Merge from vendor branch OPENSSL:
2eaa1526 1.\" Automatically generated by Pod::Man 2.12 (Pod::Simple 3.05)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
e056f0e0 13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
e056f0e0 17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
e056f0e0 22.de Ve \" End verbatim text
984263bc 23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
e056f0e0 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
59. nr % 0
60. rr F
984263bc 61.\}
e056f0e0 62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
e056f0e0 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
e056f0e0 97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
e056f0e0 107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
e056f0e0 110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "SSL_CTX_set_max_cert_list 3"
127.TH SSL_CTX_set_max_cert_list 3 "2007-10-24" "0.9.8g" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, \- manipulate the allowed size for the peer's certificate chain
134.SH "SYNOPSIS"
e056f0e0 135.IX Header "SYNOPSIS"
136.Vb 1
137\& #include <openssl/ssl.h>
2eaa1526 138\&
139\& long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
140\& long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
2eaa1526 141\&
142\& long SSL_set_max_cert_list(SSL *ssl, long size);
143\& long SSL_get_max_cert_list(SSL *ctx);
144.Ve
145.SH "DESCRIPTION"
146.IX Header "DESCRIPTION"
147\&\fISSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
148certificate chain for all \s-1SSL\s0 objects created from \fBctx\fR to be <size> bytes.
149The \s-1SSL\s0 objects inherit the setting valid for \fBctx\fR at the time
150\&\fISSL_new\fR\|(3) is being called.
984263bc 151.PP
e056f0e0 152\&\fISSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
984263bc 153.PP
e056f0e0 154\&\fISSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's
155certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
156until a new value is set.
157.PP
e056f0e0 158\&\fISSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
984263bc 159.SH "NOTES"
e056f0e0 160.IX Header "NOTES"
984263bc 161During the handshake process, the peer may send a certificate chain.
e056f0e0 162The \s-1TLS/SSL\s0 standard does not specify a maximum size for the certificate chain.
163The OpenSSL library handles incoming data using a dynamically allocated buffer.
164In order to prevent this buffer from growing without bounds due to data
165received from a faulty or malicious peer, a maximum size for the certificate
166chain is set.
167.PP
168The default value for the maximum certificate chain size is 100kB (30kB
e056f0e0 169on the 16bit \s-1DOS\s0 platform). This should be sufficient for usual certificate
984263bc 170chains (OpenSSL's default maximum chain length is 10, see
171\&\fISSL_CTX_set_verify\fR\|(3), and certificates
172without special extensions have a typical size of 1\-2kB).
173.PP
174For special applications it can be necessary to extend the maximum certificate
175chain size allowed to be sent by the peer, see e.g. the work on
176\&\*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
177and \*(L"\s-1TLS\s0 Delegation Protocol\*(R" at http://www.ietf.org/ and
178http://www.globus.org/ .
179.PP
180Under normal conditions it should never be necessary to set a value smaller
181than the default, as the buffer is handled dynamically and only uses the
182memory actually required by the data sent by the peer.
183.PP
184If the maximum certificate chain size allowed is exceeded, the handshake will
e056f0e0 185fail with an \s-1SSL_R_EXCESSIVE_MESSAGE_SIZE\s0 error.
984263bc 186.SH "RETURN VALUES"
187.IX Header "RETURN VALUES"
188\&\fISSL_CTX_set_max_cert_list()\fR and \fISSL_set_max_cert_list()\fR return the previously
189set value.
190.PP
e056f0e0 191\&\fISSL_CTX_get_max_cert_list()\fR and \fISSL_get_max_cert_list()\fR return the currently
192set value.
193.SH "SEE ALSO"
a7d27d5a 194.IX Header "SEE ALSO"
195\&\fIssl\fR\|(3), \fISSL_new\fR\|(3),
196\&\fISSL_CTX_set_verify\fR\|(3)
197.SH "HISTORY"
a7d27d5a 198.IX Header "HISTORY"
e056f0e0 199SSL*_set/\fIget_max_cert_list()\fR were introduced in OpenSSL 0.9.7.