author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2014-06-22 01:38:57 -0400 |
---|---|---|
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2014-06-22 20:32:35 -0400 |
commit | 8abffa4a73fcbf6536e0a42d736ed9211a8204ea (patch) | |
tree | c56ae9164778b27dc1b03008b9377b2125cedb28 /doc/crypto/X509_VERIFY_PARAM_set_flags.pod | |
parent | 66d884f06770f2daaee8016299ef7e1e3b91dfd1 (diff) |
Multiple verifier reference identities.
Implemented as STACK_OF(OPENSSL_STRING).
Diffstat (limited to 'doc/crypto/X509_VERIFY_PARAM_set_flags.pod')
-rw-r--r-- | doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 7b1f294e89..18c0f6eac9 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -2,7 +2,7 @@
 =head1 NAME
-X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
+X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters
 =head1 SYNOPSIS
@@ -28,6 +28,8 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
 const unsigned char *name, size_t namelen);
+ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const unsigned char *name, size_t namelen);
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
 unsigned int flags);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
@@ -72,16 +74,26 @@ X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B<depth>. That is the maximum number of untrusted CA certificates that can appear in a chain.
-X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to B<name>. If
-B<name> is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> must
-be set to the length of B<name>. When a hostname is specified, certificate
-verification automatically invokes L<X509_check_host(3)> with flags equal to
-the B<flags> argument given to B<X509_VERIFY_PARAM_set_hostflags()> (default
-zero). Applications are strongly advised to use this interface in preference
-to explicitly calling L<X509_check_host(3)>, hostname checks are
-out of scope with the DANE-EE(3) certificate usage, and the internal
-check will be suppressed as appropriate when DANE support is added
-to OpenSSL.
+X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
+B<name> clearing any previously specified host name or names. If
+B<name> is NULL, or empty the list of hostnames is cleared, and
+name checks are not performed on the peer certificate. If B<name>
+is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
+must be set to the length of B<name>. When a hostname is specified,
+certificate verification automatically invokes L<X509_check_host(3)>
+with flags equal to the B<flags> argument given to
+B<X509_VERIFY_PARAM_set_hostflags()> (default zero). Applications
+are strongly advised to use this interface in preference to explicitly
+calling L<X509_check_host(3)>, hostname checks are out of scope
+with the DANE-EE(3) certificate usage, and the internal check will
+be suppressed as appropriate when DANE support is added to OpenSSL.
+
+X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference
+identifer that can match the peer's certificate. Any previous names
+set via X509_VERIFY_PARAM_set1_host() or X509_VERIFY_PARAM_add1_host()
+are retained, no change is made if B<name> is NULL or empty. When
+multiple names are configured, the peer is considered verified when
+any name matches.
 X509_VERIFY_PARAM_set1_email() sets the expected RFC822 email address to B<email>. If B<email> is NUL-terminated, B<emaillen> may be zero, otherwise |