| =pod |
| |
| =head1 NAME |
| |
| SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs |
| |
| =head1 SYNOPSIS |
| |
| #include <openssl/ssl.h> |
| |
| int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); |
| int SSL_set_cipher_list(SSL *ssl, const char *str); |
| |
| =head1 DESCRIPTION |
| |
| SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx> |
| using the control string B<str>. The format of the string is described |
| in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all |
| B<ssl> objects created from B<ctx>. |
| |
| SSL_set_cipher_list() sets the list of ciphers only for B<ssl>. |
| |
| =head1 NOTES |
| |
| The control string B<str> should be universally usable and not depend |
| on details of the library configuration (ciphers compiled in). Thus no |
| syntax checking takes place. Items that are not recognized, because the |
| corresponding ciphers are not compiled in or because they are mistyped, |
| are simply ignored. Failure is only flagged if no ciphers could be collected |
| at all. |
| |
| It should be noted, that inclusion of a cipher to be used into the list is |
| a necessary condition. On the client side, the inclusion into the list is |
| also sufficient. On the server side, additional restrictions apply. All ciphers |
| have additional requirements. ADH ciphers don't need a certificate, but |
| DH-parameters must have been set. All other ciphers need a corresponding |
| certificate and key. |
| |
| A RSA cipher can only be chosen, when a RSA certificate is available. |
| RSA export ciphers with a keylength of 512 bits for the RSA key require |
| a temporary 512 bit RSA key, as typically the supplied key has a length |
| of 1024 bit (see |
| L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). |
| RSA ciphers using EDH need a certificate and key and additional DH-parameters |
| (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
| |
| A DSA cipher can only be chosen, when a DSA certificate is available. |
| DSA ciphers always use DH key exchange and therefore need DH-parameters |
| (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). |
| |
| When these conditions are not met for any cipher in the list (e.g. a |
| client only supports export RSA ciphers with a asymmetric key length |
| of 512 bits and the server is not configured to use temporary RSA |
| keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated |
| and the handshake will fail. |
| |
| =head1 RETURN VALUES |
| |
| SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher |
| could be selected and 0 on complete failure. |
| |
| =head1 SEE ALSO |
| |
| L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, |
| L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>, |
| L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>, |
| L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>, |
| L<ciphers(1)|ciphers(1)> |
| |
| =cut |