| author | Dr. Stephen Henson <steve@openssl.org> | 2015-07-14 14:18:37 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2015-07-21 13:56:24 +0100 |
| commit | 429261d0d836fa44213eae99abbf19dbb6194daf (patch) | |
| tree | bd6fe33c9dea7683f2fe92db6e40b77e33d4a3a0 /doc | |
| parent | 7e5363abe3c00d9db037f464f3c121e194bb5bb6 (diff) | |
SSL_CONF additions.
Add support for loading verify and chain stores in SSL_CONF.
Commands to set verify mode and client CA names.
Add documentation.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/ssl/SSL_CONF_cmd.pod | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index dbdacd1f73..16b368a6f3 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -195,6 +195,12 @@ context. This option is only supported if certificate operations are permitted. Note: if no B<PrivateKey> option is set then a private key is not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set. +=item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath> + +These options indicate a file or directory used for building certificate +chains or verifying certificate chains. These options are only supported +if certificate operations are permitted. + =item B<ServerInfoFile> Attempts to use the file B<value> in the "serverinfo" extension using the @@ -306,6 +312,27 @@ B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>. Set by default. +=item B<VerifyMode> + +The B<value> argument is a comma separated list of flags to set. + +B<Peer> enables peer verification: for clients only. + +B<Request> requests but does not require a certificate from the client. +Servers only. + +B<Require> requests and requires a certificate from the client: an error +occurs if the client does not present a certificate. Servers only. + +B<Once> requests a certificate from a client only on the initial connection: +not when renegotiating. Servers only. + +=item B<ClientCAFile>, B<ClientCAPath> + +A file or directory of certificates in PEM format whose names are used as the +set of acceptable names for client CAs. Servers only. This option is only +supported if certificate operations are permitted. + =back =head1 SUPPORTED COMMAND TYPES |
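Review bot: the new B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath> entry in the first hunk does not say which pair is used for building chains and which for verifying them; the single sentence "used for building certificate chains or verifying certificate chains" leaves the reader to infer the split from the option names, and confusing the two stores changes what a peer's certificate is checked against. Suggest documenting the pairs separately, e.g. "B<ChainCAFile>, B<ChainCAPath>: a file or directory of certificates used when building certificate chains" and "B<VerifyCAFile>, B<VerifyCAPath>: a file or directory of certificates used when verifying certificate chains", and stating the expected format the way the B<ClientCAFile> entry in the second hunk does ("in PEM format").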
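Review bot: the B<VerifyMode> entry in the second hunk does not state the default when the option is absent, nor what happens when a flag is given for the wrong side (B<Peer> is documented "for clients only", the other three "Servers only"), so a reader cannot tell whether, say, B<Request> in a client configuration is rejected, ignored, or applied. Suggest a sentence after the flag list giving the default and the behaviour for an inapplicable flag. It would also help to say explicitly that B<Request> alone still accepts a client that presents no certificate (only B<Require> makes that an error, as the text says), and that B<ClientCAFile>/B<ClientCAPath> only define the set of acceptable client CA names and do not by themselves populate the store used for "verifying certificate chains" (B<VerifyCAFile>/B<VerifyCAPath> in the first hunk), so a server that wants client authentication needs both configured.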