]>
Commit | Line | Data |
---|---|---|
eeb15452 DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, | |
7b6b246f RS |
6 | SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, |
7 | SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, | |
8 | SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain, | |
9 | SSL_build_cert_chain, SSL_CTX_select_current_cert, | |
0f78819c DSH |
10 | SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert - extra |
11 | chain certificate processing | |
eeb15452 DSH |
12 | |
13 | =head1 SYNOPSIS | |
14 | ||
15 | #include <openssl/ssl.h> | |
16 | ||
17 | int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk); | |
18 | int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk); | |
7b6b246f | 19 | int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); |
eeb15452 | 20 | int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); |
7b6b246f RS |
21 | int SSL_CTX_get0_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **sk); |
22 | int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); | |
eeb15452 DSH |
23 | |
24 | int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *sk); | |
25 | int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *sk); | |
7b6b246f | 26 | int SSL_add0_chain_cert(SSL *ssl, X509 *x509); |
eeb15452 | 27 | int SSL_add1_chain_cert(SSL *ssl, X509 *x509); |
7b6b246f RS |
28 | int SSL_get0_chain_certs(SSL *ssl, STACK_OF(X509) **sk); |
29 | int SSL_clear_chain_certs(SSL *ssl); | |
eeb15452 DSH |
30 | |
31 | int SSL_CTX_build_cert_chain(SSL_CTX *ctx, flags); | |
7b6b246f RS |
32 | int SSL_build_cert_chain(SSL *ssl, flags); |
33 | ||
34 | int SSL_CTX_select_current_cert(SSL_CTX *ctx, X509 *x509); | |
35 | int SSL_select_current_cert(SSL *ssl, X509 *x509); | |
0f78819c DSH |
36 | int SSL_CTX_set_current_cert(SSL_CTX *ctx, long op); |
37 | int SSL_set_current_cert(SSL *ssl, long op); | |
eeb15452 DSH |
38 | |
39 | =head1 DESCRIPTION | |
40 | ||
41 | SSL_CTX_set0_chain() and SSL_CTX_set1_chain() set the certificate chain | |
7b6b246f | 42 | associated with the current certificate of B<ctx> to B<sk>. |
eeb15452 DSH |
43 | |
44 | SSL_CTX_add0_chain_cert() and SSL_CTX_add1_chain_cert() append the single | |
45 | certificate B<x509> to the chain associated with the current certificate of | |
46 | B<ctx>. | |
47 | ||
7b6b246f RS |
48 | SSL_CTX_get0_chain_certs() retrieves the chain associated with the current |
49 | certificate of B<ctx>. | |
50 | ||
51 | SSL_CTX_clear_chain_certs() clears any existing chain associated with the | |
52 | current certificate of B<ctx>. (This is implemented by calling | |
53 | SSL_CTX_set0_chain() with B<sk> set to B<NULL>). | |
54 | ||
13dc3ce9 DSH |
55 | SSL_CTX_build_cert_chain() builds the certificate chain for B<ctx> normally |
56 | this uses the chain store or the verify store if the chain store is not set. | |
eeb15452 | 57 | If the function is successful the built chain will replace any existing chain. |
13dc3ce9 DSH |
58 | The B<flags> parameter can be set to B<SSL_BUILD_CHAIN_FLAG_UNTRUSTED> to use |
59 | existing chain certificates as untrusted CAs, B<SSL_BUILD_CHAIN_FLAG_NO_ROOT> | |
60 | to omit the root CA from the built chain, B<SSL_BUILD_CHAIN_FLAG_CHECK> to | |
61 | use all existing chain certificates only to build the chain (effectively | |
62 | sanity checking and rearranging them if necessary), the flag | |
63 | B<SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR> ignores any errors during verification. | |
eeb15452 | 64 | |
7b6b246f RS |
65 | Each of these functions operates on the I<current> end entity |
66 | (i.e. server or client) certificate. This is the last certificate loaded or | |
67 | selected on the corresponding B<ctx> structure. | |
68 | ||
69 | SSL_CTX_select_current_cert() selects B<x509> as the current end entity | |
