TLS/SSL and crypto library
| Révision | ca1b56f3d03e4aeb729bfdb7aa32042d27770043 (tree) |
|---|---|
| l'heure | 2000-10-10 18:15:49 |
| Auteur | cvs2svn <cvs2svn> |
| Commiter | cvs2svn |
This commit was manufactured by cvs2svn to create tag 'OpenSSL_0_9_6'.
doc/ssl/SSL_CTX_load_verify_locations.pod doc/ssl/SSL_CTX_set_client_CA_list.pod doc/ssl/SSL_get_client_CA_list.pod doc/ssl/SSL_load_client_CA_file.pod| @@ -1,93 +0,0 @@ | ||
| 1 | -=pod | |
| 2 | - | |
| 3 | -=head1 NAME | |
| 4 | - | |
| 5 | -SSL_CTX_load_verify_locations - set default locations for trusted CA | |
| 6 | -certificates | |
| 7 | - | |
| 8 | -=head1 SYNOPSIS | |
| 9 | - | |
| 10 | - #include <openssl/ssl.h> | |
| 11 | - | |
| 12 | - int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, | |
| 13 | - const char *CApath); | |
| 14 | - | |
| 15 | -=head1 DESCRIPTION | |
| 16 | - | |
| 17 | -SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at | |
| 18 | -which CA certificates for verification purposes are located. The certificates | |
| 19 | -available via B<CAfile> and B<CApath> are trusted. | |
| 20 | - | |
| 21 | -=head1 NOTES | |
| 22 | - | |
| 23 | -If B<CAfile> is not NULL, it points to a file of CA certificates in PEM | |
| 24 | -format. The file can contain several CA certificates identified by | |
| 25 | - | |
| 26 | - -----BEGIN CERTIFICATE----- | |
| 27 | - ... (CA certificate in base64 encoding) ... | |
| 28 | - -----END CERTIFICATE----- | |
| 29 | - | |
| 30 | -sequences. Before, between, and after the certificates text is allowed | |
| 31 | -which can be used e.g. for descriptions of the certificates. | |
| 32 | - | |
| 33 | -The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations() | |
| 34 | -function. | |
| 35 | - | |
| 36 | -If on an TLS/SSL server no special setting is perfomed using *client_CA_list() | |
| 37 | -functions, the certificates contained in B<CAfile> are listed to the client | |
| 38 | -as available CAs during the TLS/SSL handshake. | |
| 39 | - | |
| 40 | -If B<CApath> is not NULL, it points to a directory containing CA certificates | |
| 41 | -in PEM format. The files each contain one CA certificate. The files are | |
| 42 | -looked up by the CA subject name hash value, which must hence be available. | |
| 43 | -Use the B<c_rehash> utility to create the necessary links. | |
| 44 | - | |
| 45 | -The certificates in B<CAfile> are only looked up when required, e.g. when | |
| 46 | -building the certificate chain or when actually performing the verification | |
| 47 | -of a peer certificate. | |
| 48 | - | |
| 49 | -On a server, the certificates in B<CApath> are not listed as available | |
| 50 | -CA certificates to a client during a TLS/SSL handshake. | |
| 51 | - | |
| 52 | -=head1 EXAMPLES | |
| 53 | - | |
| 54 | -Generate a CA certificate file with descriptive text from the CA certificates | |
| 55 | -ca1.pem ca2.pem ca3.pem: | |
| 56 | - | |
| 57 | - #!/bin/sh | |
| 58 | - rm CAfile.pem | |
| 59 | - for i in ca1.pem ca2.pem ca3.pem ; do | |
| 60 | - openssl x509 -in $i -text >> CAfile.pem | |
| 61 | - done | |
| 62 | - | |
| 63 | -Prepare the directory /some/where/certs containing several CA certificates | |
| 64 | -for use as B<CApath>: | |
| 65 | - | |
| 66 | - cd /some/where/certs | |
| 67 | - c_rehash . | |
| 68 | - | |
| 69 | -=head1 RETURN VALUES | |
| 70 | - | |
| 71 | -The following return values can occur: | |
| 72 | - | |
| 73 | -=over 4 | |
| 74 | - | |
| 75 | -=item 0 | |
| 76 | - | |
| 77 | -The operation failed because B<CAfile> and B<CApath> are NULL or the | |
| 78 | -processing at one of the locations specified failed. Check the error | |
| 79 | -stack to find out the reason. | |
| 80 | - | |
| 81 | -=item 1 | |
| 82 | - | |
| 83 | -The operation succeeded. | |
| 84 | - | |
| 85 | -=back | |
| 86 | - | |
| 87 | -=head1 SEE ALSO | |
| 88 | - | |
| 89 | -L<ssl(3)|ssl(3)>, | |
| 90 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, | |
