[thirdparty/openssl.git] / doc / man3 / SSL_CTX_set_cert_store.pod

=pod

=head1 NAME

SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);

=head1 DESCRIPTION

SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. If another X509_STORE object is currently
set in B<ctx>, it will be X509_STORE_free()ed.

SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. The B<store>'s reference count is incremented.
If another X509_STORE object is currently set in B<ctx>, it will be X509_STORE_free()ed.

SSL_CTX_get_cert_store() returns a pointer to the current certificate
verification storage.

=head1 NOTES

In order to verify the certificates presented by the peer, trusted CA
certificates must be accessed. These CA certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.

Typically the trusted certificate store is handled indirectly via using
L<SSL_CTX_load_verify_locations(3)>.
Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
it is possible to manipulate the X509_STORE object beyond the
L<SSL_CTX_load_verify_locations(3)>
call.

Currently no detailed documentation on how to use the X509_STORE
object is available. Not all members of the X509_STORE are used when
the verification takes place. So will e.g. the verify_callback() be
overridden with the verify_callback() set via the
L<SSL_CTX_set_verify(3)> family of functions.
This document must therefore be updated when documentation about the
X509_STORE object and its handling becomes available.

SSL_CTX_set_cert_store() does not increment the B<store>'s reference
count, so it should not be used to assign an X509_STORE that is owned
by another SSL_CTX.

To share X509_STOREs between two SSL_CTXs, use SSL_CTX_get_cert_store()
to get the X509_STORE from the first SSL_CTX, and then use
SSL_CTX_set1_cert_store() to assign to the second SSL_CTX and
increment the reference count of the X509_STORE.

=head1 RESTRICTIONS

The X509_STORE structure used by an SSL_CTX is used for verifying peer
certificates and building certificate chains, it is also shared by
every child SSL structure. Applications wanting finer control can use
functions such as SSL_CTX_set1_verify_cert_store() instead.

=head1 RETURN VALUES

SSL_CTX_set_cert_store() does not return diagnostic output.

SSL_CTX_set1_cert_store() does not return diagnostic output.

SSL_CTX_get_cert_store() returns the current setting.

=head1 SEE ALSO

L<ssl(7)>,
L<SSL_CTX_load_verify_locations(3)>,
L<SSL_CTX_set_verify(3)>

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
141e5849 LJ	1	=pod
	2
	3	=head1 NAME
	4
b50052db	5	SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
141e5849 LJ	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ssl.h>
	10
	11	void SSL_CTX_set_cert_store(SSL_CTX ctx, X509_STORE store);
b50052db	12	void SSL_CTX_set1_cert_store(SSL_CTX ctx, X509_STORE store);
c3e64028	13	X509_STORE SSL_CTX_get_cert_store(const SSL_CTX ctx);
141e5849 LJ	14
	15	=head1 DESCRIPTION
	16
	17	SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
a5200a1b	18	of B<ctx> to/with B<store>. If another X509_STORE object is currently
141e5849 LJ	19	set in B<ctx>, it will be X509_STORE_free()ed.
141e5849 LJ	20
b50052db TS	21	SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage
	22	of B<ctx> to/with B<store>. The B<store>'s reference count is incremented.
	23	If another X509_STORE object is currently set in B<ctx>, it will be X509_STORE_free()ed.
	24
141e5849 LJ	25	SSL_CTX_get_cert_store() returns a pointer to the current certificate
	26	verification storage.
	27
	28	=head1 NOTES
	29
	30	In order to verify the certificates presented by the peer, trusted CA
	31	certificates must be accessed. These CA certificates are made available
	32	via lookup methods, handled inside the X509_STORE. From the X509_STORE
	33	the X509_STORE_CTX used when verifying certificates is created.
	34
	35	Typically the trusted certificate store is handled indirectly via using
9b86974e	36	L<SSL_CTX_load_verify_locations(3)>.
141e5849 LJ	37	Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
141e5849 LJ	38	it is possible to manipulate the X509_STORE object beyond the
9b86974e	39	L<SSL_CTX_load_verify_locations(3)>
141e5849 LJ	40	call.
	41
	42	Currently no detailed documentation on how to use the X509_STORE
	43	object is available. Not all members of the X509_STORE are used when
	44	the verification takes place. So will e.g. the verify_callback() be
	45	overridden with the verify_callback() set via the
9b86974e	46	L<SSL_CTX_set_verify(3)> family of functions.
141e5849 LJ	47	This document must therefore be updated when documentation about the
	48	X509_STORE object and its handling becomes available.
	49
b50052db TS	50	SSL_CTX_set_cert_store() does not increment the B<store>'s reference
	51	count, so it should not be used to assign an X509_STORE that is owned
	52	by another SSL_CTX.
	53
	54	To share X509_STOREs between two SSL_CTXs, use SSL_CTX_get_cert_store()
	55	to get the X509_STORE from the first SSL_CTX, and then use
	56	SSL_CTX_set1_cert_store() to assign to the second SSL_CTX and
	57	increment the reference count of the X509_STORE.
	58
eeb15452 DSH	59	=head1 RESTRICTIONS
	60
	61	The X509_STORE structure used by an SSL_CTX is used for verifying peer
	62	certificates and building certificate chains, it is also shared by
1bc74519	63	every child SSL structure. Applications wanting finer control can use
eeb15452 DSH	64	functions such as SSL_CTX_set1_verify_cert_store() instead.
eeb15452 DSH	65
141e5849 LJ	66	=head1 RETURN VALUES
	67
	68	SSL_CTX_set_cert_store() does not return diagnostic output.
	69
b50052db TS	70	SSL_CTX_set1_cert_store() does not return diagnostic output.
b50052db TS	71
141e5849 LJ	72	SSL_CTX_get_cert_store() returns the current setting.
	73
	74	=head1 SEE ALSO
	75
b97fdb57	76	L<ssl(7)>,
9b86974e RS	77	L<SSL_CTX_load_verify_locations(3)>,
9b86974e RS	78	L<SSL_CTX_set_verify(3)>
141e5849	79
e2f92610 RS	80	=head1 COPYRIGHT
	81
	82	Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
	83
4746f25a	84	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	85	this file except in compliance with the License. You can obtain a copy
	86	in the file LICENSE in the source distribution or at
	87	L<https://www.openssl.org/source/license.html>.
	88
	89	=cut