotherwise.
e690d60fSschwarze.Pp
e690d60fSschwarze.Fn tls_config_set_protocols
e690d60fSschwarzespecifies which versions of the TLS protocol may be used.
e690d60fSschwarzePossible values are the bitwise OR of:
e690d60fSschwarze.Pp
14dc8396Sschwarze.Bl -item -offset indent -compact
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv TLS_PROTOCOL_TLSv1_2
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv TLS_PROTOCOL_TLSv1_3
e690d60fSschwarze.El
e690d60fSschwarze.Pp
e690d60fSschwarzeAdditionally, the values
e690d60fSschwarze.Dv TLS_PROTOCOL_TLSv1
*5c389b79Sbeck(TLSv1.2, TLSv1.3),
e690d60fSschwarze.Dv TLS_PROTOCOLS_ALL
e690d60fSschwarze(all supported protocols) and
e690d60fSschwarze.Dv TLS_PROTOCOLS_DEFAULT
6f8363eeSbeck(TLSv1.2 and TLSv1.3) may be used.
e690d60fSschwarze.Pp
e690d60fSschwarzeThe
e690d60fSschwarze.Fn tls_config_parse_protocols
e690d60fSschwarzeutility function parses a protocol string and returns the corresponding
e690d60fSschwarzevalue via the
e690d60fSschwarze.Ar protocols
e690d60fSschwarzeargument.
e690d60fSschwarzeThis value can then be passed to the
e690d60fSschwarze.Fn tls_config_set_protocols
e690d60fSschwarzefunction.
e690d60fSschwarzeThe protocol string is a comma or colon separated list of keywords.
fcde59b2SknValid keywords are:
fcde59b2Skn.Pp
fcde59b2Skn.Bl -tag -width "tlsv1.3" -offset indent -compact
fcde59b2Skn.It Dv tlsv1.2
fcde59b2Skn.It Dv tlsv1.3
14dc8396Sschwarze.It Dv all
14dc8396Sschwarze.Pq all supported protocols
14dc8396Sschwarze.It Dv default
14dc8396Sschwarze.Pq an alias for Dv secure
14dc8396Sschwarze.It Dv legacy
14dc8396Sschwarze.Pq an alias for Dv all
14dc8396Sschwarze.It Dv secure
14dc8396Sschwarze.Pq currently TLSv1.2 and TLSv1.3
fcde59b2Skn.El
fcde59b2Skn.Pp
e690d60fSschwarzeIf a value has a negative prefix (in the form of a leading exclamation mark)
e690d60fSschwarzethen it is removed from the list of available protocols, rather than being
e690d60fSschwarzeadded to it.
e690d60fSschwarze.Pp
e690d60fSschwarze.Fn tls_config_set_alpn
e690d60fSschwarzesets the ALPN protocols that are supported.
e690d60fSschwarzeThe alpn string is a comma separated list of protocols, in order of preference.
e690d60fSschwarze.Pp
e690d60fSschwarze.Fn tls_config_set_ciphers
e690d60fSschwarzesets the list of ciphers that may be used.
e690d60fSschwarzeLists of ciphers are specified by name, and the
e690d60fSschwarzepermitted names are:
e690d60fSschwarze.Pp
14dc8396Sschwarze.Bl -item -offset indent -compact
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv secure Pq or alias Dv default
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv compat
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv legacy
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv insecure Pq or alias Dv all
e690d60fSschwarze.El
e690d60fSschwarze.Pp
e690d60fSschwarzeAlternatively, libssl cipher strings can be specified.
e690d60fSschwarzeSee the CIPHERS section of
e690d60fSschwarze.Xr openssl 1
e690d60fSschwarzefor further information.
e8bac763Sjsing.Pp
e8bac763Sjsing.Fn tls_config_set_dheparams
e8bac763Sjsingspecifies the parameters that will be used during Diffie-Hellman Ephemeral
e8bac763Sjsing(DHE) key exchange.
4a699ee4SknPossible values are:
4a699ee4Skn.Pp
14dc8396Sschwarze.Bl -item -offset indent -compact
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv none
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv auto
14dc8396Sschwarze.It
14dc8396Sschwarze.Dv legacy
4a699ee4Skn.El
4a699ee4Skn.Pp
4a699ee4SknIn
4a699ee4Skn.Dv auto
4a699ee4Sknmode, the key size for the ephemeral key is automatically selected
e8bac763Sjsingbased on the size of the private key being used for signing.
