Lines Matching +full:comp +full:- +full:disable

6 SSL_CONF_cmd - send configuration command
30 prefix for command line commands is B<-> and that is reflected below.
34 =item B<-bugs>
38 =item B<-no_comp>
44 =item B<-comp>
54 =item B<-no_ticket>
58 =item B<-serverpref>
64 =item B<-client_renegotiation>
66 Allows servers to accept client-initiated renegotiation. Equivalent to
70 =item B<-legacy_renegotiation>
75 =item B<-no_renegotiation>
80 =item B<-no_resumption_on_reneg>
84 =item B<-legacy_server_connect>, B<-no_legacy_server_connect>
89 =item B<-prioritize_chacha>
94 Only used by servers. Requires B<-serverpref>.
96 =item B<-allow_no_dhe_kex>
98 In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
101 =item B<-prefer_no_dhe_kex>
103 In TLSv1.3, on resumption let the server prefer a non-(ec)dhe based key
104 exchange mode over an (ec)dhe based one. Requires B<-allow_no_dhe_kex>.
107 =item B<-strict>
112 =item B<-sigalgs> I<algs>
128 further algorithms via the TLS-SIGALG capability.
130 in the B<algorithm+hash> form are case-insensitive.
131 See L<provider-base(7)>.
140 =item B<-client_sigalgs> I<algs>
149 The syntax of B<algs> is identical to B<-sigalgs>. If not set, then the
150 value set for B<-sigalgs> will be used instead.
152 =item B<-groups> I<groups>
161 …upported Groups|https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameter…
165 Such an alias could be a B<NIST> name (e.g. B<P-256>), an OpenSSL OID name
167 Group names are case-insensitive in OpenSSL 3.5 and later.
176 $ openssl list -tls1_2 -tls-groups
177 $ openssl list -tls1_3 -tls-groups
197 =item B<-curves> I<groups>
199 This is a synonym for the B<-groups> command.
201 =item B<-named_curve> I<curve>
209 curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
213 Curve names are case-insensitive in OpenSSL 3.5 and later.
215 =item B<-tx_cert_comp>
219 =item B<-no_tx_cert_comp>
223 =item B<-rx_cert_comp>
227 =item B<-no_rx_cert_comp>
231 =item B<-comp>
233 =item B<-cipher> I<ciphers>
240 =item B<-ciphersuites> I<1.3ciphers>
243 colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
245 See L<openssl-ciphers(1)> for more information.
247 =item B<-min_protocol> I<minprot>, B<-max_protocol> I<maxprot>
261 =item B<-record_padding> I<padding>
273 =item B<-debug_broken_protocol>
277 =item B<-no_middlebox>
290 =item B<-cert> I<file>
298 =item B<-key> I<file>
302 if no B<-key> option is set then a private key is not loaded unless the
305 =item B<-dhparam> I<file>
311 =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
316 respectively. These options are deprecated, use B<-min_protocol> and
317 B<-max_protocol> instead.
319 =item B<-anti_replay>, B<-no_anti_replay>
325 time. Anti-Replay is on by default unless overridden by a configuration file and
326 is only used by servers. Anti-replay measures are required for compliance with
328 risks in other ways and in such cases the built-in OpenSSL functionality is not
329 required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>.
355 colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
357 See L<openssl-ciphers(1)> for more information.
428 in the B<algorithm+hash> form are case-insensitive.
430 TLS_SIGALG capability. See L<provider-base(7)/CAPABILITIES>.
463 …upported Groups|https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameter…
466 Such an alias could be a B<NIST> name (e.g. B<P-256>), an OpenSSL OID name
468 Group names are case-insensitive in OpenSSL 3.5 and later.
474 $ openssl list -tls1_2 -tls-groups
475 $ openssl list -tls1_3 -tls-groups
494 The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
495 apply only to DTLS-based contexts.
506 The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
507 apply only to DTLS-based contexts.
514 This can be used to enable or disable certain versions of the SSL,
518 to enable or disable.
519 If a protocol is preceded by B<-> that version is disabled.
522 You need to disable at least one protocol version for this setting to have any
524 Only enabling some protocol versions does not disable the other protocol
532 or B<MaxProtocol>, but can disable protocols that are still allowed
544 If a flag string is preceded by B<-> it is disabled.
549 the B<-flag> syntax is needed to disable it.
552 B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
592 B<EncryptThenMac>: use encrypt-then-mac extension, enabled by
594 B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.
596 B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
601 non-(ec)dhe based key exchange mode over an (ec)dhe based one. Requires
615 servers. Anti-replay measures are required to comply with the TLSv1.3
617 other ways and in such cases the built-in OpenSSL functionality is not required.
618 Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.
622 B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
626 B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
637 B<-TxCertificateCompression> is the same as setting B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>.
641 B<-RxCertificateCompression> is the same as setting B<SSL_OP_NO_RX_CERTIFICATE_COMPRESSION>.
648 KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and
672 not require a certificate from the client post-handshake. A certificate will
674 provide a mechanism to request a certificate post-handshake. Servers only.
678 requires a certificate from the client post-handshake: an error occurs if the
681 to request a certificate post-handshake. Servers only. TLSv1.3 only.
727 SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
730 it will disable SSLv3 support by default but the user can override it. If
734 SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
744 -2 (unrecognised command) continue with processing of application specific
754 number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is
756 can be checked instead. If -3 is returned a required argument is missing
773 A return value of -2 means B<option> is not recognised.
775 A return value of -3 means B<option> is recognised and the command requires a
792 This is the recommended way to disable protocols.
798 SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
800 The following will first enable all protocols, and then disable
803 "-SSLv3", but if some versions were disabled this will re-enable them before
806 SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
815 SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
817 Disable TLS session tickets:
819 SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
825 Set supported curves to P-256, P-384:
827 SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
862 OpenSSL 3.5 introduces support for post-quantum (PQ) TLS key exchange via the
864 These are based on the underlying B<ML-KEM-512>, B<ML-KEM-768> and
865 B<ML-KEM-1024> algorithms from FIPS 203.
872 The third group, B<SecP384r1MLKEM1024> is substantially more CPU-intensive,
873 largely as a result of the high CPU cost of ECDH for the underlying B<P-384>
878 As of OpenSSL 3.5 key exchange group names are case-insensitive.
882 Copyright 2012-2025 The OpenSSL Project Authors. All Rights Reserved.