| 91 | -L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> | |
| 92 | - | |
| 93 | -=cut |
| @@ -1,90 +0,0 @@ | ||
| 1 | -=pod | |
| 2 | - | |
| 3 | -=head1 NAME | |
| 4 | - | |
| 5 | -SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, | |
| 6 | -SSL_add_client_CA - set list of CAs sent to the client when requesting a | |
| 7 | -client certificate | |
| 8 | - | |
| 9 | -=head1 SYNOPSIS | |
| 10 | - | |
| 11 | - #include <openssl/ssl.h> | |
| 12 | - | |
| 13 | - void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); | |
| 14 | - void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); | |
| 15 | - int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); | |
| 16 | - int SSL_add_client_CA(SSL *ssl, X509 *cacert); | |
| 17 | - | |
| 18 | -=head1 DESCRIPTION | |
| 19 | - | |
| 20 | -SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when | |
| 21 | -requesting a client certificate for B<ctx>. | |
| 22 | - | |
| 23 | -SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when | |
| 24 | -requesting a client certificate for the chosen B<ssl>, overriding the | |
| 25 | -setting valid for B<ssl>'s SSL_CTX object. | |
| 26 | - | |
| 27 | -SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the | |
| 28 | -list of CAs sent to the client when requesting a client certificate for | |
| 29 | -B<ctx>. | |
| 30 | - | |
| 31 | -SSL_add_client_CA() adds the CA name extracted from B<cacert> to the | |
| 32 | -list of CAs sent to the client when requesting a client certificate for | |
| 33 | -the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. | |
| 34 | - | |
| 35 | -=head1 NOTES | |
| 36 | - | |
| 37 | -When a TLS/SSL server requests a client certificate (see | |
| 38 | -B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which | |
| 39 | -it will accept certificates, to the client. If no special list is provided, | |
| 40 | -the CAs available using the B<CAfile> option in | |
| 41 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
| 42 | -are sent. | |
| 43 | - | |
| 44 | -This list can be explicitely set using the SSL_CTX_set_client_CA_list() for | |
| 45 | -B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list | |
| 46 | -specified overrides the previous setting. The CAs listed do not become | |
| 47 | -trusted (B<list> only contains the names, not the complete certificates); use | |
| 48 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
| 49 | -to additionally load them for verification. | |
| 50 | - | |
| 51 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional | |
| 52 | -items the list of client CAs. If no list was specified before using | |
| 53 | -SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client | |
| 54 | -CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly | |
| 55 | -specified using | |
| 56 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
| 57 | -are no longer used automatically. | |
| 58 | - | |
| 59 | -These functions are only useful for TLS/SSL servers. | |
| 60 | - | |
| 61 | -=head1 RETURN VALUES | |
| 62 | - | |
| 63 | -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return | |
| 64 | -diagnostic information. | |
| 65 | - | |
| 66 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return | |
| 67 | -values: | |
| 68 | - | |
| 69 | -=over 4 | |
| 70 | - | |
| 71 | -=item 1 | |
| 72 | - | |
| 73 | -The operation succeeded. | |
| 74 | - | |
| 75 | -=item 0 | |
| 76 | - | |
| 77 | -A failure while manipulating the STACK_OF(X509_NAME) object occured or | |
| 78 | -the X509_NAME could not be extracted from B<cacert>. Check the error stack | |
| 79 | -to find out the reason. | |
| 80 | - | |
| 81 | -=back | |
| 82 | - | |
| 83 | -=head1 SEE ALSO | |
| 84 | - | |
| 85 | -L<ssl(3)|ssl(3)>, | |
| 86 | -L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, | |
| 87 | -L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)> | |
| 88 | -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> | |
