[dragonfly.git] / secure / lib / libcrypto / man / BIO_f_ssl.3

.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_f_ssl 3"
.TH BIO_f_ssl 3 "2012-01-04" "1.0.0f" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes,
BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
BIO_ssl_shutdown \- SSL BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
\& #include <openssl/ssl.h>
\&
\& BIO_METHOD *BIO_f_ssl(void);
\&
\& #define BIO_set_ssl(b,ssl,c)   BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl)
\& #define BIO_get_ssl(b,sslp)    BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
\& #define BIO_set_ssl_mode(b,client)     BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
\& #define BIO_set_ssl_renegotiate_bytes(b,num) \e
\&        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
\& #define BIO_set_ssl_renegotiate_timeout(b,seconds) \e
\&        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
\& #define BIO_get_num_renegotiates(b) \e
\&        BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
\&
\& BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
\& BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
\& BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
\& int BIO_ssl_copy_session_id(BIO *to,BIO *from);
\& void BIO_ssl_shutdown(BIO *bio);
\&
\& #define BIO_do_handshake(b)    BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fIBIO_f_ssl()\fR returns the \s-1SSL\s0 \s-1BIO\s0 method. This is a filter \s-1BIO\s0 which
is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO\s0 \*(L"flavour\*(R" to
\&\s-1SSL\s0 I/O.
.PP
I/O performed on an \s-1SSL\s0 \s-1BIO\s0 communicates using the \s-1SSL\s0 protocol with
the SSLs read and write BIOs. If an \s-1SSL\s0 connection is not established
then an attempt is made to establish one on the first I/O call.
.PP
If a \s-1BIO\s0 is appended to an \s-1SSL\s0 \s-1BIO\s0 using \fIBIO_push()\fR it is automatically
used as the \s-1SSL\s0 BIOs read and write BIOs.
.PP
Calling \fIBIO_reset()\fR on an \s-1SSL\s0 \s-1BIO\s0 closes down any current \s-1SSL\s0 connection
by calling \fISSL_shutdown()\fR. \fIBIO_reset()\fR is then sent to the next \s-1BIO\s0 in
the chain: this will typically disconnect the underlying transport.
The \s-1SSL\s0 \s-1BIO\s0 is then reset to the initial accept or connect state.
.PP
If the close flag is set when an \s-1SSL\s0 \s-1BIO\s0 is freed then the internal
\&\s-1SSL\s0 structure is also freed using \fISSL_free()\fR.
.PP
\&\fIBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR to \fBssl\fR using
the close flag \fBc\fR.
.PP
\&\fIBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR, it can then be
manipulated using the standard \s-1SSL\s0 library functions.
.PP
\&\fIBIO_set_ssl_mode()\fR sets the \s-1SSL\s0 \s-1BIO\s0 mode to \fBclient\fR. If \fBclient\fR
is 1 client mode is set. If \fBclient\fR is 0 server mode is set.
.PP
\&\fIBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count
to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write) 
the \s-1SSL\s0 session is automatically renegotiated. \fBnum\fR must be at
least 512 bytes.
.PP
\&\fIBIO_set_ssl_renegotiate_timeout()\fR sets the renegotiate timeout to
\&\fBseconds\fR. When the renegotiate timeout elapses the session is
automatically renegotiated.
.PP
\&\fIBIO_get_num_renegotiates()\fR returns the total number of session
renegotiations due to I/O or timeout.
.PP
\&\fIBIO_new_ssl()\fR allocates an \s-1SSL\s0 \s-1BIO\s0 using \s-1SSL_CTX\s0 \fBctx\fR and using
client mode if \fBclient\fR is non zero.
.PP
\&\fIBIO_new_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting of an
\&\s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) followed by a connect \s-1BIO\s0.
.PP
\&\fIBIO_new_buffer_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting
of a buffering \s-1BIO\s0, an \s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) and a connect
\&\s-1BIO\s0.
.PP
\&\fIBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between 
\&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the
\&\s-1SSL\s0 BIOs in each chain and calling \fISSL_copy_session_id()\fR on
the internal \s-1SSL\s0 pointer.
.PP
\&\fIBIO_ssl_shutdown()\fR closes down an \s-1SSL\s0 connection on \s-1BIO\s0
chain \fBbio\fR. It does this by locating the \s-1SSL\s0 \s-1BIO\s0 in the
chain and calling \fISSL_shutdown()\fR on its internal \s-1SSL\s0
pointer.
