List of SSL OP Flags

From OpenSSLWiki
Revision as of 20:51, 5 August 2021 by Tmshort (talk | contribs) (Update for 3.0)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Option Flags[edit]

This page lists all the SSL_OP flags available in OpenSSL. These values are passed to the SSL_CTX_set_options(), SSL_CTX_clear_options() functions and returned by the SSL_CTX_get_options() function (and corresponding SSL-equivalents).

Options with a value of 0 have no effect.

OpenSSL 3.0 changed the type of the option value to be uint64_t, to support more than 32 options. In addition, the definitions were changed to use the SSL_OP_BIT() macro.

Table of Options[edit]

Option Name Description 1.0.2 value 1.1.0 value 1.1.1 value 3.0 value
SSL_OP_MICROSOFT_SESS_ID_BUG No effect. 0x00000001 0 0** 0
SSL_OP_NO_EXTENDED_MASTER_SECRET Disables (RFC7627) Extended Master Secret support. Not defined Not defined Not defined SSL_OP_BIT(0)
SSL_OP_NETSCAPE_CHALLENGE_BUG No effect. 0x00000002 0 0** 0
SSL_OP_CLEANSE_PLAINTEXT Cleanse plaintext copies of data delivered to the application. Not defined Not defined Not defined SSL_OP_BIT(1)
SSL_OP_LEGACY_SERVER_CONNECT Allow legacy insecure renegotiation between OpenSSL and unpatched servers only. 0x00000004 0x00000004 0x00000004U SSL_OP_BIT(2)
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG No effect. 0x00000008 0 0** 0
SSL_OP_ENABLE_KTLS KTLS (Linux Kernel TLS) Support Not defined Not defined Not defined SSL_OP_BIT(3)
SSL_OP_TLSEXT_PADDING Adds a padding extension to ensure the ClientHello size is never between 256 and 511 bytes in length. 0x00000010 0x00000010 0x00000010U SSL_OP_BIT(4)
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER Accept large records (18K+) from Microsoft servers/clients. 0x00000020 0 0** 0
SSL_OP_SAFARI_ECDHE_ECDSA_BUG Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. OS X 10.8...10.8.3 has broken support for ECDHE-ECDSA ciphers. 0x00000040 0x00000040 0x00000040U SSL_OP_BIT(6)
SSL_OP_SSLEAY_080_CLIENT_DH_BUG Allow invalid client DH parameters during client key exchange. 0x00000080 0 0** 0
SSL_OP_IGNORE_UNEXPECTED_EOF Ignore missing close-notify alerts. Not defined Not defined Not defined SSL_OP_BIT(7)
SSL_OP_TLS_D5_BUG Allow invalid RSA encrypted length from client during client key exchange. 0x00000100 0 0** 0
SSL_OP_ALLOW_CLIENT_RENEGOTIATION Allow the use of client renegotiation. Not defined Not defined Not defined SSL_OP_BIT(8)
SSL_OP_TLS_BLOCK_PADDING_BUG Compensate for incorrect padding. 0x00000200 0 0** 0
SSL_OP_DISABLE_TLSEXT_CA_NAMES Disable TLS extension CA names for Windows compatibility. Not defined Not defined Not defined SSL_OP_BIT(9)
SSL_OP_ALLOW_NO_DHE_KEX In TLSv1.3 allow a non-(EC)DHE-based key exchange mode Not defined Not defined 0x00000400U SSL_OP_BIT(10)
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS Disables a counter-measure against a SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers, which cannot be handled by some broken (Microsoft) SSL implementations. 0x00000800 0x00000800 0x00000800U SSL_OP_BIT(11)
SSL_OP_NO_QUERY_MTU DTLS PMTU option. 0x00001000 0x00001000 0x00001000U SSL_OP_BIT(12)
SSL_OP_COOKIE_EXCHANGE Turn on Cookie Exchange (on relevant for servers). 0x00002000 0x00002000 0x00002000U SSL_OP_BIT(13)
SSL_OP_NO_TICKET Don't use RFC4507 ticket extension. 0x00004000 0x00004000 0x00004000U SSL_OP_BIT(14)
SSL_OP_CISCO_ANYCONNECT Use Cisco's version identifier of DTLS_BAD_VER (only with deprecated DTLSv1_client_method()). 0x00008000 0x00008000 0x00008000U SSL_OP_BIT(15)
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION As server, disallow session resumption on renegotiation. 0x00010000 0x00010000 0x00010000U SSL_OP_BIT(16)
