HTY1024/dockerfile
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7555429db6
dockerfile/examples/openssl/openssl-3.2.1-src/doc/designs/quic-design/quic-api-ssl-funcs.md

90 KiB
Raw Blame History

Behaviour of SSL functions on QUIC SSL objects

This document is a companion to the QUIC API Overview which lists all SSL functions and controls and notes their behaviour with QUIC SSL objects.

The Category column is as follows:

  • Global: These API items do not relate to SSL objects. They may be stateless or may relate only to global state.

    Can also be used for APIs implemented only in terms of other public libssl APIs.

  • Object: Object management APIs. Some of these may require QUIC-specific implementation.

  • HL: Handshake layer API.

    These calls should generally be dispatched to the handshake layer, unless they are not applicable to QUIC. Modifications inside the handshake layer for the QUIC case may or may not be required.

  • CSSM: Connection/Stream State Machine. API related to lifecycle of a connection or stream. Needs QUIC-specific implementation.

  • ADP: App Data Path. Application-side data path API. QUIC-specific implementation.

  • NDP: Net Data Path. Network-side data path control API. Also includes I/O ticking and timeout handling.

  • RL: Record layer related API. If these API items only relate to the TLS record layer, they must be disabled for QUIC; if they are also relevant to the QUIC record layer, they will require QUIC-specific implementation.

  • Async: Relates to the async functionality.

  • 0-RTT: Relates to early data/0-RTT functionality.

  • Special: Other calls which defy classification.

The Semantics column is as follows:

  • 🟩U: Unchanged. The semantics of the API are not changed for QUIC.
  • 🟧C: Changed. The semantics of the API are changed for QUIC.
  • 🟦N: New. The API is new for QUIC.
  • 🟥TBD: Yet to be determined if semantic changes will be required.

The Applicability column is as follows:

  • 🟦U: Unrelated. Not applicable to QUIC — fully unrelated (e.g. functions for other SSL methods).
  • 🟥FC: Not applicable to QUIC (or not currently supported) — fail closed.
  • 🟧NO: Not applicable to QUIC (nor not currently supported) — no-op.
  • 🟩A: Applicable.

The Implementation Requirements column is as follows:

  • 🟩NC: No changes are expected to be needed (where marked *, dispatch to handshake layer).

    Note: Where this value is used with an applicability of FC or NO, this means that the desired behaviour is already an emergent consequence of the existing code.

  • 🟨C: Modifications are expected to be needed (where marked *, dispatch to handshake layer with changes inside the handshake layer).

  • 🟧QSI: QUIC specific implementation.

  • 🟥QSA: QUIC specific API.

The Status column is as follows:

  • 🔴Pending Triage: Have not determined the classification of this API item yet.
  • 🟠Design TBD: It has not yet been determined how this API item will work for QUIC.
  • 🟡TODO: It has been determined how this API item should work for QUIC but it has not yet been implemented.
  • 🟢Done: No further work is anticipated to be needed for this API item.

Notes:

