HsOpenSSL-0.11.1: OpenSSL/SSL/Option.hsc
-- See https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
module OpenSSL.SSL.Option
( SSLOption(..)
, optionToIntegral
)
where
import Data.Typeable
#include <openssl/ssl.h>
-- | The behaviour of the SSL library can be changed by setting
-- several options. During a handshake, the option settings of the
-- 'OpenSSL.Session.SSL' object are used. When a new
-- 'OpenSSL.Session.SSL' object is created from a
-- 'OpenSSL.Session.SSLContext', the current option setting is
-- copied. Changes to 'OpenSSL.Session.SSLContext' do not affect
-- already created 'OpenSSL.Session.SSL' objects.
data SSLOption
= -- | As of OpenSSL 1.0.0 this option has no effect.
SSL_OP_MICROSOFT_SESS_ID_BUG
-- | As of OpenSSL 1.0.0 this option has no effect.
| SSL_OP_NETSCAPE_CHALLENGE_BUG
-- | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
| SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
| SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
| SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
-- | Don't prefer ECDHE-ECDSA ciphers when the client appears to
-- be Safari on OS X. OS X 10.8..10.8.3 has broken support for
-- ECDHE-ECDSA ciphers.
| SSL_OP_SAFARI_ECDHE_ECDSA_BUG
| SSL_OP_SSLEAY_080_CLIENT_DH_BUG
| SSL_OP_TLS_D5_BUG
| SSL_OP_TLS_BLOCK_PADDING_BUG
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-- | Disables a countermeasure against a SSL 3.0/TLS 1.0
-- protocol vulnerability affecting CBC ciphers, which cannot be
-- handled by some broken SSL implementations. This option has
-- no effect for connections using other ciphers.
| SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
#endif
#if defined(SSL_OP_TLSEXT_PADDING)
-- | Adds a padding extension to ensure the ClientHello size is
-- never between 256 and 511 bytes in length. This is needed as
-- a workaround for some implementations.
| SSL_OP_TLSEXT_PADDING
#endif
-- | All of the above bug workarounds.
| SSL_OP_ALL
#if defined(SSL_OP_TLS_ROLLBACK_BUG)
-- | Disable version rollback attack detection.
--
-- During the client key exchange, the client must send the same
-- information about acceptable SSL/TLS protocol levels as
-- during the first hello. Some clients violate this rule by
-- adapting to the server's answer. (Example: the client sends a
-- SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only
-- understands up to SSLv3. In this case the client must still
-- use the same SSLv3.1=TLSv1 announcement. Some clients step
-- down to SSLv3 with respect to the server's answer and violate
-- the version rollback protection.)
| SSL_OP_TLS_ROLLBACK_BUG
#endif
-- | Always create a new key when using temporary/ephemeral DH
-- parameters. This option must be used to prevent small
-- subgroup attacks, when the DH parameters were not generated
-- using \"strong\" primes (e.g. when using DSA-parameters). If
-- \"strong\" primes were used, it is not strictly necessary to
-- generate a new DH key during each handshake but it is also
-- recommended. 'SSL_OP_SINGLE_DH_USE' should therefore be enabled
-- whenever temporary/ephemeral DH parameters are used.
| SSL_OP_SINGLE_DH_USE
-- | Always use ephemeral (temporary) RSA key when doing RSA
-- operations. According to the specifications this is only
-- done, when a RSA key can only be used for signature
-- operations (namely under export ciphers with restricted RSA
-- keylength). By setting this option, ephemeral RSA keys are
-- always used. This option breaks compatibility with the
-- SSL/TLS specifications and may lead to interoperability
-- problems with clients and should therefore never be
-- used. Ciphers with DHE (ephemeral Diffie-Hellman) key
-- exchange should be used instead.
| SSL_OP_EPHEMERAL_RSA
#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
-- | When choosing a cipher, use the server's preferences
-- instead of the client preferences. When not set, the SSL
-- server will always follow the clients preferences. When set,
-- the SSLv3/TLSv1 server will choose following its own
-- preferences. Because of the different protocol, for SSLv2 the
-- server will send its list of preferences to the client and
-- the client chooses.
| SSL_OP_CIPHER_SERVER_PREFERENCE
#endif
| SSL_OP_PKCS1_CHECK_1
| SSL_OP_PKCS1_CHECK_2
-- | If we accept a netscape connection, demand a client cert,
-- have a non-self-signed CA which does not have its CA in
-- netscape, and the browser has a cert, it will
-- crash/hang. Works for 3.x and 4.xbeta
| SSL_OP_NETSCAPE_CA_DN_BUG
| SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
-- | Do not use the SSLv2 protocol.