SSL_OP_NO_COMPRESSION Don't use compression even if supported. This is on by default, but not in SSL_OP_ALL. 0x00020000 0x00020000 0x00020000U SSL_OP_BIT(17)
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Permit unsafe legacy renegotiation. 0x00040000 0x00040000 0x00040000U SSL_OP_BIT(18)
SSL_OP_SINGLE_ECDH_USE If set, always create a new key when using tmp_ecdh parameters. 0x00080000 0 0 0
SSL_OP_NO_ENCRYPT_THEN MAC Disable encrypt-then-MAC Not defined Not defined 0x00080000U SSL_OP_BIT(19)
SSL_OP_SINGLE_DH_USE If set, always create a new key when using tmp_dh parameters (In recent 1.0.2, does nothing: retained for compatibility). 0x00100000 0 0 0
SSL_OP_ENABLE_MIDDLEBOX_COMPAT Enable TLSv1.3 Compatibility mode. This is on by default, but not in SSL_OP_ALL. Not defined Not defined 0x00100000 SSL_OP_BIT(20)
SSL_OP_PRIORITIZE_CHACHA Prioritize ChaCha20Poly1305 on servers when client does. Not defined Not defined 0x00200000U SSL_OP_BIT(21)
SSL_OP_CIPHER_SERVER_PREFERENCE Set on servers to choose the cipher according to the server's preferences 0x00400000 0x00400000 0x00400000U SSL_OP_BIT(22)
SSL_OP_TLS_ROLLBACK_BUG Allow a client to specify SSLv3.0 in the pre-master secret even if TLSv1.0 was specified in the ClientHello. 0x00800000 0x00800000 0x00800000U SSL_OP_BIT(23)
SSL_OP_NO_SSLv2 Disable SSLv2. 0x01000000 0 0 0
SSL_OP_NO_ANTI_REPLAY Disable anti-replay support Not defined Not defined 0x01000000U SSL_OP_BIT(24)
SSL_OP_NO_SSLv3 Disable SSLv3. 0x02000000 0x02000000 0x02000000U SSL_OP_BIT(25)
SSL_OP_NO_TLSv1/SSL_OP_NO_DTLSv1 Disable TLSv1/DTLSv1. 0x04000000 0x04000000 0x04000000U SSL_OP_BIT(26)
SSL_OP_NO_TLSv1_2/SSL_OP_NO_DTLSv1_2 Disable TLSv1.2/DTLSv1.2. 0x08000000 0x08000000 0x08000000U SSL_OP_BIT(27)
SSL_OP_NO_TLSv1_1 Disable TLSv1.1. 0x10000000 0x10000000 0x10000000U SSL_OP_BIT(28)
SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000 0 0 0
SSL_OP_NO_TLSv1_3 Diable TLSv1.3 Not defined Not defined 0x20000000U SSL_OP_BIT(29)
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000 0 0 0
SSL_OP_NO_RENEGOTIATION Disallow all renegotiation Not defined Not defined 0x40000000U SSL_OP_BIT(30)
SSL_OP_CRYPTOPRO_TLSEXT_BUG Adds a ServerHello TLSEXT when using a GOST cipher. 0x80000000 0x80000000 0x80000000U SSL_OP_BIT(31)
SSL_OP_PKCS1_CHECK_1 No effect. 0 0 0 0
SSL_OP_PKCS1_CHECK_2 No effect. 0 0 0 0
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG No effect. 0 0 0 0
SSL_OP_MSIE_SSLV2_RSA_PADDING No effect. 0 0 0 0
SSL_OP_EPHEMERAL_RSA No effect. 0 0 0 0
SSL_OP_NO_SSL_MASK SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 0x1F000000 0x1E000000 0x3E000000U (See description)
SSL_OP_NO_DTLS_MASK SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 Not defined Not defined 0x0C000000U (See description)
SSL_OP_ALL Default set of options. 0x80000BFF 0x80000BFF 0x80000854U (See below)

Note: ** In this version, the original bit value (non-zero) is available for re-use in the next version.

SSL_OP_ALL[edit]

OpenSSL 3.0[edit]

In OpenSSL 3.0, the number of options contained within SSL_OP_ALL has been reduced:

  • SSL_OP_CRYPTOPRO_TLSEXT_BUG
  • SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
  • SSL_OP_TLSEXT_PADDING
  • SSL_OP_SAFARI_ECDHE_ECDSA_BUG

OpenSSL 1.1.1[edit]

In OpenSSL 1.1.1, the SSL_OP_ALL option changed value to include only those bits that have a defintion. This means that 1.1.0 and 1.1.1, although ABI compatible, have different values for default enabled options. The result of this is that several option bits marked by ** cannot be re-assigned until 3.0.0.