| 89 | - | |
| 90 | -=cut |
| @@ -1,52 +0,0 @@ | ||
| 1 | -=pod | |
| 2 | - | |
| 3 | -=head1 NAME | |
| 4 | - | |
| 5 | -SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs | |
| 6 | - | |
| 7 | -=head1 SYNOPSIS | |
| 8 | - | |
| 9 | - #include <openssl/ssl.h> | |
| 10 | - | |
| 11 | - STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); | |
| 12 | - STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); | |
| 13 | - | |
| 14 | -=head1 DESCRIPTION | |
| 15 | - | |
| 16 | -SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for | |
| 17 | -B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>. | |
| 18 | - | |
| 19 | -SSL_get_client_CA_list() returns the list of client CAs explicitely | |
| 20 | -set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with | |
| 21 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in | |
| 22 | -server mode. In client mode, SSL_get_client_CA_list returns the list of | |
| 23 | -client CAs sent from the server, if any. | |
| 24 | - | |
| 25 | -=head1 RETURN VALUES | |
| 26 | - | |
| 27 | -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return | |
| 28 | -diagnostic information. | |
| 29 | - | |
| 30 | -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return | |
| 31 | -values: | |
| 32 | - | |
| 33 | -=over 4 | |
| 34 | - | |
| 35 | -=item STACK_OF(X509_NAMES) | |
| 36 | - | |
| 37 | -List of CA names explicitely set (for B<ctx> or in server mode) or send | |
| 38 | -by the server (client mode). | |
| 39 | - | |
| 40 | -=item NULL | |
| 41 | - | |
| 42 | -No client CA list was explicitely set (for B<ctx> or in server mode) or | |
| 43 | -the server did not send a list of CAs (client mode). | |
| 44 | - | |
| 45 | -=back | |
| 46 | - | |
| 47 | -=head1 SEE ALSO | |
| 48 | - | |
| 49 | -L<ssl(3)|ssl(3)>, | |
| 50 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> | |
| 51 | - | |
| 52 | -=cut |
| @@ -1,62 +0,0 @@ | ||
| 1 | -=pod | |
| 2 | - | |
| 3 | -=head1 NAME | |
| 4 | - | |
| 5 | -SSL_load_client_CA_file - load certificate names from file | |
| 6 | - | |
| 7 | -=head1 SYNOPSIS | |
| 8 | - | |
| 9 | - #include <openssl/ssl.h> | |
| 10 | - | |
| 11 | - STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); | |
| 12 | - | |
| 13 | -=head1 DESCRIPTION | |
| 14 | - | |
| 15 | -SSL_load_client_CA_file() reads certificates from B<file> and returns | |
| 16 | -a STACK_OF(X509_NAME) with the subject names found. | |
| 17 | - | |
| 18 | -=head1 NOTES | |
| 19 | - | |
| 20 | -SSL_load_client_CA_file() reads a file of PEM formatted certificates and | |
| 21 | -extracts the X509_NAMES of the certificates found. While the name suggests | |
| 22 | -the specific usage as support function for | |
| 23 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, | |
| 24 | -it is not limited to CA certificates. | |
| 25 | - | |
| 26 | -=head1 EXAMPLES | |
| 27 | - | |
| 28 | -Load names of CAs from file and use it as a client CA list: | |
| 29 | - | |
| 30 | - SSL_CTX *ctx; | |
| 31 | - STACK_OF(X509_NAME) *cert_names; | |
| 32 | - | |
| 33 | - ... | |
| 34 | - cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); | |
| 35 | - if (cert_names != NULL) | |
| 36 | - SSL_CTX_set_client_CA_list(ctx, cert_names); | |
| 37 | - else | |
| 38 | - error_handling(); | |
| 39 | - ... | |
| 40 | - | |
| 41 | -=head1 RETURN VALUES | |
| 42 | - | |
| 43 | -The following return values can occur: | |
| 44 | - | |
| 45 | -=over 4 | |
| 46 | - | |
| 47 | -=item NULL | |
| 48 | - | |
| 49 | -The operation failed, check out the error stack for the reason. | |
| 50 | - | |
| 51 | -=item Pointer to STACK_OF(X509_NAME) | |
| 52 | - | |
| 53 | -Pointer to the subject names of the successfully read certificates. | |
| 54 | - | |
| 55 | -=back | |
| 56 | - | |
| 57 | -=head1 SEE ALSO | |
| 58 | - | |
| 59 | -L<ssl(3)|ssl(3)>, | |
| 60 | -L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> | |
| 61 | - | |
| 62 | -=cut |
Fork
bdcloud2020/openssl