1=pod 2 3=head1 NAME 4 5SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, 6SSL_clear_options, SSL_CTX_get_options, SSL_get_options, 7SSL_get_secure_renegotiation_support - manipulate SSL options 8 9=head1 SYNOPSIS 10 11 #include <openssl/ssl.h> 12 13 uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t options); 14 uint64_t SSL_set_options(SSL *ssl, uint64_t options); 15 16 uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t options); 17 uint64_t SSL_clear_options(SSL *ssl, uint64_t options); 18 19 uint64_t SSL_CTX_get_options(const SSL_CTX *ctx); 20 uint64_t SSL_get_options(const SSL *ssl); 21 22 long SSL_get_secure_renegotiation_support(SSL *ssl); 23 24=head1 DESCRIPTION 25 26SSL_CTX_set_options() adds the options set via bit-mask in B<options> to B<ctx>. 27Options already set before are not cleared! 28 29SSL_set_options() adds the options set via bit-mask in B<options> to B<ssl>. 30Options already set before are not cleared! 31 32SSL_CTX_clear_options() clears the options set via bit-mask in B<options> 33to B<ctx>. 34 35SSL_clear_options() clears the options set via bit-mask in B<options> to B<ssl>. 36 37SSL_CTX_get_options() returns the options set for B<ctx>. 38 39SSL_get_options() returns the options set for B<ssl>. 40 41SSL_get_secure_renegotiation_support() indicates whether the peer supports 42secure renegotiation. 43Note, this is implemented via a macro. 44 45=head1 NOTES 46 47The behaviour of the SSL library can be changed by setting several options. 48The options are coded as bit-masks and can be combined by a bitwise B<or> 49operation (|). 50 51SSL_CTX_set_options() and SSL_set_options() affect the (external) 52protocol behaviour of the SSL library. The (internal) behaviour of 53the API can be changed by using the similar 54L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions. 55 56During a handshake, the option settings of the SSL object are used. When 57a new SSL object is created from a context using SSL_new(), the current 58option setting is copied. Changes to B<ctx> do not affect already created 59SSL objects. SSL_clear() does not affect the settings. 60 61The following B<bug workaround> options are available: 62 63=over 4 64 65=item SSL_OP_CRYPTOPRO_TLSEXT_BUG 66 67Add server-hello extension from the early version of cryptopro draft 68when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro 69CSP 3.x. 70 71=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 72 73Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol 74vulnerability affecting CBC ciphers, which cannot be handled by some 75broken SSL implementations. This option has no effect for connections 76using other ciphers. 77 78=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG 79 80Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. 81OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. 82 83=item SSL_OP_TLSEXT_PADDING 84 85Adds a padding extension to ensure the ClientHello size is never between 86256 and 511 bytes in length. This is needed as a workaround for some 87implementations. 88 89=item SSL_OP_ALL 90 91All of the above bug workarounds. 92 93=back 94 95It is usually safe to use B<SSL_OP_ALL> to enable the bug workaround 96options if compatibility with somewhat broken implementations is 97desired. 98 99The following B<modifying> options are available: 100 101=over 4 102 103=item SSL_OP_ALLOW_CLIENT_RENEGOTIATION 104 105Client-initiated renegotiation is disabled by default. Use 106this option to enable it. 107 108=item SSL_OP_ALLOW_NO_DHE_KEX 109 110In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means 111that there will be no forward secrecy for the resumed session. 112 113=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 114 115Allow legacy insecure renegotiation between OpenSSL and unpatched clients or 116servers. See the B<SECURE RENEGOTIATION> section for more details. 117 118=item SSL_OP_CIPHER_SERVER_PREFERENCE 119 120When choosing a cipher, use the server's preferences instead of the client 121preferences. When not set, the SSL server will always follow the clients 122preferences. When set, the SSL/TLS server will choose following its 123own preferences. 124 125=item SSL_OP_CISCO_ANYCONNECT 126 127Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1 128connection. Only available when using the deprecated DTLSv1_client_method() API. 129 130=item SSL_OP_CLEANSE_PLAINTEXT 131 132By default TLS connections keep a copy of received plaintext 133application data in a static buffer until it is overwritten by the 134next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT 135deciphered application data is cleansed by calling OPENSSL_cleanse(3) 136after passing data to the application. Data is also cleansed when 137releasing the connection (e.g. L<SSL_free(3)>). 138 139Since OpenSSL only cleanses internal buffers, the application is still 140responsible for cleansing all other buffers. Most notably, this 141applies to buffers passed to functions like L<SSL_read(3)>, 142L<SSL_peek(3)> but also like L<SSL_write(3)>. 