1Behaviour of SSL functions on QUIC SSL objects 2============================================== 3 4This document is a companion to the [QUIC API Overview](./quic-api.md) which 5lists all SSL functions and controls and notes their behaviour with QUIC SSL 6objects. 7 8The Category column is as follows: 9 10- **Global**: 11 These API items do not relate to SSL objects. They may be stateless or may 12 relate only to global state. 13 14 Can also be used for APIs implemented only in terms of other public libssl APIs. 15- **Object**: 16 Object management APIs. Some of these may require QUIC-specific implementation. 17- **HL**: Handshake layer API. 18 19 These calls should generally be dispatched to the handshake layer, unless 20 they are not applicable to QUIC. Modifications inside the handshake layer 21 for the QUIC case may or may not be required. 22- **CSSM**: Connection/Stream State Machine. API related to lifecycle of a 23 connection or stream. Needs QUIC-specific implementation. 24- **ADP**: App Data Path. Application-side data path API. QUIC-specific 25 implementation. 26- **NDP**: Net Data Path. Network-side data path control API. Also includes I/O 27 ticking and timeout handling. 28- **RL**: Record layer related API. If these API items only relate to the TLS 29 record layer, they must be disabled for QUIC; if they are also relevant to the 30 QUIC record layer, they will require QUIC-specific implementation. 31- **Async**: Relates to the async functionality. 32- **0-RTT**: Relates to early data/0-RTT functionality. 33- **Special**: Other calls which defy classification. 34 35The Semantics column is as follows: 36 37- **��U**: Unchanged. The semantics of the API are not changed for QUIC. 38- **��C**: Changed. The semantics of the API are changed for QUIC. 39- **��N**: New. The API is new for QUIC. 40- **��TBD**: Yet to be determined if semantic changes will be required. 41 42The Applicability column is as follows: 43 44- **��U**: Unrelated. Not applicable to QUIC — fully unrelated (e.g. functions for 45 other SSL methods). 46- **��FC**: Not applicable to QUIC (or not currently supported) — fail closed. 47- **��NO**: Not applicable to QUIC (nor not currently supported) — no-op. 48- **��A**: Applicable. 49 50The Implementation Requirements column is as follows: 51 52- **��NC**: No changes are expected to be needed (where marked **\***, dispatch 53 to handshake layer). 54 55 **Note**: Where this value is used with an applicability of **FC** or **NO**, 56 this means that the desired behaviour is already an emergent consequence of the 57 existing code. 58- **��C**: Modifications are expected to be needed (where marked **\***, 59 dispatch to handshake layer with changes inside the handshake layer). 60- **��QSI**: QUIC specific implementation. 61- **��QSA**: QUIC specific API. 62 63The Status column is as follows: 64 65- **��Pending Triage**: Have not determined the classification of this API item yet. 66- **��Design TBD**: It has not yet been determined how this API item will work for 67 QUIC. 68- **��TODO**: It has been determined how this API item should work for QUIC but it 69 has not yet been implemented. 70- **��Done**: No further work is anticipated to be needed for this API item. 71 72Notes: 73 74- †1: Must restrict which ciphers can be used with QUIC; otherwise, no changes. 75- †2: ALPN usage must be mandated; otherwise, no changes. 76- †3: NPN usage should be forced off as it should never be used with QUIC; 77 otherwise, no changes. 78- †4: Controls needing changes are listed separately. 79- †5: TLS compression and renegotiation must not be used with QUIC, but these 80 features are already forbidden in 81 TLS 1.3, which is a requirement for QUIC, thus no changes should be needed. 82- †6: Callback specified is called for handshake layer messages (TLSv1.3). 83- †7: Tickets are issued using `NEW_TOKEN` frames in QUIC and this will 84 require handshake layer changes. However these APIs as such do not require 85 changes. 86- †8: Use of post-handshake authentication is prohibited by QUIC. 87- †9: QUIC always uses AES-128-GCM initially. We need to determine when and 88 what ciphers we report as being in use. 89- †10: Not supporting async for now. 90- †11: Since these functions only configure cipher suite lists used for TLSv1.2, 91 which is never used for QUIC, they do not require changes, and we can allow 92 applications to configure these lists freely, as they will be ignored. 93 94| API Item | Cat. | Sema. | Appl. | Impl. Req. | Status | 95|----------------------------------------------|---------|-------|-------|------------|--------------| 96| **⇒ Global Information and Functions** | | | | | | 97| `OSSL_default_cipher_list` | Global | ��U | ��U | ��NC | ��Done | 98| `OSSL_default_ciphersuites` | Global | ��U | ��U | ��NC | ��Done | 99| `ERR_load_SSL_strings` | Global | ��U | ��U | ��NC | ��Done | 100| `OPENSSL_init_ssl` | Global | ��U | ��U | ��NC | ��Done | 101| `OPENSSL_cipher_name` | Global | ��U | ��U | ��NC | ��Done | 102| `SSL_alert_desc_string` | Global | ��U | ��U | ��NC | ��Done | 103| `SSL_alert_desc_string_long` | Global | ��U | ��U | ��NC | ��Done | 104| `SSL_alert_type_string` | Global | ��U | ��U | ��NC | ��Done | 105| `SSL_alert_type_string_long` | Global | ��U | ��U | ��NC | ��Done | 106| `SSL_extension_supported` | Global | ��U | ��U | ��NC | ��Done | 107| `SSL_add_ssl_module` | Global | ��U | ��U | ��NC | ��Done | 108| `SSL_test_functions` | Global | ��U | ��U | ��NC | ��Done | 109| `SSL_select_next_proto` | Global | ��U | ��U | ��NC | ��Done | 110| **⇒ Methods** | | | | | | 111| `SSLv3_method` | Global | ��U | ��U | ��NC | ��Done | 112| `SSLv3_client_method` | Global | ��U | ��U | ��NC | ��Done | 113| `SSLv3_server_method` | Global | ��U | ��U | ��NC | ��Done | 114| `TLS_method` | Global | ��U | ��U | ��NC | ��Done | 115| `TLS_client_method` | Global | ��U | ��U | ��NC | ��Done | 116| `TLS_server_method` | Global | ��U | ��U | ��NC | ��Done | 117| `TLSv1_method` | Global | ��U | ��U | ��NC | ��Done | 118| `TLSv1_client_method` | Global | ��U | ��U | ��NC | ��Done | 119| `TLSv1_server_method` | Global | ��U | ��U | ��NC | ��Done | 120| `TLSv1_1_method` | Global | ��U | ��U | ��NC | ��Done | 121| `TLSv1_1_client_method` | Global | ��U | ��U | ��NC | ��Done | 122| `TLSv1_1_server_method` | Global | ��U | ��U | ��NC | ��Done | 123| `TLSv1_2_client_method` | Global | ��U | ��U | ��NC | ��Done | 124| `TLSv1_2_server_method` | Global | ��U | ��U | ��NC | ��Done | 125| `TLSv1_2_method` | Global | ��U | ��U | ��NC | ��Done | 126| `DTLS_method` | Global | ��U | ��U | ��NC | ��Done | 127| `DTLS_client_method` | Global | ��U | ��U | ��NC | ��Done | 128| `DTLS_server_method` | Global | ��U | ��U | ��NC | ��Done | 129| `DTLSv1_client_method` | Global | ��U | ��U | ��NC | ��Done | 130| `DTLSv1_server_method` | Global | ��U | ��U | ��NC | ��Done | 131| `DTLSv1_method` | Global | ��U | ��U | ��NC | ��Done | 132| `DTLSv1_2_method` | Global | ��U | ��U | ��NC | ��Done | 133| `DTLSv1_2_client_method` | Global | ��U | ��U | ��NC | ��Done | 134| `DTLSv1_2_server_method` | Global | ��U | ��U | ��NC | ��Done | 135| `OSSL_QUIC_client_method` | Global | ��U | ��U | ��QSA | ��Done | 136| `OSSL_QUIC_client_thread_method` | Global | ��U | ��U | ��QSA | ��Done | 137| `OSSL_QUIC_server_method` | Global | ��U | ��U | ��QSA | ��Design TBD | 138| **⇒ Instantiation** | | | | | | 139| `BIO_f_ssl` | Object | ��U | ��A | ��NC | ��Done | 140| `BIO_new_ssl` | Object | ��U | ��A | ��NC | ��Done | 141| `SSL_CTX_new` | Object | ��U | ��A | ��NC | ��Done | 142| `SSL_CTX_new_ex` | Object | ��U | ��A | ��NC | ��Done | 