docs: Added All OpenBSD Manuals

1 files changed, 375 insertions, 0 deletions

diff --git a/static/openbsd/man3/SSL_CTX_set_options.3 b/static/openbsd/man3/SSL_CTX_set_options.3
new file mode 100644
index 00000000..5e81c978
--- /dev/null
+++ b/static/openbsd/man3/SSL_CTX_set_options.3
@@ -0,0 +1,375 @@
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
+.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
+.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
+.\"
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
+.\" Bodo Moeller <bodo@openssl.org>, and
+.\" Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2001-2003, 2005, 2007, 2009, 2010, 2013-2015
+.\" The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: June 8 2025 $
+.Dt SSL_CTX_SET_OPTIONS 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_options ,
+.Nm SSL_set_options ,
+.Nm SSL_CTX_clear_options ,
+.Nm SSL_clear_options ,
+.Nm SSL_CTX_get_options ,
+.Nm SSL_get_options ,
+.Nm SSL_get_secure_renegotiation_support
+.Nd manipulate SSL options
+.Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
+.Ft long
+.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
+.Ft long
+.Fn SSL_set_options "SSL *ssl" "long options"
+.Ft long
+.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
+.Ft long
+.Fn SSL_clear_options "SSL *ssl" "long options"
+.Ft long
+.Fn SSL_CTX_get_options "SSL_CTX *ctx"
+.Ft long
+.Fn SSL_get_options "SSL *ssl"
+.Ft long
+.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
+.Sh DESCRIPTION
+.Fn SSL_CTX_set_options
+adds the options set via bitmask in
+.Fa options
+to
+.Fa ctx .
+Options already set before are not cleared!
+.Pp
+.Fn SSL_set_options
+adds the options set via bitmask in
+.Fa options
+to
+.Fa ssl .
+Options already set before are not cleared!
+.Pp
+.Fn SSL_CTX_clear_options
+clears the options set via bitmask in
+.Fa options
+to
+.Fa ctx .
+.Pp
+.Fn SSL_clear_options
+clears the options set via bitmask in
+.Fa options
+to
+.Fa ssl .
+.Pp
+.Fn SSL_CTX_get_options
+returns the options set for
+.Fa ctx .
+.Pp
+.Fn SSL_get_options
+returns the options set for
+.Fa ssl .
+.Pp
+.Fn SSL_get_secure_renegotiation_support
+indicates whether the peer supports secure renegotiation.
+.Pp
+All these functions are implemented using macros.
+.Pp
+The behaviour of the SSL library can be changed by setting several options.
+The options are coded as bitmasks and can be combined by a bitwise OR
+operation (|).
+.Pp
+.Fn SSL_CTX_set_options
+and
+.Fn SSL_set_options
+affect the (external) protocol behaviour of the SSL library.
+The (internal) behaviour of the API can be changed by using the similar
+.Xr SSL_CTX_set_mode 3
+and
+.Xr SSL_set_mode 3
+functions.
+.Pp
+During a handshake, the option settings of the SSL object are used.
+When a new SSL object is created from a context using
+.Xr SSL_new 3 ,
+the current option setting is copied.
+Changes to
+.Fa ctx
+do not affect already created
+.Vt SSL
+objects.
+.Fn SSL_clear
+does not affect the settings.
+.Pp
+The following
+.Em bug workaround
+options are available:
+.Bl -tag -width Ds
+.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+Disables a countermeasure against a TLS 1.0 protocol vulnerability
+affecting CBC ciphers, which cannot be handled by some broken SSL
+implementations.
+This option has no effect for connections using other ciphers.
+.It Dv SSL_OP_ALL
+This is currently an alias for
+.Dv SSL_OP_LEGACY_SERVER_CONNECT .
+.El
+.Pp
+It is usually safe to use
+.Dv SSL_OP_ALL
+to enable the bug workaround options if compatibility with somewhat broken
+implementations is desired.
+.Pp
+The following
+.Em modifying
+options are available:
+.Bl -tag -width Ds
+.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
+When choosing a cipher, use the server's preferences instead of the client
+preferences.
+When not set, the server will always follow the client's preferences.
+When set, the server will choose following its own preferences.
+.It Dv SSL_OP_COOKIE_EXCHANGE
+Turn on Cookie Exchange as described in RFC 4347 Section 4.2.1.
+Only affects DTLS connections.
+.It Dv SSL_OP_LEGACY_SERVER_CONNECT
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+.Em only :
+this option is currently set by default.
+See the
+.Sx SECURE RENEGOTIATION
+section for more details.
+.It Dv SSL_OP_NO_DTLSv1
+Do not use the DTLSv1 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_min_proto_version 3
+instead.
+.It Dv SSL_OP_NO_DTLSv1_2
+Do not use the DTLSv1.2 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_min_proto_version 3
+instead.
+.It Dv SSL_OP_NO_QUERY_MTU
+Do not query the MTU.
+Only affects DTLS connections.
+.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+When performing renegotiation as a server, always start a new session (i.e.,
+session resumption requests are only accepted in the initial handshake).
+This option is not needed for clients.
+.It Dv SSL_OP_NO_TICKET
+Normally clients and servers using TLSv1.2 and earlier will, where possible,
+transparently make use of
+RFC 5077 tickets for stateless session resumption.
+.Pp
+If this option is set, this functionality is disabled and tickets will not be
+used by clients or servers.
+.It Dv SSL_OP_NO_TLSv1
+Do not use the TLSv1.0 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_min_proto_version 3
+instead.
+.It Dv SSL_OP_NO_TLSv1_1
+Do not use the TLSv1.1 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_min_proto_version 3
+instead.