143 144=item SSL_OP_COOKIE_EXCHANGE 145 146Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects 147DTLS connections. 148 149=item SSL_OP_DISABLE_TLSEXT_CA_NAMES 150 151Disable TLS Extension CA Names. You may want to disable it for security reasons 152or for compatibility with some Windows TLS implementations crashing when this 153extension is larger than 1024 bytes. 154 155=item SSL_OP_ENABLE_KTLS 156 157Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must 158have been compiled with support for it, and it must be supported by the 159negotiated ciphersuites and extensions. The specific ciphersuites and extensions 160that are supported may vary by platform and kernel version. 161 162The kernel TLS data-path implements the record layer, and the encryption 163algorithm. The kernel will utilize the best hardware 164available for encryption. Using the kernel data-path should reduce the memory 165footprint of OpenSSL because no buffering is required. Also, the throughput 166should improve because data copy is avoided when user data is encrypted into 167kernel memory instead of the usual encrypt then copy to kernel. 168 169Kernel TLS might not support all the features of OpenSSL. For instance, 170renegotiation, and setting the maximum fragment size is not possible as of 171Linux 4.20. 172 173Note that with kernel TLS enabled some cryptographic operations are performed 174by the kernel directly and not via any available OpenSSL Providers. This might 175be undesirable if, for example, the application requires all cryptographic 176operations to be performed by the FIPS provider. 177 178=item SSL_OP_ENABLE_MIDDLEBOX_COMPAT 179 180If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This 181has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that 182do not understand TLSv1.3 will not drop the connection. Regardless of whether 183this option is set or not CCS messages received from the peer will always be 184ignored in TLSv1.3. This option is set by default. To switch it off use 185SSL_clear_options(). A future version of OpenSSL may not set this by default. 186 187=item SSL_OP_IGNORE_UNEXPECTED_EOF 188 189Some TLS implementations do not send the mandatory close_notify alert on 190shutdown. If the application tries to wait for the close_notify alert but the 191peer closes the connection without sending it, an error is generated. When this 192option is enabled the peer does not need to send the close_notify alert and a 193closed connection will be treated as if the close_notify alert was received. 194 195You should only enable this option if the protocol running over TLS 196can detect a truncation attack itself, and that the application is checking for 197that truncation attack. 198 199For more information on shutting down a connection, see L<SSL_shutdown(3)>. 200 201=item SSL_OP_LEGACY_SERVER_CONNECT 202 203Allow legacy insecure renegotiation between OpenSSL and unpatched servers 204B<only>. See the B<SECURE RENEGOTIATION> section for more details. 205 206=item SSL_OP_NO_ANTI_REPLAY 207 208By default, when a server is configured for early data (i.e., max_early_data > 0), 209OpenSSL will switch on replay protection. See L<SSL_read_early_data(3)> for a 210description of the replay protection feature. Anti-replay measures are required 211to comply with the TLSv1.3 specification. Some applications may be able to 212mitigate the replay risks in other ways and in such cases the built in OpenSSL 213functionality is not required. Those applications can turn this feature off by 214setting this option. This is a server-side option only. It is ignored by 215clients. 216 217=item SSL_OP_NO_COMPRESSION 218 219Do not use compression even if it is supported. This option is set by default. 220To switch it off use SSL_clear_options(). 221 222=item SSL_OP_NO_ENCRYPT_THEN_MAC 223 224Normally clients and servers will transparently attempt to negotiate the 225RFC7366 Encrypt-then-MAC option on TLS and DTLS connection. 226 227If this option is set, Encrypt-then-MAC is disabled. Clients will not 228propose, and servers will not accept the extension. 229 230=item SSL_OP_NO_EXTENDED_MASTER_SECRET 231 232Normally clients and servers will transparently attempt to negotiate the 233RFC7627 Extended Master Secret option on TLS and DTLS connection. 234 235If this option is set, Extended Master Secret is disabled. Clients will 236not propose, and servers will not accept the extension. 237 238=item SSL_OP_NO_QUERY_MTU 239 240Do not query the MTU. Only affects DTLS connections. 241 242=item SSL_OP_NO_RENEGOTIATION 243 244Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest 245messages, and ignore renegotiation requests via ClientHello. 246 247=item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 248 249When performing renegotiation as a server, always start a new session 250(i.e., session resumption requests are only accepted in the initial 251handshake). This option is not needed for clients. 