143| `SSL_CTX_up_ref` | Object | ��U | ��A | ��NC | ��Done | 144| `SSL_CTX_free` | Object | ��U | ��A | ��NC | ��Done | 145| `SSL_new` | Object | ��U | ��A | ��QSI | ��Done | 146| `SSL_dup` | Object | ��U | ��A | ��FC | ��Done | 147| `SSL_up_ref` | Object | ��U | ��A | ��NC | ��Done | 148| `SSL_free` | Object | ��U | ��A | ��QSI | ��Done | 149| `SSL_is_dtls` | Object | ��U | ��A | ��NC | ��Done | 150| `SSL_CTX_get_ex_data` | Object | ��U | ��A | ��NC | ��Done | 151| `SSL_CTX_set_ex_data` | Object | ��U | ��A | ��NC | ��Done | 152| `SSL_get_ex_data` | Object | ��U | ��A | ��NC | ��Done | 153| `SSL_set_ex_data` | Object | ��U | ��A | ��NC | ��Done | 154| `SSL_get_SSL_CTX` | Object | ��U | ��A | ��NC | ��Done | 155| `SSL_set_SSL_CTX` | Object | ��U | ��A | ��NC | ��Done | 156| **⇒ Method Manipulation** | | | | | | 157| `SSL_CTX_get_ssl_method` | Object | ��U | ��A | ��NC | ��Done | 158| `SSL_get_ssl_method` | Object | ��U | ��A | ��NC | ��Done | 159| `SSL_set_ssl_method` | Object | ��U | ��FC | ��QSI | ��Done | 160| **⇒ SRTP** | | | | | | 161| `SSL_get_selected_srtp_profile` | HL | ��U | ��NO | ��C\* | ��Done | 162| `SSL_get_srtp_profiles` | HL | ��U | ��NO | ��C\* | ��Done | 163| `SSL_CTX_set_tlsext_use_srtp` | HL | ��U | ��FC | ��C\* | ��Done | 164| `SSL_set_tlsext_use_srtp` | HL | ��U | ��FC | ��NC\* | ��Done | 165| **⇒ Ciphersuite Configuration** | | | | | | 166| `SSL_CTX_set_cipher_list` | HL | ��U | ��A | ��NC\* †11 | ��Done | 167| `SSL_CTX_set_ciphersuites` | HL | ��U | ��A | ��C\* †1 | ��Done | 168| `SSL_CTX_get_ciphers` | HL | ��U | ��A | ��NC\* | ��Done | 169| `SSL_set_ciphersuites` | HL | ��U | ��A | ��NC\* | ��Done | 170| `SSL_get1_supported_ciphers` | HL | ��U | ��A | ��C\* †1 | ��Done | 171| `SSL_bytes_to_cipher_list` | HL | ��U | ��A | ��NC\* | ��Done | 172| `SSL_get_ciphers` | HL | ��U | ��A | ��NC\* | ��Done | 173| `SSL_get_cipher_list` | HL | ��U | ��A | ��NC\* †11 | ��Done | 174| `SSL_set_cipher_list` | HL | ��U | ��A | ��NC\* †11 | ��Done | 175| **⇒ Negotiated Ciphersuite Queries** | | | | | | 176| `SSL_get_current_cipher` | HL | ��U | ��A | ��NC\* †9 | ��Done | 177| `SSL_get_pending_cipher` | HL | ��U | ��A | ��NC\* †9 | ��Done | 178| `SSL_get_shared_ciphers` | HL | ��U | ��A | ��NC\* †9 | ��Done | 179| `SSL_get_client_ciphers` | HL | ��U | ��A | ��NC\* †9 | ��Done | 180| `SSL_get_current_compression` | HL | ��U | ��A | ��HLNC | ��Done | 181| `SSL_get_current_expansion` | HL | ��U | ��A | ��NC\* | ��Done | 182| `SSL_get_shared_sigalgs` | HL | ��U | ��A | ��NC\* | ��Done | 183| `SSL_get_sigalgs` | HL | ��U | ��A | ��NC\* | ��Done | 184| `SSL_get_peer_signature_nid` | HL | ��U | ��A | ��NC\* | ��Done | 185| `SSL_get_peer_signature_type_nid` | HL | ��U | ��A | ��NC\* | ��Done | 186| `SSL_get_signature_nid` | HL | ��U | ��A | ��NC\* | ��Done | 187| `SSL_get_signature_type_nid` | HL | ��U | ��A | ��NC\* | ��Done | 188| **⇒ ALPN** | †2 | | | | | 189| `SSL_SESSION_set1_alpn_selected` | HL | ��U | ��A | ��C\* †2 | ��Done | 190| `SSL_SESSION_get0_alpn_selected` | HL | ��U | ��A | ��C\* †2 | ��Done | 191| `SSL_CTX_set_alpn_select_cb` | HL | ��U | ��A | ��C\* †2 | ��Done | 192| `SSL_set_alpn_protos` | HL | ��U | ��A | ��C\* †2 | ��Done | 193| `SSL_get0_alpn_selected` | HL | ��U | ��A | ��C\* †2 | ��Done | 194| `SSL_CTX_set_alpn_protos` | HL | ��U | ��A | ��C\* †2 | ��Done | 195| **⇒ NPN** | †3 | | | | | 196| `SSL_CTX_set_next_proto_select_cb` | HL | ��U | ��FC | ��C\* †3 | ��Done | 197| `SSL_CTX_set_next_protos_advertised_cb` | HL | ��U | ��FC | ��C\* †3 | ��Done | 198| `SSL_get0_next_proto_negotiated` | HL | ��U | ��FC | ��NC\* †3 | ��Done | 199| **⇒ Narrow Waist Interface** | †4 | | | | | 200| `SSL_CTX_ctrl` | Object | ��U | ��A | ��NC\* †4 | ��Done | 201| `SSL_ctrl` | Object | ��U | ��A | ��NC\* †4 | ��Done | 202| `SSL_CTX_callback_ctrl` | Object | ��U | ��A | ��NC\* †4 | ��Done | 203| `SSL_callback_ctrl` | Object | ��U | ��A | ��NC\* †4 | ��Done | 204| **⇒ Miscellaneous Accessors** | | | | | | 205| `SSL_get_server_random` | HL | ��U | ��A | ��NC\* | ��Done | 206| `SSL_get_client_random` | HL | ��U | ��A | ��NC\* | ��Done | 207| `SSL_get_finished` | HL | ��U | ��A | ��NC\* | ��Done | 208| `SSL_get_peer_finished` | HL | ��U | ��A | ��NC\* | ��Done | 209| **⇒ Ciphersuite Information** | | | | | | 210| `SSL_CIPHER_description` | Global | ��U | ��A | ��NC\* | ��Done | 211| `SSL_CIPHER_find` | Global | ��U | ��A | ��NC\* | ��Done | 212| `SSL_CIPHER_get_auth_nid` | Global | ��U | ��A | ��NC\* | ��Done | 213| `SSL_CIPHER_get_bits` | Global | ��U | ��A | ��NC\* | ��Done | 214| `SSL_CIPHER_get_cipher_nid` | Global | ��U | ��A | ��NC\* | ��Done | 215| `SSL_CIPHER_get_digest_nid` | Global | ��U | ��A | ��NC\* | ��Done | 216| `SSL_CIPHER_get_handshake_digest` | Global | ��U | ��A | ��NC\* | ��Done | 217| `SSL_CIPHER_get_id` | Global | ��U | ��A | ��NC\* | ��Done | 218| `SSL_CIPHER_get_kx_nid` | Global | ��U | ��A | ��NC\* | ��Done | 219| `SSL_CIPHER_get_name` | Global | ��U | ��A | ��NC\* | ��Done | 220| `SSL_CIPHER_get_protocol_id` | Global | ��U | ��A | ��NC\* | ��Done | 221| `SSL_CIPHER_get_version` | Global | ��U | ��A | ��NC\* | ��Done | 222| `SSL_CIPHER_is_aead` | Global | ��U | ��A | ��NC\* | ��Done | 223| `SSL_CIPHER_standard_name` | Global | ��U | ��A | ��NC\* | ��Done | 224| `SSL_group_to_name` | Global | ��U | ��U | ��NC\* | ��Done | 225| **⇒ Version Queries** | | | | | | 226| `SSL_get_version` | HL | ��U | ��A | ��NC\* | ��Done | 227| `SSL_version` | HL | ��U | ��A | ��NC\* | ��Done | 228| `SSL_client_version` | HL | ��U | ��A | ��NC\* | ��Done | 229| **⇒ Certificate Chain Management** | | | | | | 230| `SSL_get_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 231| `SSL_use_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 232| `SSL_CTX_use_certificate_chain_file` | HL | ��U | ��A | ��NC\* | ��Done | 233| `SSL_use_certificate_chain_file` | HL | ��U | ��A | ��NC\* | ��Done | 234| `SSL_use_certificate_file` | HL | ��U | ��A | ��NC\* | ��Done | 235| `SSL_CTX_load_verify_file` | HL | ��U | ��A | ��NC\* | ��Done | 236| `SSL_CTX_load_verify_dir` | HL | ��U | ��A | ��NC\* | ��Done | 237| `SSL_CTX_load_verify_store` | HL | ��U | ��A | ��NC\* | ��Done | 238| `SSL_CTX_load_verify_locations` | HL | ��U | ��A | ��NC\* | ��Done | 239| `CertSSL_use_cert_and_key` | HL | ��U | ��A | ��NC\* | ��Done | 240| `SSL_use_certificate_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 241| `SSL_use_PrivateKey` | HL | ��U | ��A | ��NC\* | ��Done | 242| `SSL_use_PrivateKey_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 243| `SSL_use_PrivateKey_file` | HL | ��U | ��A | ��NC\* | ��Done | 244| `SSL_use_RSAPrivateKey` | HL | ��U | ��A | ��NC\* | ��Done | 245| `SSL_use_RSAPrivateKey_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 246| `SSL_use_RSAPrivateKey_file` | HL | ��U | ��A | ��NC\* | ��Done | 247| `SSL_CTX_set_default_verify_dir` | HL | ��U | ��A | ��NC\* | ��Done | 248| `SSL_CTX_set_default_verify_file` | HL | ��U | ��A | ��NC\* | ��Done | 249| `SSL_CTX_set_default_verify_paths` | HL | ��U | ��A | ��NC\* | ��Done | 250| `SSL_CTX_set_default_verify_store` | HL | ��U | ��A | ��NC\* | ��Done | 251| `SSL_CTX_use_cert_and_key` | HL | ��U | ��A | ��NC\* | ��Done | 252| `SSL_CTX_use_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 253| `SSL_CTX_use_certificate_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 254| `SSL_CTX_use_certificate_file` | HL | ��U | ��A | ��NC\* | ��Done | 255| `SSL_CTX_use_PrivateKey` | HL | ��U | ��A | ��NC\* | ��Done | 256| `SSL_CTX_use_PrivateKey_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 257| `SSL_CTX_use_PrivateKey_file` | HL | ��U | ��A | ��NC\* | ��Done | 258| `SSL_CTX_use_RSAPrivateKey` | HL | ��U | ��A | ��NC\* | ��Done | 259| `SSL_CTX_use_RSAPrivateKey_ASN1` | HL | ��U | ��A | ��NC\* | ��Done | 260| `SSL_CTX_use_RSAPrivateKey_file` | HL | ��U | ��A | ��NC\* | ��Done | 261| `SSL_check_chain` | HL | ��U | ��A | ��NC\* | ��Done | 262| `SSL_check_private_key` | HL | ��U | ��A | ��NC\* | ��Done | 263| `SSL_CTX_check_private_key` | HL | ��U | ��A | ��NC\* | ��Done | 264| `SSL_add_client_CA` | HL | ��U | ��A | ��NC\* | ��Done | 265| `SSL_add1_to_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 266| `SSL_add_dir_cert_subjects_to_stack` | HL | ��U | ��A | ��NC\* | ��Done | 267| `SSL_add_file_cert_subjects_to_stack` | HL | ��U | ��A | ��NC\* | ��Done | 268| `SSL_add_store_cert_subjects_to_stack` | HL | ��U | ��A | ��NC\* | ��Done | 269| `SSL_load_client_CA_file` | HL | ��U | ��A | ��NC\* | ��Done | 270| `SSL_load_client_CA_file_ex` | HL | ��U | ��A | ��NC\* | ��Done | 271| `SSL_dup_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 272| `SSL_set0_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 273| `SSL_get0_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 274| `SSL_set_client_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 275| `SSL_CTX_add_client_CA` | HL | ��U | ��A | ��NC\* | ��Done | 276| `SSL_CTX_get0_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 277| `SSL_CTX_get0_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 278| `SSL_CTX_get0_privatekey` | HL | ��U | ��A | ��NC\* | ��Done | 279| `SSL_CTX_get_cert_store` | HL | ��U | ��A | ��NC\* | ��Done | 280| `SSL_CTX_set1_cert_store` | HL | ��U | ��A | ��NC\* | ��Done | 281| `SSL_CTX_get_client_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 282| `SSL_CTX_add1_to_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 283| `SSL_CTX_set0_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 284| `SSL_CTX_get_client_cert_cb` | HL | ��U | ��A | ��NC\* | ��Done | 285| `SSL_CTX_get_default_passwd_cb` | HL | ��U | ��A | ��NC\* | ��Done | 286| `SSL_CTX_get_default_passwd_cb_userdata` | HL | ��U | ��A | ��NC\* | ��Done | 287| `SSL_get_client_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 288| `SSL_get_privatekey` | HL | ��U | ��A | ��NC\* | ��Done | 289| **⇒ Certificate Compression** | | | | | | 290| `SSL_CTX_set1_cert_comp_preference` | HL | ��U | ��A | ��NC\* | ��Done | 291| `SSL_set1_cert_comp_preference` | HL | ��U | ��A | ��NC\* | ��Done | 292| `SSL_CTX_compress_certs` | HL | ��U | ��A | ��NC\* | ��Done | 293| `SSL_compress_certs` | HL | ��U | ��A | ��NC\* | ��Done | 294| `SSL_CTX_set1_compressed_cert` | HL | ��U | ��A | ��NC\* | ��Done | 295| `SSL_set1_compressed_cert` | HL | ��U | ��A | ��NC\* | ��Done | 296| `SSL_CTX_get1_compressed_cert` | HL | ��U | ��A | ��NC\* | ��Done | 297| `SSL_get1_compressed_cert` | HL | ��U | ��A | ��NC\* | ��Done | 298| **⇒ Certificate Verification** | | | | | | 299| `SSL_set1_host` | HL | ��U | ��A | ��NC\* | ��Done | 300| `SSL_add1_host` | HL | ��U | ��A | ��NC\* | ��Done | 301| `SSL_set_hostflags` | HL | ��U | ��A | ��NC\* | ��Done | 302| `SSL_set_verify` | HL | ��U | ��A | ��NC\* | ��Done | 303| `SSL_CTX_set_verify` | HL | ��U | ��A | ��NC\* | ��Done | 304| `SSL_set_verify_depth` | HL | ��U | ��A | ��NC\* | ��Done | 305| `SSL_set_verify_result` | HL | ��U | ��A | ��NC\* | ��Done | 306| `SSL_get_verify_callback` | HL | ��U | ��A | ��NC\* | ��Done | 307| `SSL_get_verify_depth` | HL | ��U | ��A | ��NC\* | ��Done | 308| `SSL_get_verify_mode` | HL | ��U | ��A | ��NC\* | ��Done | 309| `SSL_get_verify_result` | HL | ��U | ��A | ��NC\* | ��Done | 310| `SSL_get0_peer_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 311| `SSL_get0_peer_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 312| `SSL_get0_verified_chain` | HL | ��U | ��A | ��NC\* | ��Done | 313| `SSL_get1_peer_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 314| `SSL_get_peer_cert_chain` | HL | ��U | ��A | ��NC\* | ��Done | 315| `SSL_get_peer_certificate` | HL | ��U | ��A | ��NC\* | ��Done | 316| `SSL_certs_clear` | HL | ��U | ��A | ��NC\* | ��Done | 317| `SSL_CTX_get0_param` | HL | ��U | ��A | ��NC\* | ��Done | 318| `SSL_get0_param` | HL | ��U | ��A | ��NC\* | ��Done | 319| `SSL_CTX_get_verify_mode` | HL | ��U | ��A | ��NC\* | ��Done | 320| `SSL_CTX_get_verify_depth` | HL | ��U | ��A | ��NC\* | ��Done | 321| `SSL_CTX_set_verify_depth` | HL | ��U | ��A | ��NC\* | ��Done | 322| `SSL_get0_peername` | HL | ��U | ��A | ��NC\* | ��Done | 323| `SSL_CTX_set1_param` | HL | ��U | ��A | ��NC\* | ��Done | 324| `SSL_set1_param` | HL | ��U | ��A | ��NC\* | ��Done | 325| `SSL_CTX_get0_param` | HL | ��U | ��A | ��NC\* | ��Done | 326| `SSL_get0_param` | HL | ��U | ��A | ��NC\* | ��Done | 327| `SSL_CTX_set_purpose` | HL | ��U | ��A | ��NC\* | ��Done | 328| `SSL_set_purpose` | HL | ��U | ��A | ��NC\* | ��Done | 329| `SSL_CTX_set_trust` | HL | ��U | ��A | ��NC\* | ��Done | 330| `SSL_set_trust` | HL | ��U | ��A | ��NC\* | ��Done | 331| **⇒ PSK** | | | | | | 332| `SSL_use_psk_identity_hint` | HL | ��U | ��A | ��NC\* | ��Done | 333| `SSL_CTX_use_psk_identity_hint` | HL | ��U | ��A | ��NC\* | ��Done | 334| `SSL_set_psk_client_callback` | HL | ��U | ��A | ��NC\* | ��Done | 335| `SSL_set_psk_find_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 336| `SSL_set_psk_server_callback` | HL | ��U | ��A | ��NC\* | ��Done | 337| `SSL_set_psk_use_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 338| `SSL_get_psk_identity` | HL | ��U | ��A | ��NC\* | ��Done | 339| `SSL_get_psk_identity_hint` | HL | ��U | ��A | ��NC\* | ��Done | 340| **⇒ SRP** | | | | | | 341| `SSL_SRP_CTX_init` | HL | ��U | ��A | ��NC\* | ��Done | 342| `SSL_CTX_SRP_CTX_init` | HL | ��U | ��A | ��NC\* | ��Done | 343| `SSL_CTX_SRP_CTX_free` | HL | ��U | ��A | ��NC\* | ��Done | 344| `SSL_SRP_CTX_free` | HL | ��U | ��A | ��NC\* | ��Done | 345| `SSL_CTX_set_srp_client_pwd_callback` | HL | ��U | ��A | ��NC\* | ��Done | 346| `SSL_CTX_set_srp_password` | HL | ��U | ��A | ��NC\* | ��Done | 347| `SSL_get_srp_g` | HL | ��U | ��A | ��NC\* | ��Done | 348| `SSL_CTX_set_srp_cb_arg` | HL | ��U | ��A | ��NC\* | ��Done | 349| `SSL_get_srp_N` | HL | ��U | ��A | ��NC\* | ��Done | 350| `SSL_CTX_set_srp_username_callback` | HL | ��U | ��A | ��NC\* | ��Done | 351| `SSL_get_srp_username` | HL | ��U | ��A | ��NC\* | ��Done | 352| `SSL_set_srp_server_param` | HL | ��U | ��A | ��NC\* | ��Done | 353| `SSL_get_srp_userinfo` | HL | ��U | ��A | ��NC\* | ��Done | 354| `SSL_srp_server_param_with_username` | HL | ��U | ��A | ��NC\* | ��Done | 355| `SSL_CTX_set_srp_strength` | HL | ��U | ��A | ��NC\* | ��Done | 356| `SSL_CTX_set_srp_verify_param_callback` | HL | ��U | ��A | ��NC\* | ��Done | 357| `SSL_set_srp_server_param_pw` | HL | ��U | ��A | ��NC\* | ��Done | 358| `SSL_CTX_set_srp_username` | HL | ��U | ��A | ��NC\* | ��Done | 359| `SRP_Calc_A_param` | HL | ��U | ��A | ��NC\* | ��Done | 360| **⇒ DANE** | | | | | | 361| `SSL_CTX_dane_enable` | HL | ��U | ��A | ��NC\* | ��Done | 362| `SSL_get0_dane_tlsa` | HL | ��U | ��A | ��NC\* | ��Done | 363| `SSL_CTX_dane_set_flags` | HL | ��U | ��A | ��NC\* | ��Done | 364| `SSL_dane_set_flags` | HL | ��U | ��A | ��NC\* | ��Done | 365| `SSL_CTX_dane_clear_flags` | HL | ��U | ��A | ��NC\* | ��Done | 366| `SSL_dane_clear_flags` | HL | ��U | ��A | ��NC\* | ��Done | 367| `SSL_get0_dane` | HL | ��U | ��A | ��NC\* | ��Done | 368| `SSL_dane_enable` | HL | ��U | ��A | ��NC\* | ��Done | 369| `SSL_get0_dane_authority` | HL | ��U | ��A | ��NC\* | ��Done | 370| `SSL_CTX_dane_mtype_set` | HL | ��U | ��A | ��NC\* | ��Done | 371| `SSL_dane_tlsa_add` | HL | ��U | ��A | ��NC\* | ��Done | 372| **⇒ Certificate Transparency** | | | | | | 