| | | |
|---|---|---|
| author | Dr. Stephen Henson <steve@openssl.org> | 2014-03-27 14:20:16 +0000 |
| committer | Dr. Stephen Henson <steve@openssl.org> | 2014-03-27 14:24:40 +0000 |
| commit | e970f63dc028e32df50fa7135e5e0334afa24d83 | |
| tree | e3a3465657051ce151207a138d77a789d8b11a07 /doc/ssl | |
| parent | 7c5718be271d9a47e8538adfde1909cd58943244 | |
Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.
If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.
(cherry picked from commit 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
Diffstat (limited to 'doc/ssl')
-rw-r--r-- | doc/ssl/SSL_CTX_add1_chain_cert.pod | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/doc/ssl/SSL_CTX_add1_chain_cert.pod b/doc/ssl/SSL_CTX_add1_chain_cert.pod index b508a342a5..786f31e4f6 100644 --- a/doc/ssl/SSL_CTX_add1_chain_cert.pod +++ b/doc/ssl/SSL_CTX_add1_chain_cert.pod @@ -60,7 +60,9 @@ existing chain certificates as untrusted CAs, B<SSL_BUILD_CHAIN_FLAG_NO_ROOT> to omit the root CA from the built chain, B<SSL_BUILD_CHAIN_FLAG_CHECK> to use all existing chain certificates only to build the chain (effectively sanity checking and rearranging them if necessary), the flag -B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification. +B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification: +if flag B<SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR> is also set verification errors +are cleared from the error queue. Each of these functions operates on the I<current> end entity (i.e. server or client) certificate. This is the last certificate loaded or @@ -113,6 +115,10 @@ For example an application can add any set of certificates using SSL_CTX_use_certificate_chain_file() then call SSL_CTX_build_cert_chain() with the option B<SSL_BUILD_CHAIN_FLAG_CHECK> to check and reorder them. +Applications can issue non fatal warnings when checking chains by setting +the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS> and checking the return +value. + Calling SSL_CTX_build_cert_chain() or SSL_build_cert_chain() is more efficient than the automatic chain building as it is only performed once. Automatic chain building is performed on each new session. @@ -126,6 +132,10 @@ SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if no server certificate is used because the ciphersuites is anonymous and 0 for failure. +SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success +and 0 for failure. If the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> and +a verification error occurs then 2 is returned. + All other functions return 1 for success and 0 for failure. =head1 SEE ALSO |
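Review bot: the sentence added in the first hunk ("if flag B<SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR> is also set verification errors are cleared from the error queue") only documents the positive case, while the point of this commit is that errors are no longer cleared unless that flag is set; say so explicitly, e.g. "otherwise they remain on the error queue and the application must examine or clear them itself", so callers who relied on the old clearing behaviour know what changed. A comma after "also set" would also make the sentence easier to parse.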
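Review bot: the flag name in the second hunk is wrong: B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS> (plural) does not match B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR>, which is the name used in the first and third hunks and in the commit message, so anyone copying the documented identifier will get an undeclared symbol. Also "non fatal" should be "non-fatal".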
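Review bot: the return-value sentence in the third hunk is missing its verb: "If the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> and a verification error occurs" should read "If the flag B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> is set and a verification error occurs". It is also worth stating that 2 means the chain was still built despite the verification error, because existing callers that test `ret == 1` will now treat that case as failure while callers that test `ret != 0` will accept it without noticing; since the commit message says the purpose is to let applications issue warnings, the text should tell callers to check for 2 explicitly.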