Standard preamble:
========================================================================
..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.
If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.
Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================
Title "SSL_CTX_SET1_CURVES 3ossl"
way too many mistakes in technical documents.
\fBSSL_CTX_set1_groups() sets the supported groups for ctx to glistlen groups in the array glist. The array consist of all NIDs of groups in preference order. For a \s-1TLS\s0 client the groups are used directly in the supported groups extension. For a \s-1TLS\s0 server the groups are used to determine the set of shared groups. Currently supported groups for \fBTLSv1.3 are NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, \fB\s-1NID_X25519\s0, \s-1NID_X448\s0, NID_ffdhe2048, NID_ffdhe3072, \fBNID_ffdhe4096, NID_ffdhe6144 and NID_ffdhe8192.
\fBSSL_CTX_set1_groups_list() sets the supported groups for ctx to string list. The string is a colon separated list of group NIDs or names, for example \*(L"P-521:P-384:P-256:X25519:ffdhe2048\*(R". Currently supported groups for TLSv1.3 are P-256, P-384, P-521, X25519, X448, \fBffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192. Support for other groups may be added by external providers.
\fBSSL_set1_groups() and SSL_set1_groups_list() are similar except they set supported groups for the \s-1SSL\s0 structure ssl.
\fBSSL_get1_groups() returns the set of supported groups sent by a client in the supported groups extension. It returns the total number of supported groups. The groups parameter can be \s-1NULL\s0 to simply return the number of groups for memory allocation purposes. The \fBgroups array is in the form of a set of group NIDs in preference order. It can return zero if the client did not send a supported groups extension. If a supported group \s-1NID\s0 is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.
\fBSSL_get_shared_group() returns the \s-1NID\s0 of the shared group n for a server-side \s-1SSL\s0 ssl. If n is -1 then the total number of shared groups is returned, which may be zero. Other than for diagnostic purposes, most applications will only be interested in the first shared group so n is normally set to zero. If the value n is out of range, NID_undef is returned. If the \s-1NID\s0 for the shared group is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.
\fBSSL_get_negotiated_group() returns the \s-1NID\s0 of the negotiated group used for the handshake key exchange process. For TLSv1.3 connections this typically reflects the state of the current connection, though in the case of PSK-only resumption, the returned value will be from a previous connection. For earlier \s-1TLS\s0 versions, when a session has been resumed, it always reflects the group used for key exchange during the initial handshake (otherwise it is from the current, non-resumption, connection). This can be called by either client or server. If the \s-1NID\s0 for the shared group is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.
All these functions are implemented as macros.
The curve functions are synonyms for the equivalently named group functions and are identical in every respect. They exist because, prior to \s-1TLS1.3,\s0 there was only the concept of supported curves. In \s-1TLS1.3\s0 this was renamed to supported groups, and extended to include Diffie Hellman groups. The group functions should be used in preference.
\fBSSL_get1_groups() returns the number of groups, which may be zero.
\fBSSL_get_shared_group() returns the \s-1NID\s0 of shared group n or NID_undef if there is no shared group n; or the total number of shared groups if n is -1.
When called on a client ssl, SSL_get_shared_group() has no meaning and returns -1.
\fBSSL_get_negotiated_group() returns the \s-1NID\s0 of the negotiated group used for key exchange, or NID_undef if there was no negotiated group.
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.