+.It Dv SSL_OP_NO_TLSv1_2
+Do not use the TLSv1.2 protocol.
+Deprecated; use
+.Xr SSL_CTX_set_max_proto_version 3
+instead.
+.El
+.Pp
+The following options used to be supported at some point in the past
+and no longer have any effect:
+.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
+.Dv SSL_OP_EPHEMERAL_RSA ,
+.Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ,
+.Dv SSL_OP_MICROSOFT_SESS_ID_BUG ,
+.Dv SSL_OP_NETSCAPE_CA_DN_BUG ,
+.Dv SSL_OP_NETSCAPE_CHALLENGE_BUG ,
+.Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ,
+.Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ,
+.Dv SSL_OP_NO_COMPRESSION ,
+.Dv SSL_OP_NO_SSLv2 ,
+.Dv SSL_OP_NO_SSLv3 ,
+.Dv SSL_OP_PKCS1_CHECK_1 ,
+.Dv SSL_OP_PKCS1_CHECK_2 ,
+.Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG ,
+.Dv SSL_OP_SINGLE_DH_USE ,
+.Dv SSL_OP_SINGLE_ECDH_USE ,
+.Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG ,
+.Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ,
+.Dv SSL_OP_TLS_BLOCK_PADDING_BUG ,
+.Dv SSL_OP_TLS_D5_BUG ,
+.Dv SSL_OP_TLS_ROLLBACK_BUG ,
+.Dv SSL_OP_TLSEXT_PADDING .
+.Sh SECURE RENEGOTIATION
+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
+described in RFC 5746.
+This counters the prefix attack described in CVE-2009-3555 and elsewhere.
+.Pp
+This attack has far-reaching consequences which application writers should be
+aware of.
+In the description below an implementation supporting secure renegotiation is
+referred to as
+.Dq patched .
+A server not supporting secure
+renegotiation is referred to as
+.Dq unpatched .
+.Pp
+The following sections describe the operations permitted by OpenSSL's secure
+renegotiation implementation.
+.Ss Patched client and server
+Connections and renegotiation are always permitted by OpenSSL implementations.
+.Ss Unpatched client and patched OpenSSL server
+The initial connection succeeds but client renegotiation is denied by the
+server with a
+.Em no_renegotiation
+warning alert.
+.Pp
+If the patched OpenSSL server attempts to renegotiate, a fatal
+.Em handshake_failure
+alert is sent.
+This is because the server code may be unaware of the unpatched nature of the
+client.
+.Pp
+Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which
+are unpatched) will result in the connection hanging if it receives a
+.Em no_renegotiation
+alert.
+OpenSSL versions 0.9.8m and later will regard a
+.Em no_renegotiation
+alert as fatal and respond with a fatal
+.Em handshake_failure
+alert.
+This is because the OpenSSL API currently has no provision to indicate to an
+application that a renegotiation attempt was refused.
+.Ss Patched OpenSSL client and unpatched server
+If the option
+.Dv SSL_OP_LEGACY_SERVER_CONNECT
+is set then initial connections and renegotiation between patched OpenSSL
+clients and unpatched servers succeeds.
+If neither option is set then initial connections to unpatched servers will
+fail.
+.Pp
+The option
+.Dv SSL_OP_LEGACY_SERVER_CONNECT
+is currently set by default even though it has security implications:
+otherwise it would be impossible to connect to unpatched servers (i.e., all of
+them initially) and this is clearly not acceptable.
+Renegotiation is permitted because this does not add any additional security
+issues: during an attack clients do not see any renegotiations anyway.
+.Pp
+As more servers become patched, the option
+.Dv SSL_OP_LEGACY_SERVER_CONNECT
+will
+.Em not
+be set by default in a future version of OpenSSL.
+.Pp
+OpenSSL client applications wishing to ensure they can connect to unpatched
+servers should always
+.Em set
+.Dv SSL_OP_LEGACY_SERVER_CONNECT .
+.Pp
+OpenSSL client applications that want to ensure they can
+.Em not
+connect to unpatched servers (and thus avoid any security issues) should always
+.Em clear
+.Dv SSL_OP_LEGACY_SERVER_CONNECT
+using
+.Fn SSL_CTX_clear_options
+or
+.Fn SSL_clear_options .
+.Sh RETURN VALUES
+.Fn SSL_CTX_set_options
+and
+.Fn SSL_set_options
+return the new options bitmask after adding
+.Fa options .
+.Pp
+.Fn SSL_CTX_clear_options
+and
+.Fn SSL_clear_options
+return the new options bitmask after clearing
+.Fa options .
+.Pp
+.Fn SSL_CTX_get_options
+and
+.Fn SSL_get_options
+return the current bitmask.
+.Pp
+.Fn SSL_get_secure_renegotiation_support
+returns 1 is the peer supports secure renegotiation and 0 if it does not.
+.Sh SEE ALSO
+.Xr openssl 1 ,
+.Xr ssl 3 ,
+.Xr SSL_clear 3 ,
+.Xr SSL_CTX_ctrl 3 ,
+.Xr SSL_CTX_set_min_proto_version 3 ,
+.Xr SSL_new 3
+.Sh HISTORY
+.Fn SSL_CTX_set_options
+and
+.Fn SSL_set_options
+first appeared in SSLeay 0.9.0 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn SSL_CTX_get_options
+and
+.Fn SSL_get_options
+first appeared in OpenSSL 0.9.2b and have been available since
+.Ox 2.6 .
+.Pp
+.Fn SSL_CTX_clear_options ,
+.Fn SSL_clear_options ,
+and
+.Fn SSL_get_secure_renegotiation_support
+first appeared in OpenSSL 0.9.8m and have been available since
+.Ox 4.9 .