Lines Matching +full:enable +full:- +full:ssl +full:- +full:trace
5 migration_guide - OpenSSL migration guide
37 licenses|https://www.openssl.org/source/license-openssl-ssleay.txt>
39 L<Apache License v2|https://www.openssl.org/source/apache-license-2.0.txt>.
56 at configuration time using the C<enable-fips> option. If it is enabled,
103 See L<OSSL_PROVIDER-legacy(7)> for a complete list of algorithms.
131 Engine-backed keys can be loaded via custom B<OSSL_STORE> implementation.
136 To prefer the provider-based hardware offload, you can specify the default
160 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_certreq(3)> as starting points.
165 ASN.1-encoded contents, proxies, and timeouts.
171 Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object
177 See also L<OSSL_PROVIDER-default(7)/Key Derivation Function (KDF)> and
178 L<OSSL_PROVIDER-FIPS(7)/Key Derivation Function (KDF)>.
189 See also L<OSSL_PROVIDER-default(7)/Message Authentication Code (MAC)>
190 and L<OSSL_PROVIDER-FIPS(7)/Message Authentication Code (MAC)>.
195 C<enable-ktls> configuration option. It must also be enabled at run time using
206 See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
212 See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
218 See L<EVP_KEM-RSA(7)>.
222 Cipher Algorithm "AES-SIV"
231 unwrapping. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
232 "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and
233 "AES-256-WRAP-PAD-INV".
239 The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS",
240 "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
251 Added CAdES-BES signature verification support.
255 Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
261 This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
276 with the password-based encryption iteration count. The default digest
277 algorithm for the MAC computation was changed to SHA-256. The pkcs12
278 application now supports -legacy option that restores the previous
305 =head4 Trace API
307 A new generic trace API has been added which provides support for enabling
308 instrumentation through trace output. This feature is mainly intended as an aid
310 configured with the C<enable-trace> option.
312 If the tracing API is enabled, the application can activate trace output by
313 registering BIOs as trace channels for a number of tracing and debugging
320 Previously (in 1.1.1) they would return -2. For key types that do not have
331 The type-safe wrappers are declared everywhere and implemented once.
349 The Miller-Rabin test now uses 64 rounds, which is used for all prime generation,
352 The default key generation method for the regular 2-prime RSA keys was changed
353 to the FIPS186-4 B.3.6 method (Generation of Probable Primes with Conditions
357 =head4 Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898
364 To enable or disable the checks see B<OSSL_KDF_PARAM_PKCS5> in
365 L<EVP_KDF-PBKDF2(7)>. The parameter can be set using L<EVP_KDF_derive(3)>.
388 In particular, a private scalar I<k> outside the range I<< 1 <= k < n-1 >> is
400 OpenSSL 3.0. Previously they returned a pointer to the low-level key used
413 treated as read-only. To emphasise this the value returned from
420 and L<EVP_PKEY_get1_DH(3)> functions continue to return a non-const pointer to
421 enable them to be "freed". However they should also be treated as read-only.
434 observed in 1.1.1 and 3.0. This also applies to the B<-text> output from the
443 One significant change is that controls which used to return -2 for
444 invalid inputs, now return -1 indicating a generic error condition instead.
449 result in errors. See L<EVP_PKEY-DH(7)> for further details. This affects the
450 behaviour of L<openssl-genpkey(1)> for DH parameter generation.