OpenSSL 1.1.0[edit]

As of 1.1.0, these options are enabled by default via SSL_OP_ALL:

  • SSL_OP_CRYPTOPRO_TLSEXT_BUG
  • SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
  • SSL_OP_LEGACY_SERVER_CONNECT
  • SSL_OP_TLSEXT_PADDING
  • SSL_OP_SAFARI_ECDHE_ECDSA_BUG

Enabled by Default[edit]

The following options are enabled by default (1.1.1 and 3.0), but are not included in SSL_OP_ALL:

  • SSL_OP_NO_COMPRESSION
  • SSL_OP_ENABLE_MIDDLEBOX_COMPAT

They can be disabled via SSL_clear_options(). A future version of OpenSSL may not set these by default.

Protocol Version Options[edit]

The following options control the protocols enabled on an SSL or SSL_CTX:

  • SSL_OP_NO_SSLv2
  • SSL_OP_NO_SSLv3
  • SSL_OP_NO_TLSv1
  • SSL_OP_NO_TLSv1_1
  • SSL_OP_NO_TLSv1_2
  • SSL_OP_NO_TLSv1_3
  • SSL_OP_NO_DTLSv1
  • SSL_OP_NO_DTLSv1_2

These options are deprecated as of 1.1.0, use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() instead.

Available Bits[edit]

The the change from unsigned long to uin64_t, many more options are now available.

As of this writing (just before 3.0 is released), the following bits are available (i.e. unused):

  • SSL_OP_BIT(5)
  • SSL_OP_BIT(32) through SSL_OP_BIT(63)

Bit values greater than 63 are not permitted and may cause undefined behavior.

Historical Options and Notes[edit]

SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG[edit]

This option does nothing, but was retained for compatibility. In 1.0.1 this option had a value of 0x00000010, but that was taken over by SSL_OP_TLS_PADDING in 1.0.2; this option's value was changed to 0 in 1.0.2. It was included in SSL_OP_ALL. The defintion was removed from 1.1.0.

SSL_OP_MSIE_SSLV2_RSA_PADDING[edit]

This option does nothing, but was retained for compatibility. In 1.0.1, this option had a value of 0x00000040; this option's value was changed to 0 in 1.0.2.

SSL_OP_SINGLE_DH_USE[edit]

If set, always create a new key when using tmp_dh parameters. As of 1.0.2f single-DH key use is always on, and this option does nothing, and is retained for compatibility.

SSL_OP_EPHEMERAL_RSA[edit]

This option does nothing, but was retained for compatibility. In 1.0.1, this option had a value of 0x00200000; this option's value was changed to 0 in 1.0.2. This option always used the tmp_rsa key when doing RSA operations, even when this violated protocol specs.

SSL_OP_PRIORITIZE_CHACHA[edit]

This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE is not enabled.

SSL_OP_TLS_ROLLBACK_BUG[edit]

This option had a value of 0x00000400 in 0.9.6. If set, a server will allow a client to issue a SSLv3.0 version number as latest version supported in the premaster secret, even when TLSv1.0 (version 3.1) was announced in the client hello. Normally this is forbidden to prevent version rollback attacks.

Added in 0.9.6 and was automatically enabled via SSL_OP_ALL. In 0.9.7, it was removed from SSL_OP_ALL and must be explicitly set.

SSL_OP_PKCS1_CHECK_1[edit]

This option does nothing, but was retained for compatibility. Prior to 1.0.1, this option had a value of 0x08000000. The option would deliberately change the ciphertext, this is a check for the PKCS#1 attack.

SSL_OP_PKCS1_CHECK_2[edit]

This option does nothing, but was retained for compatibility. Prior to 1.0.1, this option had a value of 0x10000000. The option would deliberately change the ciphertext, this is a check for the PKCS#1 attack.

SSL_OP_CIPHER_SERVER_PREFERENCE[edit]

Added in 0.9.7.

SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION[edit]

Added in 0.9.7.

SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS[edit]

Added in 0.9.6e to disable the fragment insertion that was added in 0.9.6d (where it was always enabled). Versions up to 0.9.6c do not include the countermeasure.

SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION[edit]

Added in 0.9.8m.

SSL_OP_LEGACY_SERVER_CONNECT[edit]

Added in 0.9.8m.