373| `SSL_CTX_enable_ct` | HL | ��U | ��A | ��NC\* | ��Done | 374| `SSL_CTX_ct_is_enabled` | HL | ��U | ��A | ��NC\* | ��Done | 375| `SSL_CTX_set_ctlog_list_file` | HL | ��U | ��A | ��NC\* | ��Done | 376| `SSL_CTX_set_default_ctlog_list_file` | HL | ��U | ��A | ��NC\* | ��Done | 377| `SSL_CTX_set_ct_validation_callback` | HL | ��U | ��A | ��NC\* | ��Done | 378| `SSL_CTX_set0_ctlog_store` | HL | ��U | ��A | ��NC\* | ��Done | 379| `SSL_CTX_get0_ctlog_store` | HL | ��U | ��A | ��NC\* | ��Done | 380| `SSL_enable_ct` | HL | ��U | ��A | ��NC\* | ��Done | 381| `SSL_ct_is_enabled` | HL | ��U | ��A | ��NC\* | ��Done | 382| `SSL_get0_peer_scts` | HL | ��U | ��A | ��NC\* | ��Done | 383| `SSL_set_ct_validation_callback` | HL | ��U | ��A | ��NC\* | ��Done | 384| **⇒ Compression** | | | | | | 385| `SSL_COMP_add_compression_method` | HL | ��U | ��A | ��NC\* †5 | ��Done | 386| `SSL_COMP_get0_name` | HL | ��U | ��A | ��NC\* †5 | ��Done | 387| `SSL_COMP_get_compression_methods` | HL | ��U | ��A | ��NC\* †5 | ��Done | 388| `SSL_COMP_get_id` | HL | ��U | ��A | ��NC\* †5 | ��Done | 389| `SSL_COMP_get_name` | HL | ��U | ��A | ��NC\* †5 | ��Done | 390| `SSL_COMP_set0_compression_methods` | HL | ��U | ��A | ��NC\* †5 | ��Done | 391| **⇒ Exporters** | | | | | | 392| `SSL_export_keying_material` | HL | ��U | ��A | ��NC\* | ��Done | 393| `SSL_export_keying_material_early` | HL | ��U | ��A | ��NC\* | ��Done | 394| **⇒ Renegotiation** | | | | | | 395| `SSL_renegotiate` | HL | ��U | ��FC | ��NC\* †5 | ��Done | 396| `SSL_renegotiate_abbreviated` | HL | ��U | ��FC | ��NC\* †5 | ��Done | 397| `SSL_renegotiate_pending` | HL | ��U | ��NO | ��NC\* †5 | ��Done | 398| **⇒ Options** | | | | | | 399| `SSL_CTX_clear_options` | HL | ��U | ��A | ��C\* | ��Done | 400| `SSL_CTX_set_options` | HL | ��U | ��A | ��C\* | ��Done | 401| `SSL_CTX_get_options` | HL | ��U | ��A | ��NC\* | ��Done | 402| `SSL_clear_options` | HL | ��U | ��A | ��C\* | ��Done | 403| `SSL_set_options` | HL | ��U | ��A | ��C\* | ��Done | 404| `SSL_get_options` | HL | ��U | ��A | ��NC\* | ��Done | 405| **⇒ Configuration** | | | | | | 406| `SSL_CONF_CTX_new` | Global | ��U | ��A | ��NC\* | ��Done | 407| `SSL_CONF_CTX_free` | Global | ��U | ��A | ��NC\* | ��Done | 408| `SSL_CONF_CTX_set_ssl` | Global | ��U | ��A | ��NC\* | ��Done | 409| `SSL_CONF_CTX_set_ssl_ctx` | Global | ��U | ��A | ��NC\* | ��Done | 410| `SSL_CONF_CTX_set1_prefix` | Global | ��U | ��A | ��NC\* | ��Done | 411| `SSL_CONF_CTX_set_flags` | Global | ��U | ��A | ��NC\* | ��Done | 412| `SSL_CONF_CTX_clear_flags` | Global | ��U | ��A | ��NC\* | ��Done | 413| `SSL_CONF_CTX_finish` | Global | ��U | ��A | ��NC\* | ��Done | 414| `SSL_CONF_cmd` | Global | ��U | ��A | ��NC\* | ��Done | 415| `SSL_CONF_cmd_argv` | Global | ��U | ��A | ��NC\* | ��Done | 416| `SSL_CONF_cmd_value_type` | Global | ��U | ��A | ��NC\* | ��Done | 417| `SSL_config` | HL | ��U | ��A | ��NC\* | ��Done | 418| `SSL_CTX_config` | HL | ��U | ��A | ��NC\* | ��Done | 419| **⇒ Callbacks** | | | | | | 420| `SSL_CTX_set_cert_cb` | HL | ��U | ��A | ��NC\* | ��Done | 421| `SSL_CTX_set_cert_store` | HL | ��U | ��A | ��NC\* | ��Done | 422| `SSL_CTX_set_cert_verify_callback` | HL | ��U | ��A | ��NC\* | ��Done | 423| `SSL_CTX_set_client_CA_list` | HL | ��U | ��A | ��NC\* | ��Done | 424| `SSL_CTX_set_client_cert_cb` | HL | ��U | ��A | ��NC\* | ��Done | 425| `SSL_CTX_set_client_cert_engine` | HL | ��U | ��A | ��NC\* | ��Done | 426| `SSL_CTX_set_client_hello_cb` | HL | ��U | ��A | ��NC\* | ��Done | 427| `SSL_CTX_set_cookie_generate_cb` | HL | ��U | ��A | ��NC\* | ��Done | 428| `SSL_CTX_set_cookie_verify_cb` | HL | ��U | ��A | ��NC\* | ��Done | 429| `SSL_CTX_set_default_passwd_cb` | HL | ��U | ��A | ��NC\* | ��Done | 430| `SSL_CTX_set_default_passwd_cb_userdata` | HL | ��U | ��A | ��NC\* | ��Done | 431| `SSL_CTX_set_default_read_buffer_len` | HL | ��U | ��A | ��NC\* | ��Done | 432| `SSL_CTX_get_info_callback` | HL | ��U | ��A | ��NC\* | ��Done | 433| `SSL_CTX_set_info_callback` | HL | ��U | ��A | ��NC\* | ��Done | 434| `SSL_get_info_callback` | HL | ��U | ��A | ��NC\* | ��Done | 435| `SSL_set_info_callback` | HL | ��U | ��A | ��NC\* | ��Done | 436| `SSL_set_msg_callback` | HL | ��U | ��A | ��NC\* †6 | ��Done | 437| `SSL_set_cert_cb` | HL | ��U | ��A | ��NC\* | ��Done | 438| `SSL_set_default_passwd_cb` | HL | ��U | ��A | ��NC\* | ��Done | 439| `SSL_set_default_passwd_cb_userdata` | HL | ��U | ��A | ��NC\* | ��Done | 440| `SSL_get_default_passwd_cb` | HL | ��U | ��A | ��NC\* | ��Done | 441| `SSL_get_default_passwd_cb_userdata` | HL | ��U | ��A | ��NC\* | ��Done | 442| `SSL_CTX_set_keylog_callback` | HL | ��U | ��A | ��NC\* | ��Done | 443| `SSL_CTX_get_keylog_callback` | HL | ��U | ��A | ��NC\* | ��Done | 444| `SSL_CTX_set_psk_client_callback` | HL | ��U | ��A | ��NC\* | ��Done | 445| `SSL_CTX_set_psk_find_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 446| `SSL_CTX_set_psk_server_callback` | HL | ��U | ��A | ��NC\* | ��Done | 447| `SSL_CTX_set_psk_use_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 448| `SSL_CTX_get_verify_callback` | HL | ��U | ��A | ��NC\* | ��Done | 449| `SSL_CTX_set_not_resumable_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 450| `SSL_set_not_resumable_session_callback` | HL | ��U | ��A | ��NC\* | ��Done | 451| `SSL_set_session_secret_cb` | HL | ��U | ��A | ��NC* | ��Done | 452| **⇒ Session Management** | | | | | | 453| `d2i_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 454| `i2d_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 455| `PEM_read_bio_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 456| `PEM_read_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 457| `PEM_write_bio_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 458| `PEM_write_SSL_SESSION` | HL | ��U | ��A | ��NC\* | ��Done | 459| `SSL_SESSION_new` | HL | ��U | ��A | ��NC\* | ��Done | 460| `SSL_SESSION_up_ref` | HL | ��U | ��A | ��NC\* | ��Done | 461| `SSL_SESSION_dup` | HL | ��U | ��A | ��NC\* | ��Done | 462| `SSL_SESSION_free` | HL | ��U | ��A | ��NC\* | ��Done | 463| `SSL_SESSION_print` | HL | ��U | ��A | ��NC\* | ��Done | 464| `SSL_SESSION_print_fp` | HL | ��U | ��A | ��NC\* | ��Done | 465| `SSL_SESSION_print_keylog` | HL | ��U | ��A | ��NC\* | ��Done | 466| `SSL_SESSION_get0_cipher` | HL | ��U | ��A | ��NC\* | ��Done | 467| `SSL_SESSION_set_cipher` | HL | ��U | ��A | ��NC\* | ��Done | 468| `SSL_SESSION_get0_hostname` | HL | ��U | ��A | ��NC\* | ��Done | 469| `SSL_SESSION_set1_hostname` | HL | ��U | ��A | ��NC\* | ��Done | 470| `SSL_SESSION_get0_id_context` | HL | ��U | ��A | ��NC\* | ��Done | 471| `SSL_SESSION_set1_id_context` | HL | ��U | ��A | ��NC\* | ��Done | 472| `SSL_SESSION_get0_peer` | HL | ��U | ��A | ��NC\* | ��Done | 473| `SSL_SESSION_get0_ticket` | HL | ��U | ��A | ��NC\* | ��Done | 474| `SSL_SESSION_get0_ticket_appdata` | HL | ��U | ��A | ��NC\* | ��Done | 475| `SSL_SESSION_set1_ticket_appdata` | HL | ��U | ��A | ��NC\* | ��Done | 476| `SSL_SESSION_has_ticket` | HL | ��U | ��A | ��NC\* | ��Done | 477| `SSL_SESSION_get_protocol_version` | HL | ��U | ��A | ��NC\* | ��Done | 478| `SSL_SESSION_set_protocol_version` | HL | ��U | ��A | ��NC\* | ��Done | 479| `SSL_SESSION_get_compress_id` | HL | ��U | ��A | ��NC\* | ��Done | 480| `SSL_SESSION_get_id` | HL | ��U | ��A | ��NC\* | ��Done | 481| `SSL_SESSION_set1_id` | HL | ��U | ��A | ��NC\* | ��Done | 482| `SSL_SESSION_get_time` | HL | ��U | ��A | ��NC\* | ��Done | 483| `SSL_SESSION_set_time` | HL | ��U | ��A | ��NC\* | ��Done | 484| `SSL_SESSION_get_timeout` | HL | ��U | ��A | ��NC\* | ��Done | 485| `SSL_SESSION_set_timeout` | HL | ��U | ��A | ��NC\* | ��Done | 