511 Password-protected keys may deserve special attention. If only some errors
564 This has a number of implications for SSL/TLS applications. See the
583 See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
589 L<README-FIPS|https://github.com/openssl/openssl/blob/master/README-FIPS.md> file.
610 =head4 Using a Library Context - Old functions that should be changed
980 =head4 Providers are a replacement for engines and low-level method overrides
989 =head4 Deprecated i2d and d2i functions for low-level key types
991 Any i2d and d2i functions such as d2i_DHparams() that take a low-level key type
996 =head4 Deprecated low-level key object getters and setters
998 Applications that set or get low-level key objects (such as EVP_PKEY_set1_DH()
1003 =head4 Deprecated low-level key parameter getters
1005 Functions that access low-level objects directly such as L<RSA_get0_n(3)> are now
1010 Gettable parameters are listed in L<EVP_PKEY-RSA(7)/Common RSA parameters>,
1011 L<EVP_PKEY-DH(7)/DH parameters>, L<EVP_PKEY-DSA(7)/DSA parameters>,
1012 L<EVP_PKEY-FFC(7)/FFC parameters>, L<EVP_PKEY-EC(7)/Common EC parameters> and
1013 L<EVP_PKEY-X25519(7)/Common X25519, X448, ED25519 and ED448 parameters>.
1016 =head4 Deprecated low-level key parameter setters
1018 Functions that access low-level objects directly such as L<RSA_set0_crt_params(3)>
1023 See L<EVP_PKEY-DH(7)/Examples> for more information.
1024 See L</Deprecated low-level key generation functions> for information on
1027 =head4 Deprecated low-level object creation
1029 Low-level objects were created using methods such as L<RSA_new(3)>,
1031 high-level EVP_PKEY APIs, e.g. L<EVP_PKEY_new(3)>, L<EVP_PKEY_up_ref(3)> and
1036 See also L</Deprecated low-level key generation functions>,
1037 L</Deprecated low-level key reading and writing functions> and
1038 L</Deprecated low-level key parameter setters>.
1040 =head4 Deprecated low-level encryption functions
1042 Low-level encryption functions such as L<AES_encrypt(3)> and L<AES_decrypt(3)>
1048 =head4 Deprecated low-level digest functions
1050 Use of low-level digest functions such as L<SHA1_Init(3)> have been
1053 and L<EVP_DigestFinal_ex(3)>, or the quick one-shot L<EVP_Q_digest(3)>.
1058 =head4 Deprecated low-level signing functions
1060 Use of low-level signing functions such as L<DSA_sign(3)> have been
1063 See also L<EVP_SIGNATURE-RSA(7)>, L<EVP_SIGNATURE-DSA(7)>,
1064 L<EVP_SIGNATURE-ECDSA(7)> and L<EVP_SIGNATURE-ED25519(7)>.
1066 =head4 Deprecated low-level MAC functions
1068 Low-level mac functions such as L<CMAC_Init(3)> are deprecated.
1071 L<EVP_MAC_update(3)> and L<EVP_MAC_final(3)> or the single-shot MAC function
1073 See L<EVP_MAC(3)>, L<EVP_MAC-HMAC(7)>, L<EVP_MAC-CMAC(7)>, L<EVP_MAC-GMAC(7)>,
1074 L<EVP_MAC-KMAC(7)>, L<EVP_MAC-BLAKE2(7)>, L<EVP_MAC-Poly1305(7)> and
1075 L<EVP_MAC-Siphash(7)> for additional information.
1077 Note that the one-shot method HMAC() is still available for compatibility purposes.
1079 =head4 Deprecated low-level validation functions
1081 Low-level validation functions such as L<DH_check(3)> have been informally
1082 discouraged from use for a long time. Applications should instead use the high-level
