SSL_CTX_set0_CA_list.pod 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_client_CA_list,
  4. SSL_set_client_CA_list,
  5. SSL_get_client_CA_list,
  6. SSL_CTX_get_client_CA_list,
  7. SSL_CTX_add_client_CA,
  8. SSL_add_client_CA,
  9. SSL_set0_CA_list,
  10. SSL_CTX_set0_CA_list,
  11. SSL_get0_CA_list,
  12. SSL_CTX_get0_CA_list,
  13. SSL_add1_to_CA_list,
  14. SSL_CTX_add1_to_CA_list,
  15. SSL_get0_peer_CA_list
  16. - get or set CA list
  17. =head1 SYNOPSIS
  18. #include <openssl/ssl.h>
  19. void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
  20. void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
  21. STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
  22. STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
  23. int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
  24. int SSL_add_client_CA(SSL *ssl, X509 *cacert);
  25. void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
  26. void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
  27. const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
  28. const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
  29. int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x);
  30. int SSL_add1_to_CA_list(SSL *ssl, const X509 *x);
  31. const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
  32. =head1 DESCRIPTION
  33. The functions described here set and manage the list of CA names that are sent
  34. between two communicating peers.
  35. For TLS versions 1.2 and earlier the list of CA names is only sent from the
  36. server to the client when requesting a client certificate. So any list of CA
  37. names set is never sent from client to server and the list of CA names retrieved
  38. by SSL_get0_peer_CA_list() is always B<NULL>.
  39. For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
  40. extension and may be sent by a client (in the ClientHello message) or by
  41. a server (when requesting a certificate).
  42. In most cases it is not necessary to set CA names on the client side. The list
  43. of CA names that are acceptable to the client will be sent in plaintext to the
  44. server. This has privacy implications and may also have performance implications
  45. if the list is large. This optional capability was introduced as part of TLSv1.3
  46. and therefore setting CA names on the client side will have no impact if that
  47. protocol version has been disabled. Most servers do not need this and so this
  48. should be avoided unless required.
  49. The "client CA list" functions below only have an effect when called on the
  50. server side.
  51. SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
  52. requesting a client certificate for B<ctx>. Ownership of B<list> is transferred
  53. to B<ctx> and it should not be freed by the caller.
  54. SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
  55. requesting a client certificate for the chosen B<ssl>, overriding the
  56. setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
  57. to B<s> and it should not be freed by the caller.
  58. SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
  59. B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
  60. by the caller.
  61. SSL_get_client_CA_list() returns the list of client CAs explicitly
  62. set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
  63. SSL_CTX_set_client_CA_list(), when in server mode. In client mode,
  64. SSL_get_client_CA_list returns the list of client CAs sent from the server, if
  65. any. The returned list should not be freed by the caller.
  66. SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
  67. list of CAs sent to the client when requesting a client certificate for
  68. B<ctx>.
  69. SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
  70. list of CAs sent to the client when requesting a client certificate for
  71. the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
  72. SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
  73. has sent. This can be called on either the server or the client side. The
  74. returned list should not be freed by the caller.
  75. The "generic CA list" functions below are very similar to the "client CA
  76. list" functions except that they have an effect on both the server and client
  77. sides. The lists of CA names managed are separate - so you cannot (for example)
  78. set CA names using the "client CA list" functions and then get them using the
  79. "generic CA list" functions. Where a mix of the two types of functions has been
  80. used on the server side then the "client CA list" functions take precedence.
  81. Typically, on the server side, the "client CA list " functions should be used in
  82. preference. As noted above in most cases it is not necessary to set CA names on
  83. the client side.
  84. SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to
  85. B<name_list>. Ownership of B<name_list> is transferred to B<ctx> and
  86. it should not be freed by the caller.
  87. SSL_set0_CA_list() sets the list of CAs to be sent to the peer to B<name_list>
  88. overriding any list set in the parent B<SSL_CTX> of B<s>. Ownership of
  89. B<name_list> is transferred to B<s> and it should not be freed by the caller.
  90. SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
  91. B<ctx>. The returned list should not be freed by the caller.
  92. SSL_get0_CA_list() retrieves any previously set list of CAs set for
  93. B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved. The
  94. returned list should not be freed by the caller.
  95. SSL_CTX_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
  96. list of CAs sent to peer for B<ctx>.
  97. SSL_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
  98. list of CAs sent to the peer for B<s>, overriding the setting in the parent
  99. B<SSL_CTX>.
  100. =head1 NOTES
  101. When a TLS/SSL server requests a client certificate (see
  102. B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept
  103. certificates, to the client.
  104. This list must explicitly be set using SSL_CTX_set_client_CA_list() or
  105. SSL_CTX_set0_CA_list() for B<ctx> and SSL_set_client_CA_list() or
  106. SSL_set0_CA_list() for the specific B<ssl>. The list specified
  107. overrides the previous setting. The CAs listed do not become trusted (B<list>
  108. only contains the names, not the complete certificates); use
  109. L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification.
  110. If the list of acceptable CAs is compiled in a file, the
  111. L<SSL_load_client_CA_file(3)> function can be used to help to import the
  112. necessary data.
  113. SSL_CTX_add_client_CA(), SSL_CTX_add1_to_CA_list(), SSL_add_client_CA() and
  114. SSL_add1_to_CA_list() can be used to add additional items the list of CAs. If no
  115. list was specified before using SSL_CTX_set_client_CA_list(),
  116. SSL_CTX_set0_CA_list(), SSL_set_client_CA_list() or SSL_set0_CA_list(), a
  117. new CA list for B<ctx> or B<ssl> (as appropriate) is opened.
  118. =head1 RETURN VALUES
  119. SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(),
  120. SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_set0_CA_list()
  121. and SSL_set0_CA_list() do not return a value.
  122. SSL_CTX_get_client_CA_list(), SSL_get_client_CA_list(), SSL_CTX_get0_CA_list()
  123. and SSL_get0_CA_list() return a stack of CA names or B<NULL> is no CA names are
  124. set.
  125. SSL_CTX_add_client_CA(),SSL_add_client_CA(), SSL_CTX_add1_to_CA_list() and
  126. SSL_add1_to_CA_list() return 1 for success and 0 for failure.
  127. SSL_get0_peer_CA_list() returns a stack of CA names sent by the peer or
  128. B<NULL> or an empty stack if no list was sent.
  129. =head1 EXAMPLES
  130. Scan all certificates in B<CAfile> and list them as acceptable CAs:
  131. SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
  132. =head1 SEE ALSO
  133. L<ssl(7)>,
  134. L<SSL_load_client_CA_file(3)>,
  135. L<SSL_CTX_load_verify_locations(3)>
  136. =head1 COPYRIGHT
  137. Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
  138. Licensed under the Apache License 2.0 (the "License"). You may not use
  139. this file except in compliance with the License. You can obtain a copy
  140. in the file LICENSE in the source distribution or at
  141. L<https://www.openssl.org/source/license.html>.
  142. =cut