4a699ee4SknIn
4a699ee4Skn.Dv legacy
4a699ee4Sknmode, 1024 bit ephemeral keys are used.
4a699ee4SknThe default value is
4a699ee4Skn.Dv none ,
4a699ee4Sknwhich disables DHE key exchange.
4896de1eSjsing.Pp
4896de1eSjsing.Fn tls_config_set_ecdhecurves
e8bac763Sjsingspecifies the names of the elliptic curves that may be used during Elliptic
e8bac763SjsingCurve Diffie-Hellman Ephemeral (ECDHE) key exchange.
4896de1eSjsingThis is a comma separated list, given in order of preference.
4896de1eSjsingThe special value of "default" will use the default curves (currently X25519,
a0786738SjmcP-256 and P-384).
a0786738SjmcThis function replaces
4896de1eSjsing.Fn tls_config_set_ecdhecurve ,
4896de1eSjsingwhich is deprecated.
e690d60fSschwarze.Pp
e690d60fSschwarze.Fn tls_config_prefer_ciphers_client
e690d60fSschwarzeprefers ciphers in the client's cipher list when selecting a cipher suite
e690d60fSschwarze(server only).
e690d60fSschwarzeThis is considered to be less secure than preferring the server's list.
e690d60fSschwarze.Pp
e690d60fSschwarze.Fn tls_config_prefer_ciphers_server
e690d60fSschwarzeprefers ciphers in the server's cipher list when selecting a cipher suite
e690d60fSschwarze(server only).
e690d60fSschwarzeThis is considered to be more secure than preferring the client's list and is
e690d60fSschwarzethe default.
e690d60fSschwarze.Sh RETURN VALUES
e690d60fSschwarzeThese functions return 0 on success or -1 on error.
e690d60fSschwarze.Sh SEE ALSO
e690d60fSschwarze.Xr tls_config_ocsp_require_stapling 3 ,
e690d60fSschwarze.Xr tls_config_set_session_id 3 ,
e690d60fSschwarze.Xr tls_config_verify 3 ,
e690d60fSschwarze.Xr tls_init 3 ,
e690d60fSschwarze.Xr tls_load_file 3
8b02f64eSschwarze.Sh HISTORY
8b02f64eSschwarze.Fn tls_config_set_ciphers
8b02f64eSschwarzeappeared in
8b02f64eSschwarze.Ox 5.6
8b02f64eSschwarzeand got its final name in
8b02f64eSschwarze.Ox 5.7 .
8b02f64eSschwarze.Pp
8b02f64eSschwarze.Fn tls_config_set_protocols ,
8b02f64eSschwarze.Fn tls_config_parse_protocols ,
8b02f64eSschwarze.Fn tls_config_set_dheparams ,
8b02f64eSschwarzeand
8b02f64eSschwarze.Fn tls_config_set_ecdhecurve
8b02f64eSschwarzeappeared in
8b02f64eSschwarze.Ox 5.7 ,
8b02f64eSschwarze.Fn tls_config_prefer_ciphers_client
8b02f64eSschwarzeand
8b02f64eSschwarze.Fn tls_config_prefer_ciphers_server
8b02f64eSschwarzein
8b02f64eSschwarze.Ox 5.9 ,
8b02f64eSschwarzeand
8b02f64eSschwarze.Fn tls_config_set_alpn
8b02f64eSschwarzein
8b02f64eSschwarze.Ox 6.1 .
8b02f64eSschwarze.Sh AUTHORS
8b02f64eSschwarze.An Joel Sing Aq Mt jsing@openbsd.org
8b02f64eSschwarzewith contributions from
8b02f64eSschwarze.An Ted Unangst Aq Mt tedu@openbsd.org
8b02f64eSschwarze.Pq Fn tls_config_set_ciphers
8b02f64eSschwarzeand
8b02f64eSschwarze.An Reyk Floeter Aq Mt reyk@openbsd.org
8b02f64eSschwarze.Pq Fn tls_config_set_ecdhecurve