  • †1: Must restrict which ciphers can be used with QUIC; otherwise, no changes.
  • †2: ALPN usage must be mandated; otherwise, no changes.
  • †3: NPN usage should be forced off as it should never be used with QUIC; otherwise, no changes.
  • †4: Controls needing changes are listed separately.
  • †5: TLS compression and renegotiation must not be used with QUIC, but these features are already forbidden in TLS 1.3, which is a requirement for QUIC, thus no changes should be needed.
  • †6: Callback specified is called for handshake layer messages (TLSv1.3).
  • †7: Tickets are issued using NEW_TOKEN frames in QUIC and this will require handshake layer changes. However these APIs as such do not require changes.
  • †8: Use of post-handshake authentication is prohibited by QUIC.
  • †9: QUIC always uses AES-128-GCM initially. We need to determine when and what ciphers we report as being in use.
  • †10: Not supporting async for now.
  • †11: Since these functions only configure cipher suite lists used for TLSv1.2, which is never used for QUIC, they do not require changes, and we can allow applications to configure these lists freely, as they will be ignored.
API Item Cat. Sema. Appl. Impl. Req. Status
⇒ Global Information and Functions
OSSL_default_cipher_list Global 🟩U 🟦U 🟩NC 🟢Done
OSSL_default_ciphersuites Global 🟩U 🟦U 🟩NC 🟢Done
ERR_load_SSL_strings Global 🟩U 🟦U 🟩NC 🟢Done
OPENSSL_init_ssl Global 🟩U 🟦U 🟩NC 🟢Done
OPENSSL_cipher_name Global 🟩U 🟦U 🟩NC 🟢Done
SSL_alert_desc_string Global 🟩U 🟦U 🟩NC 🟢Done
SSL_alert_desc_string_long Global 🟩U 🟦U 🟩NC 🟢Done
SSL_alert_type_string Global 🟩U 🟦U 🟩NC 🟢Done
SSL_alert_type_string_long Global 🟩U 🟦U 🟩NC 🟢Done
SSL_extension_supported Global 🟩U 🟦U 🟩NC 🟢Done
SSL_add_ssl_module Global 🟩U 🟦U 🟩NC 🟢Done
SSL_test_functions Global 🟩U 🟦U 🟩NC 🟢Done
SSL_select_next_proto Global 🟩U 🟦U 🟩NC 🟢Done
⇒ Methods
SSLv3_method Global 🟩U 🟦U 🟩NC 🟢Done
SSLv3_client_method Global 🟩U 🟦U 🟩NC 🟢Done
SSLv3_server_method Global 🟩U 🟦U 🟩NC 🟢Done
TLS_method Global 🟩U 🟦U 🟩NC 🟢Done
TLS_client_method Global 🟩U 🟦U 🟩NC 🟢Done
TLS_server_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_client_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_server_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_1_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_1_client_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_1_server_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_2_client_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_2_server_method Global 🟩U 🟦U 🟩NC 🟢Done
TLSv1_2_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLS_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLS_client_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLS_server_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_client_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_server_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_2_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_2_client_method Global 🟩U 🟦U 🟩NC 🟢Done
DTLSv1_2_server_method Global 🟩U 🟦U 🟩NC 🟢Done
OSSL_QUIC_client_method Global 🟩U 🟦U 🟥QSA 🟢Done
OSSL_QUIC_client_thread_method Global 🟩U 🟦U 🟥QSA 🟢Done
OSSL_QUIC_server_method Global 🟩U 🟦U 🟥QSA 🟠Design TBD
⇒ Instantiation
BIO_f_ssl Object 🟩U 🟩A 🟩NC 🟢Done
BIO_new_ssl Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_new Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_new_ex Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_up_ref Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_free Object 🟩U 🟩A 🟩NC 🟢Done
SSL_new Object 🟩U 🟩A 🟧QSI 🟢Done
SSL_dup Object 🟩U 🟩A 🟥FC 🟢Done
SSL_up_ref Object 🟩U 🟩A 🟩NC 🟢Done
SSL_free Object 🟩U 🟩A 🟧QSI 🟢Done
SSL_is_dtls Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_get_ex_data Object 🟩U 🟩A 🟩NC 🟢Done
SSL_CTX_set_ex_data Object 🟩U 🟩A 🟩NC 🟢Done
SSL_get_ex_data Object 🟩U 🟩A 🟩NC 🟢Done
SSL_set_ex_data Object 🟩U 🟩A 🟩NC 🟢Done
SSL_get_SSL_CTX Object 🟩U 🟩A 🟩NC 🟢Done
SSL_set_SSL_CTX Object 🟩U 🟩A 🟩NC 🟢Done
⇒ Method Manipulation
SSL_CTX_get_ssl_method Object 🟩U 🟩A 🟩NC 🟢Done
SSL_get_ssl_method Object 🟩U 🟩A 🟩NC 🟢Done
SSL_set_ssl_method Object 🟩U 🟥FC 🟧QSI 🟢Done
⇒ SRTP
SSL_get_selected_srtp_profile HL 🟩U 🟧NO 🟨C* 🟢Done
SSL_get_srtp_profiles HL 🟩U 🟧NO 🟨C* 🟢Done
SSL_CTX_set_tlsext_use_srtp HL 🟩U 🟥FC 🟨C* 🟢Done
SSL_set_tlsext_use_srtp HL 🟩U 🟥FC 🟩NC* 🟢Done
⇒ Ciphersuite Configuration
SSL_CTX_set_cipher_list HL 🟩U 🟩A 🟩NC* †11 🟢Done
SSL_CTX_set_ciphersuites HL 🟩U 🟩A 🟨C* †1 🟢Done
SSL_CTX_get_ciphers HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_ciphersuites HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get1_supported_ciphers HL 🟩U 🟩A 🟨C* †1 🟢Done
SSL_bytes_to_cipher_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_ciphers HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_cipher_list HL 🟩U 🟩A 🟩NC* †11 🟢Done
SSL_set_cipher_list HL 🟩U 🟩A 🟩NC* †11 🟢Done
⇒ Negotiated Ciphersuite Queries
SSL_get_current_cipher HL 🟩U 🟩A 🟩NC* †9 🟢Done
SSL_get_pending_cipher HL 🟩U 🟩A 🟩NC* †9 🟢Done
SSL_get_shared_ciphers HL 🟩U 🟩A 🟩NC* †9 🟢Done
SSL_get_client_ciphers HL 🟩U 🟩A 🟩NC* †9 🟢Done
SSL_get_current_compression HL 🟩U 🟩A 🟩HLNC 🟢Done
SSL_get_current_expansion HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_shared_sigalgs HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_sigalgs HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_peer_signature_nid HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_peer_signature_type_nid HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_signature_nid HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_signature_type_nid HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ ALPN †2
SSL_SESSION_set1_alpn_selected HL 🟩U 🟩A 🟨C* †2 🟢Done
SSL_SESSION_get0_alpn_selected HL 🟩U 🟩A 🟨C* †2 🟢Done
SSL_CTX_set_alpn_select_cb HL 🟩U 🟩A 🟨C* †2 🟢Done
SSL_set_alpn_protos HL 🟩U 🟩A 🟨C* †2 🟢Done
SSL_get0_alpn_selected HL 🟩U 🟩A 🟨C* †2 🟢Done
SSL_CTX_set_alpn_protos HL 🟩U 🟩A 🟨C* †2 🟢Done
⇒ NPN †3
SSL_CTX_set_next_proto_select_cb HL 🟩U 🟥FC 🟨C* †3 🟢Done
SSL_CTX_set_next_protos_advertised_cb HL 🟩U 🟥FC 🟨C* †3 🟢Done
SSL_get0_next_proto_negotiated HL 🟩U 🟥FC 🟩NC* †3 🟢Done
⇒ Narrow Waist Interface †4
SSL_CTX_ctrl Object 🟩U 🟩A 🟩NC* †4 🟢Done
SSL_ctrl Object 🟩U 🟩A 🟩NC* †4 🟢Done
SSL_CTX_callback_ctrl Object 🟩U 🟩A 🟩NC* †4 🟢Done
SSL_callback_ctrl Object 🟩U 🟩A 🟩NC* †4 🟢Done
⇒ Miscellaneous Accessors
SSL_get_server_random HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_client_random HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_finished HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_peer_finished HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Ciphersuite Information
SSL_CIPHER_description Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_find Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_auth_nid Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_bits Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_cipher_nid Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_digest_nid Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_handshake_digest Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_id Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_kx_nid Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_name Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_protocol_id Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_get_version Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_is_aead Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CIPHER_standard_name Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_group_to_name Global 🟩U 🟦U 🟩NC* 🟢Done