.PP
\&\fIBIO_do_handshake()\fR attempts to complete an \s-1SSL\s0 handshake on the
supplied \s-1BIO\s0 and establish the \s-1SSL\s0 connection. It returns 1
if the connection was established successfully. A zero or negative
value is returned if the connection could not be established, the
call \fIBIO_should_retry()\fR should be used for non blocking connect BIOs
to determine if the call should be retried. If an \s-1SSL\s0 connection has
already been established this call has no effect.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1SSL\s0 BIOs are exceptional in that if the underlying transport
is non blocking they can still request a retry in exceptional
circumstances. Specifically this will happen if a session
renegotiation takes place during a \fIBIO_read()\fR operation, one
case where this happens is when \s-1SGC\s0 or step up occurs.
.PP
In OpenSSL 0.9.6 and later the \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be
set to disable this behaviour. That is when this flag is set
an \s-1SSL\s0 \s-1BIO\s0 using a blocking transport will never request a
retry.
.PP
Since unknown \fIBIO_ctrl()\fR operations are sent through filter
BIOs the servers name and port can be set using \fIBIO_set_host()\fR
on the \s-1BIO\s0 returned by \fIBIO_new_ssl_connect()\fR without having
to locate the connect \s-1BIO\s0 first.
.PP
Applications do not have to call \fIBIO_do_handshake()\fR but may wish
to do so to separate the handshake process from other I/O
processing.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1TBA\s0
.SH "EXAMPLE"
.IX Header "EXAMPLE"
This \s-1SSL/TLS\s0 client example, attempts to retrieve a page from an
\&\s-1SSL/TLS\s0 web server. The I/O routines are identical to those of the
unencrypted example in \fIBIO_s_connect\fR\|(3).
.PP
.Vb 5
\& BIO *sbio, *out;
\& int len;
\& char tmpbuf[1024];
\& SSL_CTX *ctx;
\& SSL *ssl;
\&
\& ERR_load_crypto_strings();
\& ERR_load_SSL_strings();
\& OpenSSL_add_all_algorithms();
\&
\& /* We would seed the PRNG here if the platform didn\*(Aqt
\&  * do it automatically
\&  */
\&
\& ctx = SSL_CTX_new(SSLv23_client_method());
\&
\& /* We\*(Aqd normally set some stuff like the verify paths and
\&  * mode here because as things stand this will connect to
\&  * any server whose certificate is signed by any CA.
\&  */
\&
\& sbio = BIO_new_ssl_connect(ctx);
\&
\& BIO_get_ssl(sbio, &ssl);
\&
\& if(!ssl) {
\&   fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
\&   /* whatever ... */
\& }
\&
\& /* Don\*(Aqt want any retries */
\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
\&
\& /* We might want to do other things with ssl here */
\&
\& BIO_set_conn_hostname(sbio, "localhost:https");
\&
\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
\& if(BIO_do_connect(sbio) <= 0) {
\&        fprintf(stderr, "Error connecting to server\en");
\&        ERR_print_errors_fp(stderr);
\&        /* whatever ... */
\& }
\&
\& if(BIO_do_handshake(sbio) <= 0) {
\&        fprintf(stderr, "Error establishing SSL connection\en");
\&        ERR_print_errors_fp(stderr);
\&        /* whatever ... */
\& }
\&
\& /* Could examine ssl here to get connection info */
\&
\& BIO_puts(sbio, "GET / HTTP/1.0\en\en");
\& for(;;) {      
\&        len = BIO_read(sbio, tmpbuf, 1024);
\&        if(len <= 0) break;
\&        BIO_write(out, tmpbuf, len);
\& }
\& BIO_free_all(sbio);
\& BIO_free(out);
.Ve
.PP
Here is a simple server example. It makes use of a buffering
\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL\s0 \s-1BIO\s0 using BIO_gets.
It creates a pseudo web page containing the actual request from
a client and also echoes the request to standard output.
