22  int SSL_get1_groups(SSL *ssl, int *groups);
41 For all of the functions below that set the supported groups there must be at
42 least one group in the list. A number of these functions identify groups via a
43 unique integer NID value. However, support for some groups may be added by
45 When setting such groups applications should use the "list" form of these
48 SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
49 groups in the array B<glist>. The array consist of all NIDs of supported groups.
50 The supported groups for B<TLSv1.3> include:
65 whether the groups are used in a client or server.
67 For a TLS client, the groups are used directly in the supported groups
71 For a TLS 1.2 server, the groups determine the selected group. If
76 For a TLS 1.3 server, the groups determine the selected group, but
78 predicted subset of groups. Choosing a group outside the predicted subset incurs
80 not be predicted. OpenSSL considers all supported groups in I<clist> to be comparable
87 SSL_CTX_set1_groups_list() sets the supported groups for B<ctx> to
89 groups, rather than their NIDs, are used.
91 The commands below list the available groups for TLS 1.2 and TLS 1.3,
94     $ openssl list -tls1_2 -tls-groups
95     $ openssl list -tls1_3 -tls-groups
105 (listing unknown groups otherwise results in error).
106 It is also possible to specify the built-in default set of groups, and to explicitly
124 will be removed from the list of groups if present (including not sending a
126 C<DEFAULT> can be used to select the OpenSSL built-in default list of groups.
128 For a TLS 1.3 client, all the groups in the string I<list> are added to the
129 supported groups extension of a C<ClientHello>, in the order in which they are listed,
136 of the OpenSSL built-in default list of groups. If no C<*> is used anywhere in the list,
139 supported groups extension in a C<ClientHello> and will send key shares for P-256 and P-384.
141 For a TLS 1.3 server, the groups in the string I<list> will be used to determine which group
143 by the order of the tuples in the array, and the preference order of the groups within
144 a group tuple is determined by the order of the groups in the tuple. Server preference
155          FOR each client supported groups
159              IF current group is also part of client key-share groups: SH, return success
161              IF current group is also part of client supported groups: HRR, return success
182 supported groups for the SSL structure B<ssl>.
184 SSL_get1_groups() returns the set of supported groups sent by a client
185 in the supported groups extension. It returns the total number of
186 supported groups. The B<groups> parameter can be B<NULL> to simply
187 return the number of groups for memory allocation purposes. The
188 B<groups> array is in the form of a set of group NIDs in preference
189 order. It can return zero if the client did not send a supported groups
193 SSL_get0_iana_groups() retrieves the list of groups sent by the
197 that was received in the ClientHello.  The return value is the number of groups,
201 server-side SSL B<ssl>. If B<n> is -1 then the total number of shared groups is
220 groups that are compatible with the TLS version of the B<ctx> argument.
223 only the preferred IANA names of the groups, but also any associated aliases.
224 If the SSL_CTX is version-flexible, the groups will be those compatible
228 The B<-tls-groups> and B<-all-tls-groups> options of the
237 groups, and extended to include Diffie Hellman groups. The group functions
252 SSL_get1_groups() returns the number of groups, which may be zero.
254 SSL_get0_iana_groups() returns the number of (uint16_t) groups, which may be zero.
257 is no shared group B<n>; or the total number of shared groups if B<n>
277 Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and
286 supported groups as comparable in security.

Last Index update Sun Feb 16 20:04:31 UTC 2025

Dedicated to & Maintained by Room-11