{-# LINE 1 "OpenSSL/SSL/Option.hsc" #-}
{-# LANGUAGE DeriveDataTypeable #-}
{-# LINE 2 "OpenSSL/SSL/Option.hsc" #-}
-- | See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
module OpenSSL.SSL.Option
    ( SSLOption(..)
    , optionToIntegral
    )
    where
import Data.Typeable


{-# LINE 11 "OpenSSL/SSL/Option.hsc" #-}

-- | The behaviour of the SSL library can be changed by setting
-- several options. During a handshake, the option settings of the
-- 'OpenSSL.Session.SSL' object are used. When a new
-- 'OpenSSL.Session.SSL' object is created from a
-- 'OpenSSL.Session.SSLContext', the current option setting is
-- copied. Changes to 'OpenSSL.Session.SSLContext' do not affect
-- already created 'OpenSSL.Session.SSL' objects.
--
-- Security note: not every constructor hardens a connection. As
-- documented below, 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS',
-- 'SSL_OP_TLS_ROLLBACK_BUG', 'SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION'
-- and 'SSL_OP_LEGACY_SERVER_CONNECT' each switch a protection off, and
-- 'SSL_OP_EPHEMERAL_RSA' is documented as never to be used. Enable
-- these only for a known interoperability requirement.
--
-- The derived 'Ord' instance follows declaration order, not the
-- numeric values returned by 'optionToIntegral'.
data SSLOption
    = -- | As of OpenSSL 1.0.0 this option has no effect.
      SSL_OP_MICROSOFT_SESS_ID_BUG
      -- | As of OpenSSL 1.0.0 this option has no effect.
    | SSL_OP_NETSCAPE_CHALLENGE_BUG
      -- | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
    | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    | SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    | SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER

{-# LINE 29 "OpenSSL/SSL/Option.hsc" #-}
      -- | Don't prefer ECDHE-ECDSA ciphers when the client appears to
      -- be Safari on OS X. OS X 10.8..10.8.3 has broken support for
      -- ECDHE-ECDSA ciphers.
    | SSL_OP_SAFARI_ECDHE_ECDSA_BUG

{-# LINE 34 "OpenSSL/SSL/Option.hsc" #-}
    | SSL_OP_SSLEAY_080_CLIENT_DH_BUG
    | SSL_OP_TLS_D5_BUG
    | SSL_OP_TLS_BLOCK_PADDING_BUG

{-# LINE 38 "OpenSSL/SSL/Option.hsc" #-}
      -- | Disables a countermeasure against an SSL 3.0/TLS 1.0
      -- protocol vulnerability affecting CBC ciphers, which cannot be
      -- handled by some broken SSL implementations. This option has
      -- no effect for connections using other ciphers.
    | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

{-# LINE 44 "OpenSSL/SSL/Option.hsc" #-}

{-# LINE 50 "OpenSSL/SSL/Option.hsc" #-}
      -- | All of the above bug workarounds.
      --
      -- NOTE(review): in this generated file 'optionToIntegral' maps
      -- this constructor to 2147486719 (0x80000BFF). That mask
      -- contains the bit of 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS'
      -- (2048), which disables a CBC countermeasure, and the bit this
      -- module assigns to 'SSL_OP_LEGACY_SERVER_CONNECT' (4), which is
      -- declared further below. Passing 'SSL_OP_ALL' therefore
      -- presumably enables both; confirm against the OpenSSL version
      -- in use before relying on it as a harmless default.
    | SSL_OP_ALL

{-# LINE 53 "OpenSSL/SSL/Option.hsc" #-}
      -- | Disable version rollback attack detection.
      --
      -- During the client key exchange, the client must send the same
      -- information about acceptable SSL/TLS protocol levels as
      -- during the first hello. Some clients violate this rule by
      -- adapting to the server's answer. (Example: the client sends a
      -- SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only
      -- understands up to SSLv3. In this case the client must still
      -- use the same SSLv3.1=TLSv1 announcement. Some clients step
      -- down to SSLv3 with respect to the server's answer and violate
      -- the version rollback protection.)
    | SSL_OP_TLS_ROLLBACK_BUG

{-# LINE 66 "OpenSSL/SSL/Option.hsc" #-}
      -- | Always create a new key when using temporary/ephemeral DH
      -- parameters. This option must be used to prevent small
      -- subgroup attacks, when the DH parameters were not generated
      -- using \"strong\" primes (e.g. when using DSA-parameters). If
      -- \"strong\" primes were used, it is not strictly necessary to
      -- generate a new DH key during each handshake but it is also
      -- recommended. 'SSL_OP_SINGLE_DH_USE' should therefore be enabled
      -- whenever temporary/ephemeral DH parameters are used.
    | SSL_OP_SINGLE_DH_USE
      -- | Always use an ephemeral (temporary) RSA key when doing RSA
      -- operations. According to the specifications this is only
      -- done when an RSA key can only be used for signature
      -- operations (namely under export ciphers with restricted RSA
      -- keylength). By setting this option, ephemeral RSA keys are
      -- always used. This option breaks compatibility with the
      -- SSL/TLS specifications and may lead to interoperability
      -- problems with clients and should therefore never be
      -- used. Ciphers with DHE (ephemeral Diffie-Hellman) key
      -- exchange should be used instead.
    | SSL_OP_EPHEMERAL_RSA

{-# LINE 87 "OpenSSL/SSL/Option.hsc" #-}
      -- | When choosing a cipher, use the server's preferences
      -- instead of the client's preferences. When not set, the SSL
      -- server will always follow the client's preferences. When set,
      -- the SSLv3/TLSv1 server will choose following its own
      -- preferences. Because of the different protocol, for SSLv2 the
      -- server will send its list of preferences to the client and
      -- the client chooses.
    | SSL_OP_CIPHER_SERVER_PREFERENCE

{-# LINE 96 "OpenSSL/SSL/Option.hsc" #-}
      -- | NOTE(review): 'optionToIntegral' maps this constructor to 0
      -- in this generated file, so setting it changes no option bit.
    | SSL_OP_PKCS1_CHECK_1
      -- | NOTE(review): 'optionToIntegral' maps this constructor to 0
      -- in this generated file, so setting it changes no option bit.
    | SSL_OP_PKCS1_CHECK_2
      -- | If we accept a netscape connection, demand a client cert,
      -- have a non-self-signed CA which does not have its CA in
      -- netscape, and the browser has a cert, it will
      -- crash/hang. Works for 3.x and 4.xbeta
    | SSL_OP_NETSCAPE_CA_DN_BUG
    | SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
      -- | Do not use the SSLv2 protocol. (SSLv2 is prohibited by
      -- RFC 6176.)
    | SSL_OP_NO_SSLv2
      -- | Do not use the SSLv3 protocol. (SSLv3 is deprecated by
      -- RFC 7568.)
    | SSL_OP_NO_SSLv3
      -- | Do not use the TLSv1 protocol.
      --
      -- NOTE(review): this type has no constructor for disabling
      -- TLS 1.1 or any later protocol version, so those versions
      -- cannot be switched off through 'SSLOption'.
    | SSL_OP_NO_TLSv1

{-# LINE 111 "OpenSSL/SSL/Option.hsc" #-}
      -- | When performing renegotiation as a server, always start a
      -- new session (i.e., session resumption requests are only
      -- accepted in the initial handshake). This option is not needed
      -- for clients.
    | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION

{-# LINE 117 "OpenSSL/SSL/Option.hsc" #-}
      -- | Normally clients and servers will, where possible,
      -- transparently make use of
      -- <http://tools.ietf.org/html/rfc4507 RFC 4507> tickets for
      -- stateless session resumption.
      --
      -- If this option is set this functionality is disabled and
      -- tickets will not be used by clients or servers.
    | SSL_OP_NO_TICKET

