-- Preprocessed form of OpenSSL/SSL/Option.hsc (the per-line LINE pragmas
-- of the preprocessor output are left out here). The numeric constants in
-- 'optionToIntegral' are the values that were fixed when this file was
-- generated. NOTE(review): they presumably mirror one specific set of
-- OpenSSL headers; confirm against the headers you actually build with.
{-# LANGUAGE DeriveDataTypeable #-}
-- | See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
module OpenSSL.SSL.Option
    ( SSLOption(..)
    , optionToIntegral
    )
    where

import Data.Typeable

-- | Switches that change how the SSL library behaves.
--
-- A handshake uses the option settings of the 'OpenSSL.Session.SSL'
-- object. Creating an 'OpenSSL.Session.SSL' object from an
-- 'OpenSSL.Session.SSLContext' copies the context's current option
-- setting; later changes to the 'OpenSSL.Session.SSLContext' do not
-- reach 'OpenSSL.Session.SSL' objects that already exist.
--
-- Several constructors relax a protocol safeguard for the sake of
-- interoperability with broken peers; their descriptions say so.
-- The constructor order is significant for the derived 'Ord' instance.
data SSLOption
    = -- | As of OpenSSL 1.0.0 this option has no effect.
      SSL_OP_MICROSOFT_SESS_ID_BUG
      -- | As of OpenSSL 1.0.0 this option has no effect.
    | SSL_OP_NETSCAPE_CHALLENGE_BUG
      -- | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
    | SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    | SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    | SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
      -- | Don't prefer ECDHE-ECDSA ciphers when the client appears to
      -- be Safari on OS X. OS X 10.8..10.8.3 has broken support for
      -- ECDHE-ECDSA ciphers.
    | SSL_OP_SAFARI_ECDHE_ECDSA_BUG
    | SSL_OP_SSLEAY_080_CLIENT_DH_BUG
    | SSL_OP_TLS_D5_BUG
    | SSL_OP_TLS_BLOCK_PADDING_BUG
      -- | Disables a countermeasure against a SSL 3.0/TLS 1.0
      -- protocol vulnerability affecting CBC ciphers, which cannot be
      -- handled by some broken SSL implementations. This option has
      -- no effect for connections using other ciphers.
    | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
      -- | All of the above bug workarounds.
      --
      -- With the values in this module the mask is @0x80000BFF@. That
      -- covers the bit of 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' (so the
      -- CBC countermeasure is switched off as well) and the bit of
      -- 'SSL_OP_LEGACY_SERVER_CONNECT', plus one bit (@0x80000000@)
      -- that no constructor of this type names. Treat it as a
      -- compatibility setting, not as a harmless default.
    | SSL_OP_ALL
      -- | Disable version rollback attack detection.
      --
      -- During the client key exchange, the client must send the same
      -- information about acceptable SSL/TLS protocol levels as
      -- during the first hello. Some clients violate this rule by
      -- adapting to the server's answer. (Example: the client sends a
      -- SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only
      -- understands up to SSLv3. In this case the client must still
      -- use the same SSLv3.1=TLSv1 announcement. Some clients step
      -- down to SSLv3 with respect to the server's answer and violate
      -- the version rollback protection.)
    | SSL_OP_TLS_ROLLBACK_BUG
      -- | Always create a new key when using temporary/ephemeral DH
      -- parameters. This option must be used to prevent small
      -- subgroup attacks, when the DH parameters were not generated
      -- using \"strong\" primes (e.g. when using DSA-parameters). If
      -- \"strong\" primes were used, it is not strictly necessary to
      -- generate a new DH key during each handshake but it is also
      -- recommended. 'SSL_OP_SINGLE_DH_USE' should therefore be enabled
      -- whenever temporary/ephemeral DH parameters are used.
    | SSL_OP_SINGLE_DH_USE
      -- | Always use ephemeral (temporary) RSA key when doing RSA
      -- operations. According to the specifications this is only
      -- done, when a RSA key can only be used for signature
      -- operations (namely under export ciphers with restricted RSA
      -- keylength). By setting this option, ephemeral RSA keys are
      -- always used. This option breaks compatibility with the
      -- SSL/TLS specifications and may lead to interoperability
      -- problems with clients and should therefore never be
      -- used. Ciphers with DHE (ephemeral Diffie-Hellman) key
      -- exchange should be used instead.
      --
      -- In this module the option maps to 0, i.e. it sets no bit.
    | SSL_OP_EPHEMERAL_RSA
      -- | When choosing a cipher, use the server's preferences
      -- instead of the client's preferences. When not set, the SSL
      -- server will always follow the client's preferences. When set,
      -- the SSLv3/TLSv1 server will choose following its own
      -- preferences. Because of the different protocol, for SSLv2 the
      -- server will send its list of preferences to the client and
      -- the client chooses.
    | SSL_OP_CIPHER_SERVER_PREFERENCE
      -- In this module both PKCS1 check options map to 0 (no bit set).
    | SSL_OP_PKCS1_CHECK_1
    | SSL_OP_PKCS1_CHECK_2
      -- | If we accept a netscape connection, demand a client cert,
      -- have a non-self-signed CA which does not have its CA in
      -- netscape, and the browser has a cert, it will
      -- crash/hang. Works for 3.x and 4.xbeta
    | SSL_OP_NETSCAPE_CA_DN_BUG
    | SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
      -- | Do not use the SSLv2 protocol. (RFC 6176 prohibits SSL 2.0.)
    | SSL_OP_NO_SSLv2
      -- | Do not use the SSLv3 protocol. (RFC 7568 deprecates SSL 3.0.)
    | SSL_OP_NO_SSLv3
      -- | Do not use the TLSv1 protocol.
    | SSL_OP_NO_TLSv1
      -- | When performing renegotiation as a server, always start a
      -- new session (i.e., session resumption requests are only
      -- accepted in the initial handshake). This option is not needed
      -- for clients.
    | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
      -- | Normally clients and servers will, where possible,
      -- transparently make use of
      -- <http://tools.ietf.org/html/rfc4507 RFC 4507> tickets for
      -- stateless session resumption.
      --
      -- If this option is set this functionality is disabled and
      -- tickets will not be used by clients or servers.
    | SSL_OP_NO_TICKET
      -- | Allow legacy insecure renegotiation between OpenSSL and
      -- unpatched clients or servers. See
      -- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
      -- for more details.
    | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
      -- | Allow legacy insecure renegotiation between OpenSSL and
      -- unpatched servers _only_. See
      -- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
      -- for more details.
    | SSL_OP_LEGACY_SERVER_CONNECT
    deriving (Eq, Ord, Show, Typeable)

