author | Michael Baentsch <57787676+baentsch@users.noreply.github.com> | 2024-05-27 08:12:31 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-29 09:38:48 +0200 |
commit | 90e7c12f1b238ed714786fafc26d05b59a63752b (patch) | |
tree | 946f255772587425594106d7395045ead7036183 /doc/man3/SSL_CONF_cmd.pod | |
parent | threads_pthread.c: change inline to ossl_inline (diff) | |
Update configurable sigalgs documentation for providers
also adding to SignatureAlgorithms section
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/24499)
Diffstat (limited to 'doc/man3/SSL_CONF_cmd.pod')
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 5dc468dc2e..d9596b8231 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -118,15 +118,18 @@ algorithms to support. The B<algs> argument should be a colon separated list of signature algorithms in order of decreasing preference of the form B<algorithm+hash> -or B<signature_scheme>. B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and +or B<signature_scheme>. For the default providers shipped with OpenSSL, +B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm OID short name such as B<SHA1>, B<SHA224>, -B<SHA256>, B<SHA384> of B<SHA512>. Note: algorithm and hash names are case +B<SHA256>, B<SHA384> or B<SHA512>. Note: algorithm and hash names are case sensitive. B<signature_scheme> is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, -B<ed25519>, or B<rsa_pss_pss_sha256>. +B<ed25519>, or B<rsa_pss_pss_sha256>. Additional providers may make available +further algorithms via the TLS_SIGALG capability. +See L<provider-base(7)/CAPABILITIES>. -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. +If this option is not set then all signature algorithms supported by all +activated providers are permissible. Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> 
@@ -369,16 +372,19 @@ servers it is used to determine which signature algorithms to support. The B<value> argument should be a colon separated list of signature algorithms in order of decreasing preference of the form B<algorithm+hash> or -B<signature_scheme>. B<algorithm> -is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm -OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>. +B<signature_scheme>. For the default providers shipped with OpenSSL, +B<algorithm> is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported +algorithm OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> +or B<SHA512>. Note: algorithm and hash names are case sensitive. B<signature_scheme> is one of the signature schemes defined in TLSv1.3, specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>, or B<rsa_pss_pss_sha256>. +Additional providers may make available further algorithms via the TLS_SIGALG +capability. See L<provider-base(7)/CAPABILITIES>. -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. +If this option is not set then all signature algorithms supported by all +activated providers are permissible. Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*> |
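
Review bot: In the first hunk (the B<algs> paragraph), the new qualifier "For the default providers shipped with OpenSSL" is attached only to the B<algorithm+hash> form, while the unchanged sentence still says B<signature_scheme> "is one of the signature schemes defined in TLSv1.3", which reads as contradicting the added "Additional providers may make available further algorithms". Suggest stating which of the two forms a provider-supplied algorithm name takes in the colon separated list, and whether the case-sensitivity note applies to it. TLS_SIGALG is also the only identifier in the paragraph without markup; consider marking it up like the other names and checking its spelling against the capability name in provider-base(7).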
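
Review bot: In the second hunk (the B<value> paragraph), the rewritten default, "all signature algorithms supported by all activated providers are permissible", makes the accepted set depend on which providers are loaded, but the text neither defines "activated" nor tells the reader how to keep a fixed set. Suggest adding a sentence that applications needing a fixed list should set this option explicitly, plus a link to where provider activation is documented. This paragraph is also a near-verbatim copy of the one changed in the first hunk, with the provider sentence wrapped differently; keeping the two copies identical would make later edits easier to apply to both.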