[thirdparty/openssl.git] / doc / ssl / SSL_CTX_set_cert_store.pod

=pod

=head1 NAME

SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);

=head1 DESCRIPTION

SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. If another X509_STORE object is currently
set in B<ctx>, it will be X509_STORE_free()ed.

SSL_CTX_get_cert_store() returns a pointer to the current certificate
verification storage.

=head1 NOTES

In order to verify the certificates presented by the peer, trusted CA
certificates must be accessed. These CA certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.

Typically the trusted certificate store is handled indirectly via using
L<SSL_CTX_load_verify_locations(3)>.
Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
it is possible to manipulate the X509_STORE object beyond the
L<SSL_CTX_load_verify_locations(3)>
call.

Currently no detailed documentation on how to use the X509_STORE
object is available. Not all members of the X509_STORE are used when
the verification takes place. So will e.g. the verify_callback() be
overridden with the verify_callback() set via the
L<SSL_CTX_set_verify(3)> family of functions.
This document must therefore be updated when documentation about the
X509_STORE object and its handling becomes available.

=head1 RESTRICTIONS

The X509_STORE structure used by an SSL_CTX is used for verifying peer
certificates and building certificate chains, it is also shared by
every child SSL structure. Applications wanting finer control can use
functions such as SSL_CTX_set1_verify_cert_store() instead.

=head1 RETURN VALUES

SSL_CTX_set_cert_store() does not return diagnostic output.

SSL_CTX_get_cert_store() returns the current setting.

=head1 SEE ALSO

L<ssl(3)>,
L<SSL_CTX_load_verify_locations(3)>,
L<SSL_CTX_set_verify(3)>

=cut

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
141e5849 LJ	1	=pod
	2
	3	=head1 NAME
	4
	5	SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ssl.h>
	10
	11	void SSL_CTX_set_cert_store(SSL_CTX ctx, X509_STORE store);
c3e64028	12	X509_STORE SSL_CTX_get_cert_store(const SSL_CTX ctx);
141e5849 LJ	13
	14	=head1 DESCRIPTION
	15
	16	SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
a5200a1b	17	of B<ctx> to/with B<store>. If another X509_STORE object is currently
141e5849 LJ	18	set in B<ctx>, it will be X509_STORE_free()ed.
	19
	20	SSL_CTX_get_cert_store() returns a pointer to the current certificate
	21	verification storage.
	22
	23	=head1 NOTES
	24
	25	In order to verify the certificates presented by the peer, trusted CA
	26	certificates must be accessed. These CA certificates are made available
	27	via lookup methods, handled inside the X509_STORE. From the X509_STORE
	28	the X509_STORE_CTX used when verifying certificates is created.
	29
	30	Typically the trusted certificate store is handled indirectly via using
9b86974e	31	L<SSL_CTX_load_verify_locations(3)>.
141e5849 LJ	32	Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
141e5849 LJ	33	it is possible to manipulate the X509_STORE object beyond the
9b86974e	34	L<SSL_CTX_load_verify_locations(3)>
141e5849 LJ	35	call.
	36
	37	Currently no detailed documentation on how to use the X509_STORE
	38	object is available. Not all members of the X509_STORE are used when
	39	the verification takes place. So will e.g. the verify_callback() be
	40	overridden with the verify_callback() set via the
9b86974e	41	L<SSL_CTX_set_verify(3)> family of functions.
141e5849 LJ	42	This document must therefore be updated when documentation about the
	43	X509_STORE object and its handling becomes available.
	44
eeb15452 DSH	45	=head1 RESTRICTIONS
	46
	47	The X509_STORE structure used by an SSL_CTX is used for verifying peer
	48	certificates and building certificate chains, it is also shared by
1bc74519	49	every child SSL structure. Applications wanting finer control can use
eeb15452 DSH	50	functions such as SSL_CTX_set1_verify_cert_store() instead.
eeb15452 DSH	51
141e5849 LJ	52	=head1 RETURN VALUES
	53
	54	SSL_CTX_set_cert_store() does not return diagnostic output.
	55
	56	SSL_CTX_get_cert_store() returns the current setting.
	57
	58	=head1 SEE ALSO
	59
9b86974e RS	60	L<ssl(3)>,
	61	L<SSL_CTX_load_verify_locations(3)>,
	62	L<SSL_CTX_set_verify(3)>
141e5849 LJ	63
141e5849 LJ	64	=cut
e2f92610 RS	65
	66	=head1 COPYRIGHT
	67
	68	Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
	69
	70	Licensed under the OpenSSL license (the "License"). You may not use
	71	this file except in compliance with the License. You can obtain a copy
	72	in the file LICENSE in the source distribution or at
	73	L<https://www.openssl.org/source/license.html>.
	74
	75	=cut