1*849d353bStb.\" $OpenBSD: ssl.3,v 1.26 2024/08/31 10:51:48 tb Exp $ 2c57a0d89Sschwarze.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100 39ff9c5a5Sschwarze.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800 4f1a3c524Sschwarze.\" 53473863aSschwarze.\" This file was written by Ralf S. Engelschall <rse@openssl.org>, 63473863aSschwarze.\" Ben Laurie <ben@openssl.org>, and Ulf Moeller <ulf@openssl.org>. 73473863aSschwarze.\" Copyright (c) 1998-2002, 2005, 2013, 2015 The OpenSSL Project. 83473863aSschwarze.\" All rights reserved. 9f1a3c524Sschwarze.\" 103473863aSschwarze.\" Redistribution and use in source and binary forms, with or without 113473863aSschwarze.\" modification, are permitted provided that the following conditions 123473863aSschwarze.\" are met: 133473863aSschwarze.\" 143473863aSschwarze.\" 1. Redistributions of source code must retain the above copyright 153473863aSschwarze.\" notice, this list of conditions and the following disclaimer. 163473863aSschwarze.\" 173473863aSschwarze.\" 2. Redistributions in binary form must reproduce the above copyright 183473863aSschwarze.\" notice, this list of conditions and the following disclaimer in 193473863aSschwarze.\" the documentation and/or other materials provided with the 203473863aSschwarze.\" distribution. 213473863aSschwarze.\" 223473863aSschwarze.\" 3. All advertising materials mentioning features or use of this 233473863aSschwarze.\" software must display the following acknowledgment: 243473863aSschwarze.\" "This product includes software developed by the OpenSSL Project 253473863aSschwarze.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 263473863aSschwarze.\" 273473863aSschwarze.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 283473863aSschwarze.\" endorse or promote products derived from this software without 293473863aSschwarze.\" prior written permission. For written permission, please contact 303473863aSschwarze.\" openssl-core@openssl.org. 313473863aSschwarze.\" 323473863aSschwarze.\" 5. Products derived from this software may not be called "OpenSSL" 333473863aSschwarze.\" nor may "OpenSSL" appear in their names without prior written 343473863aSschwarze.\" permission of the OpenSSL Project. 353473863aSschwarze.\" 363473863aSschwarze.\" 6. Redistributions of any form whatsoever must retain the following 373473863aSschwarze.\" acknowledgment: 383473863aSschwarze.\" "This product includes software developed by the OpenSSL Project 393473863aSschwarze.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 403473863aSschwarze.\" 413473863aSschwarze.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 423473863aSschwarze.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 433473863aSschwarze.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 443473863aSschwarze.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 453473863aSschwarze.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 463473863aSschwarze.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 473473863aSschwarze.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 483473863aSschwarze.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 493473863aSschwarze.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 503473863aSschwarze.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 513473863aSschwarze.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 523473863aSschwarze.\" OF THE POSSIBILITY OF SUCH DAMAGE. 533473863aSschwarze.