252 253=item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, 254SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 255 256These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol 257versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, 258respectively. 259As of OpenSSL 1.1.0, these options are deprecated, use 260L<SSL_CTX_set_min_proto_version(3)> and 261L<SSL_CTX_set_max_proto_version(3)> instead. 262 263=item SSL_OP_NO_TICKET 264 265SSL/TLS supports two mechanisms for resuming sessions: session ids and stateless 266session tickets. 267 268When using session ids a copy of the session information is 269cached on the server and a unique id is sent to the client. When the client 270wishes to resume it provides the unique id so that the server can retrieve the 271session information from its cache. 272 273When using stateless session tickets the server uses a session ticket encryption 274key to encrypt the session information. This encrypted data is sent to the 275client as a "ticket". When the client wishes to resume it sends the encrypted 276data back to the server. The server uses its key to decrypt the data and resume 277the session. In this way the server can operate statelessly - no session 278information needs to be cached locally. 279 280The TLSv1.3 protocol only supports tickets and does not directly support session 281ids. However, OpenSSL allows two modes of ticket operation in TLSv1.3: stateful 282and stateless. Stateless tickets work the same way as in TLSv1.2 and below. 283Stateful tickets mimic the session id behaviour available in TLSv1.2 and below. 284The session information is cached on the server and the session id is wrapped up 285in a ticket and sent back to the client. When the client wishes to resume, it 286presents a ticket in the same way as for stateless tickets. The server can then 287extract the session id from the ticket and retrieve the session information from 288its cache. 289 290By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will 291cause stateless tickets to not be issued. In TLSv1.2 and below this means no 292ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be 293sent. This is a server-side option only. 294 295In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from 296being sent by calling L<SSL_CTX_set_num_tickets(3)> or 297L<SSL_set_num_tickets(3)>. 298 299=item SSL_OP_PRIORITIZE_CHACHA 300 301When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize 302ChaCha20-Poly1305 ciphers to the top of the server cipher list if a 303ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps 304those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere 305in the server cipher list; but still allows other clients to use AES and other 306ciphers. Requires B<SSL_OP_CIPHER_SERVER_PREFERENCE>. 307 308=item SSL_OP_TLS_ROLLBACK_BUG 309 310Disable version rollback attack detection. 311 312During the client key exchange, the client must send the same information 313about acceptable SSL/TLS protocol levels as during the first hello. Some 314clients violate this rule by adapting to the server's answer. (Example: 315the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server 316only understands up to SSLv3. In this case the client must still use the 317same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect 318to the server's answer and violate the version rollback protection.) 319 320=item SSL_OP_ENABLE_KTLS 321 322Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must 323have been compiled with support for it, and it must be supported by the 324negotiated ciphersuites and extensions. The specific ciphersuites and extensions 325that are supported may vary by platform and kernel version. 326 327The kernel TLS data-path implements the record layer, and the encryption 328algorithm. The kernel will utilize the best hardware 329available for encryption. Using the kernel data-path should reduce the memory 330footprint of OpenSSL because no buffering is required. Also, the throughput 331should improve because data copy is avoided when user data is encrypted into 332kernel memory instead of the usual encrypt then copy to kernel. 333 334Kernel TLS might not support all the features of OpenSSL. For instance, 335renegotiation, and setting the maximum fragment size is not possible as of 336Linux 4.20. 337 338Note that with kernel TLS enabled some cryptographic operations are performed 339by the kernel directly and not via any available OpenSSL Providers. This might 340be undesirable if, for example, the application requires all cryptographic 341operations to be performed by the FIPS provider. 