You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74 lines
2.9 KiB
74 lines
2.9 KiB
=pod |
|
|
|
=head1 NAME |
|
|
|
SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs |
|
|
|
=head1 SYNOPSIS |
|
|
|
#include <openssl/ssl.h> |
|
|
|
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); |
|
int SSL_set_cipher_list(SSL *ssl, const char *str); |
|
|
|
=head1 DESCRIPTION |
|
|
|
SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx> |
|
using the control string B<str>. The format of the string is described |
|
in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all |
|
B<ssl> objects created from B<ctx>. |
|
|
|
SSL_set_cipher_list() sets the list of ciphers only for B<ssl>. |
|
|
|
=head1 NOTES |
|
|
|
The control string B<str> should be universally usable and not depend |
|
on details of the library configuration (ciphers compiled in). Thus no |
|
syntax checking takes place. Items that are not recognized, because the |
|
corresponding ciphers are not compiled in or because they are mistyped, |
|
are simply ignored. Failure is only flagged if no ciphers could be collected |
|
at all. |
|
|
|
It should be noted, that inclusion of a cipher to be used into the list is |
|
a necessary condition. On the client side, the inclusion into the list is |
|
also sufficient. On the server side, additional restrictions apply. All ciphers |
|
have additional requirements. ADH ciphers don't need a certificate, but |
|
DH-parameters must have been set. All other ciphers need a corresponding |
|
certificate and key. |
|
|
|
A RSA cipher can only be chosen, when a RSA certificate is available. |
|
RSA export ciphers with a keylength of 512 bits for the RSA key require |
|
a temporary 512 bit RSA key, as typically the supplied key has a length |
|
of 1024 bit (see |
|
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). |
|
RSA ciphers using EDH need a certificate and key and additional DH-parameters |
|
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
|
|
|
A DSA cipher can only be chosen, when a DSA certificate is available. |
|
DSA ciphers always use DH key exchange and therefore need DH-parameters |
|
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
|
|
|
When these conditions are not met for any cipher in the list (e.g. a |
|
client only supports export RSA ciphers with a asymmetric key length |
|
of 512 bits and the server is not configured to use temporary RSA |
|
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated |
|
and the handshake will fail. |
|
|
|
If the cipher list does not contain any SSLv2 cipher suites (this is the |
|
default) then SSLv2 is effectively disabled and neither clients nor servers |
|
will attempt to use SSLv2. |
|
|
|
=head1 RETURN VALUES |
|
|
|
SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher |
|
could be selected and 0 on complete failure. |
|
|
|
=head1 SEE ALSO |
|
|
|
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, |
|
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, |
|
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, |
|
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, |
|
L<ciphers(1)|ciphers(1)> |
|
|
|
=cut
|
|
|