TLS/SSL and crypto library
Révision | ca1b56f3d03e4aeb729bfdb7aa32042d27770043 (tree) |
l'heure | 2000-10-10 18:15:49 |
Auteur | cvs2svn <cvs2svn> |
Commiter | cvs2svn |
This commit was manufactured by cvs2svn to create tag 'OpenSSL_0_9_6'.
@@ -1,93 +0,0 @@ | ||
1 | -=pod | |
2 | - | |
3 | -=head1 NAME | |
4 | - | |
5 | -SSL_CTX_load_verify_locations - set default locations for trusted CA | |
6 | -certificates | |
7 | - | |
8 | -=head1 SYNOPSIS | |
9 | - | |
10 | - #include <openssl/ssl.h> | |
11 | - | |
12 | - int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, | |
13 | - const char *CApath); | |
14 | - | |
15 | -=head1 DESCRIPTION | |
16 | - | |
17 | -SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at | |
18 | -which CA certificates for verification purposes are located. The certificates | |
19 | -available via B<CAfile> and B<CApath> are trusted. | |
20 | - | |
21 | -=head1 NOTES | |
22 | - | |
23 | -If B<CAfile> is not NULL, it points to a file of CA certificates in PEM | |
24 | -format. The file can contain several CA certificates identified by | |
25 | - | |
26 | - -----BEGIN CERTIFICATE----- | |
27 | - ... (CA certificate in base64 encoding) ... | |
28 | - -----END CERTIFICATE----- | |
29 | - | |
30 | -sequences. Before, between, and after the certificates text is allowed | |
31 | -which can be used e.g. for descriptions of the certificates. | |
32 | - | |
33 | -The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations() | |
34 | -function. | |
35 | - | |
36 | -If on an TLS/SSL server no special setting is perfomed using *client_CA_list() | |
37 | -functions, the certificates contained in B<CAfile> are listed to the client | |
38 | -as available CAs during the TLS/SSL handshake. | |
39 | - | |
40 | -If B<CApath> is not NULL, it points to a directory containing CA certificates | |
41 | -in PEM format. The files each contain one CA certificate. The files are | |
42 | -looked up by the CA subject name hash value, which must hence be available. | |
43 | -Use the B<c_rehash> utility to create the necessary links. | |
44 | - | |
45 | -The certificates in B<CAfile> are only looked up when required, e.g. when | |
46 | -building the certificate chain or when actually performing the verification | |
47 | -of a peer certificate. | |
48 | - | |
49 | -On a server, the certificates in B<CApath> are not listed as available | |
50 | -CA certificates to a client during a TLS/SSL handshake. | |
51 | - | |
52 | -=head1 EXAMPLES | |
53 | - | |
54 | -Generate a CA certificate file with descriptive text from the CA certificates | |
55 | -ca1.pem ca2.pem ca3.pem: | |
56 | - | |
57 | - #!/bin/sh | |
58 | - rm CAfile.pem | |
59 | - for i in ca1.pem ca2.pem ca3.pem ; do | |
60 | - openssl x509 -in $i -text >> CAfile.pem | |
61 | - done | |
62 | - | |
63 | -Prepare the directory /some/where/certs containing several CA certificates | |
64 | -for use as B<CApath>: | |
65 | - | |
66 | - cd /some/where/certs | |
67 | - c_rehash . | |
68 | - | |
69 | -=head1 RETURN VALUES | |
70 | - | |
71 | -The following return values can occur: | |
72 | - | |
73 | -=over 4 | |
74 | - | |
75 | -=item 0 | |
76 | - | |
77 | -The operation failed because B<CAfile> and B<CApath> are NULL or the | |
78 | -processing at one of the locations specified failed. Check the error | |
79 | -stack to find out the reason. | |
80 | - | |
81 | -=item 1 | |
82 | - | |
83 | -The operation succeeded. | |
84 | - | |
85 | -=back | |
86 | - | |
87 | -=head1 SEE ALSO | |
88 | - | |
89 | -L<ssl(3)|ssl(3)>, | |
90 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, | |
91 | -L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> | |
92 | - | |
93 | -=cut |
@@ -1,90 +0,0 @@ | ||
1 | -=pod | |
2 | - | |
3 | -=head1 NAME | |
4 | - | |
5 | -SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, | |
6 | -SSL_add_client_CA - set list of CAs sent to the client when requesting a | |
7 | -client certificate | |
8 | - | |
9 | -=head1 SYNOPSIS | |
10 | - | |
11 | - #include <openssl/ssl.h> | |
12 | - | |
13 | - void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); | |
14 | - void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); | |
15 | - int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); | |
16 | - int SSL_add_client_CA(SSL *ssl, X509 *cacert); | |
17 | - | |
18 | -=head1 DESCRIPTION | |
19 | - | |
20 | -SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when | |
21 | -requesting a client certificate for B<ctx>. | |
22 | - | |
23 | -SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when | |
24 | -requesting a client certificate for the chosen B<ssl>, overriding the | |
25 | -setting valid for B<ssl>'s SSL_CTX object. | |
26 | - | |
27 | -SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the | |
28 | -list of CAs sent to the client when requesting a client certificate for | |
29 | -B<ctx>. | |
30 | - | |
31 | -SSL_add_client_CA() adds the CA name extracted from B<cacert> to the | |
32 | -list of CAs sent to the client when requesting a client certificate for | |
33 | -the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. | |
34 | - | |
35 | -=head1 NOTES | |
36 | - | |
37 | -When a TLS/SSL server requests a client certificate (see | |
38 | -B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which | |
39 | -it will accept certificates, to the client. If no special list is provided, | |
40 | -the CAs available using the B<CAfile> option in | |
41 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
42 | -are sent. | |
