From dac3c57f6c9d5d00933a510fc4f6303976b45ca5 Mon Sep 17 00:00:00 2001 From: daurnimator Date: Wed, 12 Jun 2019 17:01:12 +1000 Subject: src/openssl.c: rename setCurvesList to setGroups Old alias is left for compat --- doc/luaossl.pdf | Bin 182545 -> 182982 bytes doc/luaossl.tex | 27 ++++++++++++++------------- 2 files changed, 14 insertions(+), 13 deletions(-) (limited to 'doc') diff --git a/doc/luaossl.pdf b/doc/luaossl.pdf index fb5679d..b7a09dc 100644 Binary files a/doc/luaossl.pdf and b/doc/luaossl.pdf differ diff --git a/doc/luaossl.tex b/doc/luaossl.tex index c371dbd..efc6422 100644 --- a/doc/luaossl.tex +++ b/doc/luaossl.tex @@ -1089,23 +1089,24 @@ Sets the private key \module{openssl.pkey} object $key$ for use during SSL conne Sets the allowed public key and private key algorithm(s). The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}. -\subsubsection[\fn{context:setCurvesList}]{\fn{context:setCurvesList($string$ [, ...])}} - -Sets the supported curves. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. A list of supported curves can be found by running \texttt{openssl ecparam -list\_curves}. - -\emph{Only supported since OpenSSL 1.0.2.} - \subsubsection[\fn{context:setCipherSuites}]{\fn{context:setCipherSuites($string$ [, ...])}} Sets the supported TLS 1.3 cipher suites. The string format is a list of colon separated curve names similar to \texttt{ctx:setCipherList(...)}. \emph{Only supported since OpenSSL 1.1.1.} +\subsubsection[\fn{context:setGroups}]{\fn{context:setGroups($string$ [, ...])}} + +Sets the supported groups. The string format is a list of colon separated group names similar to \texttt{ctx:setCipherList(...)}. +A list of supported EC groups can be found by running \texttt{openssl ecparam -list\_curves}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{context:setEphemeralKey}]{\fn{context:setEphemeralKey($key$)}} Sets \module{openssl.pkey} object $key$ as the ephemeral key during key exchanges which use that particular key type. Typically $key$ will be either a Diffie-Hellman or Elliptic Curve key. -\emph{In order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} +\emph{In older version of OpenSSL, in order to configure an SSL server to support an ephemeral key exchange cipher suite (i.e. DHE-* and ECDHE-*), the application must explicitly set the ephemeral keys. Simply enabling the cipher suite is not sufficient. The application can statically generate Diffie-Hellman public key parameters, and many servers ship with such a key compiled into the software. Elliptic curve keys are necessarily static, and instantiated by curve name\footnote{OpenSSL < 1.0.2 only supports a single curve, \href{http://en.wikipedia.org/w/index.php?title=Comparison\_of\_TLS\_implementations&oldid=629779090\#Supported\_elliptic\_curves}{according to Wikipedia} the most widely supported curve is prime256v1, so to enable ECDHE-*, applications can simply do \texttt{ctx:setEphemeralKey(pkey.new\{ type = ``EC'', curve = ``prime256v1'' \})}. For OpenSSL versions >= 1.0.2, see \fn{context:setGroups} instead. To achieve Perfect Forward Secrecy for ECDHE-*, applications must also do \texttt{ctx:setOptions(context.OP\_SINGLE\_ECDH\_USE)}. The \texttt{ctx} object must then be used to configure each SSL session, such as by passing it to \fn{cqueues.socket:starttls()}.}.} \emph{In addition, to attain Perfect Forward Secrecy the options \texttt{OP\_SINGLE\_DH\_USE} and \texttt{OP\_SINGLE\_ECDH\_USE} must be set so that OpenSSL discards and regenerates the secret keying parameters for each key exchange.} @@ -1357,18 +1358,18 @@ Returns the SSL/TLS version supported by the client, which should be greater tha Sets the allowed public key and private key algorithm(s). See \fn{openssl.ssl.context:setCipherList}. -\subsubsection[\fn{ssl:setCurvesList}]{\fn{ssl:setCurvesList($string$ [, ...])}} - -Sets the supported curves for this SSL connection instance. See \fn{openssl.ssl.context:setCurvesList}. - -\emph{Only supported since OpenSSL 1.0.2.} - \subsubsection[\fn{ssl:setCipherSuites}]{\fn{ssl:setCipherSuites($string$ [, ...])}} Sets the supported TLS 1.3 cipher suites for this SSL connection instance. See \fn{openssl.ssl.context:setCipherSuites}. \emph{Only supported since OpenSSL 1.1.1.} +\subsubsection[\fn{ssl:setGroups}]{\fn{ssl:setGroups($string$ [, ...])}} + +Sets the supported groups for this SSL connection instance. See \fn{openssl.ssl.context:setGroups}. + +\emph{Only supported since OpenSSL 1.0.2.} + \subsubsection[\fn{ssl:getAlpnSelected}]{\fn{ssl:getAlpnSelected()}} Returns the negotiated ALPN protocol as a string. -- cgit v1.2.3-59-g8ed1b