.PP
.Vb 5
\& BIO *sbio, *bbio, *acpt, *out;
\& int len;
\& char tmpbuf[1024];
\& SSL_CTX *ctx;
\& SSL *ssl;
\&
\& ERR_load_crypto_strings();
\& ERR_load_SSL_strings();
\& OpenSSL_add_all_algorithms();
\&
\& /* Might seed PRNG here */
\&
\& ctx = SSL_CTX_new(SSLv23_server_method());
\&
\& if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
\&        || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
\&        || !SSL_CTX_check_private_key(ctx)) {
\&
\&        fprintf(stderr, "Error setting up SSL_CTX\en");
\&        ERR_print_errors_fp(stderr);
\&        return 0;
\& }
\&
\& /* Might do other things here like setting verify locations and
\&  * DH and/or RSA temporary key callbacks
\&  */
\&
\& /* New SSL BIO setup as server */
\& sbio=BIO_new_ssl(ctx,0);
\&
\& BIO_get_ssl(sbio, &ssl);
\&
\& if(!ssl) {
\&   fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
\&   /* whatever ... */
\& }
\&
\& /* Don\*(Aqt want any retries */
\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
\&
\& /* Create the buffering BIO */
\&
\& bbio = BIO_new(BIO_f_buffer());
\&
\& /* Add to chain */
\& sbio = BIO_push(bbio, sbio);
\&
\& acpt=BIO_new_accept("4433");
\&
\& /* By doing this when a new connection is established
\&  * we automatically have sbio inserted into it. The
\&  * BIO chain is now \*(Aqswallowed\*(Aq by the accept BIO and
\&  * will be freed when the accept BIO is freed. 
\&  */
\& 
\& BIO_set_accept_bios(acpt,sbio);
\&
\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
\&
\& /* Setup accept BIO */
\& if(BIO_do_accept(acpt) <= 0) {
\&        fprintf(stderr, "Error setting up accept BIO\en");
\&        ERR_print_errors_fp(stderr);
\&        return 0;
\& }
\&
\& /* Now wait for incoming connection */
\& if(BIO_do_accept(acpt) <= 0) {
\&        fprintf(stderr, "Error in connection\en");
\&        ERR_print_errors_fp(stderr);
\&        return 0;
\& }
\&
\& /* We only want one connection so remove and free
\&  * accept BIO
\&  */
\&
\& sbio = BIO_pop(acpt);
\&
\& BIO_free_all(acpt);
\&
\& if(BIO_do_handshake(sbio) <= 0) {
\&        fprintf(stderr, "Error in SSL handshake\en");
\&        ERR_print_errors_fp(stderr);
\&        return 0;
\& }
\&
\& BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent\-type: text/plain\er\en\er\en");
\& BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en");
\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
\&
\& for(;;) {
\&        len = BIO_gets(sbio, tmpbuf, 1024);
\&        if(len <= 0) break;
\&        BIO_write(sbio, tmpbuf, len);
\&        BIO_write(out, tmpbuf, len);
\&        /* Look for blank line signifying end of headers*/
\&        if((tmpbuf[0] == \*(Aq\er\*(Aq) || (tmpbuf[0] == \*(Aq\en\*(Aq)) break;
\& }
\&
\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
\& BIO_puts(sbio, "\er\en");
\&
\& /* Since there is a buffering BIO present we had better flush it */
\& BIO_flush(sbio);
\&
\& BIO_free_all(sbio);
.Ve
.SH "BUGS"
.IX Header "BUGS"
In OpenSSL versions before 1.0.0 the \fIBIO_pop()\fR call was handled incorrectly,
the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of
decremented) and dissociated with the \s-1SSL\s0 \s-1BIO\s0 even if the \s-1SSL\s0 \s-1BIO\s0 was not
explicitly being popped (e.g. a pop higher up the chain). Applications which
included workarounds for this bug (e.g. freeing BIOs more than once) should
be modified to handle this fix or they may free up an already freed \s-1BIO\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1TBA\s0
Commit	Line	Data
e3261593	1	.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
8b0cefbb JR	2	.\"
	3	.\" Standard preamble:
	4	.\" ========================================================================
8b0cefbb	5	.de Sp \" Vertical space (when we can't use .PP)
984263bc MD	6	.if t .sp .5v
	7	.if n .sp
	8	..
8b0cefbb	9	.de Vb \" Begin verbatim text
984263bc MD	10	.ft CW
	11	.nf
	12	.ne \\$1
	13	..
8b0cefbb	14	.de Ve \" End verbatim text
984263bc	15	.ft R
984263bc MD	16	.fi
984263bc MD	17	..
