Diffstat (limited to '')
-rw-r--r--man/Makefile.am49
-rw-r--r--man/tls_config_set_protocols.376
2 files changed, 106 insertions, 19 deletions
diff --git a/man/Makefile.am b/man/Makefile.am
index ad840b6..fcec4c3 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,4 +1,5 @@
 EXTRA_DIST = CMakeLists.txt
+if !ENABLE_LIBTLS_ONLY
 dist_man3_MANS =
 dist_man5_MANS =
 dist_man3_MANS += BIO_f_ssl.3
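Review bot: The `if !ENABLE_LIBTLS_ONLY` opened at the top of this hunk is closed only by the `endif` added on the last line of the file, so the `tls_read.3` links visible in the later install-data-hook and uninstall-local hunks sit inside it as well. A libtls-only build therefore appears to install no man pages from this directory, including the libtls ones that document that build's own API. If that is intended, a comment under the `if` would record it, for example `# libtls-only builds install no man pages, including tls_*.3`; if not, the libtls pages and their links need to stay outside the conditional. Most of the conditional's body lies outside the visible hunks, so this should be checked against the full file.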
@@ -83,6 +84,7 @@ dist_man3_MANS += SSL_get_error.3
 dist_man3_MANS += SSL_get_ex_data_X509_STORE_CTX_idx.3
 dist_man3_MANS += SSL_get_ex_new_index.3
 dist_man3_MANS += SSL_get_fd.3
+dist_man3_MANS += SSL_get_finished.3
 dist_man3_MANS += SSL_get_peer_cert_chain.3
 dist_man3_MANS += SSL_get_peer_certificate.3
 dist_man3_MANS += SSL_get_rbio.3
@@ -1494,6 +1496,7 @@ install-data-hook:
 	ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3"
 	ln -sf "EVP_PKEY_meth_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3"
 	ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3"
+	ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3"
 	ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3"
 	ln -sf "EVP_PKEY_new.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3"
 	ln -sf "EVP_PKEY_print_private.3" "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3"
@@ -2230,6 +2233,7 @@ install-data-hook:
 	ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3"
 	ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3"
 	ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3"
+	ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3"
 	ln -sf "SSL_CTX_use_certificate.3" "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3"
 	ln -sf "SSL_SESSION_free.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3"
 	ln -sf "SSL_SESSION_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3"
@@ -2264,6 +2268,7 @@ install-data-hook:
 	ln -sf "SSL_get_ex_new_index.3" "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3"
 	ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3"
 	ln -sf "SSL_get_fd.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3"
+	ln -sf "SSL_get_finished.3" "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3"
 	ln -sf "SSL_get_rbio.3" "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3"
 	ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3"
 	ln -sf "SSL_get_session.3" "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3"
@@ -2282,9 +2287,19 @@ install-data-hook:
 	ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3"
 	ln -sf "SSL_num_renegotiations.3" "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3"
 	ln -sf "SSL_read.3" "$(DESTDIR)$(mandir)/man3/SSL_peek.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3"
+	ln -sf "SSL_read_early_data.3" "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3"
 	ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3"
 	ln -sf "SSL_renegotiate.3" "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3"
 	ln -sf "SSL_rstate_string.3" "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3"
+	ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3"
+	ln -sf "SSL_set1_host.3" "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3"
 	ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3"
 	ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3"
 	ln -sf "SSL_set1_param.3" "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3"
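Review bot: The links added in this hunk point at `SSL_read_early_data.3` and `SSL_set1_host.3`, and the next install-data-hook hunk adds ten links to `x509_verify.3`, yet the only `dist_man3_MANS +=` line in this diff is the one for `SSL_get_finished.3`. `ln -sf` succeeds even when its target does not exist, so if any of those three pages is missing from the list outside the visible hunks, the install leaves dangling links and reports no error. It is worth confirming that each target has its own entry, such as `dist_man3_MANS += x509_verify.3`. The install-data-hook recipe starts and ends outside this hunk.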
@@ -3093,6 +3108,16 @@ install-data-hook:
 	ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_handshake.3"
 	ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_reset.3"
 	ln -sf "tls_read.3" "$(DESTDIR)$(mandir)/man3/tls_write.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3"
+	ln -sf "x509_verify.3" "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3"
 
 uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3"
@@ -4097,6 +4122,7 @@ uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verify_recover.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_meth_set_verifyctx.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_free.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_CMAC_key.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_new_mac_key.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_up_ref.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/EVP_PKEY_print_params.3"
@@ -4833,6 +4859,7 @@ uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_RSAPrivateKey_file.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_ASN1.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_chain_file.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_use_certificate_file.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_up_ref.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_ex_data.3"
@@ -4867,6 +4894,7 @@ uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_ex_data.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_rfd.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wfd.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_peer_finished.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_wbio.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_session.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get1_session.3"
@@ -4885,9 +4913,19 @@ uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_clear_num_renegotiations.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_total_renegotiations.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_peek.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_get_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_SESSION_set_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_early_data_status.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_max_early_data.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_write_early_data.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_abbreviated.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_renegotiate_pending.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_rstate_string_long.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_peername.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_set_hostflags.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_get0_param.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_CTX_set1_param.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/SSL_get0_param.3"
@@ -5696,3 +5734,14 @@ uninstall-local:
 	-rm -f "$(DESTDIR)$(mandir)/man3/tls_handshake.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/tls_reset.3"
 	-rm -f "$(DESTDIR)$(mandir)/man3/tls_write.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_chain.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_depth.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_error_string.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_free.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_new.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_intermediates.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_chains.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_depth.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_max_signatures.3"
+	-rm -f "$(DESTDIR)$(mandir)/man3/x509_verify_ctx_set_purpose.3"
+endif
diff --git a/man/tls_config_set_protocols.3 b/man/tls_config_set_protocols.3
index 0aed5b9..7c62493 100644
--- a/man/tls_config_set_protocols.3
+++ b/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.8 2020/01/22 06:46:34 beck Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.11 2021/01/02 19:58:44 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 22 2020 $
+.Dd $Mdocdate: January 2 2021 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -74,11 +74,15 @@ otherwise.
 specifies which versions of the TLS protocol may be used.
 Possible values are the bitwise OR of:
 .Pp
-.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact
-.It Dv TLS_PROTOCOL_TLSv1_0
-.It Dv TLS_PROTOCOL_TLSv1_1
-.It Dv TLS_PROTOCOL_TLSv1_2
-.It Dv TLS_PROTOCOL_TLSv1_3
+.Bl -item -offset indent -compact
+.It
+.Dv TLS_PROTOCOL_TLSv1_0
+.It
+.Dv TLS_PROTOCOL_TLSv1_1
+.It
+.Dv TLS_PROTOCOL_TLSv1_2
+.It
+.Dv TLS_PROTOCOL_TLSv1_3
 .El
 .Pp
 Additionally, the values
@@ -99,9 +103,23 @@ This value can then be passed to the
 .Fn tls_config_set_protocols
 function.
 The protocol string is a comma or colon separated list of keywords.
-Valid keywords are tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3, all (all supported
-protocols), default (an alias for secure), legacy (an alias for all) and
-secure (currently TLSv1.2 and TLSv1.3).
+Valid keywords are:
+.Pp
+.Bl -tag -width "tlsv1.3" -offset indent -compact
+.It Dv tlsv1.0
+.It Dv tlsv1.1
+.It Dv tlsv1.2
+.It Dv tlsv1.3
+.It Dv all
+.Pq all supported protocols
+.It Dv default
+.Pq an alias for Dv secure
+.It Dv legacy
+.Pq an alias for Dv all
+.It Dv secure
+.Pq currently TLSv1.2 and TLSv1.3
+.El
+.Pp
 If a value has a negative prefix (in the form of a leading exclamation mark)
 then it is removed from the list of available protocols, rather than being
 added to it.
@@ -115,11 +133,15 @@ sets the list of ciphers that may be used.
 Lists of ciphers are specified by name, and the
 permitted names are:
 .Pp
-.Bl -tag -width "insecure" -offset indent -compact
-.It Dv "secure" (or alias "default")
-.It Dv "compat"
-.It Dv "legacy"
-.It Dv "insecure" (or alias "all")
+.Bl -item -offset indent -compact
+.It
+.Dv secure Pq or alias Dv default
+.It
+.Dv compat
+.It
+.Dv legacy
+.It
+.Dv insecure Pq or alias Dv all
 .El
 .Pp
 Alternatively, libssl cipher strings can be specified.
@@ -130,11 +152,27 @@ for further information.
 .Fn tls_config_set_dheparams
 specifies the parameters that will be used during Diffie-Hellman Ephemeral
 (DHE) key exchange.
-Possible values are "none", "auto" and "legacy".
-In "auto" mode, the key size for the ephemeral key is automatically selected
+Possible values are:
+.Pp
+.Bl -item -offset indent -compact
+.It
+.Dv none
+.It
+.Dv auto
+.It
+.Dv legacy
+.El
+.Pp
+In
+.Dv auto
+mode, the key size for the ephemeral key is automatically selected
 based on the size of the private key being used for signing.
-In "legacy" mode, 1024 bit ephemeral keys are used.
-The default value is "none", which disables DHE key exchange.
+In
+.Dv legacy
+mode, 1024 bit ephemeral keys are used.
+The default value is
+.Dv none ,
+which disables DHE key exchange.
 .Pp
 .Fn tls_config_set_ecdhecurves
 specifies the names of the elliptic curves that may be used during Elliptic