1088 =head4 Deprecated low-level key exchange functions
1090 Many low-level functions have been informally discouraged from use for a long
1092 See L<EVP_KEYEXCH-DH(7)>, L<EVP_KEYEXCH-ECDH(7)> and L<EVP_KEYEXCH-X25519(7)>.
1094 =head4 Deprecated low-level key generation functions
1096 Many low-level functions have been informally discouraged from use for a long
1098 L<EVP_PKEY_generate(3)> as described in L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)>,
1099 L<EVP_PKEY-RSA(7)>, L<EVP_PKEY-EC(7)> and L<EVP_PKEY-X25519(7)>.
1100 The 'quick' one-shot function L<EVP_PKEY_Q_keygen(3)> and macros for the most
1103 =head4 Deprecated low-level key reading and writing functions
1105 Use of low-level objects (such as DSA) has been informally discouraged from use
1106 for a long time. Functions to read and write these low-level objects (such as
1110 =head4 Deprecated low-level key printing functions
1112 Use of low-level objects (such as DSA) has been informally discouraged from use
1113 for a long time. Functions to print these low-level objects such as
1134 Bi-directional IGE mode. These modes were never formally standardised and
1150 See L</Deprecated low-level encryption functions>
1178 See L</Deprecated low-level encryption functions>.
1191 Use the respective non-deprecated _ex() functions.
1198 64 rounds of the Miller-Rabin primality test.
1210 There are no replacements for these low-level functions. They were used internally
1221 See L</Deprecated low-level encryption functions>.
1228 See L</Deprecated low-level encryption functions>.
1236 See L</Deprecated low-level MAC functions>.
1242 See L</Deprecated low-level MAC functions>.
1251 Memory-leak checking has been deprecated in favor of more modern development
1265 See L<EVP_EncryptInit(3)/EXAMPLES> for an AES-256-CBC-CTS example.
1279 See L</Deprecated i2d and d2i functions for low-level key types>
1293 See L</Deprecated low-level encryption functions>.
1294 Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
1295 "DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
1309 See L</Deprecated low-level validation functions>
1324 See L</Deprecated low-level key exchange functions>.
1330 See L</Deprecated low-level object creation>
1336 See L</Deprecated low-level key generation functions>.
1343 See L</Deprecated low-level key parameter getters>
1350 L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
1365 See L</Providers are a replacement for engines and low-level method overrides>
1371 See L</Deprecated low-level key printing functions>
1377 See L</Deprecated low-level key parameter setters>
1397 See L</Deprecated low-level key generation functions>.
1405 See L</Providers are a replacement for engines and low-level method overrides>.
1412 See L</Deprecated low-level key parameter getters>.
1418 See L</Deprecated low-level object creation>
1431 See L</Deprecated low-level key printing functions>
1437 See L</Deprecated low-level key parameter setters>
1449 See L</Deprecated low-level signing functions>.
1455 See L</Deprecated low-level key exchange functions>.
1463 "kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>
1470 See L</Deprecated low-level signing functions>.
1513 EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
1527 See L</Deprecated low-level validation functions>
1533 See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
1538 See also L<EVP_PKEY-EC(7)/EXAMPLES>
1557 See L</Deprecated low-level key generation functions>.
1564 See L</Deprecated low-level key parameter getters>.
1573 See L</Providers are a replacement for engines and low-level method overrides>
1580 See L</Providers are a replacement for engines and low-level method overrides>
1593 See L</Deprecated low-level object creation>
1599 See L</Deprecated low-level key printing functions>
1605 See L</Deprecated low-level key parameter setters>.
1612 See L</Deprecated low-level key parameter setters>.
1619 See L</Deprecated low-level key printing functions>
1626 formats are not individual big-endian integers.
1669 See L</Providers are a replacement for engines and low-level method overrides>.
1703 See L</Providers are a replacement for engines and low-level method overrides>.
1719 See the "kdf-ukm" item in L<EVP_KEYEXCH-DH(7)/DH key exchange parameters> and
1720 L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
1761 See L</Providers are a replacement for engines and low-level method overrides>.
1767 See L</Deprecated low-level MAC functions>.
1774 See L</Deprecated low-level key object getters and setters>
1791 See L</Providers are a replacement for engines and low-level method overrides>.
1804 See L</Deprecated low-level MAC functions>.
1811 See L</Deprecated low-level MAC functions>.
1817 See L</Deprecated low-level key reading and writing functions>
1826 See L</Deprecated low-level key reading and writing functions>
1835 See L</Deprecated low-level key reading and writing functions>
1844 See L</Deprecated low-level key reading and writing functions>
1853 See L</Deprecated low-level encryption functions>.
1866 See L</Deprecated low-level encryption functions>.
1879 See L</Deprecated low-level encryption functions>.
1886 See L</Deprecated low-level encryption functions>.
1893 See L</Deprecated low-level encryption functions>.
1939 provider implementations, see L<provider-storemgmt(7)>.