486| `SSL_SESSION_get_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 487| `SSL_SESSION_set_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 488| `SSL_SESSION_get0_hostname` | HL | ��U | ��A | ��NC\* | ��Done | 489| `SSL_SESSION_set1_hostname` | HL | ��U | ��A | ��NC\* | ��Done | 490| `SSL_SESSION_get_master_key` | HL | ��U | ��A | ��NC\* | ��Done | 491| `SSL_SESSION_get_master_key` | HL | ��U | ��A | ��NC\* | ��Done | 492| `SSL_SESSION_is_resumable` | HL | ��U | ��A | ��NC\* | ��Done | 493| `SSL_SESSION_get_max_early_data` | HL | ��U | ��A | ��NC\* | ��Done | 494| `SSL_SESSION_get_max_early_data` | HL | ��U | ��A | ��NC\* | ��Done | 495| `SSL_SESSION_get_max_fragment_length` | HL | ��U | ��A | ��NC\* | ��Done | 496| `SSL_SESSION_get_ticket_lifetime_hint` | HL | ��U | ��A | ��NC\* | ��Done | 497| `SSL_CTX_add_session` | HL | ��U | ��A | ��NC\* | ��Done | 498| `SSL_CTX_remove_session` | HL | ��U | ��A | ��NC\* | ��Done | 499| `SSL_get1_session` | HL | ��U | ��A | ��NC\* | ��Done | 500| `SSL_get_session` | HL | ��U | ��A | ��NC\* | ��Done | 501| `SSL_set_session` | HL | ��U | ��A | ��NC\* | ��Done | 502| `SSL_CTX_sess_get_get_cb` | HL | ��U | ��A | ��NC\* | ��Done | 503| `SSL_CTX_sess_set_get_cb` | HL | ��U | ��A | ��NC\* | ��Done | 504| `SSL_CTX_sess_get_new_cb` | HL | ��U | ��A | ��NC\* | ��Done | 505| `SSL_CTX_sess_set_new_cb` | HL | ��U | ��A | ��NC\* | ��Done | 506| `SSL_CTX_sess_get_remove_cb` | HL | ��U | ��A | ��NC\* | ��Done | 507| `SSL_CTX_sess_set_remove_cb` | HL | ��U | ��A | ��NC\* | ��Done | 508| `SSL_CTX_set_session_id_context` | HL | ��U | ��A | ��NC\* | ��Done | 509| `SSL_set_session_id_context` | HL | ��U | ��A | ��NC\* | ��Done | 510| `SSL_set_generate_session_id` | HL | ��U | ��A | ��NC\* | ��Done | 511| `SSL_CTX_set_generate_session_id` | HL | ��U | ��A | ��NC\* | ��Done | 512| `SSL_has_matching_session_id` | HL | ��U | ��A | ��NC\* | ��Done | 513| `SSL_CTX_flush_sessions` | HL | ��U | ��A | ��NC\* | ��Done | 514| `SSL_session_reused` | HL | ��U | ��A | ��NC\* | ��Done | 515| `SSL_CTX_get_timeout` | HL | ��U | ��A | ��NC\* | ��Done | 516| `SSL_CTX_set_timeout` | HL | ��U | ��A | ��NC\* | ��Done | 517| `SSL_get_default_timeout` | HL | ��U | ��A | ��NC\* | ��Done | 518| `SSL_CTX_sessions` | HL | ��U | ��A | ��NC\* | ��Done | 519| **⇒ Session Ticket Management** | | | | | | 520| `SSL_get_num_tickets` | HL | ��U | ��A | ��NC\* †7 | ��Done | 521| `SSL_set_num_tickets` | HL | ��U | ��A | ��NC\* †7 | ��Done | 522| `SSL_CTX_get_num_tickets` | HL | ��U | ��A | ��NC\* †7 | ��Done | 523| `SSL_CTX_set_num_tickets` | HL | ��U | ��A | ��NC\* †7 | ��Done | 524| `SSL_new_session_ticket` | HL | ��U | ��A | ��NC\* †7 | ��Done | 525| `SSL_set_session_ticket_ext` | HL | ��U | ��A | ��NC\* | ��Done | 526| `SSL_set_session_ticket_ext_cb` | HL | ��U | ��A | ��NC\* | ��Done | 527| `SSL_CTX_set_tlsext_ticket_key_evp_cb` | HL | ��U | ��A | ��NC\* | ��Done | 528| **⇒ Security Levels** | | | | | | 529| `SSL_CTX_get_security_level` | HL | ��U | ��A | ��NC\* | ��Done | 530| `SSL_CTX_set_security_level` | HL | ��U | ��A | ��NC\* | ��Done | 531| `SSL_get_security_level` | HL | ��U | ��A | ��NC\* | ��Done | 532| `SSL_set_security_level` | HL | ��U | ��A | ��NC\* | ��Done | 533| `SSL_CTX_get_security_callback` | HL | ��U | ��A | ��NC\* | ��Done | 534| `SSL_CTX_set_security_callback` | HL | ��U | ��A | ��NC\* | ��Done | 535| `SSL_get_security_callback` | HL | ��U | ��A | ��NC\* | ��Done | 536| `SSL_set_security_callback` | HL | ��U | ��A | ��NC\* | ��Done | 537| `SSL_CTX_get0_security_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 538| `SSL_CTX_set0_security_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 539| `SSL_get0_security_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 540| `SSL_set0_security_ex_data` | HL | ��U | ��A | ��NC\* | ��Done | 541| **⇒ Custom Extensions** | | | | | | 542| `SSL_CTX_add_custom_ext` | HL | ��U | ��A | ��NC\* | ��Done | 543| `SSL_CTX_add_client_custom_ext` | HL | ��U | ��A | ��NC\* | ��Done | 544| `SSL_CTX_add_server_custom_ext` | HL | ��U | ��A | ��NC\* | ��Done | 545| `SSL_CTX_has_client_custom_ext` | HL | ��U | ��A | ��NC\* | ��Done | 546| **⇒ Early ClientHello Processing** | | | | | | 547| `SSL_client_hello_get_extension_order` | HL | ��U | ��A | ��NC\* | ��Done | 548| `SSL_client_hello_get0_ciphers` | HL | ��U | ��A | ��NC\* | ��Done | 549| `SSL_client_hello_get0_compression_methods` | HL | ��U | ��A | ��NC\* | ��Done | 550| `SSL_client_hello_get0_ext` | HL | ��U | ��A | ��NC\* | ��Done | 551| `SSL_client_hello_get0_legacy_version` | HL | ��U | ��A | ��NC\* | ��Done | 552| `SSL_client_hello_get0_random` | HL | ��U | ��A | ��NC\* | ��Done | 553| `SSL_client_hello_get0_session_id` | HL | ��U | ��A | ��NC\* | ��Done | 554| `SSL_client_hello_get1_extensions_present` | HL | ��U | ��A | ��NC\* | ��Done | 555| `SSL_client_hello_isv2` | HL | ��U | ��A | ��NC\* | ��Done | 556| **⇒ SNI** | | | | | | 557| `SSL_get_servername` | HL | ��U | ��A | ��NC\* | ��Done | 558| `SSL_get_servername_type` | HL | ��U | ��A | ��NC\* | ��Done | 559| **⇒ Server Info** | | | | | | 560| `SSL_CTX_use_serverinfo` | HL | ��U | ��A | ��NC\* | ��Done | 561| `SSL_CTX_use_serverinfo_ex` | HL | ��U | ��A | ��NC\* | ��Done | 562| `SSL_CTX_use_serverinfo_file` | HL | ��U | ��A | ��NC\* | ��Done | 563| **⇒ Post-Handshake Authentication** | | | | | | 564| `SSL_verify_client_post_handshake` | HL | ��U | ��FC | ��C* †8 | ��Done | 565| `SSL_CTX_set_post_handshake_auth` | HL | ��U | ��FC | ��C* †8 | ��Done | 566| `SSL_set_post_handshake_auth` | HL | ��U | ��FC | ��C* †8 | ��Done | 567| **⇒ DH Parameters** | | | | | | 568| `SSL_CTX_set_dh_auto` | HL | ��U | ��A | ��NC\* | ��Done | 569| `SSL_set_dh_auto` | HL | ��U | ��A | ��NC\* | ��Done | 570| `SSL_CTX_set0_tmp_dh_pkey` | HL | ��U | ��A | ��NC\* | ��Done | 571| `SSL_set0_tmp_dh_pkey` | HL | ��U | ��A | ��NC\* | ��Done | 572| `SSL_CTX_set_tmp_dh_callback` | HL | ��U | ��A | ��NC\* | ��Done | 573| `SSL_set_tmp_dh_callback` | HL | ��U | ��A | ��NC\* | ��Done | 574| `SSL_CTX_set_tmp_dh` | HL | ��U | ��A | ��NC\* | ��Done | 575| `SSL_set_tmp_dh` | HL | ��U | ��A | ��NC\* | ��Done | 576| **⇒ State Queries** | | | | | | 577| `SSL_in_init` | HL | ��U | ��A | ��NC\* | ��Done | 578| `SSL_in_before` | HL | ��U | ��A | ��NC\* | ��Done | 579| `SSL_is_init_finished` | HL | ��U | ��A | ��NC\* | ��Done | 580| `SSL_get_state` | HL | ��U | ��A | ��NC\* | ��Done | 581| `SSL_rstate_string` | HL | ��U | ��A | ��QSI | ��Done | 582| `SSL_rstate_string_long` | HL | ��U | ��A | ��QSI | ��Done | 583| `SSL_state_string` | HL | ��U | ��A | ��NC\* | ��Done | 584| `SSL_state_string_long` | HL | ��U | ��A | ��NC\* | ��Done | 585| **⇒ Data Path and CSSM** | | | | | | 586| `SSL_set_connect_state` | CSSM | ��U | ��A | ��QSI | ��Done | 587| `SSL_set_accept_state` | CSSM | ��U | ��A | ��QSI | ��Done | 588| `SSL_is_server` | CSSM | ��U | ��A | ��NC\* | ��Done | 589| `SSL_peek` | ADP | ��U | ��A | ��QSI | ��Done | 590| `SSL_peek_ex` | ADP | ��U | ��A | ��QSI | ��Done | 591| `SSL_read` | ADP | ��U | ��A | ��QSI | ��Done | 592| `SSL_read_ex` | ADP | ��U | ��A | ��QSI | ��Done | 593| `SSL_write` | ADP | ��U | ��A | ��QSI | ��Done | 594| `SSL_write_ex` | ADP | ��U | ��A | ��QSI | ��Done | 595| `SSL_sendfile` | ADP | ��U | ��FC | ��NC\* | ��Done | 596| `SSL_pending` | ADP | ��U | ��A | ��QSI | ��Done | 597| `SSL_has_pending` | ADP | ��C | ��A | ��QSI | ��Done | 598| `SSL_accept` | CSSM | ��U | ��A | ��QSI | ��Done | 599| `SSL_connect` | CSSM | ��U | ��A | ��QSI | ��Done | 600| `SSL_do_handshake` | CSSM | ��U | ��A | ��QSI | ��Done | 601| `SSL_set0_wbio` | NDP | ��U | ��A | ��QSI | ��Done | 602| `SSL_set0_rbio` | NDP | ��C | ��A | ��QSI | ��Done | 603| `SSL_set_bio` | NDP | ��C | ��A | ��QSI | ��Done | 604| `SSL_get_wbio` | NDP | ��C | ��A | ��QSI | ��Done | 605| `SSL_get_rbio` | NDP | ��C | ��A | ��QSI | ��Done | 606| `SSL_get_error` | NDP | ��U | ��A | ��QSI | ��Done | 607| `SSL_get_rfd` | NDP | ��U | ��A | ��NC | ��Done | 608| `SSL_get_wfd` | NDP | ��U | ��A | ��NC | ��Done | 609| `SSL_get_fd` | NDP | ��U | ��A | ��NC | ��Done | 610| `SSL_set_rfd` | NDP | ��C | ��A | ��QSI | ��Done | 611| `SSL_set_wfd` | NDP | ��C | ��A | ��QSI | ��Done | 612| `SSL_set_fd` | NDP | ��U | ��A | ��QSI | ��Done | 613| `SSL_key_update` | RL | ��U | ��A | ��QSI | ��Done | 614| `SSL_get_key_update_type` | RL | ��U | ��A | ��QSI | ��Done | 615| `SSL_clear` (connection) | CSSM | ��U | ��FC | ��QSI | ��Done | 616| `SSL_clear` (stream) | CSSM | ��U | ��FC | ��QSI | ��Done | 617| `SSL_shutdown` | CSSM | ��C | ��A | ��QSI | ��Done | 618| `SSL_want` | ADP | ��C | ��A | ��QSI | ��Done | 619| `BIO_new_ssl_connect` | Global | ��U | ��A | ��QSI | ��Done | 620| `BIO_new_buffer_ssl_connect` | Global | ��U | ��U | ��QSI | ��Done | 621| `SSL_get_shutdown` | CSSM | ��U | ��A | ��QSI | ��Done | 622| `SSL_set_shutdown` | CSSM | ��U | ��A | ��QSI | ��Done | 623| **⇒ New APIs** | | | | | | 624| `SSL_is_tls` | CSSM | ��N | ��A | ��QSA | ��Done | 625| `SSL_is_quic` | CSSM | ��N | ��A | ��QSA | ��Done | 626| `SSL_handle_events` | CSSM | ��N | ��A | ��QSA | ��Done | 627| `SSL_get_event_timeout` | CSSM | ��N | ��A | ��QSA | ��Done | 628| `SSL_get_blocking_mode` | CSSM | ��N | ��A | ��QSA | ��Done | 629| `SSL_set_blocking_mode` | CSSM | ��N | ��A | ��QSA | ��Done | 630| `SSL_get_rpoll_descriptor` | CSSM | ��N | ��A | ��QSA | ��Done | 631| `SSL_get_wpoll_descriptor` | CSSM | ��N | ��A | ��QSA | ��Done | 632| `SSL_net_read_desired` | CSSM | ��N | ��A | ��QSA | ��Done | 633| `SSL_net_write_desired` | CSSM | ��N | ��A | ��QSA | ��Done | 634| `SSL_set1_initial_peer_addr` | CSSM | ��N | ��A | ��QSA | ��Done | 635| `SSL_shutdown_ex` | CSSM | ��N | ��A | ��QSA | ��Done | 636| `SSL_stream_conclude` | CSSM | ��N | ��A | ��QSA | ��Done | 637| `SSL_stream_reset` | CSSM | ��N | ��A | ��QSA | ��Done | 638| `SSL_get_stream_read_state` | CSSM | ��N | ��A | ��QSA | ��Done | 639| `SSL_get_stream_write_state` | CSSM | ��N | ��A | ��QSA | ��Done | 640| `SSL_get_stream_read_error_code` | CSSM | ��N | ��A | ��QSA | ��Done | 641| `SSL_get_stream_write_error_code` | CSSM | ��N | ��A | ��QSA | ��Done | 642| `SSL_get_conn_close_info` | CSSM | ��N | ��A | ��QSA | ��Done | 643| `SSL_inject_net_dgram` | NDP | ��N | ��A | ��QSA | ��Done | 644| **⇒ New APIs for Multi-Stream** | | | | | | 645| `SSL_get0_connection` | CSSM | ��N | ��A | ��QSA | ��Done | 646| `SSL_is_connection` | CSSM | ��N | ��A | ��QSA | ��Done | 647| `SSL_get_stream_id` | CSSM | ��N | ��A | ��QSA | ��Done | 648| `SSL_get_stream_type` | CSSM | ��N | ��A | ��QSA | ��Done | 649| `SSL_is_stream_local` | CSSM | ��N | ��A | ��QSA | ��Done | 650| `SSL_new_stream` | CSSM | ��N | ��A | ��QSA | ��Done | 651| `SSL_accept_stream` | CSSM | ��N | ��A | ��QSA | ��Done | 652| `SSL_get_accept_stream_queue_len` | CSSM | ��N | ��A | ��QSA | ��Done | 653| `SSL_set_default_stream_mode` | CSSM | ��N | ��A | ��QSA | ��Done | 654| `SSL_set_incoming_stream_policy` | CSSM | ��N | ��A | ��QSA | ��Done | 655| **⇒ Currently Not Supported** | | | | | | 656| `SSL_copy_session_id` | Special | ��U | ��FC | ��C* | ��Done | 657| `BIO_ssl_copy_session_id` | Special | ��U | ��FC | ��C* | ��Done | 658| `SSL_CTX_set_quiet_shutdown` | CSSM | ��U | ��U | ��NC | ��Done | 659| `SSL_CTX_get_quiet_shutdown` | CSSM | ��U | ��U | ��NC | ��Done | 660| `SSL_set_quiet_shutdown` | CSSM | ��U | ��FC | ��C | ��Done | 661| `SSL_get_quiet_shutdown` | CSSM | ��U | ��NO | ��C | ��Done | 662| `SSL_CTX_set_ssl_version` | HL | ��U | ��FC | ��C | ��Done | 663| **⇒ Async** | | | | | | 664| `SSL_CTX_set_async_callback` | Async | ��U | ��NO | ��NC* †10 | ��Done | 665| `SSL_set_async_callback` | Async | ��U | ��NO | ��NC* †10 | ��Done | 666| `SSL_CTX_set_async_callback_arg` | Async | ��U | ��NO | ��NC* †10 | ��Done | 667| `SSL_set_async_callback_arg` | Async | ��U | ��NO | ��NC* †10 | ��Done | 668| `SSL_waiting_for_async` | Async | ��U | ��NO | ��NC* †10 | ��Done | 669| `SSL_get_async_status` | Async | ��U | ��NO | ��NC* †10 | ��Done | 670| `SSL_get_all_async_fds` | Async | ��U | ��NO | ��NC* †10 | ��Done | 671| `SSL_get_changed_async_fds` | Async | ��U | ��NO | ��NC* †10 | ��Done | 672| **⇒ Readahead** | | | | | | 673| `SSL_CTX_get_default_read_ahead` | RL | ��U | ��NO | ��NC* | ��Done | 674| `SSL_CTX_get_read_ahead` | RL | ��U | ��NO | ��NC* | ��Done | 675| `SSL_CTX_set_read_ahead` | RL | ��U | ��NO | ��C* | ��Done | 676| `SSL_get_read_ahead` | RL | ��U | ��NO | ��C* | ��Done | 677| `SSL_set_read_ahead` | RL | ��U | ��NO | ��C* | ��Done | 678| `SSL_CTX_set_default_read_buffer_len` | RL | ��U | ��NO | ��NC* | ��Done | 679| `SSL_set_default_read_buffer_len` | RL | ��U | ��NO | ��C* | ��Done | 680| **⇒ Record Padding and Fragmentation** | | | | | | 681| `SSL_CTX_set_record_padding_callback` | RL | ��U | ��FC | ��NC* | ��Done | 682| `SSL_set_record_padding_callback` | RL | ��U | ��FC | ��C* | ��Done | 683| `SSL_CTX_get_record_padding_callback_arg` | RL | ��U | ��FC | ��NC* | ��Done | 684| `SSL_CTX_set_record_padding_callback_arg` | RL | ��U | ��FC | ��NC* | ��Done | 685| `SSL_get_record_padding_callback_arg` | RL | ��U | ��FC | ��NC* | ��Done | 686| `SSL_set_record_padding_callback_arg` | RL | ��U | ��FC | ��NC* | ��Done | 687| `SSL_CTX_set_block_padding` | RL | ��U | ��FC | ��NC* | ��Done | 688| `SSL_set_block_padding` | RL | ��U | ��FC | ��C* | ��Done | 689| `SSL_CTX_set_tlsext_max_fragment_length` | RL | ��U | ��FC | ��NC* | ��Done | 690| `SSL_set_tlsext_max_fragment_length` | RL | ��U | ��FC | ��C* | ��Done | 691| **⇒ Stateless/HelloRetryRequest** | | | | | | 692| `SSL_stateless` | RL | ��U | ��FC | ��C* | ��Done | 693| `SSL_CTX_set_stateless_cookie_generate_cb` | RL | ��U | ��FC | ��NC* | ��Done | 694| `SSL_CTX_set_stateless_cookie_verify_cb` | RL | ��U | ��FC | ��NC* | ��Done | 695| **⇒ Early Data/0-RTT** | | | | | | 696| `SSL_CTX_set_allow_early_data_cb` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 697| `SSL_set_allow_early_data_cb` | 0-RTT | ��U | ��FC | ��C* | ��Done | 698| `SSL_CTX_get_recv_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 699| `SSL_CTX_set_recv_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 700| `SSL_get_recv_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 701| `SSL_set_recv_max_early_data` | 0-RTT | ��U | ��FC | ��C* | ��Done | 702| `SSL_CTX_get_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 703| `SSL_CTX_set_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 704| `SSL_get_max_early_data` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 705| `SSL_set_max_early_data` | 0-RTT | ��U | ��FC | ��C* | ��Done | 706| `SSL_read_early_data` | 0-RTT | ��U | ��FC | ��C* | ��Done | 707| `SSL_write_early_data` | 0-RTT | ��U | ��FC | ��C* | ��Done | 708| `SSL_get_early_data_status` | 0-RTT | ��U | ��FC | ��NC* | ��Done | 709| **⇒ Miscellaneous** | | | | | | 710| `DTLSv1_listen` | RL | ��U | ��U | ��NC | ��Done | 711| `DTLS_set_timer_cb` | NDP | ��U | ��U | ��NC | ��Done | 712| `DTLS_get_data_mtu` | NDP | ��U | ��U | ��NC | ��Done | 713| `SSL_get_ex_data_X509_STORE_CTX_idx` | Global | ��U | ��U | ��NC | ��Done | 714| `BIO_ssl_shutdown` | Global | ��U | ��A | ��NC | ��Done | 715| `SSL_alloc_buffers` | HL | ��U | ��A | ��C\* | ��Done | 716| `SSL_free_buffers` | HL | ��U | ��A | ��C\* | ��Done | 