diff options
author | Matt Caswell <matt@openssl.org> | 2018-07-05 16:53:56 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-07-06 09:26:39 +0100 |
commit | 2ce71b60272325c4453914b501a2c2ff1b75c80d (patch) | |
tree | 5e739c4611256c139c907796d6c5027e07c7ce62 /doc | |
parent | bafe9cf5e34e194f299762c270843781003a84ca (diff) | |
download | openssl-2ce71b60272325c4453914b501a2c2ff1b75c80d.zip openssl-2ce71b60272325c4453914b501a2c2ff1b75c80d.tar.gz openssl-2ce71b60272325c4453914b501a2c2ff1b75c80d.tar.bz2 |
Document SSL_CTX_set_recv_max_early_data() etc
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6655)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/SSL_read_early_data.pod | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod index cf6f757..27c127d 100644 --- a/doc/man3/SSL_read_early_data.pod +++ b/doc/man3/SSL_read_early_data.pod @@ -6,6 +6,10 @@ SSL_set_max_early_data, SSL_CTX_set_max_early_data, SSL_get_max_early_data, SSL_CTX_get_max_early_data, +SSL_set_recv_max_early_data, +SSL_CTX_set_recv_max_early_data, +SSL_get_recv_max_early_data, +SSL_CTX_get_recv_max_early_data, SSL_SESSION_get_max_early_data, SSL_SESSION_set_max_early_data, SSL_write_early_data, @@ -24,6 +28,12 @@ SSL_set_allow_early_data_cb uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx); int SSL_set_max_early_data(SSL *s, uint32_t max_early_data); uint32_t SSL_get_max_early_data(const SSL *s); + + int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data); + uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx); + int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data); + uint32_t SSL_get_recv_max_early_data(const SSL *s); + uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s); int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data); @@ -195,9 +205,26 @@ since there is no practical benefit from using only one of them. If the maximum early data setting for a server is non-zero then replay protection is automatically enabled (see L</REPLAY PROTECTION> below). -In the event that the current maximum early data setting for the server is -different to that originally specified in a session that a client is resuming -with then the lower of the two values will apply. +If the server rejects the early data sent by a client then it will skip over +the data that is sent. The maximum amount of received early data that is skipped +is controlled by the recv_max_early_data setting. If a client sends more than +this then the connection will abort. This value can be set by calling +SSL_CTX_set_recv_max_early_data() or SSL_set_recv_max_early_data(). The current +value for this setting can be obtained by calling +SSL_CTX_get_recv_max_early_data() or SSL_get_recv_max_early_data(). The default +value for this setting is 16,384 bytes. + +The recv_max_early_data value also has an impact on early data that is accepted. +The amount of data that is accepted will always be the lower of the +max_early_data for the session and the recv_max_early_data setting for the +server. If a client sends more data than this then the connection will abort. + +The configured value for max_early_data on a server may change over time as +required. However clients may have tickets containing the previously configured +max_early_data value. The recv_max_early_data should always be equal to or +higher than any recently configured max_early_data value in order to avoid +aborted connections. The recv_max_early_data should never be set to less than +the current configured max_early_data value. Some server applications may wish to have more control over whether early data is accepted or not, for example to mitigate replay risks (see L</REPLAY PROTECTION> |