-- | Numeric mask of an 'SSLOption', in whatever 'Integral' type the
-- caller asks for.
--
-- Three options ('SSL_OP_EPHEMERAL_RSA', 'SSL_OP_PKCS1_CHECK_1',
-- 'SSL_OP_PKCS1_CHECK_2') yield 0 here and therefore contribute no bit.
-- The mask of 'SSL_OP_ALL' (2147486719) is larger than 2^31 - 1, so it
-- does not fit a signed 32-bit result type; choose a type wide enough.
optionToIntegral :: Integral a => SSLOption -> a
optionToIntegral option =
    case option of
      -- Peer-bug workarounds (low bits).
      SSL_OP_MICROSOFT_SESS_ID_BUG                  -> 1
      SSL_OP_NETSCAPE_CHALLENGE_BUG                 -> 2
      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG       -> 8
      SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG            -> 16
      SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER             -> 32
      SSL_OP_SAFARI_ECDHE_ECDSA_BUG                 -> 64
      SSL_OP_SSLEAY_080_CLIENT_DH_BUG               -> 128
      SSL_OP_TLS_D5_BUG                             -> 256
      SSL_OP_TLS_BLOCK_PADDING_BUG                  -> 512
      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS            -> 2048
      -- Combined mask, 0x80000BFF.
      SSL_OP_ALL                                    -> 2147486719
      SSL_OP_TLS_ROLLBACK_BUG                       -> 8388608
      SSL_OP_SINGLE_DH_USE                          -> 1048576
      SSL_OP_EPHEMERAL_RSA                          -> 0
      SSL_OP_CIPHER_SERVER_PREFERENCE               -> 4194304
      SSL_OP_PKCS1_CHECK_1                          -> 0
      SSL_OP_PKCS1_CHECK_2                          -> 0
      SSL_OP_NETSCAPE_CA_DN_BUG                     -> 536870912
      SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG        -> 1073741824
      -- Protocol version switches.
      SSL_OP_NO_SSLv2                               -> 16777216
      SSL_OP_NO_SSLv3                               -> 33554432
      SSL_OP_NO_TLSv1                               -> 67108864
      -- Session resumption and renegotiation.
      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION -> 65536
      SSL_OP_NO_TICKET                              -> 16384
      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION      -> 262144
      SSL_OP_LEGACY_SERVER_CONNECT                  -> 4