\" 54*849d353bStb.Dd $Mdocdate: August 31 2024 $ 55f1a3c524Sschwarze.Dt SSL 3 56f1a3c524Sschwarze.Os 57f1a3c524Sschwarze.Sh NAME 58f1a3c524Sschwarze.Nm ssl 592f9dee1dStb.Nd OpenSSL TLS library 60f1a3c524Sschwarze.Sh DESCRIPTION 612f9dee1dStbThe 62f1a3c524Sschwarze.Nm ssl 632f9dee1dStblibrary implements the Transport Layer Security (TLS) protocol, 64f2395cb1Sjmcthe successor to the Secure Sockets Layer (SSL) protocol. 65f1a3c524Sschwarze.Pp 66536f31e8SschwarzeAn 67f1a3c524Sschwarze.Vt SSL_CTX 68f1a3c524Sschwarzeobject is created as a framework to establish TLS/SSL enabled connections (see 69f1a3c524Sschwarze.Xr SSL_CTX_new 3 ) . 70f1a3c524SschwarzeVarious options regarding certificates, algorithms, etc., can be set in this 71f1a3c524Sschwarzeobject. 72f1a3c524Sschwarze.Pp 73f1a3c524SschwarzeWhen a network connection has been created, it can be assigned to an 74f1a3c524Sschwarze.Vt SSL 75f1a3c524Sschwarzeobject. 76f1a3c524SschwarzeAfter the 77f1a3c524Sschwarze.Vt SSL 78f1a3c524Sschwarzeobject has been created using 79f1a3c524Sschwarze.Xr SSL_new 3 , 80f1a3c524Sschwarze.Xr SSL_set_fd 3 81f1a3c524Sschwarzeor 82f1a3c524Sschwarze.Xr SSL_set_bio 3 83f1a3c524Sschwarzecan be used to associate the network connection with the object. 84f1a3c524Sschwarze.Pp 85f1a3c524SschwarzeThen the TLS/SSL handshake is performed using 86f1a3c524Sschwarze.Xr SSL_accept 3 87f1a3c524Sschwarzeor 88f1a3c524Sschwarze.Xr SSL_connect 3 89f1a3c524Sschwarzerespectively. 90f1a3c524Sschwarze.Xr SSL_read 3 91f1a3c524Sschwarzeand 92f1a3c524Sschwarze.Xr SSL_write 3 93f1a3c524Sschwarzeare used to read and write data on the TLS/SSL connection. 94f1a3c524Sschwarze.Xr SSL_shutdown 3 95f1a3c524Sschwarzecan be used to shut down the TLS/SSL connection. 96f1a3c524Sschwarze.Sh DATA STRUCTURES 972f9dee1dStbCurrently the 98f1a3c524Sschwarze.Nm ssl 993473863aSschwarzelibrary functions deal with the following data structures: 100f1a3c524Sschwarze.Bl -tag -width Ds 101f1a3c524Sschwarze.It Vt SSL_METHOD No (SSL Method) 102f1a3c524SschwarzeThat's a dispatch structure describing the internal 103f1a3c524Sschwarze.Nm ssl 10462601677Sschwarzelibrary methods/functions which implement the various protocol versions. 105f1a3c524SschwarzeIt's needed to create an 106f1a3c524Sschwarze.Vt SSL_CTX . 1073473863aSschwarzeSee 1083473863aSschwarze.Xr TLS_method 3 1093473863aSschwarzefor constructors. 110f1a3c524Sschwarze.It Vt SSL_CIPHER No (SSL Cipher) 111f1a3c524SschwarzeThis structure holds the algorithm information for a particular cipher which 112f1a3c524Sschwarzeis a core part of the SSL/TLS protocol. 113f1a3c524SschwarzeThe available ciphers are configured on an 114f1a3c524Sschwarze.Vt SSL_CTX 115f1a3c524Sschwarzebasis and the actually used ones are then part of the 116f1a3c524Sschwarze.Vt SSL_SESSION . 117f1a3c524Sschwarze.It Vt SSL_CTX No (SSL Context) 118f1a3c524SschwarzeThat's the global context structure which is created by a server or client 119f1a3c524Sschwarzeonce per program lifetime and which holds mainly default values for the 120f1a3c524Sschwarze.Vt SSL 121f1a3c524Sschwarzestructures which are later created for the connections. 122f1a3c524Sschwarze.It Vt SSL_SESSION No (SSL Session) 123f1a3c524SschwarzeThis is a structure containing the current TLS/SSL session details for a 124f1a3c524Sschwarzeconnection: 125ded0e0cbSjmc.Vt SSL_CIPHER Ns s , 126ded0e0cbSjmcclient and server certificates, keys, etc. 127f1a3c524Sschwarze.It Vt SSL No (SSL Connection) 128f1a3c524SschwarzeThat's the main SSL/TLS structure which is created by a server or client per 129f1a3c524Sschwarzeestablished connection. 