|
SSL_CTX_set_cipher_list(3)
Contents
|
SSL_CTX_set_cipher_list, SSL_set_cipher_list - Choose list
of available SSL_CIPHERs
#include <openssl/ssl.h>
int SSL_CTX_set_cipher_list(
SSL_CTX *ctx,
const char *str ); int SSL_set_cipher_list(
SSL *ssl,
const char *str );
The SSL_CTX_set_cipher_list() function sets the list of
available ciphers for ctx using the control string str.
The format of the string is described in ciphers(1). The
list of ciphers is inherited by all ssl objects created
from ctx.
The SSL_set_cipher_list() function sets the list of
ciphers only for ssl.
The control string str should be universally usable and
not depend on details of the library configuration
(ciphers compiled in). Thus no syntax checking takes
place. Items that are not recognized, because the corresponding
ciphers are not compiled in or because they are
mistyped, are ignored. Failure is only flagged if no
ciphers could be collected.
Inclusion of a cipher to be used into the list is a necessary
condition. On the client side, the inclusion into
the list is also sufficient. On the server side, additional
restrictions apply. All ciphers have additional
requirements. ADH ciphers do not need a certificate, but
DH-parameters must have been set. All other ciphers need
a corresponding certificate and key.
An RSA cipher can only be chosen when an RSA certificate
is available. RSA export ciphers with a keylength of 512
bits. The RSA key requires a temporary 512-bit RSA key,
and typically the supplied key has a length of 1024 bit.
(See SSL_CTX_set_tmp_rsa_callback(3)). RSA ciphers using
EDH need a certificate and key and additional DH-parameters.
(See SSL_CTX_set_tmp_dh_callback(3)).
A DSA cipher can only be chosen when a DSA certificate is
available. DSA ciphers always use DH key exchange and
therefore need DH-parameters. (See
SSL_CTX_set_tmp_dh_callback(3)).
When these conditions are not met for any cipher in the
list (e.g. a client only supports export RSA ciphers with
an asymmetric key length of 512 bits and the server is
not configured to use temporary RSA keys), the
SSL_R_NO_SHARED_CIPHER error is generated and the handshake
will fail.
The SSL_CTX_set_cipher_list() and SSL_set_cipher_list()
functions return 1 if any cipher could be selected and 0
on complete failure.
Commands: ciphers(1)
Functions: ssl(3), SSL_get_ciphers(3), SSL_CTX_use_certificate(3), SSL_CTX_set_tmp_rsa_callback(3),
SSL_CTX_set_tmp_dh_callback(3)
SSL_CTX_set_cipher_list(3)
[ Back ] |