OpenSSL Options
See the list of SSL OP Flags for details.
Constant | Description |
---|---|
SSL_OP_ALL | Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for details. |
SSL_OP_ALLOW_NO_DHE_KEX | Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode for TLS v1.3 (PSK-only resumption without a fresh key share, which gives up forward secrecy for the resumed session). |
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | Allows legacy insecure renegotiation between OpenSSL and unpatched clients or servers, i.e. peers that do not implement RFC 5746 secure renegotiation. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. |
SSL_OP_CIPHER_SERVER_PREFERENCE | Attempts to use the server's preferences instead of the client's when selecting a cipher. Behavior depends on protocol version. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. |
SSL_OP_CISCO_ANYCONNECT | Instructs OpenSSL to use Cisco's "speshul" (non-standard, pre-RFC) version of DTLS, DTLS_BAD_VER, as spoken by Cisco AnyConnect. |
SSL_OP_COOKIE_EXCHANGE | Instructs OpenSSL to turn on cookie exchange (the DTLS HelloVerifyRequest cookie, relevant only for DTLS servers, which defends against handshake floods from spoofed source addresses). |
SSL_OP_CRYPTOPRO_TLSEXT_BUG | Instructs OpenSSL to add a server-hello extension from an early version of the cryptopro draft. |
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | Instructs OpenSSL to disable an SSL 3.0/TLS 1.0 vulnerability workaround added in OpenSSL 0.9.6d (the empty-fragment countermeasure against the CBC chained-IV weakness; only needed to interoperate with broken peers). |
SSL_OP_EPHEMERAL_RSA | Instructs OpenSSL to always use the tmp_rsa key when performing RSA operations. |
SSL_OP_LEGACY_SERVER_CONNECT | Allows initial connection to servers that do not support RI (the RFC 5746 renegotiation_info extension). |
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | |
SSL_OP_MICROSOFT_SESS_ID_BUG | |
SSL_OP_MSIE_SSLV2_RSA_PADDING | Instructs OpenSSL to disable the workaround for a man-in-the-middle protocol-version vulnerability in the SSL 2.0 server implementation. |
SSL_OP_NETSCAPE_CA_DN_BUG | |
SSL_OP_NETSCAPE_CHALLENGE_BUG | |
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | |
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | |
SSL_OP_NO_COMPRESSION | Instructs OpenSSL to disable support for SSL/TLS compression. TLS compression is the vector for the CRIME attack, so servers should keep this set. |
SSL_OP_NO_ENCRYPT_THEN_MAC | Instructs OpenSSL to disable encrypt-then-MAC (the RFC 7366 extension for CBC cipher suites). |
SSL_OP_NO_QUERY_MTU | |
SSL_OP_NO_RENEGOTIATION | Instructs OpenSSL to disable renegotiation. |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | Instructs OpenSSL to always start a new session when performing renegotiation. |
SSL_OP_NO_SSLv2 | Instructs OpenSSL to turn off SSL v2. |
SSL_OP_NO_SSLv3 | Instructs OpenSSL to turn off SSL v3. |
SSL_OP_NO_TICKET | Instructs OpenSSL to disable use of RFC4507bis (RFC 5077) session tickets. |
SSL_OP_NO_TLSv1 | Instructs OpenSSL to turn off TLS v1. |
SSL_OP_NO_TLSv1_1 | Instructs OpenSSL to turn off TLS v1.1. |
SSL_OP_NO_TLSv1_2 | Instructs OpenSSL to turn off TLS v1.2. |
SSL_OP_NO_TLSv1_3 | Instructs OpenSSL to turn off TLS v1.3. |
SSL_OP_PKCS1_CHECK_1 | |
SSL_OP_PKCS1_CHECK_2 | |
SSL_OP_PRIORITIZE_CHACHA | Instructs the OpenSSL server to prioritize ChaCha20-Poly1305 when the client does. This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE is not enabled. |
SSL_OP_SINGLE_DH_USE | Instructs OpenSSL to always create a new key when using temporary/ephemeral DH parameters. |
SSL_OP_SINGLE_ECDH_USE | Instructs OpenSSL to always create a new key when using temporary/ephemeral ECDH parameters. |
SSL_OP_SSLEAY_080_CLIENT_DH_BUG | |
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | |
SSL_OP_TLS_BLOCK_PADDING_BUG | |
SSL_OP_TLS_D5_BUG | |
SSL_OP_TLS_ROLLBACK_BUG | Instructs OpenSSL to disable version rollback attack detection. |