⇒ Version Queries
SSL_get_version HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_version HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_version HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Certificate Chain Management
SSL_get_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_certificate_chain_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_certificate_chain_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_certificate_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_load_verify_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_load_verify_dir HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_load_verify_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_load_verify_locations HL 🟩U 🟩A 🟩NC* 🟢Done
CertSSL_use_cert_and_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_certificate_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_PrivateKey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_PrivateKey_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_PrivateKey_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_RSAPrivateKey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_RSAPrivateKey_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_use_RSAPrivateKey_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_verify_dir HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_verify_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_verify_paths HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_verify_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_cert_and_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_certificate_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_certificate_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_PrivateKey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_PrivateKey_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_PrivateKey_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_RSAPrivateKey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_RSAPrivateKey_ASN1 HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_RSAPrivateKey_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_check_chain HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_check_private_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_check_private_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add_client_CA HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add1_to_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add_dir_cert_subjects_to_stack HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add_file_cert_subjects_to_stack HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add_store_cert_subjects_to_stack HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_load_client_CA_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_load_client_CA_file_ex HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_dup_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set0_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_client_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_add_client_CA HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_privatekey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_cert_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set1_cert_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_client_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_add1_to_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set0_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_client_cert_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_default_passwd_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_default_passwd_cb_userdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_client_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_privatekey HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Certificate Compression
SSL_CTX_set1_cert_comp_preference HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set1_cert_comp_preference HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_compress_certs HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_compress_certs HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set1_compressed_cert HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set1_compressed_cert HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get1_compressed_cert HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get1_compressed_cert HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Certificate Verification
SSL_set1_host HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_add1_host HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_hostflags HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_verify HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_verify HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_verify_depth HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_verify_result HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_verify_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_verify_depth HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_verify_mode HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_verify_result HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_peer_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_peer_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_verified_chain HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get1_peer_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_peer_cert_chain HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_peer_certificate HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_certs_clear HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_verify_mode HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_verify_depth HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_verify_depth HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_peername HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set1_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set1_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_purpose HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_purpose HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_trust HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_trust HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ PSK
SSL_use_psk_identity_hint HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_psk_identity_hint HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_psk_client_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_psk_find_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_psk_server_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_psk_use_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_psk_identity HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_psk_identity_hint HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ SRP
