SSL_CTX_set_tlsext_status_cb.pod 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_tlsext_status_cb,
  4. SSL_CTX_get_tlsext_status_cb,
  5. SSL_CTX_set_tlsext_status_arg,
  6. SSL_CTX_get_tlsext_status_arg,
  7. SSL_CTX_set_tlsext_status_type,
  8. SSL_CTX_get_tlsext_status_type,
  9. SSL_set_tlsext_status_type,
  10. SSL_get_tlsext_status_type,
  11. SSL_get_tlsext_status_ocsp_resp,
  12. SSL_set_tlsext_status_ocsp_resp
  13. - OCSP Certificate Status Request functions
  14. =head1 SYNOPSIS
  15. #include <openssl/tls1.h>
  16. long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));
  17. long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));
  18. long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
  19. long SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg);
  20. long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
  21. long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);
  22. long SSL_set_tlsext_status_type(SSL *s, int type);
  23. long SSL_get_tlsext_status_type(SSL *s);
  24. long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
  25. long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
  26. =head1 DESCRIPTION
  27. A client application may request that a server send back an OCSP status response
  28. (also known as OCSP stapling). To do so the client should call the
  29. SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
  30. objects. Alternatively an application can call the SSL_set_tlsext_status_type()
  31. function on an individual SSL object prior to the start of the handshake.
  32. Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
  33. should be passed in the B<type> argument. Calling
  34. SSL_CTX_get_tlsext_status_type() will return the type B<TLSEXT_STATUSTYPE_ocsp>
  35. previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set.
  36. The client should additionally provide a callback function to decide what to do
  37. with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The
  38. callback function should determine whether the returned OCSP response is
  39. acceptable or not. The callback will be passed as an argument the value
  40. previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
  41. callback will not be called in the event of a handshake where session resumption
  42. occurs (because there are no Certificates exchanged in such a handshake).
  43. The callback previously set via SSL_CTX_set_tlsext_status_cb() can be retrieved
  44. by calling SSL_CTX_get_tlsext_status_cb(), and the argument by calling
  45. SSL_CTX_get_tlsext_status_arg().
  46. On the client side SSL_get_tlsext_status_type() can be used to determine whether
  47. the client has previously called SSL_set_tlsext_status_type(). It will return
  48. B<TLSEXT_STATUSTYPE_ocsp> if it has been called or -1 otherwise. On the server
  49. side SSL_get_tlsext_status_type() can be used to determine whether the client
  50. requested OCSP stapling. If the client requested it then this function will
  51. return B<TLSEXT_STATUSTYPE_ocsp>, or -1 otherwise.
  52. The response returned by the server can be obtained via a call to
  53. SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
  54. to the OCSP response data and the return value will be the length of that data.
  55. Typically a callback would obtain an OCSP_RESPONSE object from this data via a
  56. call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
  57. response data then B<*resp> will be NULL and the return value from
  58. SSL_get_tlsext_status_ocsp_resp() will be -1.
  59. A server application must also call the SSL_CTX_set_tlsext_status_cb() function
  60. if it wants to be able to provide clients with OCSP Certificate Status
  61. responses. Typically the server callback would obtain the server certificate
  62. that is being sent back to the client via a call to SSL_get_certificate();
  63. obtain the OCSP response to be sent back; and then set that response data by
  64. calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should
  65. be provided in the B<resp> argument, and the length of that data should be in
  66. the B<len> argument.
  67. =head1 RETURN VALUES
  68. The callback when used on the client side should return a negative value on
  69. error; 0 if the response is not acceptable (in which case the handshake will
  70. fail) or a positive value if it is acceptable.
  71. The callback when used on the server side should return with either
  72. SSL_TLSEXT_ERR_OK (meaning that the OCSP response that has been set should be
  73. returned), SSL_TLSEXT_ERR_NOACK (meaning that an OCSP response should not be
  74. returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
  75. occurred).
  76. SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
  77. SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
  78. SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.
  79. SSL_CTX_get_tlsext_status_type() returns the value previously set by
  80. SSL_CTX_set_tlsext_status_type(), or -1 if not set.
  81. SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
  82. or -1 if there is no OCSP response data.
  83. SSL_get_tlsext_status_type() returns B<TLSEXT_STATUSTYPE_ocsp> on the client
  84. side if SSL_set_tlsext_status_type() was previously called, or on the server
  85. side if the client requested OCSP stapling. Otherwise -1 is returned.
  86. =head1 SEE ALSO
  87. L<ssl(7)>
  88. =head1 HISTORY
  89. The SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type()
  90. and SSL_CTX_set_tlsext_status_type() functions were added in OpenSSL 1.1.0.
  91. =head1 COPYRIGHT
  92. Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  93. Licensed under the Apache License 2.0 (the "License"). You may not use
  94. this file except in compliance with the License. You can obtain a copy
  95. in the file LICENSE in the source distribution or at
  96. L<https://www.openssl.org/source/license.html>.
  97. =cut