From f0d6ee6be8b2faac9fa37be0086fafbc001307f3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 15 Feb 2002 07:41:42 +0000 Subject: [PATCH] Even though it is not really practical people should know about it. --- doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 1 + doc/ssl/SSL_CTX_set_client_cert_cb.pod | 90 ++++++++++++++++++++++++ doc/ssl/SSL_CTX_use_certificate.pod | 1 + doc/ssl/SSL_clear.pod | 3 +- doc/ssl/SSL_get_client_CA_list.pod | 3 +- doc/ssl/ssl.pod | 1 + 6 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_client_cert_cb.pod diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod index 21a9db0e2a..ee28f5ccc3 100644 --- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod +++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod @@ -33,6 +33,7 @@ error stack to find out the reason for failure otherwise. L, L, +L, L =cut diff --git a/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/doc/ssl/SSL_CTX_set_client_cert_cb.pod new file mode 100644 index 0000000000..53e1827713 --- /dev/null +++ b/doc/ssl/SSL_CTX_set_client_cert_cb.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); + int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + +=head1 DESCRIPTION + +SSL_CTX_set_client_cert_cb() sets the B callback, that is +called when a client certificate is requested by a server. +When B is NULL, not callback function is used. + +SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback +function. + +client_cert_cb() is the application defined callback. If it wants to +set a certificate, a certificate/private key combination must be set +using the B and B arguments and "1" must be returned. The +certificate will be installed into B, see the NOTES and BUGS sections. +If no certificate should be set, "0" has to be returned and the default +certificate will be sent. A fatal error can be indicated by returning +a negative value, in which case the handshake will be canceled. + +=head1 NOTES + +During a handshake (or renegotiation) a server may request a certificate +from the client. A client certificate must only be sent, when the server +did send the request. + +When no callback function is set, an OpenSSL client will send the certificate +that was set using the +L family of functions. +The TLS standard requires that only a certificate is sent, if it matches +the list of acceptable CAs sent by the server. This constraint is +violated by the default behavior of the OpenSSL library. Using the +callback function it is possible to implement a proper selection routine +or to allow a user interaction to choose the certificate to be sent. +The callback function can obtain the list of acceptable CAs using the +L function. + +If a callback function is defined, the callback function will be called. +If the callback function returns a certificate, the OpenSSL library +will try to load the private key and certificate data into the SSL +object using SSL_use_certificate() and SSL_use_private_key() functions. +Thus it will permanently override the certificate and key previously +installed and will not be reset by calling L. +If the callback returns no certificate, the OpenSSL library will send +the certificate previously installed for the SSL_CTX object or the specific +certificate of the SSL object, if available. + +=head1 BUGS + +The client_cert_cb() cannot return a complete certificate chain, it can +only return one client certificate. If the chain only has a length of 2, +the root CA certificate may be omitted according to the TLS standard and +thus a standard conforming answer can be sent to the server. For a +longer chain, the client must send the complete chain (with the option +to leave out the root CA certificate). This can only be accomplished by +either adding the intermediate CA certificates into the trusted +certificate store for the SSL_CTX object (resulting in having to add +CA certificates that otherwise maybe would not be trusted), or by adding +the chain certificates using the +L +function, which is only available for the SSL_CTX object as a whole and that +therefore probably can only apply for one client certificate, making +the concept of the callback function (to allow the choice from several +certificates) questionable. + +Once the SSL object has been used in conjunction with the callback function, +the certificate will be set for the SSL object and will not be cleared +even when L is being called. It is therefore +mandatory to destroy the SSL object using L +and create a new one to return to the previous state. + +=head1 SEE ALSO + +L, L, +L, +L, +L, L + +=cut diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod index 3b2fe6fc50..b8868f18bf 100644 --- a/doc/ssl/SSL_CTX_use_certificate.pod +++ b/doc/ssl/SSL_CTX_use_certificate.pod @@ -149,6 +149,7 @@ L, L, L, L, L, L, +L, L =cut diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod index 8b735d81dc..f0aa5e94eb 100644 --- a/doc/ssl/SSL_clear.pod +++ b/doc/ssl/SSL_clear.pod @@ -44,6 +44,7 @@ The SSL_clear() operation was successful. L, L, L, L, -L, L +L, L, +L =cut diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod index 40e01cf9c8..5693fdebb2 100644 --- a/doc/ssl/SSL_get_client_CA_list.pod +++ b/doc/ssl/SSL_get_client_CA_list.pod @@ -47,6 +47,7 @@ the server did not send a list of CAs (client mode). =head1 SEE ALSO L, -L +L, +L =cut diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index b948d59e59..d0525582b0 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -675,6 +675,7 @@ L, L, L, L, +L, L, L, L, -- 2.25.1