43 | - | |
44 | -This list can be explicitely set using the SSL_CTX_set_client_CA_list() for | |
45 | -B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list | |
46 | -specified overrides the previous setting. The CAs listed do not become | |
47 | -trusted (B<list> only contains the names, not the complete certificates); use | |
48 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
49 | -to additionally load them for verification. | |
50 | - | |
51 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional | |
52 | -items the list of client CAs. If no list was specified before using | |
53 | -SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client | |
54 | -CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly | |
55 | -specified using | |
56 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
57 | -are no longer used automatically. | |
58 | - | |
59 | -These functions are only useful for TLS/SSL servers. | |
60 | - | |
61 | -=head1 RETURN VALUES | |
62 | - | |
63 | -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return | |
64 | -diagnostic information. | |
65 | - | |
66 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return | |
67 | -values: | |
68 | - | |
69 | -=over 4 | |
70 | - | |
71 | -=item 1 | |
72 | - | |
73 | -The operation succeeded. | |
74 | - | |
75 | -=item 0 | |
76 | - | |
77 | -A failure while manipulating the STACK_OF(X509_NAME) object occured or | |
78 | -the X509_NAME could not be extracted from B<cacert>. Check the error stack | |
79 | -to find out the reason. | |
80 | - | |
81 | -=back | |
82 | - | |
83 | -=head1 SEE ALSO | |
84 | - | |
85 | -L<ssl(3)|ssl(3)>, | |
86 | -L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, | |
87 | -L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)> | |
88 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
89 | - | |
90 | -=cut |
@@ -1,52 +0,0 @@ | ||
1 | -=pod | |
2 | - | |
3 | -=head1 NAME | |
4 | - | |
5 | -SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs | |
6 | - | |
7 | -=head1 SYNOPSIS | |
8 | - | |
9 | - #include <openssl/ssl.h> | |
10 | - | |
11 | - STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); | |
12 | - STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); | |
13 | - | |
14 | -=head1 DESCRIPTION | |
15 | - | |
16 | -SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for | |
17 | -B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>. | |
18 | - | |
19 | -SSL_get_client_CA_list() returns the list of client CAs explicitely | |
20 | -set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with | |
21 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in | |
22 | -server mode. In client mode, SSL_get_client_CA_list returns the list of | |
23 | -client CAs sent from the server, if any. | |
24 | - | |
25 | -=head1 RETURN VALUES | |
26 | - | |
27 | -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return | |
28 | -diagnostic information. | |
29 | - | |
30 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return | |
31 | -values: | |
32 | - | |
33 | -=over 4 | |
34 | - | |
35 | -=item STACK_OF(X509_NAMES) | |
36 | - | |
37 | -List of CA names explicitely set (for B<ctx> or in server mode) or send | |
38 | -by the server (client mode). | |
39 | - | |
40 | -=item NULL | |
41 | - | |
42 | -No client CA list was explicitely set (for B<ctx> or in server mode) or | |
43 | -the server did not send a list of CAs (client mode). | |
44 | - | |
45 | -=back | |
46 | - | |
47 | -=head1 SEE ALSO | |
48 | - | |
49 | -L<ssl(3)|ssl(3)>, | |
50 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> | |
51 | - | |
52 | -=cut |
@@ -1,62 +0,0 @@ | ||
1 | -=pod | |
2 | - | |
3 | -=head1 NAME | |
4 | - | |
5 | -SSL_load_client_CA_file - load certificate names from file | |
6 | - | |
7 | -=head1 SYNOPSIS | |
8 | - | |
9 | - #include <openssl/ssl.h> | |
10 | - | |
11 | - STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); | |
12 | - | |
13 | -=head1 DESCRIPTION | |
14 | - | |
15 | -SSL_load_client_CA_file() reads certificates from B<file> and returns | |
16 | -a STACK_OF(X509_NAME) with the subject names found. | |
17 | - | |
18 | -=head1 NOTES | |
19 | - | |
20 | -SSL_load_client_CA_file() reads a file of PEM formatted certificates and | |
21 | -extracts the X509_NAMES of the certificates found. While the name suggests | |
22 | -the specific usage as support function for | |
23 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, | |
24 | -it is not limited to CA certificates. | |
25 | - | |
26 | -=head1 EXAMPLES | |
27 | - | |
28 | -Load names of CAs from file and use it as a client CA list: | |
29 | - | |
30 | - SSL_CTX *ctx; | |
31 | - STACK_OF(X509_NAME) *cert_names; | |
32 | - | |
33 | - ... | |
34 | - cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); | |
35 | - if (cert_names != NULL) | |
36 | - SSL_CTX_set_client_CA_list(ctx, cert_names); | |
37 | - else | |
38 | - error_handling(); | |
39 | - ... | |
40 | - | |
41 | -=head1 RETURN VALUES | |
42 | - | |
43 | -The following return values can occur: | |
44 | - | |
45 | -=over 4 | |
46 | - | |
47 | -=item NULL | |
48 | - | |
49 | -The operation failed, check out the error stack for the reason. | |
50 | - | |
51 | -=item Pointer to STACK_OF(X509_NAME) | |
52 | - | |
53 | -Pointer to the subject names of the successfully read certificates. | |
54 | - | |
55 | -=back | |
56 | - | |
57 | -=head1 SEE ALSO | |
58 | - | |
59 | -L<ssl(3)|ssl(3)>, | |
60 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> | |
61 | - | |
62 | -=cut |