SSL_SRP_CTX_init HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_SRP_CTX_init HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_SRP_CTX_free HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SRP_CTX_free HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_client_pwd_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_password HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_srp_g HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_cb_arg HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_srp_N HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_username_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_srp_username HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_srp_server_param HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_srp_userinfo HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_srp_server_param_with_username HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_strength HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_verify_param_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_srp_server_param_pw HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_srp_username HL 🟩U 🟩A 🟩NC* 🟢Done
SRP_Calc_A_param HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ DANE
SSL_CTX_dane_enable HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_dane_tlsa HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_dane_set_flags HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_dane_set_flags HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_dane_clear_flags HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_dane_clear_flags HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_dane HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_dane_enable HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_dane_authority HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_dane_mtype_set HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_dane_tlsa_add HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Certificate Transparency
SSL_CTX_enable_ct HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_ct_is_enabled HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_ctlog_list_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_ctlog_list_file HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_ct_validation_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set0_ctlog_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_ctlog_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_enable_ct HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_ct_is_enabled HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_peer_scts HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_ct_validation_callback HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Compression
SSL_COMP_add_compression_method HL 🟩U 🟩A 🟩NC* †5 🟢Done
SSL_COMP_get0_name HL 🟩U 🟩A 🟩NC* †5 🟢Done
SSL_COMP_get_compression_methods HL 🟩U 🟩A 🟩NC* †5 🟢Done
SSL_COMP_get_id HL 🟩U 🟩A 🟩NC* †5 🟢Done
SSL_COMP_get_name HL 🟩U 🟩A 🟩NC* †5 🟢Done
SSL_COMP_set0_compression_methods HL 🟩U 🟩A 🟩NC* †5 🟢Done
⇒ Exporters
SSL_export_keying_material HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_export_keying_material_early HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Renegotiation
SSL_renegotiate HL 🟩U 🟥FC 🟩NC* †5 🟢Done
SSL_renegotiate_abbreviated HL 🟩U 🟥FC 🟩NC* †5 🟢Done
SSL_renegotiate_pending HL 🟩U 🟧NO 🟩NC* †5 🟢Done
⇒ Options
SSL_CTX_clear_options HL 🟩U 🟩A 🟨C* 🟢Done
SSL_CTX_set_options HL 🟩U 🟩A 🟨C* 🟢Done
SSL_CTX_get_options HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_clear_options HL 🟩U 🟩A 🟨C* 🟢Done
SSL_set_options HL 🟩U 🟩A 🟨C* 🟢Done
SSL_get_options HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Configuration
SSL_CONF_CTX_new Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_free Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_set_ssl Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_set_ssl_ctx Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_set1_prefix Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_set_flags Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_clear_flags Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_CTX_finish Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_cmd Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_cmd_argv Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_CONF_cmd_value_type Global 🟩U 🟩A 🟩NC* 🟢Done
SSL_config HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_config HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Callbacks
SSL_CTX_set_cert_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_cert_store HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_cert_verify_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_client_CA_list HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_client_cert_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_client_cert_engine HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_client_hello_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_cookie_generate_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_cookie_verify_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_passwd_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_passwd_cb_userdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_default_read_buffer_len HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_info_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_info_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_info_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_info_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_msg_callback HL 🟩U 🟩A 🟩NC* †6 🟢Done
SSL_set_cert_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_default_passwd_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_default_passwd_cb_userdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_default_passwd_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_default_passwd_cb_userdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_keylog_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_keylog_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_psk_client_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_psk_find_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_psk_server_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_psk_use_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_verify_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_not_resumable_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_not_resumable_session_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_session_secret_cb HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Session Management
d2i_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
i2d_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
PEM_read_bio_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
PEM_read_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
