author    Dr. Stephen Henson <steve@openssl.org>  2015-07-14 14:18:37 +0100
committer Dr. Stephen Henson <steve@openssl.org>  2015-07-21 13:56:24 +0100
commit    429261d0d836fa44213eae99abbf19dbb6194daf
tree      bd6fe33c9dea7683f2fe92db6e40b77e33d4a3a0 /doc
parent    7e5363abe3c00d9db037f464f3c121e194bb5bb6
SSL_CONF additions.
Add support for loading verify and chain stores in SSL_CONF. Commands to
set verify mode and client CA names. Add documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'doc')
-rw-r--r--  doc/ssl/SSL_CONF_cmd.pod  27
1 file changed, 27 insertions, 0 deletions
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index dbdacd1f73..16b368a6f3 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -195,6 +195,12 @@ context. This option is only supported if certificate operations
are permitted. Note: if no B<PrivateKey> option is set then a private key is
not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
+=item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath>
+
+These options indicate a file or directory used for building certificate
+chains or verifying certificate chains. These options are only supported
+if certificate operations are permitted.
+
=item B<ServerInfoFile>
Attempts to use the file B<value> in the "serverinfo" extension using the
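Review bot: the four options in this new item are described collectively, so the entry never says which store each pair feeds. The names suggest that B<ChainCAFile>/B<ChainCAPath> supply the store consulted when building this end's own certificate chain and B<VerifyCAFile>/B<VerifyCAPath> the store consulted when verifying the peer's chain, but "a file or directory used for building certificate chains or verifying certificate chains" leaves the reader to guess the mapping. Split the sentence per pair, state the expected format of the file and directory (the B<ClientCAFile> entry added later in this patch does say "in PEM format", so be consistent), and say whether a second use of the same command adds to or replaces the store.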
@@ -306,6 +312,27 @@ B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
+=item B<VerifyMode>
+
+The B<value> argument is a comma separated list of flags to set.
+
+B<Peer> enables peer verification: for clients only.
+
+B<Request> requests but does not require a certificate from the client.
+Servers only.
+
+B<Require> requests and requires a certificate from the client: an error
+occurs if the client does not present a certificate. Servers only.
+
+B<Once> requests a certificate from a client only on the initial connection:
+not when renegotiating. Servers only.
+
+=item B<ClientCAFile>, B<ClientCAPath>
+
+A file or directory of certificates in PEM format whose names are used as the
+set of acceptable names for client CAs. Servers only. This option is only
+supported if certificate operations are permitted.
+
=back
=head1 SUPPORTED COMMAND TYPES
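Review bot: the B<VerifyMode> entry does not say how the listed flags combine or what an empty list does. B<Require> is described as "requests and requires a certificate", so a reader cannot tell whether B<Require> alone suffices or must be paired with B<Request>, and B<Once> does not say whether it implies B<Request>. State the combination rules and, following the B<UnsafeLegacyServerConnect> entry just above ("Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>"), name the B<SSL_VERIFY_*> constant each keyword maps to. In the B<ClientCAFile>/B<ClientCAPath> entry, "whose names are used" should say which names are meant (presumably the certificates' subject names) and that they are what is sent to the client as the acceptable CA list; since both entries say "Servers only", also note whether a client context rejects or silently ignores the command.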