[thirdparty/openssl.git] / doc / man3 / SSL_CTX_set_client_cert_cb.pod

=pod

=head1 NAME

SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
                                 int (*client_cert_cb)(SSL *ssl, X509 **x509,
                                                       EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
                                                 EVP_PKEY **pkey);
 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);

=head1 DESCRIPTION

SSL_CTX_set_client_cert_cb() sets the client_cert_cb() callback, that is
called when a client certificate is requested by a server and no certificate
was yet set for the SSL object.

When client_cert_cb() is NULL, no callback function is used.

SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback
function.

client_cert_cb() is the application defined callback. If it wants to
set a certificate, a certificate/private key combination must be set
using the B<x509> and B<pkey> arguments and "1" must be returned. The
certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
If no certificate should be set, "0" has to be returned and no certificate
will be sent. A negative return value will suspend the handshake and the
handshake function will return immediately. L<SSL_get_error(3)>
will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
suspended. The next call to the handshake function will again lead to the call
of client_cert_cb(). It is the job of the client_cert_cb() to store information
about the state of the last call, if required to continue.

=head1 NOTES

During a handshake (or renegotiation) a server may request a certificate
from the client. A client certificate must only be sent, when the server
did send the request.

When a certificate was set using the
L<SSL_CTX_use_certificate(3)> family of functions,
it will be sent to the server. The TLS standard requires that only a
certificate is sent, if it matches the list of acceptable CAs sent by the
server. This constraint is violated by the default behavior of the OpenSSL
library. Using the callback function it is possible to implement a proper
selection routine or to allow a user interaction to choose the certificate to
be sent.

If a callback function is defined and no certificate was yet defined for the
SSL object, the callback function will be called.
If the callback function returns a certificate, the OpenSSL library
will try to load the private key and certificate data into the SSL
object using the SSL_use_certificate() and SSL_use_private_key() functions.
Thus it will permanently install the certificate and key for this SSL
object. It will not be reset by calling L<SSL_clear(3)>.
If the callback returns no certificate, the OpenSSL library will not send
a certificate.

=head1 RETURN VALUES

SSL_CTX_get_client_cert_cb() returns function pointer of client_cert_cb() or
NULL if the callback is not set.

=head1 BUGS

The client_cert_cb() cannot return a complete certificate chain, it can
only return one client certificate. If the chain only has a length of 2,
the root CA certificate may be omitted according to the TLS standard and
thus a standard conforming answer can be sent to the server. For a
longer chain, the client must send the complete chain (with the option
to leave out the root CA certificate). This can only be accomplished by
either adding the intermediate CA certificates into the trusted
certificate store for the SSL_CTX object (resulting in having to add
CA certificates that otherwise maybe would not be trusted), or by adding
the chain certificates using the
L<SSL_CTX_add_extra_chain_cert(3)>
function, which is only available for the SSL_CTX object as a whole and that
therefore probably can only apply for one client certificate, making
the concept of the callback function (to allow the choice from several
certificates) questionable.

Once the SSL object has been used in conjunction with the callback function,
the certificate will be set for the SSL object and will not be cleared
even when L<SSL_clear(3)> is being called. It is therefore
mandatory to destroy the SSL object using L<SSL_free(3)>
and create a new one to return to the previous state.

=head1 SEE ALSO

L<ssl(7)>, L<SSL_CTX_use_certificate(3)>,
L<SSL_CTX_add_extra_chain_cert(3)>,
L<SSL_get_client_CA_list(3)>,
L<SSL_clear(3)>, L<SSL_free(3)>