130f1a3c524SschwarzeThis actually is the core structure in the SSL API. 131c57a0d89SschwarzeAt run-time the application usually deals with this structure which has 132f1a3c524Sschwarzelinks to mostly all other structures. 133f1a3c524Sschwarze.El 134f1a3c524Sschwarze.Sh HEADER FILES 1352f9dee1dStbCurrently the 136f1a3c524Sschwarze.Nm ssl 137f1a3c524Sschwarzelibrary provides the following C header files containing the prototypes for the 138f1a3c524Sschwarzedata structures and functions: 139f1a3c524Sschwarze.Bl -tag -width Ds 140f1a3c524Sschwarze.It Pa ssl.h 141f1a3c524SschwarzeThat's the common header file for the SSL/TLS API. 142f1a3c524SschwarzeInclude it into your program to make the API of the 143f1a3c524Sschwarze.Nm ssl 144f1a3c524Sschwarzelibrary available. 145f1a3c524SschwarzeIt internally includes both more private SSL headers and headers from the 146f1a3c524Sschwarze.Em crypto 147f1a3c524Sschwarzelibrary. 148f1a3c524SschwarzeWhenever you need hardcore details on the internals of the SSL API, look inside 149f1a3c524Sschwarzethis header file. 150f1a3c524Sschwarze.It Pa ssl3.h 151f1a3c524SschwarzeThat's the sub header file dealing with the SSLv3 protocol only. 152f1a3c524Sschwarze.Bf Em 153f1a3c524SschwarzeUsually you don't have to include it explicitly because it's already included 154f1a3c524Sschwarzeby 155f1a3c524Sschwarze.Pa ssl.h . 156f1a3c524Sschwarze.Ef 157f1a3c524Sschwarze.It Pa tls1.h 158f1a3c524SschwarzeThat's the sub header file dealing with the TLSv1 protocol only. 159f1a3c524Sschwarze.Bf Em 160f1a3c524SschwarzeUsually you don't have to include it explicitly because it's already included 161f1a3c524Sschwarzeby 162f1a3c524Sschwarze.Pa ssl.h . 163f1a3c524Sschwarze.Ef 164f1a3c524Sschwarze.El 165f1a3c524Sschwarze.Sh API FUNCTIONS 1663473863aSschwarze.Ss Ciphers 1673473863aSschwarzeThe following pages describe functions acting on 168f1a3c524Sschwarze.Vt SSL_CIPHER 1693473863aSschwarzeobjects: 1703473863aSschwarze.Xr SSL_get_ciphers 3 , 1713473863aSschwarze.Xr SSL_get_current_cipher 3 , 1723473863aSschwarze.Xr SSL_CIPHER_get_name 3 1733473863aSschwarze.Ss Protocol contexts 1743473863aSschwarzeThe following pages describe functions acting on 175f1a3c524Sschwarze.Vt SSL_CTX 1763473863aSschwarzeobjects. 177f1a3c524Sschwarze.Pp 1783473863aSschwarzeConstructors and destructors: 1793473863aSschwarze.Xr SSL_CTX_new 3 , 1803473863aSschwarze.Xr SSL_CTX_set_ssl_version 3 , 1813473863aSschwarze.Xr SSL_CTX_free 3 182f1a3c524Sschwarze.Pp 183f714030dSschwarzeCertificate configuration: 1843d842696Sschwarze.Xr SSL_CTX_add_extra_chain_cert 3 , 185f714030dSschwarze.Xr SSL_CTX_get0_certificate 3 , 186f1a3c524Sschwarze.Xr SSL_CTX_load_verify_locations 3 , 187f1a3c524Sschwarze.Xr SSL_CTX_set_cert_store 3 , 188f1a3c524Sschwarze.Xr SSL_CTX_set_cert_verify_callback 3 , 189f1a3c524Sschwarze.Xr SSL_CTX_set_client_cert_cb 3 , 190f1a3c524Sschwarze.Xr SSL_CTX_set_default_passwd_cb 3 , 191f714030dSschwarze.Xr SSL_CTX_set_tlsext_status_cb 3 192f714030dSschwarze.Pp 193f714030dSschwarzeSession configuration: 194f714030dSschwarze.Xr SSL_CTX_add_session 3 , 195f714030dSschwarze.Xr SSL_CTX_flush_sessions 3 , 196f714030dSschwarze.Xr SSL_CTX_sess_number 3 , 197f714030dSschwarze.Xr SSL_CTX_sess_set_cache_size 3 , 198f714030dSschwarze.Xr SSL_CTX_sess_set_get_cb 3 , 199f714030dSschwarze.Xr SSL_CTX_sessions 3 , 200f714030dSschwarze.Xr SSL_CTX_set_session_cache_mode 3 , 201f1a3c524Sschwarze.Xr SSL_CTX_set_timeout 3 , 202f714030dSschwarze.