BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which
is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to
-SSL I/O.
+SSL I/O.
I/O performed on an SSL BIO communicates using the SSL protocol with
the SSLs read and write BIOs. If an SSL connection is not established
is 1 client mode is set. If B<client> is 0 server mode is set.
BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
-to B<num>. When set after every B<num> bytes of I/O (read and write)
+to B<num>. When set after every B<num> bytes of I/O (read and write)
the SSL session is automatically renegotiated. B<num> must be at
least 512 bytes.
of a buffering BIO, an SSL BIO (using B<ctx>) and a connect
BIO.
-BIO_ssl_copy_session_id() copies an SSL session id between
+BIO_ssl_copy_session_id() copies an SSL session id between
BIO chains B<from> and B<to>. It does this by locating the
SSL BIOs in each chain and calling SSL_copy_session_id() on
the internal SSL pointer.
/* Could examine ssl here to get connection info */
BIO_puts(sbio, "GET / HTTP/1.0\n\n");
- for(;;) {
+ for(;;) {
len = BIO_read(sbio, tmpbuf, 1024);
if(len <= 0) break;
BIO_write(out, tmpbuf, len);
/* By doing this when a new connection is established
* we automatically have sbio inserted into it. The
* BIO chain is now 'swallowed' by the accept BIO and
- * will be freed when the accept BIO is freed.
+ * will be freed when the accept BIO is freed.
*/
-
+
BIO_set_accept_bios(acpt,sbio);
out = BIO_new_fp(stdout, BIO_NOCLOSE);
session was not found in the cache.
=item C<1>
-
+
The operation succeeded.
=back
removed from the cache to save resources. This can either be done
automatically whenever 255 new sessions were established (see
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
-or manually by calling SSL_CTX_flush_sessions().
+or manually by calling SSL_CTX_flush_sessions().
The parameter B<tm> specifies the time which should be used for the
expiration test, in most cases the actual time given by time(0)
instead. By setting I<callback> to NULL, the default behaviour is restored.
When the verification must be performed, I<callback> will be called with
-the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
+the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument I<arg> is specified by the application when setting I<callback>.
I<callback> should return 1 to indicate verification success and 0 to
allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the B<error>
member of I<x509_store_ctx> so that the calling application will be informed
-about the detailed result of the verification procedure!
+about the detailed result of the verification procedure!
Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
=head1 SYNOPSIS
#include <openssl/ssl.h>
-
+
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
specified overrides the previous setting. The CAs listed do not become
trusted (B<list> only contains the names, not the complete certificates); use
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
to additionally load them for verification.
If the list of acceptable CAs is compiled in a file, the
When we no longer need a read buffer or a write buffer for a given SSL,
then release the memory we were using to hold it. Released memory is
either appended to a list of unused RAM chunks on the SSL_CTX, or simply
-freed if the list of unused chunks would become longer than
+freed if the list of unused chunks would become longer than
SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can
save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS connections.
If we accept a netscape connection, demand a client cert, have a
non-self-signed CA which does not have its CA in netscape, and the
-browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
+browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
object.
In order to reuse a session, a client must send the session's id to the
-server. It can only send exactly one id. The server then either
+server. It can only send exactly one id. The server then either
agrees to reuse the session or it starts a full handshake (to create a new
session).
dh_tmp = dh_512;
break;
case 1024:
- if (!dh_1024)
+ if (!dh_1024)
dh_1024 = get_dh1024();
dh_tmp = dh_1024;
break;
preverify_ok = 0;
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
X509_STORE_CTX_set_error(ctx, err);
- }
+ }
if (!preverify_ok) {
printf("verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf);
*/
mydata.verify_depth = verify_depth; ...
SSL_set_ex_data(ssl, mydata_index, &mydata);
-
+
...
SSL_accept(ssl); /* check of success left out for clarity */
if (peer = SSL_get_peer_certificate(ssl))
See the NOTES section on why SSL_CTX_use_certificate_chain_file()
should be preferred.
-SSL_CTX_use_certificate_chain_file() loads a certificate chain from
+SSL_CTX_use_certificate_chain_file() loads a certificate chain from
B<file> into B<ctx>. The certificates must be in PEM format and must
be sorted starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if applicable, and
to the certificate an error is returned. To change a certificate, private
key pair the new certificate needs to be set with SSL_use_certificate()
or SSL_CTX_use_certificate() before setting the private key with
-SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey().
+SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey().
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
this B<ssl>, the last item added into B<ctx> will be checked.
=head1 NOTES
-
+
The internal certificate store of OpenSSL can hold two private key/certificate
pairs at a time: one key/certificate of type RSA and one key/certificate
of type DSA. The certificate used depends on the cipher select, see
When reading certificates and private keys from file, files of type
SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
-one certificate or private key, consequently
+one certificate or private key, consequently
SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting.
Files of type SSL_FILETYPE_PEM can contain more than one item.
SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success.
-If any of the function is passed the NULL pointer for the session B<s>,
+If any of the function is passed the NULL pointer for the session B<s>,
0 is returned.
=head1 SEE ALSO
=head1 NOTES
-The behaviour of SSL_accept() depends on the underlying BIO.
+The behaviour of SSL_accept() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_accept() will only return once the
handshake has been finished or an error occurred, except for SGC (Server
=item "UP"/"unknown PSK identity"
Sent by the server to indicate that it does not recognize a PSK
-identity or an SRP identity.
+identity or an SRP identity.
=item "UK"/"unknown"
=head1 NOTES
-The behaviour of SSL_connect() depends on the underlying BIO.
+The behaviour of SSL_connect() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_connect() will only return once the
handshake has been finished or an error occurred.
#include <openssl/ssl.h>
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
=head1 DESCRIPTION
SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the
name of the currently used cipher. SSL_get_cipher_bits() is a
-macro to obtain the number of secret/algorithm bits used and
+macro to obtain the number of secret/algorithm bits used and
SSL_get_cipher_version() returns the protocol name.
See L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)> for more details.
=head1 NOTES
SSL_library_init() must be called before any other action takes place.
-SSL_library_init() is not reentrant.
+SSL_library_init() is not reentrant.
=head1 WARNING
SSL_CTX *ctx;
STACK_OF(X509_NAME) *cert_names;
- ...
+ ...
cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
if (cert_names != NULL)
SSL_CTX_set_client_CA_list(ctx, cert_names);
L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_read() operation. The behaviour of SSL_read() depends on the
-underlying BIO.
+underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is being done by calling
If the underlying BIO is B<blocking>, SSL_read() will only return, once the
read operation has been finished or an error occurred, except when a
-renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
=head1 DESCRIPTION
-SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
+SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
"close notify" shutdown alert to the peer.
=head1 NOTES
specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on
the first call.
-The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
+The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
handshake step has been finished or an error occurred.
L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_write() operation. The behaviour of SSL_write() depends on the
-underlying BIO.
+underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is being done by calling
If the underlying BIO is B<blocking>, SSL_write() will only return, once the
write operation has been finished or an error occurred, except when a
-renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
projects / openbsd / commitdiff