| SSL_OP_NO_SSLv2
-- | Do not use the SSLv3 protocol.
| SSL_OP_NO_SSLv3
-- | Do not use the TLSv1 protocol.
| SSL_OP_NO_TLSv1
#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
-- | When performing renegotiation as a server, always start a
-- new session (i.e., session resumption requests are only
-- accepted in the initial handshake). This option is not needed
-- for clients.
| SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
#endif
-- | Normally clients and servers will, where possible,
-- transparently make use of
-- <http://tools.ietf.org/html/rfc4507 RFC 4507> tickets for
-- stateless session resumption.
--
-- If this option is set this functionality is disabled and
-- tickets will not be used by clients or servers.
| SSL_OP_NO_TICKET
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-- | Allow legacy insecure renegotiation between OpenSSL and
-- unpatched clients or servers. See
-- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
-- for more details.
| SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
#endif
#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
-- | Allow legacy insecure renegotiation between OpenSSL and
-- unpatched servers _only_. See
-- <https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#secure_renegotiation SECURE RENEGOTIATION>
-- for more details.
| SSL_OP_LEGACY_SERVER_CONNECT
#endif
deriving (Eq, Ord, Show, Typeable)
optionToIntegral :: Integral a => SSLOption -> a
optionToIntegral SSL_OP_MICROSOFT_SESS_ID_BUG = #const SSL_OP_MICROSOFT_SESS_ID_BUG
optionToIntegral SSL_OP_NETSCAPE_CHALLENGE_BUG = #const SSL_OP_NETSCAPE_CHALLENGE_BUG
optionToIntegral SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = #const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
optionToIntegral SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = #const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
optionToIntegral SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = #const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
optionToIntegral SSL_OP_SAFARI_ECDHE_ECDSA_BUG = #const SSL_OP_SAFARI_ECDHE_ECDSA_BUG
optionToIntegral SSL_OP_SSLEAY_080_CLIENT_DH_BUG = #const SSL_OP_SSLEAY_080_CLIENT_DH_BUG
optionToIntegral SSL_OP_TLS_D5_BUG = #const SSL_OP_TLS_D5_BUG
optionToIntegral SSL_OP_TLS_BLOCK_PADDING_BUG = #const SSL_OP_TLS_BLOCK_PADDING_BUG
#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
optionToIntegral SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = #const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
#endif
#if defined(SSL_OP_TLSEXT_PADDING)
optionToIntegral SSL_OP_TLSEXT_PADDING = #const SSL_OP_TLSEXT_PADDING
#endif
optionToIntegral SSL_OP_ALL = #const SSL_OP_ALL
#if defined(SSL_OP_TLS_ROLLBACK_BUG)
optionToIntegral SSL_OP_TLS_ROLLBACK_BUG = #const SSL_OP_TLS_ROLLBACK_BUG
#endif
optionToIntegral SSL_OP_SINGLE_DH_USE = #const SSL_OP_SINGLE_DH_USE
optionToIntegral SSL_OP_EPHEMERAL_RSA = #const SSL_OP_EPHEMERAL_RSA
#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
optionToIntegral SSL_OP_CIPHER_SERVER_PREFERENCE = #const SSL_OP_CIPHER_SERVER_PREFERENCE
#endif
optionToIntegral SSL_OP_PKCS1_CHECK_1 = #const SSL_OP_PKCS1_CHECK_1
optionToIntegral SSL_OP_PKCS1_CHECK_2 = #const SSL_OP_PKCS1_CHECK_2
optionToIntegral SSL_OP_NETSCAPE_CA_DN_BUG = #const SSL_OP_NETSCAPE_CA_DN_BUG
optionToIntegral SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = #const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
optionToIntegral SSL_OP_NO_SSLv2 = #const SSL_OP_NO_SSLv2
optionToIntegral SSL_OP_NO_SSLv3 = #const SSL_OP_NO_SSLv3
optionToIntegral SSL_OP_NO_TLSv1 = #const SSL_OP_NO_TLSv1
#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
optionToIntegral SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = #const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
#endif
optionToIntegral SSL_OP_NO_TICKET = #const SSL_OP_NO_TICKET
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
optionToIntegral SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = #const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
#endif
#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
optionToIntegral SSL_OP_LEGACY_SERVER_CONNECT = #const SSL_OP_LEGACY_SERVER_CONNECT
#endif