aboutsummaryrefslogtreecommitdiffstats
path: root/doc/ssl/SSL_CTX_set_mode.pod
blob: 2a5aaa555e13ab058d81737f2ac5ec61350a2f87 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
=pod

=head1 NAME

SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
 long SSL_set_mode(SSL *ssl, long mode);

 long SSL_CTX_get_mode(SSL_CTX *ctx);
 long SSL_get_mode(SSL *ssl);

=head1 DESCRIPTION

SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
Options already set before are not cleared.

SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
Options already set before are not cleared.

SSL_CTX_get_mode() returns the mode set for B<ctx>.

SSL_get_mode() returns the mode set for B<ssl>.

=head1 NOTES

The following mode changes are available:

=over 4

=item SSL_MODE_ENABLE_PARTIAL_WRITE

Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
when just a single record has been written). When not set (the default),
SSL_write() will only report success once the complete chunk was written.
Once SSL_write() returns with r, r bytes have been successfully written
and the next call to SSL_write() must only send the n-r bytes left,
imitating the behaviour of write().

=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

Make it possible to retry SSL_write() with changed buffer location
(the buffer contents must stay the same). This is not the default to avoid
the misconception that non-blocking SSL_write() behaves like
non-blocking write().

=item SSL_MODE_AUTO_RETRY

Never bother the application with retries if the transport is blocking.
If a renegotiation take place during normal operation, a
L<SSL_read(3)|SSL_read(3)> or L<SSL_write(3)|SSL_write(3)> would return
with -1 and indicate the need to retry with SSL_ERROR_WANT_READ.
In a non-blocking environment applications must be prepared to handle
incomplete read/write operations.
In a blocking environment, applications are not always prepared to
deal with read/write operations returning without success report. The
flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
return after the handshake and successful completion.

=item SSL_MODE_RELEASE_BUFFERS

When we no longer need a read buffer or a write buffer for a given SSL,
then release the memory we were using to hold it.  Released memory is
either appended to a list of unused RAM chunks on the SSL_CTX, or simply
freed if the list of unused chunks would become longer than 
SSL_CTX->freelist_max_len, which defaults to 32.  Using this flag can
save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS connections.

=item SSL_MODE_SEND_FALLBACK_SCSV

Send TLS_FALLBACK_SCSV in the ClientHello.
To be set only by applications that reconnect with a downgraded protocol
version; see draft-ietf-tls-downgrade-scsv-00 for details.

DO NOT ENABLE THIS if your application attempts a normal handshake.
Only use this in explicit fallback retries, following the guidance
in draft-ietf-tls-downgrade-scsv-00.

=back

=head1 RETURN VALUES

SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
after adding B<mode>.

SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_write(3)|SSL_write(3)>

=head1 HISTORY

SSL_MODE_AUTO_RETRY as been added in OpenSSL 0.9.6.

=cut