1960 See L</Deprecated low-level key reading and writing functions>
1966 See L</Deprecated low-level encryption functions>.
1985 See L</Deprecated low-level encryption functions>.
1993 See L</Deprecated low-level digest functions>.
2007 See L</Deprecated low-level validation functions>
2024 See L</Deprecated low-level key generation functions>.
2030 See L</Providers are a replacement for engines and low-level method overrides>
2040 See L</Deprecated low-level key parameter getters>
2046 See L</Deprecated low-level object creation>.
2052 See L</Providers are a replacement for engines and low-level method overrides>.
2064 See L</Providers are a replacement for engines and low-level method overrides>.
2070 See L</Deprecated low-level signing functions> and
2071 L</Deprecated low-level encryption functions>.
2077 See L</Deprecated low-level key printing functions>
2083 See L</Deprecated low-level encryption functions>
2090 mode of none). See L</Deprecated low-level signing functions>.
2102 See L</Deprecated low-level key reading and writing functions>
2109 See L</Deprecated low-level key parameter setters>.
2115 See L</Providers are a replacement for engines and low-level method overrides>
2123 See L</Deprecated low-level signing functions>.
2130 X931 padding can be set using L<EVP_SIGNATURE-RSA(7)/Signature Parameters>.
2138 See L</Deprecated low-level encryption functions>.
2149 See L</Deprecated low-level digest functions>.
2167 These are used to set the Diffie-Hellman (DH) parameters that are to be used by
2169 the built-in DH parameters that are available by calling L<SSL_CTX_set_dh_auto(3)>
2174 parameters for export and non-export ciphersuites. Export ciphersuites are no
2189 See L</Deprecated low-level digest functions>.
2209 See L<fips_module(7)> and L<OSSL_PROVIDER-FIPS(7)> for details.
2215 L<B<openssl kdf>|openssl-kdf(1)> uses the new L<EVP_KDF(3)> API.
2216 L<B<openssl mac>|openssl-mac(1)> uses the new L<EVP_MAC(3)> API.
2220 B<-provider_path> and B<-provider> are available to all apps and can be used
2223 specified if required. The B<-provider_path> must be specified before the
2224 B<-provider> option.
2226 The B<list> app has many new options. See L<openssl-list(1)> for more
2229 B<-crl_lastupdate> and B<-crl_nextupdate> used by B<openssl ca> allows
2236 The B<-crypt> option used by B<openssl passwd>.
2237 The B<-c> option used by B<openssl x509>, B<openssl dhparam>,
2254 B<openssl speed> no longer uses low-level API calls.
2294 SSL and SSL_CTX options are now 64 bit instead of 32 bit.
2296 The signatures of the functions to get and set options on SSL and
2314 Added SSL option SSL_OP_CLEANSE_PLAINTEXT
2323 Client-initiated renegotiation is disabled by default.
2325 To allow it, use the B<-client_renegotiation> option,
2334 SSL or TLS connections to succeed. Applications that require the ability
2341 Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
2346 implementations even where there are no built-in ones. Attempting to create
2349 can be disabled at compile time using the "no-tls1_3" Configure option.
2372 New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
2374 The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
2382 This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
2396 In TLS/SSL the default security level is 1. It can be set either using the cipher
2398 leaf certificate is signed with SHA-1, a call to L<SSL_CTX_use_certificate(3)>
2400 Outside TLS/SSL, the default security level is -1 (effectively 0). It can
2401 be set using L<X509_VERIFY_PARAM_set_auth_level(3)> or using the B<-auth_level>
2412 Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.