From: Matt Caswell Date: Thu, 1 Nov 2018 11:53:49 +0000 (+0000) Subject: Merge the CA list documentation for clarity X-Git-Tag: openssl-3.0.0-alpha1~2907 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6e68dae85a8f91944370125561c7ec0d5da46c20;p=oweals%2Fopenssl.git Merge the CA list documentation for clarity Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/7503) --- diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod index 37a4cee9ca..d7ed89775b 100644 --- a/doc/man3/SSL_CTX_set0_CA_list.pod +++ b/doc/man3/SSL_CTX_set0_CA_list.pod @@ -2,14 +2,32 @@ =head1 NAME -SSL_set0_CA_list, SSL_CTX_set0_CA_list, SSL_get0_CA_list, -SSL_CTX_get0_CA_list, SSL_add1_to_CA_list, SSL_CTX_add1_to_CA_list, -SSL_get0_peer_CA_list - get or set CA list +SSL_CTX_set_client_CA_list, +SSL_set_client_CA_list, +SSL_get_client_CA_list, +SSL_CTX_get_client_CA_list, +SSL_CTX_add_client_CA, +SSL_add_client_CA, +SSL_set0_CA_list, +SSL_CTX_set0_CA_list, +SSL_get0_CA_list, +SSL_CTX_get0_CA_list, +SSL_add1_to_CA_list, +SSL_CTX_add1_to_CA_list, +SSL_get0_peer_CA_list +- get or set CA list =head1 SYNOPSIS #include + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); + void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); + STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); + int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); + int SSL_add_client_CA(SSL *ssl, X509 *cacert); + void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx); @@ -21,6 +39,70 @@ SSL_get0_peer_CA_list - get or set CA list =head1 DESCRIPTION +The functions described here set and manage the list of CA names that are sent +between two communicating peers. + +For TLS versions 1.2 and earlier the list of CA names is only sent from the +server to the client when requesting a client certificate. So any list of CA +names set is never sent from client to server and the list of CA names retrieved +by SSL_get0_peer_CA_list() is always B. + +For TLS 1.3 the list of CA names is sent using the B +extension and may be sent by a client (in the ClientHello message) or by +a server (when requesting a certificate). + +In most cases it is not necessary to set CA names on the client side. The list +of CA names that are acceptable to the client will be sent in plaintext to the +server. This has privacy implications and may also have performance implications +if the list is large. This optional capability was introduced as part of TLSv1.3 +and therefore setting CA names on the client side will have no impact if that +protocol version has been disabled. Most servers do not need this and so this +should be avoided unless required. + +The "client CA list" functions below only have an effect when called on the +server side. + +SSL_CTX_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for B. Ownership of B is transferred +to B and it should not be freed by the caller. + +SSL_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for the chosen B, overriding the +setting valid for B's SSL_CTX object. Ownership of B is transferred +to B and it should not be freed by the caller. + +SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for +B using SSL_CTX_set_client_CA_list(). The returned list should not be freed +by the caller. + +SSL_get_client_CA_list() returns the list of client CAs explicitly +set for B using SSL_set_client_CA_list() or B's SSL_CTX object with +SSL_CTX_set_client_CA_list(), when in server mode. In client mode, +SSL_get_client_CA_list returns the list of client CAs sent from the server, if +any. The returned list should not be freed by the caller. + +SSL_CTX_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +B. + +SSL_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +the chosen B, overriding the setting valid for B's SSL_CTX object. + +SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer +has sent. This can be called on either the server or the client side. The +returned list should not be freed by the caller. + +The "generic CA list" functions below are very similar to the "client CA +list" functions except that they have an effect on both the server and client +sides. The lists of CA names managed are separate - so you cannot (for example) +set CA names using the "client CA list" functions and then get them using the +"generic CA list" functions. Where a mix of the two types of functions has been +used on the server side then the "client CA list" functions take precedence. +Typically, on the server side, the "client CA list " functions should be used in +preference. As noted above in most cases it is not necessary to set CA names on +the client side. + SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to B. Ownership of B is transferred to B and it should not be freed by the caller. @@ -30,10 +112,11 @@ overriding any list set in the parent B of B. Ownership of B is transferred to B and it should not be freed by the caller. SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for -B. +B. The returned list should not be freed by the caller. -SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for -B or if none are set the list from the parent B is retrieved. +SSL_get0_CA_list() retrieves any previously set list of CAs set for +B or if none are set the list from the parent B is retrieved. The +returned list should not be freed by the caller. SSL_CTX_add1_to_CA_list() appends the CA subject name extracted from B to the list of CAs sent to peer for B. @@ -42,50 +125,60 @@ SSL_add1_to_CA_list() appends the CA subject name extracted from B to the list of CAs sent to the peer for B, overriding the setting in the parent B. -SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer -has sent. - =head1 NOTES -These functions are generalised versions of the client authentication -CA list functions such as L. If both these -and L or similar functions are used, then the -latter functions take priority on the server side (they are ignored on the -client side). +When a TLS/SSL server requests a client certificate (see +B), it sends a list of CAs, for which it will accept +certificates, to the client. -For TLS versions before 1.3 the list of CA names is only sent from the server -to client when requesting a client certificate. So any list of CA names set -is never sent from client to server and the list of CA names retrieved by -SSL_get0_peer_CA_list() is always B. +This list must explicitly be set using SSL_CTX_set_client_CA_list() or +SSL_CTX_set0_CA_list() for B and SSL_set_client_CA_list() or +SSL_set0_CA_list() for the specific B. The list specified +overrides the previous setting. The CAs listed do not become