| OLD | NEW |
| 1 =pod | 1 =pod |
| 2 | 2 |
| 3 =head1 NAME | 3 =head1 NAME |
| 4 | 4 |
| 5 SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options,
SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - man
ipulate SSL options | 5 SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options,
SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - man
ipulate SSL options |
| 6 | 6 |
| 7 =head1 SYNOPSIS | 7 =head1 SYNOPSIS |
| 8 | 8 |
| 9 #include <openssl/ssl.h> | 9 #include <openssl/ssl.h> |
| 10 | 10 |
| (...skipping 60 matching lines...) |
| 71 | 71 |
| 72 Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte | 72 Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte |
| 73 challenge but then appears to only use 16 bytes when generating the | 73 challenge but then appears to only use 16 bytes when generating the |
| 74 encryption keys. Using 16 bytes is ok but it should be ok to use 32. | 74 encryption keys. Using 16 bytes is ok but it should be ok to use 32. |
| 75 According to the SSLv3 spec, one should use 32 bytes for the challenge | 75 According to the SSLv3 spec, one should use 32 bytes for the challenge |
| 76 when operating in SSLv2/v3 compatibility mode, but as mentioned above, | 76 when operating in SSLv2/v3 compatibility mode, but as mentioned above, |
| 77 this breaks this server so 16 bytes is the way to go. | 77 this breaks this server so 16 bytes is the way to go. |
| 78 | 78 |
| 79 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | 79 =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
| 80 | 80 |
| 81 ssl3.netscape.com:443, first a connection is established with RC4-MD5. | 81 As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. |
| 82 If it is then resumed, we end up using DES-CBC3-SHA. It should be | |
| 83 RC4-MD5 according to 7.6.1.3, 'cipher_suite'. | |
| 84 | |
| 85 Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. | |
| 86 It only really shows up when connecting via SSLv2/v3 then reconnecting | |
| 87 via SSLv3. The cipher list changes.... | |
| 88 | |
| 89 NEW INFORMATION. Try connecting with a cipher list of just | |
| 90 DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses | |
| 91 RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when | |
| 92 doing a re-connect, always takes the first cipher in the cipher list. | |
| 93 | 82 |
| 94 =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | 83 =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
| 95 | 84 |
| 96 ... | 85 ... |
| 97 | 86 |
| 98 =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | 87 =item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
| 99 | 88 |
| 100 ... | 89 ... |
| 101 | 90 |
| 102 =item SSL_OP_MSIE_SSLV2_RSA_PADDING | 91 =item SSL_OP_MSIE_SSLV2_RSA_PADDING |
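Review bot: the replacement text at NEW line 81 states that the option has no effect as of 0.9.8q and 1.0.0c but gives no reason, so a reader comparing against older documentation cannot tell whether the Netscape workaround was dropped deliberately. Add one sentence explaining why it was disabled (the OLD text at lines 81-92 describes a resumed connection ending up with a ciphersuite other than the one originally negotiated, which is not behaviour a server should be accommodating), and say whether the B<SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG> constant is still defined so that existing code setting it keeps compiling and is simply ignored.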
| (...skipping 109 matching lines...) |
| 212 | 201 |
| 213 =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | 202 =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
| 214 | 203 |
| 215 When performing renegotiation as a server, always start a new session | 204 When performing renegotiation as a server, always start a new session |
| 216 (i.e., session resumption requests are only accepted in the initial | 205 (i.e., session resumption requests are only accepted in the initial |
| 217 handshake). This option is not needed for clients. | 206 handshake). This option is not needed for clients. |
| 218 | 207 |
| 219 =item SSL_OP_NO_TICKET | 208 =item SSL_OP_NO_TICKET |
| 220 | 209 |
| 221 Normally clients and servers will, where possible, transparently make use | 210 Normally clients and servers will, where possible, transparently make use |
| 222 of RFC4507bis tickets for stateless session resumption if extension support | 211 of RFC4507bis tickets for stateless session resumption. |
| 223 is explicitly set when OpenSSL is compiled. | |
| 224 | 212 |
| 225 If this option is set this functionality is disabled and tickets will | 213 If this option is set this functionality is disabled and tickets will |
| 226 not be used by clients or servers. | 214 not be used by clients or servers. |
| 227 | 215 |
| 228 =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | 216 =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
| 229 | 217 |
| 230 Allow legacy insecure renegotiation between OpenSSL and unpatched clients or | 218 Allow legacy insecure renegotiation between OpenSSL and unpatched clients or |
| 231 servers. See the B<SECURE RENEGOTIATION> section for more details. | 219 servers. See the B<SECURE RENEGOTIATION> section for more details. |
| 232 | 220 |
| 233 =item SSL_OP_LEGACY_SERVER_CONNECT | 221 =item SSL_OP_LEGACY_SERVER_CONNECT |
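Review bot: dropping the compile-time qualifier at OLD lines 222-223 is only correct if ticket support is now built unconditionally; if it can still be disabled at build time, the NEW sentence at line 211 overstates things and should keep a shortened form of the condition. Since the sentence is being rewritten anyway, also replace the draft name "RFC4507bis" with the published RFC 5077 so the reference stays resolvable.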
| (...skipping 115 matching lines...) |
| 349 enabled). | 337 enabled). |
| 350 | 338 |
| 351 SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL | 339 SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL |
| 352 0.9.8m. | 340 0.9.8m. |
| 353 | 341 |
| 354 B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT> | 342 B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT> |
| 355 and the function SSL_get_secure_renegotiation_support() were first added in | 343 and the function SSL_get_secure_renegotiation_support() were first added in |
| 356 OpenSSL 0.9.8m. | 344 OpenSSL 0.9.8m. |
| 357 | 345 |
| 358 =cut | 346 =cut |
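Review bot: the HISTORY section is left untouched although this patch documents B<SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG> as having no effect since 0.9.8q and 1.0.0c; record that change here next to the 0.9.8m entries at NEW lines 339-344 so the version at which the behaviour changed is listed in one place.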