PEM_write_bio_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
PEM_write_SSL_SESSION HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_new HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_up_ref HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_dup HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_free HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_print HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_print_fp HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_print_keylog HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_cipher HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set_cipher HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_hostname HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set1_hostname HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_id_context HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set1_id_context HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_peer HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_ticket HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_ticket_appdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set1_ticket_appdata HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_has_ticket HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_protocol_version HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set_protocol_version HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_compress_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set1_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_time HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set_time HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_timeout HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set_timeout HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get0_hostname HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_set1_hostname HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_master_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_master_key HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_is_resumable HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_max_early_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_max_early_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_max_fragment_length HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_SESSION_get_ticket_lifetime_hint HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_add_session HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_remove_session HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get1_session HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_session HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_session HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_get_get_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_set_get_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_get_new_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_set_new_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_get_remove_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sess_set_remove_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_session_id_context HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_session_id_context HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_generate_session_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_generate_session_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_has_matching_session_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_flush_sessions HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_session_reused HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_timeout HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_timeout HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_default_timeout HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_sessions HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Session Ticket Management
SSL_get_num_tickets HL 🟩U 🟩A 🟩NC* †7 🟢Done
SSL_set_num_tickets HL 🟩U 🟩A 🟩NC* †7 🟢Done
SSL_CTX_get_num_tickets HL 🟩U 🟩A 🟩NC* †7 🟢Done
SSL_CTX_set_num_tickets HL 🟩U 🟩A 🟩NC* †7 🟢Done
SSL_new_session_ticket HL 🟩U 🟩A 🟩NC* †7 🟢Done
SSL_set_session_ticket_ext HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_session_ticket_ext_cb HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_tlsext_ticket_key_evp_cb HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Security Levels
SSL_CTX_get_security_level HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_security_level HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_security_level HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_security_level HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get_security_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_security_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_security_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_security_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_get0_security_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set0_security_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get0_security_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set0_security_ex_data HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Custom Extensions
SSL_CTX_add_custom_ext HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_add_client_custom_ext HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_add_server_custom_ext HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_has_client_custom_ext HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Early ClientHello Processing
SSL_client_hello_get_extension_order HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_ciphers HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_compression_methods HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_ext HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_legacy_version HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_random HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get0_session_id HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_get1_extensions_present HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_client_hello_isv2 HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ SNI
SSL_get_servername HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_servername_type HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Server Info
SSL_CTX_use_serverinfo HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_serverinfo_ex HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_use_serverinfo_file HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Post-Handshake Authentication
SSL_verify_client_post_handshake HL 🟩U 🟥FC 🟨C* †8 🟢Done
SSL_CTX_set_post_handshake_auth HL 🟩U 🟥FC 🟨C* †8 🟢Done
SSL_set_post_handshake_auth HL 🟩U 🟥FC 🟨C* †8 🟢Done
⇒ DH Parameters
