=pod

=head1 NAME

SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
 void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);

=head1 DESCRIPTION

SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. If another X509_STORE object is currently
set in B<ctx>, it will be X509_STORE_free()ed.

SSL_CTX_set1_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. The B<store>'s reference count is incremented.
If another X509_STORE object is currently set in B<ctx>, it will be
X509_STORE_free()ed.

SSL_CTX_get_cert_store() returns a pointer to the current certificate
verification storage.

=head1 NOTES

In order to verify the certificates presented by the peer, trusted CA
certificates must be accessed. These CA certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.

Typically the trusted certificate store is handled indirectly by using
L<SSL_CTX_load_verify_locations(3)>.
Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
it is possible to manipulate the X509_STORE object beyond the
L<SSL_CTX_load_verify_locations(3)>
call.

Currently no detailed documentation on how to use the X509_STORE
object is available. Not all members of the X509_STORE are used when
the verification takes place. For example, the verify_callback() held in
the X509_STORE is overridden by the verify_callback() set via the
L<SSL_CTX_set_verify(3)> family of functions.
This document must therefore be updated when documentation about the
X509_STORE object and its handling becomes available.

SSL_CTX_set_cert_store() does not increment the B<store>'s reference
count, so it should not be used to assign an X509_STORE that is owned
by another SSL_CTX.

To share X509_STOREs between two SSL_CTXs, use SSL_CTX_get_cert_store()
to get the X509_STORE from the first SSL_CTX, and then use
SSL_CTX_set1_cert_store() to assign to the second SSL_CTX and
increment the reference count of the X509_STORE.

=head1 RESTRICTIONS

The X509_STORE structure used by an SSL_CTX is used for verifying peer
certificates and building certificate chains; it is also shared by
every child SSL structure. Applications wanting finer control can use
functions such as SSL_CTX_set1_verify_cert_store() instead.

=head1 RETURN VALUES

SSL_CTX_set_cert_store() does not return diagnostic output.

SSL_CTX_set1_cert_store() does not return diagnostic output.

SSL_CTX_get_cert_store() returns the current setting.

=head1 SEE ALSO

L<ssl(7)>,
L<SSL_CTX_load_verify_locations(3)>,
L<SSL_CTX_set_verify(3)>

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut