diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/luaossl.pdf | bin | 274840 -> 300085 bytes | |||
| -rw-r--r-- | doc/luaossl.tex | 42 |
2 files changed, 40 insertions, 2 deletions
diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf Binary files differindex 106b4ea..81112d9 100644 --- a/doc/luaossl.pdf +++ b/doc/luaossl.pdf diff --git a/doc/luaossl.tex b/doc/luaossl.tex index e75a678..5ac7761 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -284,7 +284,9 @@ field & type:default & description\\\hline .bits & number:1024 & private key size \\ -.exp & number:65537 & RSA or Diffie-Hellman exponent \\ +.exp & number:65537 & RSA exponent \\ + +.generator & number:2 & Diffie-Hellman generator \\ .dhparam & string & PEM encoded string with precomputed DH parameters \\ @@ -933,11 +935,17 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. +\subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}} + +Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. -\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{\href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{According to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-* applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} +\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} @@ -997,6 +1005,30 @@ Returns the option flags of the SSL connection instance. See \fn{openssl.ssl.con Clears the option flags of the SSL connection instance. See \fn{openssl.ssl.context:clearOptions}. +\subsubsection[\fn{ssl:setVerify}]{\fn{ssl:setVerify([$mode$][, $depth$])}} + +Sets the verification mode flags and maximum validation chain depth. +See \fn{openssl.ssl.context:setVerify}. + +\subsubsection[\fn{ssl:getVerify}]{\fn{ssl:getVerify()}} + +Returns two values: the bitwise verification mode flags, and the maximum validation depth. +See \fn{openssl.ssl.context:getVerify}. + +\subsubsection[\fn{ssl:getVerifyResult}]{\fn{ssl:getVerifyResult()}} + +Returns two values: the integer verification result code and the string representation of that code. + +\subsubsection[\fn{ssl:setCertificate}]{\fn{ssl:setCertificate($crt$)}} + +Sets the X.509 certificate \module{openssl.x509} object $crt$ to send during SSL connection instance handshakes. +See \fn{openssl.ssl.context:setCertificate}. + +\subsubsection[\fn{ssl:setPrivateKey}]{\fn{ssl:setPrivateKey($key$)}} + +Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes. +See \fn{openssl.ssl.context:setPrivateKey}. + \subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}} Returns the X.509 peer certificate as an \module{openssl.x509} object. If no peer certificate is available, returns $nil$. @@ -1046,6 +1078,12 @@ TLS1\_2\_VERSION & 16-bit TLSv1.2 identifier (0x0303). \\ Returns the SSL/TLS version supported by the client, which should be greater than or equal to the negotiated version. See \fn{ssl:getVersion}. +\subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}} + +Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} Returns the negotiated ALPN protocol as a string. |