SSL_CTX_set_dh_auto HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_dh_auto HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set0_tmp_dh_pkey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set0_tmp_dh_pkey HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_tmp_dh_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_tmp_dh_callback HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTX_set_tmp_dh HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_tmp_dh HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ State Queries
SSL_in_init HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_in_before HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_is_init_finished HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_get_state HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_rstate_string HL 🟩U 🟩A 🟧QSI 🟢Done
SSL_rstate_string_long HL 🟩U 🟩A 🟧QSI 🟢Done
SSL_state_string HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_state_string_long HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Data Path and CSSM
SSL_set_connect_state CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_set_accept_state CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_is_server CSSM 🟩U 🟩A 🟩NC* 🟢Done
SSL_peek ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_peek_ex ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_read ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_read_ex ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_write ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_write_ex ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_sendfile ADP 🟩U 🟥FC 🟩NC* 🟢Done
SSL_pending ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_has_pending ADP 🟧C 🟩A 🟧QSI 🟢Done
SSL_accept CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_connect CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_do_handshake CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_set0_wbio NDP 🟩U 🟩A 🟧QSI 🟢Done
SSL_set0_rbio NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_set_bio NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_get_wbio NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_get_rbio NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_get_error NDP 🟩U 🟩A 🟧QSI 🟢Done
SSL_get_rfd NDP 🟩U 🟩A 🟩NC 🟢Done
SSL_get_wfd NDP 🟩U 🟩A 🟩NC 🟢Done
SSL_get_fd NDP 🟩U 🟩A 🟩NC 🟢Done
SSL_set_rfd NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_set_wfd NDP 🟧C 🟩A 🟧QSI 🟢Done
SSL_set_fd NDP 🟩U 🟩A 🟧QSI 🟢Done
SSL_key_update RL 🟩U 🟩A 🟧QSI 🟢Done
SSL_get_key_update_type RL 🟩U 🟩A 🟧QSI 🟢Done
SSL_clear (connection) CSSM 🟩U 🟥FC 🟧QSI 🟢Done
SSL_clear (stream) CSSM 🟩U 🟥FC 🟧QSI 🟢Done
SSL_shutdown CSSM 🟧C 🟩A 🟧QSI 🟢Done
SSL_want ADP 🟧C 🟩A 🟧QSI 🟢Done
BIO_new_ssl_connect Global 🟩U 🟩A 🟧QSI 🟢Done
BIO_new_buffer_ssl_connect Global 🟩U 🟦U 🟧QSI 🟢Done
SSL_get_shutdown CSSM 🟩U 🟩A 🟧QSI 🟢Done
SSL_set_shutdown CSSM 🟩U 🟩A 🟧QSI 🟢Done
⇒ New APIs
SSL_is_tls CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_is_quic CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_handle_events CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_event_timeout CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_blocking_mode CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_set_blocking_mode CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_rpoll_descriptor CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_wpoll_descriptor CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_net_read_desired CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_net_write_desired CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_set1_initial_peer_addr CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_shutdown_ex CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_stream_conclude CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_stream_reset CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_read_state CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_write_state CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_read_error_code CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_write_error_code CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_conn_close_info CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_inject_net_dgram NDP 🟦N 🟩A 🟥QSA 🟢Done
⇒ New APIs for Multi-Stream
SSL_get0_connection CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_is_connection CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_id CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_stream_type CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_is_stream_local CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_new_stream CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_accept_stream CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_get_accept_stream_queue_len CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_set_default_stream_mode CSSM 🟦N 🟩A 🟥QSA 🟢Done
SSL_set_incoming_stream_policy CSSM 🟦N 🟩A 🟥QSA 🟢Done
⇒ Currently Not Supported
SSL_copy_session_id Special 🟩U 🟥FC 🟨C* 🟢Done
BIO_ssl_copy_session_id Special 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_set_quiet_shutdown CSSM 🟩U 🟦U 🟩NC 🟢Done
SSL_CTX_get_quiet_shutdown CSSM 🟩U 🟦U 🟩NC 🟢Done
SSL_set_quiet_shutdown CSSM 🟩U 🟥FC 🟨C 🟢Done
SSL_get_quiet_shutdown CSSM 🟩U 🟧NO 🟨C 🟢Done
SSL_CTX_set_ssl_version HL 🟩U 🟥FC 🟨C 🟢Done
⇒ Async
SSL_CTX_set_async_callback Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_set_async_callback Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_CTX_set_async_callback_arg Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_set_async_callback_arg Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_waiting_for_async Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_get_async_status Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_get_all_async_fds Async 🟩U 🟧NO 🟩NC* †10 🟢Done
SSL_get_changed_async_fds Async 🟩U 🟧NO 🟩NC* †10 🟢Done
⇒ Readahead
SSL_CTX_get_default_read_ahead RL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTX_get_read_ahead RL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTX_set_read_ahead RL 🟩U 🟧NO 🟨C* 🟢Done
SSL_get_read_ahead RL 🟩U 🟧NO 🟨C* 🟢Done
SSL_set_read_ahead RL 🟩U 🟧NO 🟨C* 🟢Done
SSL_CTX_set_default_read_buffer_len RL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_set_default_read_buffer_len RL 🟩U 🟧NO 🟨C* 🟢Done
⇒ Record Padding and Fragmentation
SSL_CTX_set_record_padding_callback RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_record_padding_callback RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_get_record_padding_callback_arg RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTX_set_record_padding_callback_arg RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_get_record_padding_callback_arg RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_record_padding_callback_arg RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTX_set_block_padding RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_block_padding RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_set_tlsext_max_fragment_length RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_tlsext_max_fragment_length RL 🟩U 🟥FC 🟨C* 🟢Done
⇒ Stateless/HelloRetryRequest
SSL_stateless RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_set_stateless_cookie_generate_cb RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTX_set_stateless_cookie_verify_cb RL 🟩U 🟥FC 🟩NC* 🟢Done