=head1 COPYRIGHT

Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
f0d6ee6b LJ	1	=pod
	2
	3	=head1 NAME
	4
	5	SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function
	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ssl.h>
	10
e9b77246 BB	11	void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
	12	int (client_cert_cb)(SSL ssl, X509 **x509,
	13	EVP_PKEY **pkey));
	14	int (SSL_CTX_get_client_cert_cb(SSL_CTX ctx))(SSL ssl, X509 *x509,
	15	EVP_PKEY **pkey);
f0d6ee6b LJ	16	int (client_cert_cb)(SSL ssl, X509 x509, EVP_PKEY pkey);
	17
	18	=head1 DESCRIPTION
	19
35cb565a	20	SSL_CTX_set_client_cert_cb() sets the client_cert_cb() callback, that is
8586df1e LJ	21	called when a client certificate is requested by a server and no certificate
	22	was yet set for the SSL object.
	23
35cb565a	24	When client_cert_cb() is NULL, no callback function is used.
f0d6ee6b LJ	25
	26	SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback
	27	function.
	28
	29	client_cert_cb() is the application defined callback. If it wants to
	30	set a certificate, a certificate/private key combination must be set
	31	using the B<x509> and B<pkey> arguments and "1" must be returned. The
	32	certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
8586df1e LJ	33	If no certificate should be set, "0" has to be returned and no certificate
8586df1e LJ	34	will be sent. A negative return value will suspend the handshake and the
9b86974e	35	handshake function will return immediately. L<SSL_get_error(3)>
8586df1e LJ	36	will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
	37	suspended. The next call to the handshake function will again lead to the call
	38	of client_cert_cb(). It is the job of the client_cert_cb() to store information
	39	about the state of the last call, if required to continue.
f0d6ee6b LJ	40
	41	=head1 NOTES
	42
	43	During a handshake (or renegotiation) a server may request a certificate
	44	from the client. A client certificate must only be sent, when the server
	45	did send the request.
	46
8586df1e	47	When a certificate was set using the
9b86974e	48	L<SSL_CTX_use_certificate(3)> family of functions,
8586df1e LJ	49	it will be sent to the server. The TLS standard requires that only a
	50	certificate is sent, if it matches the list of acceptable CAs sent by the
	51	server. This constraint is violated by the default behavior of the OpenSSL
	52	library. Using the callback function it is possible to implement a proper
	53	selection routine or to allow a user interaction to choose the certificate to
	54	be sent.
	55
	56	If a callback function is defined and no certificate was yet defined for the
	57	SSL object, the callback function will be called.
f0d6ee6b LJ	58	If the callback function returns a certificate, the OpenSSL library
f0d6ee6b LJ	59	will try to load the private key and certificate data into the SSL
8586df1e LJ	60	object using the SSL_use_certificate() and SSL_use_private_key() functions.
8586df1e LJ	61	Thus it will permanently install the certificate and key for this SSL
9b86974e	62	object. It will not be reset by calling L<SSL_clear(3)>.
8586df1e LJ	63	If the callback returns no certificate, the OpenSSL library will not send
8586df1e LJ	64	a certificate.
f0d6ee6b	65
1f13ad31 PY	66	=head1 RETURN VALUES
	67
	68	SSL_CTX_get_client_cert_cb() returns function pointer of client_cert_cb() or
	69	NULL if the callback is not set.
	70
f0d6ee6b LJ	71	=head1 BUGS
	72
	73	The client_cert_cb() cannot return a complete certificate chain, it can
	74	only return one client certificate. If the chain only has a length of 2,
	75	the root CA certificate may be omitted according to the TLS standard and
	76	thus a standard conforming answer can be sent to the server. For a
	77	longer chain, the client must send the complete chain (with the option
	78	to leave out the root CA certificate). This can only be accomplished by
	79	either adding the intermediate CA certificates into the trusted
	80	certificate store for the SSL_CTX object (resulting in having to add
	81	CA certificates that otherwise maybe would not be trusted), or by adding
	82	the chain certificates using the
9b86974e	83	L<SSL_CTX_add_extra_chain_cert(3)>
f0d6ee6b LJ	84	function, which is only available for the SSL_CTX object as a whole and that
	85	therefore probably can only apply for one client certificate, making
	86	the concept of the callback function (to allow the choice from several
	87	certificates) questionable.
	88
	89	Once the SSL object has been used in conjunction with the callback function,
	90	the certificate will be set for the SSL object and will not be cleared
9b86974e RS	91	even when L<SSL_clear(3)> is being called. It is therefore
9b86974e RS	92	mandatory to destroy the SSL object using L<SSL_free(3)>
f0d6ee6b LJ	93	and create a new one to return to the previous state.
	94
	95	=head1 SEE ALSO
	96
b97fdb57	97	L<ssl(7)>, L<SSL_CTX_use_certificate(3)>,
9b86974e RS	98	L<SSL_CTX_add_extra_chain_cert(3)>,
	99	L<SSL_get_client_CA_list(3)>,
	100	L<SSL_clear(3)>, L<SSL_free(3)>
f0d6ee6b	101
e2f92610 RS	102	=head1 COPYRIGHT
e2f92610 RS	103
61f805c1	104	Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	105
4746f25a	106	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	107	this file except in compliance with the License. You can obtain a copy
	108	in the file LICENSE in the source distribution or at
	109	L<https://www.openssl.org/source/license.html>.
	110
	111	=cut