Initial import from FreeBSD RELENG_4:
[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_client_CA_list.3
CommitLineData
984263bc
MD
1.\" Automatically generated by Pod::Man version 1.15
2.\" Wed Feb 19 16:47:40 2003
3.\"
4.\" Standard preamble:
5.\" ======================================================================
6.de Sh \" Subsection heading
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
14.de Sp \" Vertical space (when we can't use .PP)
15.if t .sp .5v
16.if n .sp
17..
18.de Ip \" List item
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
24.de Vb \" Begin verbatim text
25.ft CW
26.nf
27.ne \\$1
28..
29.de Ve \" End verbatim text
30.ft R
31
32.fi
33..
34.\" Set up some character translations and predefined strings. \*(-- will
35.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36.\" double quote, and \*(R" will give a right double quote. | will give a
37.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38.\" to do unbreakable dashes and therefore won't be available. \*(C` and
39.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
40.tr \(*W-|\(bv\*(Tr
41.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
42.ie n \{\
43. ds -- \(*W-
44. ds PI pi
45. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47. ds L" ""
48. ds R" ""
49. ds C` ""
50. ds C' ""
51'br\}
52.el\{\
53. ds -- \|\(em\|
54. ds PI \(*p
55. ds L" ``
56. ds R" ''
57'br\}
58.\"
59.\" If the F register is turned on, we'll generate index entries on stderr
60.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61.\" index entries marked with X<> in POD. Of course, you'll have to process
62.\" the output yourself in some meaningful fashion.
63.if \nF \{\
64. de IX
65. tm Index:\\$1\t\\n%\t"\\$2"
66..
67. nr % 0
68. rr F
69.\}
70.\"
71.\" For nroff, turn off justification. Always turn off hyphenation; it
72.\" makes way too many mistakes in technical documents.
73.hy 0
74.if n .na
75.\"
76.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77.\" Fear. Run. Save yourself. No user-serviceable parts.
78.bd B 3
79. \" fudge factors for nroff and troff
80.if n \{\
81. ds #H 0
82. ds #V .8m
83. ds #F .3m
84. ds #[ \f1
85. ds #] \fP
86.\}
87.if t \{\
88. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89. ds #V .6m
90. ds #F 0
91. ds #[ \&
92. ds #] \&
93.\}
94. \" simple accents for nroff and troff
95.if n \{\
96. ds ' \&
97. ds ` \&
98. ds ^ \&
99. ds , \&
100. ds ~ ~
101. ds /
102.\}
103.if t \{\
104. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
110.\}
111. \" troff and (daisy-wheel) nroff accents
112.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119.ds ae a\h'-(\w'a'u*4/10)'e
120.ds Ae A\h'-(\w'A'u*4/10)'E
121. \" corrections for vroff
122.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
124. \" for low resolution devices (crt and lpr)
125.if \n(.H>23 .if \n(.V>19 \
126\{\
127. ds : e
128. ds 8 ss
129. ds o a
130. ds d- d\h'-1'\(ga
131. ds D- D\h'-1'\(hy
132. ds th \o'bp'
133. ds Th \o'LP'
134. ds ae ae
135. ds Ae AE
136.\}
137.rm #[ #] #H #V #F C
138.\" ======================================================================
139.\"
140.IX Title "SSL_CTX_set_client_CA_list 3"
141.TH SSL_CTX_set_client_CA_list 3 "0.9.7a" "2003-02-19" "OpenSSL"
142.UC
143.SH "NAME"
144SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
145SSL_add_client_CA \- set list of CAs sent to the client when requesting a
146client certificate
147.SH "SYNOPSIS"
148.IX Header "SYNOPSIS"
149.Vb 1
150\& #include <openssl/ssl.h>
151.Ve
152.Vb 4
153\& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
154\& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
155\& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
156\& int SSL_add_client_CA(SSL *ssl, X509 *cacert);
157.Ve
158.SH "DESCRIPTION"
159.IX Header "DESCRIPTION"
160\&\fISSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
161requesting a client certificate for \fBctx\fR.
162.PP
163\&\fISSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
164requesting a client certificate for the chosen \fBssl\fR, overriding the
165setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
166.PP
167\&\fISSL_CTX_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
168list of CAs sent to the client when requesting a client certificate for
169\&\fBctx\fR.
170.PP
171\&\fISSL_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
172list of CAs sent to the client when requesting a client certificate for
173the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
174.SH "NOTES"
175.IX Header "NOTES"
176When a \s-1TLS/SSL\s0 server requests a client certificate (see
177\&\fB\f(BISSL_CTX_set_verify_options()\fB\fR), it sends a list of CAs, for which
178it will accept certificates, to the client.
179.PP
180This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for
181\&\fBctx\fR and \fISSL_set_client_CA_list()\fR for the specific \fBssl\fR. The list
182specified overrides the previous setting. The CAs listed do not become
183trusted (\fBlist\fR only contains the names, not the complete certificates); use
184SSL_CTX_load_verify_locations(3)
185to additionally load them for verification.
186.PP
187If the list of acceptable CAs is compiled in a file, the
188SSL_load_client_CA_file(3)
189function can be used to help importing the necessary data.
190.PP
191\&\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR can be used to add additional
192items the list of client CAs. If no list was specified before using
193\&\fISSL_CTX_set_client_CA_list()\fR or \fISSL_set_client_CA_list()\fR, a new client
194\&\s-1CA\s0 list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
195.PP
196These functions are only useful for \s-1TLS/SSL\s0 servers.
197.SH "RETURN VALUES"
198.IX Header "RETURN VALUES"
199\&\fISSL_CTX_set_client_CA_list()\fR and \fISSL_set_client_CA_list()\fR do not return
200diagnostic information.
201.PP
202\&\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR have the following return
203values:
204.Ip "1" 4
205.IX Item "1"
206The operation succeeded.
207.Ip "0" 4
208A failure while manipulating the STACK_OF(X509_NAME) object occurred or
209the X509_NAME could not be extracted from \fBcacert\fR. Check the error stack
210to find out the reason.
211.SH "EXAMPLES"
212.IX Header "EXAMPLES"
213Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
214.PP
215.Vb 1
216\& SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
217.Ve
218.SH "SEE ALSO"
219.IX Header "SEE ALSO"
220ssl(3),
221SSL_get_client_CA_list(3),
222SSL_load_client_CA_file(3),
223SSL_CTX_load_verify_locations(3)