⇒ Early Data/0-RTT
SSL_CTX_set_allow_early_data_cb 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_allow_early_data_cb 0-RTT 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_get_recv_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTX_set_recv_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_get_recv_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_recv_max_early_data 0-RTT 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTX_get_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTX_set_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_get_max_early_data 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
SSL_set_max_early_data 0-RTT 🟩U 🟥FC 🟨C* 🟢Done
SSL_read_early_data 0-RTT 🟩U 🟥FC 🟨C* 🟢Done
SSL_write_early_data 0-RTT 🟩U 🟥FC 🟨C* 🟢Done
SSL_get_early_data_status 0-RTT 🟩U 🟥FC 🟩NC* 🟢Done
⇒ Miscellaneous
DTLSv1_listen RL 🟩U 🟦U 🟩NC 🟢Done
DTLS_set_timer_cb NDP 🟩U 🟦U 🟩NC 🟢Done
DTLS_get_data_mtu NDP 🟩U 🟦U 🟩NC 🟢Done
SSL_get_ex_data_X509_STORE_CTX_idx Global 🟩U 🟦U 🟩NC 🟢Done
BIO_ssl_shutdown Global 🟩U 🟩A 🟩NC 🟢Done
SSL_alloc_buffers HL 🟩U 🟩A 🟨C* 🟢Done
SSL_free_buffers HL 🟩U 🟩A 🟨C* 🟢Done
SSL_trace HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_set_debug HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ Controls
SSL_CTRL_MODE Special 🟩U 🟩A 🟧QSI 🟢Done
SSL_CTRL_CLEAR_MODE Special 🟩U 🟩A 🟧QSI 🟢Done
SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS HL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTRL_GET_NUM_RENEGOTIATIONS HL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTRL_GET_TOTAL_RENEGOTIATIONS HL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTRL_GET_RI_SUPPORT HL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTRL_GET_READ_AHEAD HL 🟩U 🟧NO 🟩NC* 🟢Done
SSL_CTRL_SET_READ_AHEAD HL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTRL_SET_MAX_PIPELINES RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTRL_SET_MAX_SEND_FRAGMENT RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTRL_SET_SPLIT_SEND_FRAGMENT RL 🟩U 🟥FC 🟨C* 🟢Done
SSL_CTRL_SET_MTU RL 🟩U 🟥FC 🟩NC* 🟢Done
SSL_CTRL_SET_MAX_PROTO_VERSION HL 🟩U 🟩A 🟨C* 🟢Done
SSL_CTRL_SET_MIN_PROTO_VERSION HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_MAX_PROTO_VERSION HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_MIN_PROTO_VERSION HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_BUILD_CERT_CHAIN HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_CERT_FLAGS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_CHAIN HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_CHAIN_CERT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_CLEAR_CERT_FLAGS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_EXTRA_CHAIN_CERT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_CHAIN_CERTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_CHAIN_CERT_STORE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_CLIENT_CERT_REQUEST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_CLIENT_CERT_TYPES HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_EC_POINT_FORMATS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_EXTMS_SUPPORT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_EXTRA_CHAIN_CERTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_FLAGS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_GROUPS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_IANA_GROUPS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_MAX_CERT_LIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_NEGOTIATED_GROUP HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_PEER_SIGNATURE_NID HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_PEER_TMP_KEY HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_RAW_CIPHERLIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_SESS_CACHE_MODE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_SESS_CACHE_SIZE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_SHARED_GROUP HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_SIGNATURE_NID HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TLSEXT_TICKET_KEYS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_TMP_KEY HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_GET_VERIFY_CERT_STORE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SELECT_CURRENT_CERT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_ACCEPT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_ACCEPT_GOOD HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_ACCEPT_RENEGOTIATE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_CACHE_FULL HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_CB_HIT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_CONNECT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_CONNECT_GOOD HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_CONNECT_RENEGOTIATE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_HIT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_MISSES HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_NUMBER HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SESS_TIMEOUTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_CHAIN_CERT_STORE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_CLIENT_CERT_TYPES HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_CLIENT_SIGALGS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_CLIENT_SIGALGS_LIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_CURRENT_CERT HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_DH_AUTO HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_GROUPS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_GROUPS_LIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_MAX_CERT_LIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_MSG_CALLBACK HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_MSG_CALLBACK_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_RETRY_VERIFY HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SESS_CACHE_MODE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SESS_CACHE_SIZE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SIGALGS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SIGALGS_LIST HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SRP_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_SRP_VERIFY_PARAM_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_DEBUG_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_DEBUG_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_HOSTNAME HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLS_EXT_SRP_USERNAME HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TLSEXT_TICKET_KEYS HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TMP_DH HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TMP_DH_CB HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_TMP_ECDH HL 🟩U 🟩A 🟩NC* 🟢Done
SSL_CTRL_SET_VERIFY_CERT_STORE HL 🟩U 🟩A 🟩NC* 🟢Done
⇒ SSL Modes
SSL_MODE_ENABLE_PARTIAL_WRITE ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER ADP 🟩U 🟩A 🟧QSI 🟢Done
SSL_MODE_RELEASE_BUFFERS ADP 🟩U 🟧NO 🟩NC 🟢Done
SSL_MODE_ASYNC ADP 🟩U 🟧NO 🟩NC 🟢Done
SSL_MODE_AUTO_RETRY ADP 🟩U 🟧NO 🟩NC 🟢Done
SSL_MODE_SEND_FALLBACK_SCSV HL 🟩U 🟩U 🟩NC 🟢Done

