-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.13 2021/04/15 16:35:54 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.14 2021/06/11 19:41:39 jmc Exp $
.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
.\"
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 11 2021 $
.Dt SSL_CTX_SET_OPTIONS 3
.Os
.Sh NAME
When not set, the server will always follow the client's preferences.
When set, the server will choose following its own preferences.
.It Dv SSL_OP_COOKIE_EXCHANGE
-Turn on Cookie Exchange as described in RFC4347 Section 4.2.1.
+Turn on Cookie Exchange as described in RFC 4347 Section 4.2.1.
Only affects DTLS connections.
.It Dv SSL_OP_LEGACY_SERVER_CONNECT
Allow legacy insecure renegotiation between OpenSSL and unpatched servers
.Dv SSL_OP_TLSEXT_PADDING .
.Sh SECURE RENEGOTIATION
OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in RFC5746.
+described in RFC 5746.
This counters the prefix attack described in CVE-2009-3555 and elsewhere.
.Pp
This attack has far-reaching consequences which application writers should be
-.\" $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Rich Salz <rsalz@akamai.com>
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 11 2021 $
.Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
.Os
.Sh NAME
.Fa cb
for handling session tickets for the ssl context
.Fa sslctx .
-Session tickets, defined in RFC5077, provide an enhanced session
+Session tickets, defined in RFC 5077, provide an enhanced session
resumption capability where the server implementation is not required to
maintain per session state.
.Pp
cryptographic parameters and to maintain their state.
.Pp
The OpenSSL library uses the callback function to help implement a
-common TLS ticket construction state according to RFC5077 Section 4 such
+common TLS ticket construction state according to RFC 5077 Section 4 such
that per session state is unnecessary and a small set of cryptographic
variables needs to be maintained by the callback function
implementation.
.Fa cb
again with an
.Fa enc
-argument of 1 to set the new ticket (see RFC5077 3.3 paragraph 2).
+argument of 1 to set the new ticket (see RFC 5077 3.3 paragraph 2).
.It 1
This indicates that the
.Fa ctx
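Review bot: The changed line "(see RFC 5077 3.3 paragraph 2)" still omits the word "Section", unlike the earlier reference in this same file ("RFC 5077 Section 4"). Since the line is being touched anyway, write "(see RFC 5077 Section 3.3, paragraph 2)" so the section number cannot be read as part of the RFC number.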
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.5 2021/06/11 15:28:14 landry Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
.\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
.\"
.\" This file was written by Matt Caswell <matt@openssl.org>.
.Sh DESCRIPTION
SRTP is the Secure Real-Time Transport Protocol.
OpenSSL implements support for the "use_srtp" DTLS extension
-defined in RFC5764.
+defined in RFC 5764.
This provides a mechanism for establishing SRTP keying material,
algorithms and parameters using DTLS.
This capability may be used as part of an implementation that
-conforms to RFC5763.
-OpenSSL does not implement SRTP itself or RFC5763.
+conforms to RFC 5763.
+OpenSSL does not implement SRTP itself or RFC 5763.
Note that OpenSSL does not support the use of SRTP Master Key
Identifiers (MKIs).
Also note that this extension is only supported in DTLS.
The currently supported protection profile names are:
.Bl -tag -width Ds
.It Dv SRTP_AES128_CM_SHA1_80
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC5764.
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC 5764.
.It Dv SRTP_AES128_CM_SHA1_32
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC5764.
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC 5764.
.It Dv SRTP_AEAD_AES_128_GCM
-This corresponds to SRTP_AEAD_AES_128_GCM defined in RFC7714.
+This corresponds to SRTP_AEAD_AES_128_GCM defined in RFC 7714.
.It Dv SRTP_AEAD_AES_256_GCM
-This corresponds to SRTP_AEAD_AES_256_GCM defined in RFC7714.
+This corresponds to SRTP_AEAD_AES_256_GCM defined in RFC 7714.
.El
.Pp
Supplying an unrecognised protection profile name results in an error.
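Review bot: In the protection profile list, each of the four entries only restates the RFC name of the profile, and for the two GCM entries that name is identical to the Dv name, so the sentence tells the reader nothing new. The RFC names are also plain body text with no markup, which makes the one real difference in the first two entries (the added "HMAC_") easy to miss. Consider marking up the RFC names and adding a few words on what distinguishes the entries, for example the _80 and _32 variants, so a caller can choose between them from this page.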
-.\" $OpenBSD: SSL_clear.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 11 2021 $
.Dt SSL_CLEAR 3
.Os
.Sh NAME
If a session is still
.Em open ,
it is considered bad and will be removed from the session cache,
-as required by RFC2246.
+as required by RFC 2246.
A session is considered open if
.Xr SSL_shutdown 3
was not called for the connection or at least
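Review bot: "as required by RFC 2246" cites the whole RFC with no section, while other pages in this same commit give one ("RFC 4347 Section 4.2.1", "RFC 5077 Section 4"). Add the section that states the requirement to drop a session that was not closed, so a reader can check the claim. The same bare citation is changed in SSL_free.3 and SSL_set_shutdown.3 and should get the same treatment.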
-.\" $OpenBSD: SSL_free.3,v 1.5 2020/03/30 10:28:59 schwarze Exp $
+.\" $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 11 2021 $
.Dt SSL_FREE 3
.Os
.Sh NAME
was not used to set the
.Vt SSL_SENT_SHUTDOWN
state, the session will also be removed from the session cache as required by
-RFC2246.
+RFC 2246.
.Sh SEE ALSO
.Xr ssl 3 ,
.Xr SSL_clear 3 ,
-.\" $OpenBSD: SSL_set_shutdown.3,v 1.5 2020/03/30 10:28:59 schwarze Exp $
+.\" $OpenBSD: SSL_set_shutdown.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 11 2021 $
.Dt SSL_SET_SHUTDOWN 3
.Os
.Sh NAME
.Xr SSL_clear 3
or
.Xr SSL_free 3
-is called, it is considered bad and removed according to RFC2246.
+is called, it is considered bad and removed according to RFC 2246.
The actual condition for a correctly closed session is
.Dv SSL_SENT_SHUTDOWN
(according to the TLS RFC, it is acceptable to only send the
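Review bot: After this change the sentence ends "removed according to RFC 2246", and the parenthetical two lines below refers to "the TLS RFC" without a number. Adjacent sentences now name the standard in two different ways. If the same document is meant, say "RFC 2246" in the parenthetical too; if not, name the other RFC.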