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 203f714030dSschwarze.Pp 204f714030dSschwarzeVarious configuration: 205f714030dSschwarze.Xr SSL_CTX_get_ex_new_index 3 , 206f714030dSschwarze.Xr SSL_CTX_set_tlsext_servername_callback 3 207f714030dSschwarze.Ss Common configuration of contexts and connections 208f714030dSschwarzeThe functions on the following pages each come in two variants: 209f714030dSschwarzeone to directly configure a single 210f714030dSschwarze.Vt SSL 211f714030dSschwarzeconnection and another to be called on an 212f714030dSschwarze.Vt SSL_CTX 213f714030dSschwarzeobject, to set up defaults for all future 214f714030dSschwarze.Vt SSL 215f714030dSschwarzeconnections created from that context. 216f714030dSschwarze.Pp 217f714030dSschwarzeProtocol and algorithm configuration: 218f714030dSschwarze.Xr SSL_CTX_set_alpn_select_cb 3 , 219f714030dSschwarze.Xr SSL_CTX_set_cipher_list 3 , 220f714030dSschwarze.Xr SSL_CTX_set_min_proto_version 3 , 221f714030dSschwarze.Xr SSL_CTX_set_options 3 , 222d039934cSschwarze.Xr SSL_CTX_set_security_level 3 , 223f714030dSschwarze.Xr SSL_CTX_set_tlsext_use_srtp 3 , 224f1a3c524Sschwarze.Xr SSL_CTX_set_tmp_dh_callback 3 , 225f714030dSschwarze.Xr SSL_CTX_set1_groups 3 226f714030dSschwarze.Pp 227f714030dSschwarzeCertificate configuration: 228f714030dSschwarze.Xr SSL_CTX_add1_chain_cert 3 , 229f714030dSschwarze.Xr SSL_CTX_get_verify_mode 3 , 230f714030dSschwarze.Xr SSL_CTX_set_client_CA_list 3 , 231f714030dSschwarze.Xr SSL_CTX_set_max_cert_list 3 , 232f1a3c524Sschwarze.Xr SSL_CTX_set_verify 3 , 233f1a3c524Sschwarze.Xr SSL_CTX_use_certificate 3 , 234f714030dSschwarze.Xr SSL_get_client_CA_list 3 235ee3c233fSschwarze.Xr SSL_set1_param 3 2363473863aSschwarze.Pp 237f714030dSschwarzeSession configuration: 238f714030dSschwarze.Xr SSL_CTX_set_generate_session_id 3 , 239f714030dSschwarze.Xr SSL_CTX_set_session_id_context 3 240f714030dSschwarze.Pp 241f714030dSschwarzeVarious configuration: 242f714030dSschwarze.Xr SSL_CTX_ctrl 3 , 243f714030dSschwarze.Xr SSL_CTX_set_info_callback 3 , 244f714030dSschwarze.Xr SSL_CTX_set_mode 3 , 245f714030dSschwarze.Xr SSL_CTX_set_msg_callback 3 , 246f714030dSschwarze.Xr SSL_CTX_set_quiet_shutdown 3 , 247f714030dSschwarze.Xr SSL_CTX_set_read_ahead 3 , 248f714030dSschwarze.Xr SSL_set_max_send_fragment 3 2493473863aSschwarze.Ss Sessions 2503473863aSschwarzeThe following pages describe functions acting on 2513473863aSschwarze.Vt SSL_SESSION 2523473863aSschwarzeobjects. 2533473863aSschwarze.Pp 2543473863aSschwarzeConstructors and destructors: 2553473863aSschwarze.Xr SSL_SESSION_new 3 , 2563473863aSschwarze.Xr SSL_SESSION_free 3 2573473863aSschwarze.Pp 2583473863aSschwarzeAccessors: 259a1e5cce1Sschwarze.Xr SSL_SESSION_get_compress_id 3 , 2603473863aSschwarze.Xr SSL_SESSION_get_ex_new_index 3 , 261a1e5cce1Sschwarze.Xr SSL_SESSION_get_id 3 , 26281636af2Sschwarze.Xr SSL_SESSION_get_protocol_version 3 , 263a1e5cce1Sschwarze.Xr SSL_SESSION_get_time 3 , 264a1e5cce1Sschwarze.Xr SSL_SESSION_get0_peer 3 , 265323d22ccSschwarze.Xr SSL_SESSION_has_ticket 3 , 266a1e5cce1Sschwarze.Xr SSL_SESSION_set1_id_context 3 2673473863aSschwarze.Pp 2683473863aSschwarzeEncoding and decoding: 2693473863aSschwarze.Xr d2i_SSL_SESSION 3 , 2703473863aSschwarze.Xr PEM_read_SSL_SESSION 3 , 2713473863aSschwarze.Xr SSL_SESSION_print 3 2723473863aSschwarze.Ss Connections 2733473863aSschwarzeThe following