342 343=back 344 345The following options no longer have any effect but their identifiers are 346retained for compatibility purposes: 347 348=over 4 349 350=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 351 352=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 353 354=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG 355 356=item SSL_OP_TLS_D5_BUG 357 358=item SSL_OP_TLS_BLOCK_PADDING_BUG 359 360=item SSL_OP_MSIE_SSLV2_RSA_PADDING 361 362=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 363 364=item SSL_OP_MICROSOFT_SESS_ID_BUG 365 366=item SSL_OP_NETSCAPE_CHALLENGE_BUG 367 368=item SSL_OP_PKCS1_CHECK_1 369 370=item SSL_OP_PKCS1_CHECK_2 371 372=item SSL_OP_SINGLE_DH_USE 373 374=item SSL_OP_SINGLE_ECDH_USE 375 376=item SSL_OP_EPHEMERAL_RSA 377 378=item SSL_OP_NETSCAPE_CA_DN_BUG 379 380=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 381 382=back 383 384=head1 SECURE RENEGOTIATION 385 386OpenSSL always attempts to use secure renegotiation as 387described in RFC5746. This counters the prefix attack described in 388CVE-2009-3555 and elsewhere. 389 390This attack has far reaching consequences which application writers should be 391aware of. In the description below an implementation supporting secure 392renegotiation is referred to as I<patched>. A server not supporting secure 393renegotiation is referred to as I<unpatched>. 394 395The following sections describe the operations permitted by OpenSSL's secure 396renegotiation implementation. 397 398=head2 Patched client and server 399 400Connections and renegotiation are always permitted by OpenSSL implementations. 401 402=head2 Unpatched client and patched OpenSSL server 403 404The initial connection succeeds but client renegotiation is denied by the 405server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal 406B<handshake_failure> alert in SSL v3.0. 407 408If the patched OpenSSL server attempts to renegotiate a fatal 409B<handshake_failure> alert is sent. This is because the server code may be 410unaware of the unpatched nature of the client. 411 412If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then 413renegotiation B<always> succeeds. 414 415=head2 Patched OpenSSL client and unpatched server 416 417If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or 418B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections 419and renegotiation between patched OpenSSL clients and unpatched servers 420succeeds. If neither option is set then initial connections to unpatched 421servers will fail. 422 423Setting the option B<SSL_OP_LEGACY_SERVER_CONNECT> has security implications; 424clients that are willing to connect to servers that do not implement 425RFC 5746 secure renegotiation are subject to attacks such as 426CVE-2009-3555. 427 428OpenSSL client applications wishing to ensure they can connect to unpatched 429servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT> 430 431OpenSSL client applications that want to ensure they can B<not> connect to 432unpatched servers (and thus avoid any security issues) should always B<clear> 433B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or 434SSL_clear_options(). 435 436The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and 437B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that 438B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure 439renegotiation between OpenSSL clients and unpatched servers B<only>, while 440B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections 441and renegotiation between OpenSSL and unpatched clients or servers. 442 443=head1 RETURN VALUES 444 445SSL_CTX_set_options() and SSL_set_options() return the new options bit-mask 446after adding B<options>. 447 448SSL_CTX_clear_options() and SSL_clear_options() return the new options bit-mask 449after clearing B<options>. 450 451SSL_CTX_get_options() and SSL_get_options() return the current bit-mask. 452 453SSL_get_secure_renegotiation_support() returns 1 is the peer supports 454secure renegotiation and 0 if it does not. 455 456=head1 SEE ALSO 457 458L<ssl(7)>, L<SSL_new(3)>, L<SSL_clear(3)>, L<SSL_shutdown(3)> 459L<SSL_CTX_set_tmp_dh_callback(3)>, 460L<SSL_CTX_set_min_proto_version(3)>, 461L<openssl-dhparam(1)> 462 463=head1 HISTORY 464 465The attempt to always try to use secure renegotiation was added in 466OpenSSL 0.9.8m. 467 468The B<SSL_OP_PRIORITIZE_CHACHA> and B<SSL_OP_NO_RENEGOTIATION> options 469were added in OpenSSL 1.1.1. 470 471The B<SSL_OP_NO_EXTENDED_MASTER_SECRET> and B<SSL_OP_IGNORE_UNEXPECTED_EOF> 472options were added in OpenSSL 3.0. 473 474The B<SSL_OP_> constants and the corresponding parameter and return values 475of the affected functions were changed to C<uint64_t> type in OpenSSL 3.0. 476For that reason it is no longer possible use the B<SSL_OP_> macro values 477in preprocessor C<#if> conditions. However it is still possible to test 478whether these macros are defined or not. 479 480=head1 COPYRIGHT 481 482Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. 483 484Licensed under the Apache License 2.0 (the "License"). You may not use 485this file except in compliance with the License. You can obtain a copy 486in the file LICENSE in the source distribution or at 487L<https://www.openssl.org/source/license.html>. 488 489=cut 490