Q&A For TLS-Related Calls

What should SSL_get_current_cipher, SSL_get_pending_cipher, etc. do?

QUIC always uses AES-128-GCM for Initial packets. At this time the handshake layer has not negotiated a ciphersuite so it has no “current” cipher. We could return AES-128-GCM here, but it seems reasonable to just return NULL as the encryption is mostly for protection against accidental modification and not “real” encryption. From the perspective of the Handshake layer encryption is not active yet. An application using QUIC can always interpret NULL as meaning AES-128-GCM is being used if needed as this is implied by using QUIC.

A. We return NULL here, because it allows applications to detect if a ciphersuite has been negotiated and NULL can be used to infer that Initial encryption is still being used. This also minimises the changes needed to the implementation.

What should SSL_CTX_set_cipher_list do?

Since this function configures the cipher list for TLSv1.2 and below only, there is no need to restrict it as TLSv1.3 is required for QUIC. For the sake of application compatibility, applications can still configure the TLSv1.2 cipher list; it will always be ignored. This function can still be used to set the SECLEVEL; no changes are needed to facilitate this.

What SSL options should be supported?

Options we explicitly want to support:

  • SSL_OP_CIPHER_SERVER_PREFERENCE
  • SSL_OP_DISABLE_TLSEXT_CA_NAMES
  • SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
  • SSL_OP_NO_RX_CERTIFICATE_COMPRESSION
  • SSL_OP_PRIORITIZE_CHACHA
  • SSL_OP_NO_TICKET
  • SSL_OP_CLEANSE_PLAINTEXT

Options we do not yet support but could support in the future, currently no-ops:

  • SSL_OP_NO_QUERY_MTU
  • SSL_OP_NO_ANTI_REPLAY

The following options must be explicitly forbidden:

  • SSL_OP_NO_TLSv1_3 — TLSv1.3 is required for QUIC
  • SSL_OP_ENABLE_MIDDLEBOX_COMPAT — forbidden by QUIC RFCs
  • SSL_OP_ENABLE_KTLS — not currently supported for QUIC
  • SSL_OP_SAFARI_ECDHE_ECDSA_BUG
  • SSL_OP_TLSEXT_PADDING
  • SSL_OP_TLS_ROLLBACK_BUG
  • SSL_OP_IGNORE_UNEXPECTED_EOF
  • SSL_OP_ALLOW_NO_DHE_KEX

The following options are ignored for TLSv1.3 or otherwise not applicable and may therefore be settable but ignored. We take this approach on the grounds that it is harmless and applications might want to see that options have been correctly set for protocols unrelated to QUIC.

  • SSL_OP_CRYPTOPRO_TLSEXT_BUG
  • SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
  • SSL_OP_ALLOW_CLIENT_RENEGOTIATION
  • SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  • SSL_OP_CISCO_ANYCONNECT
  • SSL_OP_COOKIE_EXCHANGE
  • SSL_OP_LEGACY_SERVER_CONNECT
  • SSL_OP_NO_COMPRESSION
  • SSL_OP_NO_ENCRYPT_THEN_MAC
  • SSL_OP_NO_EXTENDED_MASTER_SECRET
  • SSL_OP_NO_RENEGOTIATION
  • SSL_OP_NO_RESSION_RESUMPTION_ON_NEGOTIATION
  • SSL_OP_NO_SSLv3
  • SSL_OP_NO_TLSv1
  • SSL_OP_NO_TLSv1_1
  • SSL_OP_NO_TLSv1_2
  • SSL_OP_NO_DTLSv1
  • SSL_OP_NO_DTLSv1_2

What should SSL_rstate_string and SSL_state_string do?

SSL_state_string is highly handshake layer specific, so it makes sense to just forward to the handshake layer.

SSL_rstate_string is record layer specific. A cursory evaluation of usage via GitHub code search did not appear to identify much usage of this function other than for debug output; i.e., there seems to be little usage of this in a way that depends on the output for the purposes of control flow. Since there is not really any direct correspondence to the QUIC record layer, we conservatively define the output of this function as "unknown".

TODO: forbid NPN TODO: enforce TLSv1.3 TODO: forbid PHA - DONE TODO: forbid middlebox compat mode in a deeper way? TODO: new_session_ticket doesn't need modifying as such, but ticket machinery will

What should SSL_pending and SSL_has_pending do?

SSL_pending traditionally yields the number of bytes buffered inside a SSL object available for immediate reading. For QUIC, we can just make this report the current size of the receive stream buffer.

SSL_has_pending returns a boolean value indicating whether there is processed or unprocessed incoming data pending. There is no direct correspondence to QUIC, so there are various implementation options:

  • SSL_pending() > 0
  • SSL_pending() > 0 || pending URXEs or RXEs exist

The latter can probably be viewed as more of a direct correspondence to the design intent of the API, so we go with this.

What should SSL_alloc_buffers and SSL_free_buffers do?

These do not really correspond to our internal architecture for QUIC. Since internal buffers are always available, SSL_alloc_buffers can simply always return 1. SSL_free_buffers can always return 0, as though the buffers are in use, which they generally will be.

What should SSL_key_update and SSL_get_key_update_type?

SSL_key_update can trigger a TX record layer key update, which will cause the peer to respond with a key update in turn. The update occurs asynchronously at next transmission, not immediately.

SSL_get_key_update_type returns an enumerated value which is only relevant to the TLSv1.3 protocol; for QUIC, it will always return SSL_KEY_UPDATE_NONE.

What should SSL_MODE_AUTO_RETRY do?

The absence of SSL_MODE_AUTO_RETRY causes SSL_read/SSL_write on a normal TLS connection to potentially return due to internal handshake message processing. This does not really make sense for our QUIC implementation, therefore we always act as though SSL_MODE_AUTO_RETRY is on, and this mode is ignored.

What should SSL_MODE_SEND_FALLBACK_SCSV do?

This is not relevant to QUIC because this functionality relates to protocol version downgrade attack protection and QUIC only supports TLSv1.3. Thus, it is ignored.

What should SSL_CTX_set_ssl_version do?

This is a deprecated function, so it needn't be supported for QUIC. Fail closed.

What should SSL_set_ssl_method do?

We do not currently support this for QUIC.

What should SSL_set_shutdown do?

This is not supported and is a no-op for QUIC.

What should SSL_dup and SSL_clear do?

These may be tricky to support. Currently they are blocked.