trusted (B +only contains the names, not the complete certificates); use +L to additionally load them for verification. -For TLS 1.3 the list of CA names is sent using the B -extension and will be sent by a client (in the ClientHello message) or by -a server (when requesting a certificate). +If the list of acceptable CAs is compiled in a file, the +L function can be used to help to import the +necessary data. + +SSL_CTX_add_client_CA(), SSL_CTX_add1_to_CA_list(), SSL_add_client_CA() and +SSL_add1_to_CA_list() can be used to add additional items the list of CAs. If no +list was specified before using SSL_CTX_set_client_CA_list(), +SSL_CTX_set0_CA_list(), SSL_set_client_CA_list() or SSL_set0_CA_list(), a +new CA list for B or B (as appropriate) is opened. =head1 RETURN VALUES -SSL_CTX_set0_CA_list() and SSL_set0_CA_list() do not return a value. +SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), +SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_set0_CA_list() +and SSL_set0_CA_list() do not return a value. -SSL_CTX_get0_CA_list() and SSL_get0_CA_list() return a stack of CA names -or B is no CA names are set. +SSL_CTX_get_client_CA_list(), SSL_get_client_CA_list(), SSL_CTX_get0_CA_list() +and SSL_get0_CA_list() return a stack of CA names or B is no CA names are +set. -SSL_CTX_add1_to_CA_list() and SSL_add1_to_CA_list() return 1 for success and 0 -for failure. +SSL_CTX_add_client_CA(),SSL_add_client_CA(), SSL_CTX_add1_to_CA_list() and +SSL_add1_to_CA_list() return 1 for success and 0 for failure. SSL_get0_peer_CA_list() returns a stack of CA names sent by the peer or B or an empty stack if no list was sent. +=head1 EXAMPLES + +Scan all certificates in B and list them as acceptable CAs: + + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); + =head1 SEE ALSO L, -L, -L, L, L =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_client_CA_list.pod b/doc/man3/SSL_CTX_set_client_CA_list.pod deleted file mode 100644 index e23999aaae..0000000000 --- a/doc/man3/SSL_CTX_set_client_CA_list.pod +++ /dev/null @@ -1,108 +0,0 @@ -=pod - -=head1 NAME - -SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, -SSL_add_client_CA - set list of CAs sent to the client when requesting a -client certificate - -=head1 SYNOPSIS - - #include - - void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); - void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); - int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); - int SSL_add_client_CA(SSL *ssl, X509 *cacert); - -=head1 DESCRIPTION - -SSL_CTX_set_client_CA_list() sets the B of CAs sent to the client when -requesting a client certificate for B. - -SSL_set_client_CA_list() sets the B of CAs sent to the client when -requesting a client certificate for the chosen B, overriding the -setting valid for B's SSL_CTX object. - -SSL_CTX_add_client_CA() adds the CA name extracted from B to the -list of CAs sent to the client when requesting a client certificate for -B. - -SSL_add_client_CA() adds the CA name extracted from B to the -list of CAs sent to the client when requesting a client certificate for -the chosen B, overriding the setting valid for B's SSL_CTX object. - -=head1 NOTES - -These functions are similar to L and similar functions -but only have an effect on the server side. These functions are present for -backwards compatibility. L and similar functions should -be used in preference. - -When a TLS/SSL server requests a client certificate (see -B), it sends a list of CAs, for which -it will accept certificates, to the client. - -This list must explicitly be set using SSL_CTX_set_client_CA_list() for -B and SSL_set_client_CA_list() for the specific B. The list -specified overrides the previous setting. The CAs listed do not become -trusted (B only contains the names, not the complete certificates); use -L -to additionally load them for verification. - -If the list of acceptable CAs is compiled in a file, the -L -function can be used to help importing the necessary data. - -SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional -items the list of client CAs. If no list was specified before using -SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client -CA list for B or B (as appropriate) is opened. - -These functions are only useful for TLS/SSL servers. - -=head1 RETURN VALUES - -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return -diagnostic information. - -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return -values: - -=over 4 - -=item Z<>0 - -A failure while manipulating the STACK_OF(X509_NAME) object occurred or -the X509_NAME could not be extracted from B. Check the error stack -to find out the reason. - -=item Z<>1 - -The operation succeeded. - -=back - -=head1 EXAMPLES - -Scan all certificates in B and list them as acceptable CAs: - - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); - -=head1 SEE ALSO - -L, -L, -L, -L - -=head1 COPYRIGHT - -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the OpenSSL license (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut diff --git a/doc/man3/SSL_get_client_CA_list.pod b/doc/man3/SSL_get_client_CA_list.pod deleted file mode 100644 index 40c3561efc..0000000000 --- a/doc/man3/SSL_get_client_CA_list.pod +++ /dev/null @@ -1,62 +0,0 @@ -=pod - -=head1 NAME - -SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs - -=head1 SYNOPSIS - - #include - - STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s); - STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); - -=head1 DESCRIPTION - -SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for -B using L. - -SSL_get_client_CA_list() returns the list of client CAs explicitly -set for B using SSL_set_client_CA_list() or B's SSL_CTX object with -L, when in -server mode. In client mode, SSL_get_client_CA_list returns the list of -client CAs sent from the server, if any. - -=head1 RETURN VALUES - -SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return -diagnostic information. - -SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return -values: - -=over 4 - -=item STACK_OF(X509_NAMES) - -List of CA names explicitly set (for B or in server mode) or send -by the server (client mode). - -=item NULL - -No client CA list was explicitly set (for B or in server mode) or -the server did not send a list of CAs (client mode). - -=back - -=head1 SEE ALSO - -L, -L, -L - -=head1 COPYRIGHT - -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. - -Licensed under the OpenSSL license (the "License"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file LICENSE in the source distribution or at -L. - -=cut