SSL_CTX_set_cert_cb.pod 2.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_cert_cb, SSL_set_cert_cb - handle certificate callback function
  4. =head1 SYNOPSIS
  5. #include <openssl/ssl.h>
  6. void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
  7. void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
  8. int (*cert_cb)(SSL *ssl, void *arg);
  9. =head1 DESCRIPTION
  10. SSL_CTX_set_cert_cb() and SSL_set_cert_cb() sets the B<cert_cb()> callback,
  11. B<arg> value is pointer which is passed to the application callback.
  12. When B<cert_cb()> is NULL, no callback function is used.
  13. cert_cb() is the application defined callback. It is called before a
  14. certificate will be used by a client or server. The callback can then inspect
  15. the passed B<ssl> structure and set or clear any appropriate certificates. If
  16. the callback is successful it B<MUST> return 1 even if no certificates have
  17. been set. A zero is returned on error which will abort the handshake with a
  18. fatal internal error alert. A negative return value will suspend the handshake
  19. and the handshake function will return immediately.
  20. L<SSL_get_error(3)|SSL_get_error(3)> will return SSL_ERROR_WANT_X509_LOOKUP to
  21. indicate, that the handshake was suspended. The next call to the handshake
  22. function will again lead to the call of cert_cb(). It is the job of the
  23. cert_cb() to store information about the state of the last call,
  24. if required to continue.
  25. =head1 NOTES
  26. An application will typically call SSL_use_certificate() and
  27. SSL_use_PrivateKey() to set the end entity certificate and private key.
  28. It can add intermediate and optionally the root CA certificates using
  29. SSL_add1_chain_cert().
  30. It might also call SSL_certs_clear() to delete any certificates associated
  31. with the B<SSL> object.
  32. The certificate callback functionality supercedes the (largely broken)
  33. functionality provided by the old client certificate callback interface.
  34. It is B<always> called even is a certificate is already set so the callback
  35. can modify or delete the existing certificate.
  36. A more advanced callback might examine the handshake parameters and set
  37. whatever chain is appropriate. For example a legacy client supporting only
  38. TLS v1.0 might receive a certificate chain signed using SHA1 whereas a
  39. TLS v1.2 client which advertises support for SHA256 could receive a chain
  40. using SHA256.
  41. Normal server sanity checks are performed on any certificates set
  42. by the callback. So if an EC chain is set for a curve the client does not
  43. support it will B<not> be used.
  44. =head1 SEE ALSO
  45. L<ssl(3)|ssl(3)>, L<SSL_use_certificate(3)|SSL_use_certificate(3)>,
  46. L<SSL_add1_chain_cert(3)|SSL_add1_chain_cert(3)>,
  47. L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
  48. L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
  49. =cut