xref: /openssl/doc/man3/SSL_CTX_new.pod (revision a82c2bf5)
1=pod
2
3=head1 NAME
4
5TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
6SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_up_ref, SSLv3_method,
7SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method,
8TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method,
9TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method,
10SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method,
11DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method,
12DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method,
13DTLSv1_2_client_method
14- create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled
15functions
16
17=head1 SYNOPSIS
18
19 #include <openssl/ssl.h>
20
21 SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
22                         const SSL_METHOD *method);
23 SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
24 int SSL_CTX_up_ref(SSL_CTX *ctx);
25
26 const SSL_METHOD *TLS_method(void);
27 const SSL_METHOD *TLS_server_method(void);
28 const SSL_METHOD *TLS_client_method(void);
29
30 const SSL_METHOD *SSLv23_method(void);
31 const SSL_METHOD *SSLv23_server_method(void);
32 const SSL_METHOD *SSLv23_client_method(void);
33
34 #ifndef OPENSSL_NO_SSL3_METHOD
35 const SSL_METHOD *SSLv3_method(void);
36 const SSL_METHOD *SSLv3_server_method(void);
37 const SSL_METHOD *SSLv3_client_method(void);
38 #endif
39
40 #ifndef OPENSSL_NO_TLS1_METHOD
41 const SSL_METHOD *TLSv1_method(void);
42 const SSL_METHOD *TLSv1_server_method(void);
43 const SSL_METHOD *TLSv1_client_method(void);
44 #endif
45
46 #ifndef OPENSSL_NO_TLS1_1_METHOD
47 const SSL_METHOD *TLSv1_1_method(void);
48 const SSL_METHOD *TLSv1_1_server_method(void);
49 const SSL_METHOD *TLSv1_1_client_method(void);
50 #endif
51
52 #ifndef OPENSSL_NO_TLS1_2_METHOD
53 const SSL_METHOD *TLSv1_2_method(void);
54 const SSL_METHOD *TLSv1_2_server_method(void);
55 const SSL_METHOD *TLSv1_2_client_method(void);
56 #endif
57
58 const SSL_METHOD *DTLS_method(void);
59 const SSL_METHOD *DTLS_server_method(void);
60 const SSL_METHOD *DTLS_client_method(void);
61
62 #ifndef OPENSSL_NO_DTLS1_METHOD
63 const SSL_METHOD *DTLSv1_method(void);
64 const SSL_METHOD *DTLSv1_server_method(void);
65 const SSL_METHOD *DTLSv1_client_method(void);
66 #endif
67
68 #ifndef OPENSSL_NO_DTLS1_2_METHOD
69 const SSL_METHOD *DTLSv1_2_method(void);
70 const SSL_METHOD *DTLSv1_2_server_method(void);
71 const SSL_METHOD *DTLSv1_2_client_method(void);
72 #endif
73
74=head1 DESCRIPTION
75
76SSL_CTX_new_ex() creates a new B<SSL_CTX> object, which holds various
77configuration and data relevant to SSL/TLS or DTLS session establishment.
78These are later inherited by the B<SSL> object representing an active session.
79The I<method> parameter specifies whether the context will be used for the
80client or server side or both - for details see the L</NOTES> below.
81The library context I<libctx> (see L<OSSL_LIB_CTX(3)>) is used to provide the
82cryptographic algorithms needed for the session. Any cryptographic algorithms
83that are used by any B<SSL> objects created from this B<SSL_CTX> will be fetched
84from the I<libctx> using the property query string I<propq> (see
85L<crypto(7)/ALGORITHM FETCHING>. Either or both the I<libctx> or I<propq>
86parameters may be NULL.
87
88SSL_CTX_new() does the same as SSL_CTX_new_ex() except that the default
89library context is used and no property query string is specified.
90
91An B<SSL_CTX> object is reference counted. Creating an B<SSL_CTX> object for the
92first time increments the reference count. Freeing the B<SSL_CTX> (using
93SSL_CTX_free) decrements it. When the reference count drops to zero, any memory
94or resources allocated to the B<SSL_CTX> object are freed. SSL_CTX_up_ref()
95increments the reference count for an existing B<SSL_CTX> structure.
96
97An B<SSL_CTX> object should not be changed after it is used to create any B<SSL>
98objects or from multiple threads concurrently, since the implementation does not
99provide serialization of access for these cases.
100
101=head1 NOTES
102
103On session establishment, by default, no peer credentials verification is done.
104This must be explicitly requested, typically using L<SSL_CTX_set_verify(3)>.
105For verifying peer certificates many options can be set using various functions
106such as L<SSL_CTX_load_verify_locations(3)> and L<SSL_CTX_set1_param(3)>.
107
108The SSL/(D)TLS implementation uses the L<X509_STORE_CTX_set_default(3)>
109function to prepare checks for B<X509_PURPOSE_SSL_SERVER> on the client side
110and B<X509_PURPOSE_SSL_CLIENT> on the server side.
111The L<X509_VERIFY_PARAM_set_purpose(3)> function can be used, also in conjunction
112with L<SSL_CTX_get0_param(3)>, to override the default purpose of the session.
113
114The SSL_CTX object uses I<method> as the connection method.
115Three method variants are available: a generic method (for either client or
116server use), a server-only method, and a client-only method.
