123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 |
- =pod
- =head1 NAME
- SSL_CTX_set_client_CA_list,
- SSL_set_client_CA_list,
- SSL_get_client_CA_list,
- SSL_CTX_get_client_CA_list,
- SSL_CTX_add_client_CA,
- SSL_add_client_CA,
- SSL_set0_CA_list,
- SSL_CTX_set0_CA_list,
- SSL_get0_CA_list,
- SSL_CTX_get0_CA_list,
- SSL_add1_to_CA_list,
- SSL_CTX_add1_to_CA_list,
- SSL_get0_peer_CA_list
- - get or set CA list
- =head1 SYNOPSIS
- #include <openssl/ssl.h>
- void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
- void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
- STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
- int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
- int SSL_add_client_CA(SSL *ssl, X509 *cacert);
- void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
- void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
- const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
- const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
- int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x);
- int SSL_add1_to_CA_list(SSL *ssl, const X509 *x);
- const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
- =head1 DESCRIPTION
- The functions described here set and manage the list of CA names that are sent
- between two communicating peers.
- For TLS versions 1.2 and earlier the list of CA names is only sent from the
- server to the client when requesting a client certificate. So any list of CA
- names set is never sent from client to server and the list of CA names retrieved
- by SSL_get0_peer_CA_list() is always B<NULL>.
- For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
- extension and may be sent by a client (in the ClientHello message) or by
- a server (when requesting a certificate).
- In most cases it is not necessary to set CA names on the client side. The list
- of CA names that are acceptable to the client will be sent in plaintext to the
- server. This has privacy implications and may also have performance implications
- if the list is large. This optional capability was introduced as part of TLSv1.3
- and therefore setting CA names on the client side will have no impact if that
- protocol version has been disabled. Most servers do not need this and so this
- should be avoided unless required.
- The "client CA list" functions below only have an effect when called on the
- server side.
- SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
- requesting a client certificate for B<ctx>. Ownership of B<list> is transferred
- to B<ctx> and it should not be freed by the caller.
- SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
- requesting a client certificate for the chosen B<ssl>, overriding the
- setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
- to B<s> and it should not be freed by the caller.
- SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
- B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
- by the caller.
- SSL_get_client_CA_list() returns the list of client CAs explicitly
- set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
- SSL_CTX_set_client_CA_list(), when in server mode. In client mode,
- SSL_get_client_CA_list returns the list of client CAs sent from the server, if
- any. The returned list should not be freed by the caller.
- SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
- list of CAs sent to the client when requesting a client certificate for
- B<ctx>.
- SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
- list of CAs sent to the client when requesting a client certificate for
- the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
- SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
- has sent. This can be called on either the server or the client side. The
- returned list should not be freed by the caller.
- The "generic CA list" functions below are very similar to the "client CA
- list" functions except that they have an effect on both the server and client
- sides. The lists of CA names managed are separate - so you cannot (for example)
- set CA names using the "client CA list" functions and then get them using the
- "generic CA list" functions. Where a mix of the two types of functions has been
- used on the server side then the "client CA list" functions take precedence.
- Typically, on the server side, the "client CA list " functions should be used in
- preference. As noted above in most cases it is not necessary to set CA names on
- the client side.
- SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to
- B<name_list>. Ownership of B<name_list> is transferred to B<ctx> and
- it should not be freed by the caller.
- SSL_set0_CA_list() sets the list of CAs to be sent to the peer to B<name_list>
- overriding any list set in the parent B<SSL_CTX> of B<s>. Ownership of
- B<name_list> is transferred to B<s> and it should not be freed by the caller.
- SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
- B<ctx>. The returned list should not be freed by the caller.
- SSL_get0_CA_list() retrieves any previously set list of CAs set for
- B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved. The
- returned list should not be freed by the caller.
- SSL_CTX_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
- list of CAs sent to peer for B<ctx>.
- SSL_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
- list of CAs sent to the peer for B<s>, overriding the setting in the parent
- B<SSL_CTX>.
- =head1 NOTES
- When a TLS/SSL server requests a client certificate (see
- B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept
- certificates, to the client.
- This list must explicitly be set using SSL_CTX_set_client_CA_list() or
- SSL_CTX_set0_CA_list() for B<ctx> and SSL_set_client_CA_list() or
- SSL_set0_CA_list() for the specific B<ssl>. The list specified
- overrides the previous setting. The CAs listed do not become trusted (B<list>
- only contains the names, not the complete certificates); use
- L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification.
- If the list of acceptable CAs is compiled in a file, the
- L<SSL_load_client_CA_file(3)> function can be used to help to import the
- necessary data.
- SSL_CTX_add_client_CA(), SSL_CTX_add1_to_CA_list(), SSL_add_client_CA() and
- SSL_add1_to_CA_list() can be used to add additional items the list of CAs. If no
- list was specified before using SSL_CTX_set_client_CA_list(),
- SSL_CTX_set0_CA_list(), SSL_set_client_CA_list() or SSL_set0_CA_list(), a
- new CA list for B<ctx> or B<ssl> (as appropriate) is opened.
- =head1 RETURN VALUES
- SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(),
- SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_set0_CA_list()
- and SSL_set0_CA_list() do not return a value.
- SSL_CTX_get_client_CA_list(), SSL_get_client_CA_list(), SSL_CTX_get0_CA_list()
- and SSL_get0_CA_list() return a stack of CA names or B<NULL> is no CA names are
- set.
- SSL_CTX_add_client_CA(),SSL_add_client_CA(), SSL_CTX_add1_to_CA_list() and
- SSL_add1_to_CA_list() return 1 for success and 0 for failure.
- SSL_get0_peer_CA_list() returns a stack of CA names sent by the peer or
- B<NULL> or an empty stack if no list was sent.
- =head1 EXAMPLES
- Scan all certificates in B<CAfile> and list them as acceptable CAs:
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
- =head1 SEE ALSO
- L<ssl(7)>,
- L<SSL_load_client_CA_file(3)>,
- L<SSL_CTX_load_verify_locations(3)>
- =head1 COPYRIGHT
- Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
- Licensed under the Apache License 2.0 (the "License"). You may not use
- this file except in compliance with the License. You can obtain a copy
- in the file LICENSE in the source distribution or at
- L<https://www.openssl.org/source/license.html>.
- =cut
|