717| `SSL_trace` | HL | ��U | ��A | ��NC\* | ��Done | 718| `SSL_set_debug` | HL | ��U | ��A | ��NC\* | ��Done | 719| **⇒ Controls** | | | | | | 720| `SSL_CTRL_MODE` | Special | ��U | ��A | ��QSI | ��Done | 721| `SSL_CTRL_CLEAR_MODE` | Special | ��U | ��A | ��QSI | ��Done | 722| `SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS` | HL | ��U | ��NO | ��NC* | ��Done | 723| `SSL_CTRL_GET_NUM_RENEGOTIATIONS` | HL | ��U | ��NO | ��NC* | ��Done | 724| `SSL_CTRL_GET_TOTAL_RENEGOTIATIONS` | HL | ��U | ��NO | ��NC* | ��Done | 725| `SSL_CTRL_GET_RI_SUPPORT` | HL | ��U | ��NO | ��NC* | ��Done | 726| `SSL_CTRL_GET_READ_AHEAD` | HL | ��U | ��NO | ��NC* | ��Done | 727| `SSL_CTRL_SET_READ_AHEAD` | HL | ��U | ��FC | ��C* | ��Done | 728| `SSL_CTRL_SET_MAX_PIPELINES` | RL | ��U | ��FC | ��C* | ��Done | 729| `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | RL | ��U | ��FC | ��C* | ��Done | 730| `SSL_CTRL_SET_SPLIT_SEND_FRAGMENT` | RL | ��U | ��FC | ��C* | ��Done | 731| `SSL_CTRL_SET_MTU` | RL | ��U | ��FC | ��NC* | ��Done | 732| `SSL_CTRL_SET_MAX_PROTO_VERSION` | HL | ��U | ��A | ��C* | ��Done | 733| `SSL_CTRL_SET_MIN_PROTO_VERSION` | HL | ��U | ��A | ��NC* | ��Done | 734| `SSL_CTRL_GET_MAX_PROTO_VERSION` | HL | ��U | ��A | ��NC* | ��Done | 735| `SSL_CTRL_GET_MIN_PROTO_VERSION` | HL | ��U | ��A | ��NC* | ��Done | 736| `SSL_CTRL_BUILD_CERT_CHAIN` | HL | ��U | ��A | ��NC* | ��Done | 737| `SSL_CTRL_CERT_FLAGS` | HL | ��U | ��A | ��NC* | ��Done | 738| `SSL_CTRL_CHAIN` | HL | ��U | ��A | ��NC* | ��Done | 739| `SSL_CTRL_CHAIN_CERT` | HL | ��U | ��A | ��NC* | ��Done | 740| `SSL_CTRL_CLEAR_CERT_FLAGS` | HL | ��U | ��A | ��NC* | ��Done | 741| `SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS` | HL | ��U | ��A | ��NC* | ��Done | 742| `SSL_CTRL_EXTRA_CHAIN_CERT` | HL | ��U | ��A | ��NC* | ��Done | 743| `SSL_CTRL_GET_CHAIN_CERTS` | HL | ��U | ��A | ��NC* | ��Done | 744| `SSL_CTRL_GET_CHAIN_CERT_STORE` | HL | ��U | ��A | ��NC* | ��Done | 745| `SSL_CTRL_GET_CLIENT_CERT_REQUEST` | HL | ��U | ��A | ��NC* | ��Done | 746| `SSL_CTRL_GET_CLIENT_CERT_TYPES` | HL | ��U | ��A | ��NC* | ��Done | 747| `SSL_CTRL_GET_EC_POINT_FORMATS` | HL | ��U | ��A | ��NC* | ��Done | 748| `SSL_CTRL_GET_EXTMS_SUPPORT` | HL | ��U | ��A | ��NC* | ��Done | 749| `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` | HL | ��U | ��A | ��NC* | ��Done | 750| `SSL_CTRL_GET_FLAGS` | HL | ��U | ��A | ��NC* | ��Done | 751| `SSL_CTRL_GET_GROUPS` | HL | ��U | ��A | ��NC* | ��Done | 752| `SSL_CTRL_GET_IANA_GROUPS` | HL | ��U | ��A | ��NC* | ��Done | 753| `SSL_CTRL_GET_MAX_CERT_LIST` | HL | ��U | ��A | ��NC* | ��Done | 754| `SSL_CTRL_GET_NEGOTIATED_GROUP` | HL | ��U | ��A | ��NC* | ��Done | 755| `SSL_CTRL_GET_PEER_SIGNATURE_NID` | HL | ��U | ��A | ��NC* | ��Done | 756| `SSL_CTRL_GET_PEER_TMP_KEY` | HL | ��U | ��A | ��NC* | ��Done | 757| `SSL_CTRL_GET_RAW_CIPHERLIST` | HL | ��U | ��A | ��NC* | ��Done | 758| `SSL_CTRL_GET_SESS_CACHE_MODE` | HL | ��U | ��A | ��NC* | ��Done | 759| `SSL_CTRL_GET_SESS_CACHE_SIZE` | HL | ��U | ��A | ��NC* | ��Done | 760| `SSL_CTRL_GET_SHARED_GROUP` | HL | ��U | ��A | ��NC* | ��Done | 761| `SSL_CTRL_GET_SIGNATURE_NID` | HL | ��U | ��A | ��NC* | ��Done | 762| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB` | HL | ��U | ��A | ��NC* | ��Done | 763| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG` | HL | ��U | ��A | ��NC* | ��Done | 764| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS` | HL | ��U | ��A | ��NC* | ��Done | 765| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS` | HL | ��U | ��A | ��NC* | ��Done | 766| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | ��U | ��A | ��NC* | ��Done | 767| `SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE` | HL | ��U | ��A | ��NC* | ��Done | 768| `SSL_CTRL_GET_TLSEXT_TICKET_KEYS` | HL | ��U | ��A | ��NC* | ��Done | 769| `SSL_CTRL_GET_TMP_KEY` | HL | ��U | ��A | ��NC* | ��Done | 770| `SSL_CTRL_GET_VERIFY_CERT_STORE` | HL | ��U | ��A | ��NC* | ��Done | 771| `SSL_CTRL_SELECT_CURRENT_CERT` | HL | ��U | ��A | ��NC* | ��Done | 772| `SSL_CTRL_SESS_ACCEPT` | HL | ��U | ��A | ��NC* | ��Done | 773| `SSL_CTRL_SESS_ACCEPT_GOOD` | HL | ��U | ��A | ��NC* | ��Done | 774| `SSL_CTRL_SESS_ACCEPT_RENEGOTIATE` | HL | ��U | ��A | ��NC* | ��Done | 775| `SSL_CTRL_SESS_CACHE_FULL` | HL | ��U | ��A | ��NC* | ��Done | 776| `SSL_CTRL_SESS_CB_HIT` | HL | ��U | ��A | ��NC* | ��Done | 777| `SSL_CTRL_SESS_CONNECT` | HL | ��U | ��A | ��NC* | ��Done | 778| `SSL_CTRL_SESS_CONNECT_GOOD` | HL | ��U | ��A | ��NC* | ��Done | 779| `SSL_CTRL_SESS_CONNECT_RENEGOTIATE` | HL | ��U | ��A | ��NC* | ��Done | 780| `SSL_CTRL_SESS_HIT` | HL | ��U | ��A | ��NC* | ��Done | 781| `SSL_CTRL_SESS_MISSES` | HL | ��U | ��A | ��NC* | ��Done | 782| `SSL_CTRL_SESS_NUMBER` | HL | ��U | ��A | ��NC* | ��Done | 783| `SSL_CTRL_SESS_TIMEOUTS` | HL | ��U | ��A | ��NC* | ��Done | 784| `SSL_CTRL_SET_CHAIN_CERT_STORE` | HL | ��U | ��A | ��NC* | ��Done | 785| `SSL_CTRL_SET_CLIENT_CERT_TYPES` | HL | ��U | ��A | ��NC* | ��Done | 786| `SSL_CTRL_SET_CLIENT_SIGALGS` | HL | ��U | ��A | ��NC* | ��Done | 787| `SSL_CTRL_SET_CLIENT_SIGALGS_LIST` | HL | ��U | ��A | ��NC* | ��Done | 788| `SSL_CTRL_SET_CURRENT_CERT` | HL | ��U | ��A | ��NC* | ��Done | 789| `SSL_CTRL_SET_DH_AUTO` | HL | ��U | ��A | ��NC* | ��Done | 790| `SSL_CTRL_SET_GROUPS` | HL | ��U | ��A | ��NC* | ��Done | 791| `SSL_CTRL_SET_GROUPS_LIST` | HL | ��U | ��A | ��NC* | ��Done | 792| `SSL_CTRL_SET_MAX_CERT_LIST` | HL | ��U | ��A | ��NC* | ��Done | 793| `SSL_CTRL_SET_MSG_CALLBACK` | HL | ��U | ��A | ��NC* | ��Done | 794| `SSL_CTRL_SET_MSG_CALLBACK_ARG` | HL | ��U | ��A | ��NC* | ��Done | 795| `SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB` | HL | ��U | ��A | ��NC* | ��Done | 796| `SSL_CTRL_SET_RETRY_VERIFY` | HL | ��U | ��A | ��NC* | ��Done | 797| `SSL_CTRL_SET_SESS_CACHE_MODE` | HL | ��U | ��A | ��NC* | ��Done | 798| `SSL_CTRL_SET_SESS_CACHE_SIZE` | HL | ��U | ��A | ��NC* | ��Done | 799| `SSL_CTRL_SET_SIGALGS` | HL | ��U | ��A | ��NC* | ��Done | 800| `SSL_CTRL_SET_SIGALGS_LIST` | HL | ��U | ��A | ��NC* | ��Done | 801| `SSL_CTRL_SET_SRP_ARG` | HL | ��U | ��A | ��NC* | ��Done | 802| `SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB` | HL | ��U | ��A | ��NC* | ��Done | 803| `SSL_CTRL_SET_SRP_VERIFY_PARAM_CB` | HL | ��U | ��A | ��NC* | ��Done | 804| `SSL_CTRL_SET_TLSEXT_DEBUG_ARG` | HL | ��U | ��A | ��NC* | ��Done | 805| `SSL_CTRL_SET_TLSEXT_DEBUG_CB` | HL | ��U | ��A | ��NC* | ��Done | 806| `SSL_CTRL_SET_TLSEXT_HOSTNAME` | HL | ��U | ��A | ��NC* | ��Done | 807| `SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG` | HL | ��U | ��A | ��NC* | ��Done | 808| `SSL_CTRL_SET_TLSEXT_SERVERNAME_CB` | HL | ��U | ��A | ��NC* | ��Done | 809| `SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD` | HL | ��U | ��A | ��NC* | ��Done | 810| `SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH` | HL | ��U | ��A | ��NC* | ��Done | 811| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME` | HL | ��U | ��A | ��NC* | ��Done | 812| `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` | HL | ��U | ��A | ��NC* | ��Done | 813| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` | HL | ��U | ��A | ��NC* | ��Done | 814| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG` | HL | ��U | ��A | ��NC* | ��Done | 815| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS` | HL | ��U | ��A | ��NC* | ��Done | 816| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS` | HL | ��U | ��A | ��NC* | ��Done | 817| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP` | HL | ��U | ��A | ��NC* | ��Done | 818| `SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE` | HL | ��U | ��A | ��NC* | ��Done | 819| `SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB` | HL | ��U | ��A | ��NC* | ��Done | 820| `SSL_CTRL_SET_TLSEXT_TICKET_KEYS` | HL | ��U | ��A | ��NC* | ��Done | 821| `SSL_CTRL_SET_TMP_DH` | HL | ��U | ��A | ��NC* | ��Done | 822| `SSL_CTRL_SET_TMP_DH_CB` | HL | ��U | ��A | ��NC* | ��Done | 823| `SSL_CTRL_SET_TMP_ECDH` | HL | ��U | ��A | ��NC* | ��Done | 824| `SSL_CTRL_SET_VERIFY_CERT_STORE` | HL | ��U | ��A | ��NC* | ��Done | 825| **⇒ SSL Modes** | | | | | | 826| `SSL_MODE_ENABLE_PARTIAL_WRITE` | ADP | ��U | ��A | ��QSI | ��Done | 827| `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` | ADP | ��U | ��A | ��QSI | ��Done | 828| `SSL_MODE_RELEASE_BUFFERS` | ADP | ��U | ��NO | ��NC | ��Done | 829| `SSL_MODE_ASYNC` | ADP | ��U | ��NO | ��NC | ��Done | 830| `SSL_MODE_AUTO_RETRY` | ADP | ��U | ��NO | ��NC | ��Done | 831| `SSL_MODE_SEND_FALLBACK_SCSV` | HL | ��U | ��U | ��NC | ��Done | 832 833Q&A For TLS-Related Calls 834------------------------- 835 836### What should `SSL_get_current_cipher`, `SSL_get_pending_cipher`, etc. do? 837 838QUIC always uses AES-128-GCM for Initial packets. At this time the handshake 839layer has not negotiated a ciphersuite so it has no “current” cipher. We could 840return AES-128-GCM here, but it seems reasonable to just return NULL as the 841encryption is mostly for protection against accidental modification and not 842“real” encryption. From the perspective of the Handshake layer encryption is not 843active yet. An application using QUIC can always interpret NULL as meaning 844AES-128-GCM is being used if needed as this is implied by using QUIC. 845 846A. We return NULL here, because it allows applications to detect if a 847ciphersuite has been negotiated and NULL can be used to infer that Initial 848encryption is still being used. This also minimises the changes needed to the 849implementation. 850 851### What should `SSL_CTX_set_cipher_list` do? 852 853Since this function configures the cipher list for TLSv1.2 and below only, there 854is no need to restrict it as TLSv1.3 is required for QUIC. For the sake of 855application compatibility, applications can still configure the TLSv1.2 cipher 856list; it will always be ignored. This function can still be used to set the 857SECLEVEL; no changes are needed to facilitate this. 858 859### What SSL options should be supported? 860 861Options we explicitly want to support: 862 863- `SSL_OP_CIPHER_SERVER_PREFERENCE` 864- `SSL_OP_DISABLE_TLSEXT_CA_NAMES` 865- `SSL_OP_NO_TX_CERTIFICATE_COMPRESSION` 866- `SSL_OP_NO_RX_CERTIFICATE_COMPRESSION` 867- `SSL_OP_PRIORITIZE_CHACHA` 868- `SSL_OP_NO_TICKET` 869- `SSL_OP_CLEANSE_PLAINTEXT` 870 871Options we do not yet support but could support in the future, currently no-ops: 872 873- `SSL_OP_NO_QUERY_MTU` 874- `SSL_OP_NO_ANTI_REPLAY` 875 876The following options must be explicitly forbidden: 877 878- `SSL_OP_NO_TLSv1_3` — TLSv1.3 is required for QUIC 879- `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` — forbidden by QUIC RFCs 880- `SSL_OP_ENABLE_KTLS` — not currently supported for QUIC 881- `SSL_OP_SAFARI_ECDHE_ECDSA_BUG` 882- `SSL_OP_TLSEXT_PADDING` 883- `SSL_OP_TLS_ROLLBACK_BUG` 884- `SSL_OP_IGNORE_UNEXPECTED_EOF` 885- `SSL_OP_ALLOW_NO_DHE_KEX` 886 887The following options are ignored for TLSv1.3 or otherwise not applicable and 888may therefore be settable but ignored. We take this approach on the grounds 889that it is harmless and applications might want to see that options have been 890correctly set for protocols unrelated to QUIC. 891 892- `SSL_OP_CRYPTOPRO_TLSEXT_BUG` 893- `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` 894- `SSL_OP_ALLOW_CLIENT_RENEGOTIATION` 895- `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` 896- `SSL_OP_CISCO_ANYCONNECT` 897- `SSL_OP_COOKIE_EXCHANGE` 898- `SSL_OP_LEGACY_SERVER_CONNECT` 899- `SSL_OP_NO_COMPRESSION` 900- `SSL_OP_NO_ENCRYPT_THEN_MAC` 901- `SSL_OP_NO_EXTENDED_MASTER_SECRET` 902- `SSL_OP_NO_RENEGOTIATION` 903- `SSL_OP_NO_RESSION_RESUMPTION_ON_NEGOTIATION` 904- `SSL_OP_NO_SSLv3` 905- `SSL_OP_NO_TLSv1` 906- `SSL_OP_NO_TLSv1_1` 907- `SSL_OP_NO_TLSv1_2` 908- `SSL_OP_NO_DTLSv1` 909- `SSL_OP_NO_DTLSv1_2` 910 911### What should `SSL_rstate_string` and `SSL_state_string` do? 912 913SSL_state_string is highly handshake layer specific, so it makes sense to just 914forward to the handshake layer. 915 916SSL_rstate_string is record layer specific. A cursory evaluation of usage via 917GitHub code search did not appear to identify much usage of this function other 918than for debug output; i.e., there seems to be little usage of this in a way 919that depends on the output for the purposes of control flow. Since there is not 920really any direct correspondence to the QUIC record layer, we conservatively 921define the output of this function as "unknown". 922 923TODO: forbid NPN 924TODO: enforce TLSv1.3 925TODO: forbid PHA - DONE 926TODO: forbid middlebox compat mode in a deeper way? 927TODO: new_session_ticket doesn't need modifying as such, but ticket machinery 928 will 929 930### What should `SSL_pending` and `SSL_has_pending` do? 931 932`SSL_pending` traditionally yields the number of bytes buffered inside a SSL 933object available for immediate reading. For QUIC, we can just make this report 934the current size of the receive stream buffer. 935 936`SSL_has_pending` returns a boolean value indicating whether there is processed 937or unprocessed incoming data pending. There is no direct correspondence to 938QUIC, so there are various implementation options: 939 940- `SSL_pending() > 0` 941- `SSL_pending() > 0 || pending URXEs or RXEs exist` 942 943The latter can probably be viewed as more of a direct correspondence to the 944design intent of the API, so we go with this. 945 946### What should `SSL_alloc_buffers` and `SSL_free_buffers` do? 947 948These do not really correspond to our internal architecture for QUIC. Since 949internal buffers are always available, `SSL_alloc_buffers` can simply always 950return 1. `SSL_free_buffers` can always return 0, as though the buffers are in 951use, which they generally will be. 952 953### What should `SSL_key_update` and `SSL_get_key_update_type`? 954 955`SSL_key_update` can trigger a TX record layer key update, which will cause the 956peer to respond with a key update in turn. The update occurs asynchronously 957at next transmission, not immediately. 958 959`SSL_get_key_update_type` returns an enumerated value which is only relevant to 960the TLSv1.3 protocol; for QUIC, it will always return `SSL_KEY_UPDATE_NONE`. 961 962### What should `SSL_MODE_AUTO_RETRY` do? 963 964The absence of `SSL_MODE_AUTO_RETRY` causes `SSL_read`/`SSL_write` on a normal 965TLS connection to potentially return due to internal handshake message 966processing. This does not really make sense for our QUIC implementation, 967therefore we always act as though `SSL_MODE_AUTO_RETRY` is on, and this mode is 968ignored. 969 970### What should `SSL_MODE_SEND_FALLBACK_SCSV` do? 971 972This is not relevant to QUIC because this functionality relates to protocol 973version downgrade attack protection and QUIC only supports TLSv1.3. Thus, 974it is ignored. 975 976### What should `SSL_CTX_set_ssl_version` do? 977 978This is a deprecated function, so it needn't be supported for QUIC. Fail closed. 979 980### What should `SSL_set_ssl_method` do? 981 982We do not currently support this for QUIC. 983 984### What should `SSL_set_shutdown` do? 985 986This is not supported and is a no-op for QUIC. 987 988### What should `SSL_dup` and `SSL_clear` do? 989 990These may be tricky to support. Currently they are blocked. 991