117
118The I<method> parameter of SSL_CTX_new_ex() and SSL_CTX_new()
119can be one of the following:
120
121=over 4
122
123=item TLS_method(), TLS_server_method(), TLS_client_method()
124
125These are the general-purpose I<version-flexible> SSL/TLS methods.
126The actual protocol version used will be negotiated to the highest version
127mutually supported by the client and the server.
128The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
129Applications should use these methods, and avoid the version-specific
130methods described below, which are deprecated.
131
132=item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()
133
134These functions do not exist anymore, they have been renamed to
135TLS_method(), TLS_server_method() and TLS_client_method() respectively.
136Currently, the old function calls are renamed to the corresponding new
137ones by preprocessor macros, to ensure that existing code which uses the
138old function names still compiles. However, using the old function names
139is deprecated and new code should call the new functions instead.
140
141=item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()
142
143A TLS/SSL connection established with these methods will only understand the
144TLSv1.2 protocol. These methods are deprecated.
145
146=item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()
147
148A TLS/SSL connection established with these methods will only understand the
149TLSv1.1 protocol.  These methods are deprecated.
150
151=item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()
152
153A TLS/SSL connection established with these methods will only understand the
154TLSv1 protocol. These methods are deprecated.
155
156=item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()
157
158A TLS/SSL connection established with these methods will only understand the
159SSLv3 protocol.
160The SSLv3 protocol is deprecated and should not be used.
161
162=item DTLS_method(), DTLS_server_method(), DTLS_client_method()
163
164These are the version-flexible DTLS methods.
165Currently supported protocols are DTLS 1.0 and DTLS 1.2.
166
167=item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()
168
169These are the version-specific methods for DTLSv1.2.
170These methods are deprecated.
171
172=item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()
173
174These are the version-specific methods for DTLSv1.
175These methods are deprecated.
176
177=back
178
179SSL_CTX_new() initializes the list of ciphers, the session cache setting, the
180callbacks, the keys and certificates and the options to their default values.
181
182TLS_method(), TLS_server_method(), TLS_client_method(), DTLS_method(),
183DTLS_server_method() and DTLS_client_method() are the I<version-flexible>
184methods.
185All other methods only support one specific protocol version.
186Use the I<version-flexible> methods instead of the version specific methods.
187
188If you want to limit the supported protocols for the version flexible
189methods you can use L<SSL_CTX_set_min_proto_version(3)>,
190L<SSL_set_min_proto_version(3)>, L<SSL_CTX_set_max_proto_version(3)> and
191L<SSL_set_max_proto_version(3)> functions.
192Using these functions it is possible to choose e.g. TLS_server_method()
193and be able to negotiate with all possible clients, but to only
194allow newer protocols like TLS 1.0, TLS 1.1, TLS 1.2 or TLS 1.3.
195
196The list of protocols available can also be limited using the
197B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>, B<SSL_OP_NO_TLSv1_1>,
198B<SSL_OP_NO_TLSv1_3>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
199options of the
200L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions, but this approach
201is not recommended. Clients should avoid creating "holes" in the set of
202protocols they support. When disabling a protocol, make sure that you also
203disable either all previous or all subsequent protocol versions.
204In clients, when a protocol version is disabled without disabling I<all>
205previous protocol versions, the effect is to also disable all subsequent
206protocol versions.
207
208The SSLv3 protocol is deprecated and should generally not be used.
209Applications should typically use L<SSL_CTX_set_min_proto_version(3)> to set
210the minimum protocol to at least B<TLS1_VERSION>.
211
212=head1 RETURN VALUES
213
214The following return values can occur:
215
216=over 4
217
218=item NULL
219
220The creation of a new SSL_CTX object failed. Check the error stack to find out
221the reason.
222
223=item Pointer to an SSL_CTX object
224
225The return value points to an allocated SSL_CTX object.
226
227SSL_CTX_up_ref() returns 1 for success and 0 for failure.
228
229=back
230
231=head1 SEE ALSO
232
233L<SSL_CTX_set_options(3)>, L<SSL_CTX_free(3)>, L<X509_STORE_CTX_set_default(3)>,
234SSL_CTX_set_verify(3), L<SSL_CTX_set1_param(3)>, L<SSL_CTX_get0_param(3)>,
235L<SSL_connect(3)>, L<SSL_accept(3)>,
236L<SSL_CTX_set_min_proto_version(3)>, L<ssl(7)>, L<SSL_set_connect_state(3)>
237
238=head1 HISTORY
239
240Support for SSLv2 and the corresponding SSLv2_method(),
241SSLv2_server_method() and SSLv2_client_method() functions where
242removed in OpenSSL 1.1.0.
243
244SSLv23_method(), SSLv23_server_method() and SSLv23_client_method()
245were deprecated and the preferred TLS_method(), TLS_server_method()
246and TLS_client_method() functions were added in OpenSSL 1.1.0.
247
248All version-specific methods were deprecated in OpenSSL 1.1.0.
249
250SSL_CTX_new_ex() was added in OpenSSL 3.0.
251
252=head1 COPYRIGHT
253
254Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
255
256Licensed under the Apache License 2.0 (the "License").  You may not use
257this file except in compliance with the License.  You can obtain a copy
258in the file LICENSE in the source distribution or at
259L<https://www.openssl.org/source/license.html>.
260
261=cut
262