diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2015-07-09 18:43:30 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-12-22 15:14:14 +0000 |
commit | 913592d2c58571a39540d8e4aeb3ea3b4db6a9f0 (patch) | |
tree | 84c82e89d6a78026f28fbdb09e45651eedb7b5c6 /doc | |
parent | 43d956fa65c66629f335b7bb7d4e190da5e99da7 (diff) |
SSL configuration module docs
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/config.pod | 28 | ||||
-rw-r--r-- | doc/ssl/SSL_CTX_config.pod | 84 |
2 files changed, 112 insertions, 0 deletions
diff --git a/doc/apps/config.pod b/doc/apps/config.pod index 9547bc53bb..474b4787af 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -208,6 +208,34 @@ For example: fips_mode = on +=head2 SSL CONFIGURATION MODULE + +This module has the name B<ssl_conf> which points to a section containing +SSL configurations. + +Each line in the SSL configuration section contains the name of the +configuration and the section containing it. + +Each configuration section consists of command value pairs for B<SSL_CONF>. +Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls +SSL_CTX_config() or SSL_config() with the appropriate configuration name. + +Note: any characters before an initial dot in the configuration section are +ignored so the same command can be used multiple times. + +For example: + + ssl_conf = ssl_sect + + [ssl_sect] + + server = server_section + + [server_section] + + RSA.Certificate = server-rsa.pem + ECDSA.Certificate = server-ecdsa.pem + Ciphers = ALL:!RC4 =head1 NOTES diff --git a/doc/ssl/SSL_CTX_config.pod b/doc/ssl/SSL_CTX_config.pod new file mode 100644 index 0000000000..0cf93dd99a --- /dev/null +++ b/doc/ssl/SSL_CTX_config.pod @@ -0,0 +1,84 @@ +=pod + +=head1 NAME + +SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure. + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_config(SSL_CTX *ctx, const char *name); + int SSL_config(SSL *s, const char *name); + +=head1 DESCRIPTION + +The functions SSL_CTX_config() and SSL_config() configure an B<SSL_CTX> or +B<SSL> structure using the configuration B<name>. + +=head1 NOTES + +By calling SSL_CTX_config() or SSL_config() an application can perform many +complex tasks based on the contents of the configuration file: greatly +simplifying application configuration code. A degree of future proofing +can also be achieved: an application can support configuration features +in newer versions of OpenSSL automatically. + +A configuration file must have been previously loaded, for example using +CONF_modules_load_file(). See L<config(3)> for details of the configuration +file syntax. + +=head1 RETURN VALUES + +SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error +occurred. + +=head1 EXAMPLE + +If the file "config.cnf" contains the following: + + testapp = test_sect + + [test_sect] + # list of confuration modules + + ssl_conf = ssl_sect + + [ssl_sect] + + server = server_section + + [server_section] + + RSA.Certificate = server-rsa.pem + ECDSA.Certificate = server-ecdsa.pem + Ciphers = ALL:!RC4 + +An application could call: + + if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) { + fprintf(stderr, "Error processing config file\n"); + goto err; + } + + ctx = SSL_CTX_new(TLS_server_method()); + + if (SSL_CTX_config(ctx, "server") == 0) { + fprintf(stderr, "Error configuring server.\n"); + goto err; + } + +In this example two certificates and the cipher list are configured without +the need for any additional application code. + +=head1 SEE ALSO + +L<config(3)>, +L<SSL_CONF_cmd(3)>, +L<CONF_modules_load_file(3)> + +=head1 HISTORY + +SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0 + +=cut |