{-# LINE 126 "OpenSSL/SSL/Option.hsc" #-}
      -- | Allow legacy insecure renegotiation between OpenSSL and
      -- unpatched clients or servers. See
      -- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
      -- for more details.
    | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

{-# LINE 132 "OpenSSL/SSL/Option.hsc" #-}

{-# LINE 133 "OpenSSL/SSL/Option.hsc" #-}
      -- | Allow legacy insecure renegotiation between OpenSSL and
      -- unpatched servers _only_. See
      -- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
      -- for more details.
    | SSL_OP_LEGACY_SERVER_CONNECT

{-# LINE 139 "OpenSSL/SSL/Option.hsc" #-}
      deriving (Eq, Ord, Show, Typeable)

-- | Translate an 'SSLOption' into its numeric option bit mask.
--
-- The masks are written in hexadecimal so the individual bits are
-- easy to compare. They are literals fixed in this generated file
-- (it was produced from @OpenSSL/SSL/Option.hsc@), presumably taken
-- from the OpenSSL headers available when it was generated; nothing
-- here queries the linked library at run time, so regenerate the
-- file when building against a different OpenSSL.
--
-- Things a caller should keep in mind:
--
-- * 'SSL_OP_PKCS1_CHECK_1' and 'SSL_OP_PKCS1_CHECK_2' map to 0 and
--   therefore set no bit.
--
-- * 'SSL_OP_ALL' is 0x80000BFF, which is larger than the maximum of
--   a signed 32-bit integer. Instantiate the result at a type wide
--   enough to hold it; at a narrower signed type the literal wraps
--   to a negative number.
--
-- * The 'SSL_OP_ALL' mask contains bit 0x800
--   ('SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS') and bit 0x4
--   ('SSL_OP_LEGACY_SERVER_CONNECT').
optionToIntegral :: Integral a => SSLOption -> a
optionToIntegral option =
    case option of
      -- Workarounds for peer bugs.
      SSL_OP_MICROSOFT_SESS_ID_BUG                  -> 0x1
      SSL_OP_NETSCAPE_CHALLENGE_BUG                 -> 0x2
      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       -> 0x8
      SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG            -> 0x10
      SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER             -> 0x20
      SSL_OP_SAFARI_ECDHE_ECDSA_BUG                 -> 0x40
      SSL_OP_SSLEAY_080_CLIENT_DH_BUG               -> 0x80
      SSL_OP_TLS_D5_BUG                             -> 0x100
      SSL_OP_TLS_BLOCK_PADDING_BUG                  -> 0x200
      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS            -> 0x800
      -- Combined mask; see the notes in the header comment.
      SSL_OP_ALL                                    -> 0x80000BFF
      SSL_OP_TLS_ROLLBACK_BUG                       -> 0x800000
      -- Key-exchange and cipher-selection behaviour.
      SSL_OP_SINGLE_DH_USE                          -> 0x100000
      SSL_OP_EPHEMERAL_RSA                          -> 0x200000
      SSL_OP_CIPHER_SERVER_PREFERENCE               -> 0x400000
      -- Both PKCS1 checks carry no bit in this file.
      SSL_OP_PKCS1_CHECK_1                          -> 0x0
      SSL_OP_PKCS1_CHECK_2                          -> 0x0
      SSL_OP_NETSCAPE_CA_DN_BUG                     -> 0x20000000
      SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        -> 0x40000000
      -- Protocol version switches.
      SSL_OP_NO_SSLv2                               -> 0x1000000
      SSL_OP_NO_SSLv3                               -> 0x2000000
      SSL_OP_NO_TLSv1                               -> 0x4000000
      -- Session resumption and renegotiation.
      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION -> 0x10000
      SSL_OP_NO_TICKET                              -> 0x4000
      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      -> 0x40000
      SSL_OP_LEGACY_SERVER_CONNECT                  -> 0x4
{-# LINE 184 "OpenSSL/SSL/Option.hsc" #-}

{-# LINE 185 "OpenSSL/SSL/Option.hsc" #-}