Diffstat (limited to 'doc/ssl')
34 files changed, 126 insertions, 144 deletions
diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod index 00b7118021..2e82f05241 100644 --- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod +++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod @@ -20,7 +20,7 @@ to B<prefix>. If B<prefix> is B<NULL> it is restored to the default value. Command prefixes alter the commands recognised by subsequent SSL_CTX_cmd() calls. For example for files, if the prefix "SSL" is set then command names such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol" -and "Options". Similarly for command lines if the prefix is "--ssl-" then +and "Options". Similarly for command lines if the prefix is "--ssl-" then "--ssl-no_tls1_2" is recognised instead of "-no_tls1_2". If the B<SSL_CONF_FLAG_CMDLINE> flag is set then prefix checks are case diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod index 4d4c32746e..fd782b3344 100644 --- a/doc/ssl/SSL_CTX_add_session.pod +++ b/doc/ssl/SSL_CTX_add_session.pod @@ -59,7 +59,7 @@ The following values are returned by all functions: session was not found in the cache. =item Z<>1 - + The operation succeeded. =back diff --git a/doc/ssl/SSL_CTX_flush_sessions.pod b/doc/ssl/SSL_CTX_flush_sessions.pod index 4c90016dab..e16775b7b8 100644 --- a/doc/ssl/SSL_CTX_flush_sessions.pod +++ b/doc/ssl/SSL_CTX_flush_sessions.pod @@ -26,7 +26,7 @@ As sessions will not be reused ones they are expired, they should be removed from the cache to save resources. This can either be done automatically whenever 255 new sessions were established (see L<SSL_CTX_set_session_cache_mode(3)>) -or manually by calling SSL_CTX_flush_sessions(). +or manually by calling SSL_CTX_flush_sessions(). The parameter B<tm> specifies the time which should be used for the expiration test, in most cases the actual time given by time(0) 
@@ -37,8 +37,6 @@ cache. When a session is found and removed, the remove_session_cb is however called to synchronize with the external cache (see L<SSL_CTX_sess_set_get_cb(3)>). -=head1 RETURN VALUES - =head1 SEE ALSO L<ssl(3)>, diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 19924da3ca..e8aa8ee937 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -9,11 +9,11 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS #include <openssl/ssl.h> void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*new_session_cb)(SSL *, SSL_SESSION *)); + int (*new_session_cb)(SSL *, SSL_SESSION *)); void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); + SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); @@ -22,7 +22,7 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, - int len, int *copy); + int len, int *copy); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod index 5e99d65167..2429dfbe06 100644 --- a/doc/ssl/SSL_CTX_set1_curves.pod +++ b/doc/ssl/SSL_CTX_set1_curves.pod 
@@ -23,7 +23,7 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve - EC supported curve SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen> curves in the array B<clist>. The array consist of all NIDs of curves in preference order. For a TLS client the curves are used directly in the -supported curves extension. For a TLS server the curves are used to +supported curves extension. For a TLS server the curves are used to determine the set of shared curves. SSL_CTX_set1_curves_list() sets the supported curves for B<ctx> to @@ -34,7 +34,7 @@ SSL_set1_curves() and SSL_set1_curves_list() are similar except they set supported curves for the SSL structure B<ssl>. SSL_get1_curves() returns the set of supported curves sent by a client -in the supported curves extension. It returns the total number of +in the supported curves extension. It returns the total number of supported curves. The B<curves> parameter can be B<NULL> to simply return the number of curves for memory allocation purposes. The B<curves> array is in the form of a set of curve NIDs in preference diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index 5343aa09df..fa6ce5611e 100644 --- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod @@ -54,7 +54,7 @@ any client certificate chain. The chain store is used to build the certificate chain. If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set or a certificate chain is -configured already (for example using the functions such as +configured already (for example using the functions such as L<SSL_CTX_add1_chain_cert(3)> or L<SSL_CTX_add_extra_chain_cert(3)>) then automatic chain building is disabled. diff --git a/doc/ssl/SSL_CTX_set_cert_store.pod b/doc/ssl/SSL_CTX_set_cert_store.pod index d53bf4fde4..27243f3ad5 100644 --- a/doc/ssl/SSL_CTX_set_cert_store.pod +++ b/doc/ssl/SSL_CTX_set_cert_store.pod 
@@ -46,7 +46,7 @@ X509_STORE object and its handling becomes available. The X509_STORE structure used by an SSL_CTX is used for verifying peer certificates and building certificate chains, it is also shared by -every child SSL structure. Applications wanting finer control can use +every child SSL structure. Applications wanting finer control can use functions such as SSL_CTX_set1_verify_cert_store() instead. =head1 RETURN VALUES diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod index 018335f00a..2eda8006c7 100644 --- a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod +++ b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod @@ -26,7 +26,7 @@ SSL_CTX_set_cert_verify_callback(), the supplied callback function is called instead. By setting I<callback> to NULL, the default behaviour is restored. When the verification must be performed, I<callback> will be called with -the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The +the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument I<arg> is specified by the application when setting I<callback>. I<callback> should return 1 to indicate verification success and 0 to @@ -35,7 +35,7 @@ returns 0, the handshake will fail. As the verification procedure may allow to continue the connection in case of failure (by always returning 1) the verification result must be set in any case using the B<error> member of I<x509_store_ctx> so that the calling application will be informed -about the detailed result of the verification procedure! +about the detailed result of the verification procedure! Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> function set using L<SSL_CTX_set_verify(3)>. @@ -54,8 +54,6 @@ the B<verify_callback> function. =head1 BUGS -=head1 RETURN VALUES - SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. =head1 SEE ALSO 
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 57d3f0a5d0..c0656abbf2 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -9,7 +9,7 @@ client certificate =head1 SYNOPSIS #include <openssl/ssl.h> - + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); @@ -42,7 +42,7 @@ This list must explicitly be set using SSL_CTX_set_client_CA_list() for B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list specified overrides the previous setting. The CAs listed do not become trusted (B<list> only contains the names, not the complete certificates); use -L<SSL_CTX_load_verify_locations(3)> +L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification. If the list of acceptable CAs is compiled in a file, the diff --git a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod index 670ed4b6c1..07b5e94f25 100644 --- a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod +++ b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod 
@@ -9,41 +9,41 @@ SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext - custom TLS extens #include <openssl/ssl.h> int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_extension_supported(unsigned int ext_type); typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, - const unsigned char **out, - size_t *outlen, int *al, - void *add_arg); + const unsigned char **out, + size_t *outlen, int *al, + void *add_arg); typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, - const unsigned char *out, - void *add_arg); + const unsigned char *out, + void *add_arg); typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, - const unsigned char *in, - size_t inlen, int *al, - void *parse_arg); + const unsigned char *in, + size_t inlen, int *al, + void *parse_arg); =head1 DESCRIPTION -SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client +SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. -SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server +SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. 
@@ -55,7 +55,7 @@ internally by OpenSSL and 0 otherwise. =head1 EXTENSION CALLBACKS -The callback B<add_cb> is called to send custom extension data to be +The callback B<add_cb> is called to send custom extension data to be included in ClientHello for TLS clients or ServerHello for servers. The B<ext_type> parameter is set to the extension type which will be added and B<add_arg> to the value set when the extension handler was added. diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod index 968be766bb..170f743f4e 100644 --- a/doc/ssl/SSL_CTX_set_generate_session_id.pod +++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod @@ -14,7 +14,7 @@ SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_s int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb); int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb); int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, - unsigned int id_len); + unsigned int id_len); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set_info_callback.pod b/doc/ssl/SSL_CTX_set_info_callback.pod index fd1dee90e9..f20284f506 100644 --- a/doc/ssl/SSL_CTX_set_info_callback.pod +++ b/doc/ssl/SSL_CTX_set_info_callback.pod 
@@ -110,40 +110,40 @@ The following example callback function prints state strings, information about alerts being handled and error messages to the B<bio_err> BIO. void apps_ssl_info_callback(SSL *s, int where, int ret) - { - const char *str; - int w; - - w=where& ~SSL_ST_MASK; - - if (w & SSL_ST_CONNECT) str="SSL_connect"; - else if (w & SSL_ST_ACCEPT) str="SSL_accept"; - else str="undefined"; - - if (where & SSL_CB_LOOP) - { - BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); - } - else if (where & SSL_CB_ALERT) - { - str=(where & SSL_CB_READ)?"read":"write"; - BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", - str, - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); - } - else if (where & SSL_CB_EXIT) - { - if (ret == 0) - BIO_printf(bio_err,"%s:failed in %s\n", - str,SSL_state_string_long(s)); - else if (ret < 0) - { - BIO_printf(bio_err,"%s:error in %s\n", - str,SSL_state_string_long(s)); - } - } - } + { + const char *str; + int w; + + w=where& ~SSL_ST_MASK; + + if (w & SSL_ST_CONNECT) str="SSL_connect"; + else if (w & SSL_ST_ACCEPT) str="SSL_accept"; + else str="undefined"; + + if (where & SSL_CB_LOOP) + { + BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); + } + else if (where & SSL_CB_ALERT) + { + str=(where & SSL_CB_READ)?"read":"write"; + BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", + str, + SSL_alert_type_string_long(ret), + SSL_alert_desc_string_long(ret)); + } + else if (where & SSL_CB_EXIT) + { + if (ret == 0) + BIO_printf(bio_err,"%s:failed in %s\n", + str,SSL_state_string_long(s)); + else if (ret < 0) + { + BIO_printf(bio_err,"%s:error in %s\n", + str,SSL_state_string_long(s)); + } + } + } =head1 SEE ALSO diff --git a/doc/ssl/SSL_CTX_set_psk_client_callback.pod b/doc/ssl/SSL_CTX_set_psk_client_callback.pod index 6895152856..c780bec7c3 100644 --- a/doc/ssl/SSL_CTX_set_psk_client_callback.pod +++ b/doc/ssl/SSL_CTX_set_psk_client_callback.pod 
@@ -9,13 +9,13 @@ SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback - set PSK client ca #include <openssl/ssl.h> void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); void SSL_set_psk_client_callback(SSL *ssl, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set_security_level.pod b/doc/ssl/SSL_CTX_set_security_level.pod index 446ab1a15b..60c3e44213 100644 --- a/doc/ssl/SSL_CTX_set_security_level.pod +++ b/doc/ssl/SSL_CTX_set_security_level.pod @@ -15,12 +15,12 @@ SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, int SSL_get_security_level(const SSL *s); void SSL_CTX_set_security_callback(SSL_CTX *ctx, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); void SSL_set_security_callback(SSL *s, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); 
diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod index d891372295..d7a4c1cce7 100644 --- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -26,7 +26,7 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX object. In order to reuse a session, a client must send the session's id to the -server. It can only send exactly one id. The server then either +server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session). diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod index 4ae381861a..4d9cd5e19e 100644 --- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -10,13 +10,13 @@ SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, int (*cb)(SSL *s, unsigned char key_name[16], - unsigned char iv[EVP_MAX_IV_LENGTH], - EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); + unsigned char iv[EVP_MAX_IV_LENGTH], + EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); =head1 DESCRIPTION SSL_CTX_set_tlsext_ticket_key_cb() sets a callback function I<cb> for handling -session tickets for the ssl context I<sslctx>. Session tickets, defined in +session tickets for the ssl context I<sslctx>. Session tickets, defined in RFC5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state. It only applies to TLS and there is no SSLv3 implementation. 
@@ -26,9 +26,9 @@ session when session ticket extension is presented in the TLS hello message. It is the responsibility of this function to create or retrieve the cryptographic parameters and to maintain their state. -The OpenSSL library uses your callback function to help implement a common TLS +The OpenSSL library uses your callback function to help implement a common TLS ticket construction state according to RFC5077 Section 4 such that per session -state is unnecessary and a small set of cryptographic variables needs to be +state is unnecessary and a small set of cryptographic variables needs to be maintained by the callback function implementation. In order to reuse a session, a TLS client must send the a session ticket @@ -56,7 +56,7 @@ I<ctx> should use the initialisation vector I<iv>. The cipher context can be set using L<EVP_EncryptInit_ex(3)>. The hmac context can be set using L<HMAC_Init_ex(3)>. -When the client presents a session ticket, the callback function with be called +When the client presents a session ticket, the callback function with be called with I<enc> set to 0 indicating that the I<cb> function should retrieve a set of parameters. In this case I<name> and I<iv> have already been parsed out of the session ticket. The OpenSSL library expects that the I<name> will be used @@ -76,7 +76,7 @@ further processing will occur. The following return values have meaning: =item Z<>2 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. Additionally it indicates that the session ticket is in a renewal period and should be replaced. The OpenSSL library will call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 
@@ -84,12 +84,12 @@ call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 =item Z<>1 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. =item Z<>0 -This indicates that it was not possible to set/retrieve a session ticket and +This indicates that it was not possible to set/retrieve a session ticket and the SSL/TLS session will continue by negotiating a set of cryptographic parameters or using the alternate SSL/TLS resumption mechanism, session ids. @@ -133,7 +133,7 @@ Reference Implementation: if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { return -1; /* insufficient random */ } - + key = currentkey(); /* something that you need to implement */ if ( !key ) { /* current key doesn't exist or isn't valid */ @@ -146,19 +146,19 @@ Reference Implementation: } } memcpy(key_name, key->name, 16); - + EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); - + return 1; - + } else { /* retrieve session */ key = findkey(name); - + if (!key || key->expire < now() ) { return 0; } - + HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv ); @@ -167,7 +167,7 @@ Reference Implementation: return 2; } return 1; - + } } diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index e1cd4d2b2f..60b0d179b0 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -208,7 +208,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). preverify_ok = 0; err = X509_V_ERR_CERT_CHAIN_TOO_LONG; X509_STORE_CTX_set_error(ctx, err); - } + } if (!preverify_ok) { printf("verify error:num=%d:%s:depth=%d:%s\n", err, X509_verify_cert_error_string(err), depth, buf); 
@@ -258,7 +258,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). SSL_set_ex_data(ssl, mydata_index, &mydata); ... - SSL_accept(ssl); /* check of success left out for clarity */ + SSL_accept(ssl); /* check of success left out for clarity */ if (peer = SSL_get_peer_certificate(ssl)) { if (SSL_get_verify_result(ssl) == X509_V_OK) diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod index 79b13873e1..4f39abb2d8 100644 --- a/doc/ssl/SSL_CTX_use_certificate.pod +++ b/doc/ssl/SSL_CTX_use_certificate.pod @@ -20,7 +20,7 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, - long len); + long len); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); @@ -67,7 +67,7 @@ SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>. See the NOTES section on why SSL_CTX_use_certificate_chain_file() should be preferred. -SSL_CTX_use_certificate_chain_file() loads a certificate chain from +SSL_CTX_use_certificate_chain_file() loads a certificate chain from B<file> into B<ctx>. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and @@ -82,7 +82,7 @@ If a certificate has already been set and the private does not belong to the certificate an error is returned. To change a certificate, private key pair the new certificate needs to be set with SSL_use_certificate() or SSL_CTX_use_certificate() before setting the private key with -SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). +SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk> 
@@ -109,14 +109,14 @@ the same check for B<ssl>. If no key/certificate was explicitly added for this B<ssl>, the last item added into B<ctx> will be checked. =head1 NOTES - + The internal certificate store of OpenSSL can hold several private key/certificate pairs at a time. The certificate used depends on the cipher selected, see also L<SSL_CTX_set_cipher_list(3)>. When reading certificates and private keys from file, files of type SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain -one certificate or private key, consequently +one certificate or private key, consequently SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. Files of type SSL_FILETYPE_PEM can contain more than one item. @@ -124,7 +124,7 @@ SSL_CTX_use_certificate_chain_file() adds the first certificate found in the file to the certificate store. The other certificates are added to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single certificat |
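Review bot: in the SSL_CTX_flush_sessions.pod hunk at @@ -26, the line immediately above the one whose trailing whitespace is stripped still reads "As sessions will not be reused ones they are expired"; "ones" should be "once". Since the hunk already touches this paragraph, fix the word in the same pass.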
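Review bot: in the SSL_CTX_sess_set_get_cb.pod synopsis hunk at @@ -9, the reindented line `SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *));` still declares the callback as returning an `SSL_SESSION` by value, while the typedef further down the same page (`SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, int len, int *copy);`) returns a pointer. Since the line is being rewritten anyway, change it to `SSL_SESSION *(*get_session_cb)(SSL *, const unsigned char *, int, int *));`, and pick one of `const unsigned char *` or `unsigned char *data` for both declarations so the two prototypes agree.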
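Review bot: in the SSL_CTX_set_cert_verify_callback.pod hunk at @@ -54, the `=head1 RETURN VALUES` heading being removed is not an empty section: the sentence "SSL_CTX_set_cert_verify_callback() does not provide diagnostic information." that follows it now ends up under `=head1 BUGS`, where it reads as a defect rather than as a statement that the setter returns nothing. Keep RETURN VALUES and drop the empty BUGS heading instead (or move the sentence back under RETURN VALUES). The parallel removal in SSL_CTX_flush_sessions.pod is fine because that heading really had no body.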
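Review bot: in the SSL_CTX_set_generate_session_id.pod hunk at @@ -14, the context line `int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);` has a stray comma that makes the prototype invalid C; it should read `int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb);`. Worth fixing while the synopsis block is being reindented.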
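Review bot: in the SSL_CTX_set_tlsext_ticket_key_cb.pod synopsis hunk at @@ -10, the first context line `long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx,` passes the context by value; the rest of the page and every other SSL_CTX_* synopsis take a pointer, so it should be `SSL_CTX *sslctx`. The reindent of the following lines is an opportunity to fix that line as well.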
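Review bot: in the SSL_CTX_set_tlsext_ticket_key_cb.pod hunk at @@ -26, the trailing context line "In order to reuse a session, a TLS client must send the a session ticket" has a doubled article ("the a"); drop "the". Same hunk, same pass.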
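Review bot: in the SSL_CTX_set_tlsext_ticket_key_cb.pod hunk at @@ -56, the line being rewritten only loses its trailing space while keeping the typo "the callback function with be called"; change "with" to "will" on the `+` line so the same line is not touched twice.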
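Review bot: in the SSL_CTX_set_tlsext_ticket_key_cb.pod reference implementation hunk at @@ -133, the context line `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { return -1; /* insufficient random */ }` has the check inverted: RAND_bytes() returns 1 on success, so this code returns -1 precisely when the IV was generated and carries on with an unfilled `iv` when it was not. It should be `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)`. Since this patch is already editing blank lines inside that code sample, the logic error is worth fixing here or in an immediate follow-up; readers copy this block as the canonical ticket-key callback.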
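Review bot: in the SSL_CTX_set_tlsext_ticket_key_cb.pod hunk at @@ -146, the context lines `EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);`, `HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);` and `EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv );` take the address of `ctx` and `hctx`, but the synopsis on the same page declares them as `EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx`, so `&ctx` is an `EVP_CIPHER_CTX **` and the sample does not compile. Drop the `&` in all four calls while the surrounding whitespace is being cleaned.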
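Review bot: in the SSL_CTX_set_verify.pod hunk at @@ -258, the context line `if (peer = SSL_get_peer_certificate(ssl)) {` uses an assignment as the condition; in example code this draws compiler warnings and reads as a possible `==` typo. Prefer `if ((peer = SSL_get_peer_certificate(ssl)) != NULL) {` when the block is next touched.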
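Review bot: in the SSL_CTX_use_certificate.pod hunk at @@ -82, the first context line "If a certificate has already been set and the private does not belong to the certificate" is missing the word "key" after "private". The hunk already edits the end of this paragraph, so the sentence should be corrected here rather than left for another whitespace-only pass.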