author | Todd Short <tshort@akamai.com> | 2021-08-09 22:56:50 +0200 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2022-10-18 15:30:22 +0200 |
commit | b67cb09f8ddf258cf326f3e7b20be095fb53457c (patch) | |
tree | b31a978e8c71e972e84fd03b4de92491deff032a /doc/man3/SSL_CONF_cmd.pod | |
parent | Convert ZLIB defines to OPENSSL_NO_ZLIB (diff) | |
Add support for compressed certificates (RFC8879)
* Compressed Certificate extension (server/client)
* Server certificates (send/receive)
* Client certificate (send/receive)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
Diffstat (limited to 'doc/man3/SSL_CONF_cmd.pod')
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 400bd223c6..c20df37e3b 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -162,6 +162,24 @@ This is a synonym for the B<-groups> command. This sets the temporary curve used for ephemeral ECDH modes. Only used by servers. +=item B<-tx_cert_comp> + +Enables support for sending TLSv1.3 compressed certificates. + +=item B<-no_tx_cert_comp> + +Disables support for sending TLSv1.3 compressed certificates. + +=item B<-rx_cert_comp> + +Enables support for receiving TLSv1.3 compressed certificates. + +=item B<-no_rx_cert_comp> + +Disables support for receiving TLSv1.3 compressed certificates. + +=item B<-comp> + The B<groups> argument is a curve name or the special value B<auto> which picks an appropriate curve based on client and server preferences. The curve can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name @@ -535,6 +553,14 @@ B<SSL_OP_ENABLE_KTLS>. B<StrictCertCheck>: Enable strict certificate checking. Equivalent to setting B<SSL_CERT_FLAG_TLS_STRICT> with SSL_CTX_set_cert_flags(). +B<TxCertificateCompression>: support sending compressed certificates, enabled by +default. Inverse of B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>: that is, +B<-TxCertificateCompression> is the same as setting B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>. + +B<RxCertificateCompression>: support receiving compressed certificates, enabled by +default. Inverse of B<SSL_OP_NO_RX_CERTIFICATE_COMPRESSION>: that is, +B<-RxCertificateCompression> is the same as setting B<SSL_OP_NO_RX_CERTIFICATE_COMPRESSION>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. 
@@ -736,6 +762,9 @@ B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1. The B<UnsafeLegacyServerConnect> option is no longer set by default from OpenSSL 3.0. +The B<TxCertificateCompression> and B<RxCertificateCompression> options were +added in OpenSSL 3.2. + =head1 COPYRIGHT Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. |
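Review bot: In the first hunk (@@ -162), the added "=item B<-comp>" carries no description, and the unchanged paragraph that follows it ("The B<groups> argument is a curve name or the special value B<auto> ...") will now render under B<-comp> rather than with the "This sets the temporary curve used for ephemeral ECDH modes" text it continues. The five new =item entries split that curve description in two. Move them so the groups paragraph stays attached to its own item, and either give B<-comp> its own text or leave it out of this patch.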
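Review bot: In the second hunk (@@ -535), the B<TxCertificateCompression> and B<RxCertificateCompression> entries never mention the B<-tx_cert_comp>, B<-no_tx_cert_comp>, B<-rx_cert_comp> and B<-no_rx_cert_comp> switches added in the first hunk, so a reader cannot tell that both mechanisms control the same behaviour. Add a cross-reference in each direction. The phrase "B<-TxCertificateCompression> is the same as setting B<SSL_OP_NO_TX_CERTIFICATE_COMPRESSION>" also relies on the reader noticing the leading minus; since both options are described as "enabled by default", wording such as "disabling this option (B<-TxCertificateCompression>) is the same as setting ..." would make the way to turn the feature off harder to misread.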
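Review bot: In the HISTORY hunk (@@ -736), only the B<TxCertificateCompression> and B<RxCertificateCompression> options are recorded as added in OpenSSL 3.2; the command-line switches B<-tx_cert_comp>, B<-no_tx_cert_comp>, B<-rx_cert_comp> and B<-no_rx_cert_comp> introduced in the first hunk are missing. Extend the sentence to list them so the version information covers everything this patch documents.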