pages describe functions acting on 2743473863aSschwarze.Vt SSL 2753473863aSschwarzeconnection objects: 2763473863aSschwarze.Pp 2773473863aSschwarzeConstructors and destructors: 2783473863aSschwarze.Xr SSL_new 3 , 2793473863aSschwarze.Xr SSL_dup 3 , 280f714030dSschwarze.Xr SSL_free 3 , 281f714030dSschwarze.Xr BIO_f_ssl 3 2823473863aSschwarze.Pp 283f714030dSschwarzeTo change the configuration: 284f714030dSschwarze.Xr SSL_clear 3 , 285dca1bfe7Sschwarze.Xr SSL_set_SSL_CTX 3 , 286f714030dSschwarze.Xr SSL_copy_session_id 3 , 287f714030dSschwarze.Xr SSL_set_bio 3 , 288f714030dSschwarze.Xr SSL_set_connect_state 3 , 289f714030dSschwarze.Xr SSL_set_fd 3 , 290f714030dSschwarze.Xr SSL_set_session 3 , 29195069a65Sschwarze.Xr SSL_set1_host 3 , 292f714030dSschwarze.Xr SSL_set_verify_result 3 293f714030dSschwarze.Pp 294f714030dSschwarzeTo inspect the configuration: 295f714030dSschwarze.Xr SSL_get_certificate 3 , 296f714030dSschwarze.Xr SSL_get_default_timeout 3 , 297f714030dSschwarze.Xr SSL_get_ex_new_index 3 , 298f714030dSschwarze.Xr SSL_get_fd 3 , 299f714030dSschwarze.Xr SSL_get_rbio 3 , 300f714030dSschwarze.Xr SSL_get_SSL_CTX 3 301f714030dSschwarze.Pp 302f714030dSschwarzeTo transmit data: 3033473863aSschwarze.Xr DTLSv1_listen 3 , 3043473863aSschwarze.Xr SSL_accept 3 , 3053473863aSschwarze.Xr SSL_connect 3 , 306f1a3c524Sschwarze.Xr SSL_do_handshake 3 , 3073473863aSschwarze.Xr SSL_read 3 , 3085d6f1c4aSkn.Xr SSL_read_early_data 3 , 3093473863aSschwarze.Xr SSL_renegotiate 3 , 3103473863aSschwarze.Xr SSL_shutdown 3 , 3113473863aSschwarze.Xr SSL_write 3 3123473863aSschwarze.Pp 313f714030dSschwarzeTo inspect the state after a connection is established: 314478adf1cSschwarze.Xr SSL_export_keying_material 3 , 31581636af2Sschwarze.Xr SSL_get_client_random 3 , 316f1a3c524Sschwarze.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 , 317f1a3c524Sschwarze.Xr SSL_get_peer_cert_chain 3 , 3183473863aSschwarze.Xr SSL_get_peer_certificate 3 , 319f714030dSschwarze.Xr SSL_get_server_tmp_key 3 , 320f714030dSschwarze.Xr SSL_get_servername 3 , 321f714030dSschwarze.Xr SSL_get_session 3 , 3223473863aSschwarze.Xr SSL_get_shared_ciphers 3 , 323f1a3c524Sschwarze.Xr SSL_get_verify_result 3 , 324f1a3c524Sschwarze.Xr SSL_get_version 3 , 325f714030dSschwarze.Xr SSL_session_reused 3 326f714030dSschwarze.Pp 327f714030dSschwarzeTo inspect the state during ongoing communication: 328f714030dSschwarze.Xr SSL_get_error 3 , 329f714030dSschwarze.Xr SSL_get_shutdown 3 , 330f714030dSschwarze.Xr SSL_get_state 3 , 331f714030dSschwarze.Xr SSL_num_renegotiations 3 , 332f1a3c524Sschwarze.Xr SSL_pending 3 , 333f1a3c524Sschwarze.Xr SSL_rstate_string 3 , 334f1a3c524Sschwarze.Xr SSL_state_string 3 , 3353473863aSschwarze.Xr SSL_want 3 336f714030dSschwarze.Ss Utility functions 3373473863aSschwarze.Xr SSL_alert_type_string 3 , 3383473863aSschwarze.Xr SSL_dup_CA_list 3 , 3393473863aSschwarze.Xr SSL_load_client_CA_file 3 340f714030dSschwarze.Ss Obsolete functions 341f714030dSschwarze.Xr OPENSSL_init_ssl 3 , 342*849d353bStb.Xr SSL_COMP_get_compression_methods 3 , 343f714030dSschwarze.Xr SSL_CTX_set_tmp_rsa_callback 3 , 344536f31e8Sschwarze.Xr SSL_library_init 3 , 345f714030dSschwarze.Xr SSL_set_tmp_ecdh 3 3463473863aSschwarze.Sh SEE ALSO 3473473863aSschwarze.Xr openssl 1 , 3483473863aSschwarze.Xr crypto 3 , 349536f31e8Sschwarze.Xr tls_init 3 350f1a3c524Sschwarze.Sh HISTORY 351f1a3c524SschwarzeThe 352f1a3c524Sschwarze.Nm 353f1a3c524Sschwarzedocument appeared in OpenSSL 0.9.2. 354