70 | certificate, but only if B<x509> has already been loaded into B<ctx> using a | |
71 | function such as SSL_CTX_use_certificate(). | |
72 | ||
73 | SSL_set0_chain(), SSL_set1_chain(), SSL_add0_chain_cert(), | |
74 | SSL_add1_chain_cert(), SSL_get0_chain_certs(), SSL_clear_chain_certs(), | |
0f78819c DSH |
75 | SSL_build_cert_chain(), SSL_select_current_cert() and SSL_set_current_cert() |
76 | are similar except they apply to SSL structure B<ssl>. | |
77 | ||
78 | SSL_CTX_set_current_cert() changes the current certificate to a value based | |
79 | on the B<op> argument. Currently B<op> can be B<SSL_CERT_SET_FIRST> to use | |
80 | the first valid certificate or B<SSL_CERT_SET_NEXT> to set the next valid | |
81 | certificate after the current certificate. These two operations can be | |
82 | used to iterate over all certificates in an B<SSL_CTX> structure. | |
eeb15452 | 83 | |
daddd9a9 DSH |
84 | SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>. |
85 | If B<ssl> is a server and has sent a certificate to a connected client | |
86 | this option sets that certificate to the current certificate and returns 1. | |
87 | If the negotiated ciphersuite is anonymous (and thus no certificate will | |
88 | be sent) 2 is returned and the current certificate is unchanged. If B<ssl> | |
89 | is not a server or a certificate has not been sent 0 is returned and | |
90 | the current certificate is unchanged. | |
91 | ||
eeb15452 DSH |
92 | All these functions are implemented as macros. Those containing a B<1> |
93 | increment the reference count of the supplied certificate or chain so it must | |
94 | be freed at some point after the operation. Those containing a B<0> do | |
95 | not increment reference counts and the supplied certificate or chain | |
96 | B<MUST NOT> be freed after the operation. | |
97 | ||
98 | =head1 NOTES | |
99 | ||
100 | The chains associate with an SSL_CTX structure are copied to any SSL | |
101 | structures when SSL_new() is called. SSL structures will not be affected | |
102 | by any chains subsequently changed in the parent SSL_CTX. | |
103 | ||
eeb15452 DSH |
104 | One chain can be set for each key type supported by a server. So, for example, |
105 | an RSA and a DSA certificate can (and often will) have different chains. | |
106 | ||
107 | The functions SSL_CTX_build_cert_chain() and SSL_build_cert_chain() can | |
108 | be used to check application configuration and to ensure any necessary | |
109 | subordinate CAs are sent in the correct order. Misconfigured applications | |
110 | sending incorrect certificate chains often cause problems with peers. | |
111 | ||
13dc3ce9 DSH |
112 | For example an application can add any set of certificates using |
113 | SSL_CTX_use_certificate_chain_file() then call SSL_CTX_build_cert_chain() | |
114 | with the option B<SSL_BUILD_CHAIN_FLAG_CHECK> to check and reorder them. | |
115 | ||
eeb15452 DSH |
116 | Calling SSL_CTX_build_cert_chain() or SSL_build_cert_chain() is more |
117 | efficient than the automatic chain building as it is only performed once. | |
118 | Automatic chain building is performed on each new session. | |
119 | ||
120 | If any certificates are added using these functions no certificates added | |
121 | using SSL_CTX_add_extra_chain_cert() will be used. | |
122 | ||
123 | =head1 RETURN VALUES | |
124 | ||
13dc3ce9 DSH |
125 | SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if |
126 | no server certificate is used because the ciphersuites is anonymous and 0 | |
127 | for failure. | |
128 | ||
129 | All other functions return 1 for success and 0 for failure. | |
eeb15452 | 130 | |
eeb15452 DSH |
131 | =head1 SEE ALSO |
132 | ||
133 | L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)> | |
134 | ||
135 | =head1 HISTORY | |
136 | ||
137 | These functions were first added to OpenSSL 1.0.2. | |
138 | ||
139 | =cut |