8b0cefbb JR	18	.\" Set up some character translations and predefined strings. \*(-- will
8b0cefbb JR	19	.\" give an unbreakable dash, \(PI will give pi, \(L" will give a left
e257b235 PA	20	.\" double quote, and \(R" will give a right double quote. \(C+ will
	21	.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
	22	.\" therefore won't be available. \(C` and \(C' expand to `' in nroff,
	23	.\" nothing in troff, for use with C<>.
	24	.tr \(*W-
8b0cefbb	25	.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc	26	.ie n \{\
8b0cefbb JR	27	. ds -- \(*W-
	28	. ds PI pi
	29	. if (\n(.H=4u)&(1m=24u) .ds -- \(W\h'-12u'\(W\h'-12u'-\" diablo 10 pitch
	30	. if (\n(.H=4u)&(1m=20u) .ds -- \(W\h'-12u'\(W\h'-8u'-\" diablo 12 pitch
	31	. ds L" ""
	32	. ds R" ""
	33	. ds C` ""
	34	. ds C' ""
984263bc MD	35	'br\}
984263bc MD	36	.el\{\
8b0cefbb JR	37	. ds -- \\|\(em\\|
	38	. ds PI \(*p
	39	. ds L" ``
	40	. ds R" ''
984263bc	41	'br\}
8b0cefbb	42	.\"
e257b235 PA	43	.\" Escape single quotes in literal strings from groff's Unicode transform.
	44	.ie \n(.g .ds Aq \(aq
	45	.el .ds Aq '
	46	.\"
8b0cefbb	47	.\" If the F register is turned on, we'll generate index entries on stderr for
01185282	48	.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
8b0cefbb JR	49	.\" entries marked with X<> in POD. Of course, you'll have to process the
8b0cefbb JR	50	.\" output yourself in some meaningful fashion.
e257b235	51	.ie \nF \{\
8b0cefbb JR	52	. de IX
8b0cefbb JR	53	. tm Index:\\$1\t\\n%\t"\\$2"
984263bc	54	..
8b0cefbb JR	55	. nr % 0
8b0cefbb JR	56	. rr F
984263bc	57	.\}
e257b235 PA	58	.el \{\
	59	. de IX
	60	..
	61	.\}
aac4ff6f	62	.\"
8b0cefbb JR	63	.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
	64	.\" Fear. Run. Save yourself. No user-serviceable parts.
	65	. \" fudge factors for nroff and troff
984263bc	66	.if n \{\
8b0cefbb JR	67	. ds #H 0
	68	. ds #V .8m
	69	. ds #F .3m
	70	. ds #[ \f1
	71	. ds #] \fP
984263bc MD	72	.\}
984263bc MD	73	.if t \{\
8b0cefbb JR	74	. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
	75	. ds #V .6m
	76	. ds #F 0
	77	. ds #[ \&
	78	. ds #] \&
984263bc	79	.\}
8b0cefbb	80	. \" simple accents for nroff and troff
984263bc	81	.if n \{\
8b0cefbb JR	82	. ds ' \&
	83	. ds ` \&
	84	. ds ^ \&
	85	. ds , \&
	86	. ds ~ ~
	87	. ds /
984263bc MD	88	.\}
984263bc MD	89	.if t \{\
8b0cefbb JR	90	. ds ' \\k:\h'-(\\n(.wu8/10-\(#H)'\'\h"\|\\n:u"
	91	. ds ` \\k:\h'-(\\n(.wu8/10-\(#H)'\`\h'\|\\n:u'
	92	. ds ^ \\k:\h'-(\\n(.wu10/11-\(#H)'^\h'\|\\n:u'
	93	. ds , \\k:\h'-(\\n(.wu*8/10)',\h'\|\\n:u'
	94	. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'\|\\n:u'
	95	. ds / \\k:\h'-(\\n(.wu8/10-\(#H)'\z\(sl\h'\|\\n:u'
984263bc	96	.\}
8b0cefbb	97	. \" troff and (daisy-wheel) nroff accents
984263bc MD	98	.ds : \\k:\h'-(\\n(.wu8/10-\(#H+.1m+\(#F)'\v'-\(#V'\z.\h'.2m+\(#F'.\h'\|\\n:u'\v'\(#V'
	99	.ds 8 \h'\(#H'\(b\h'-\*(#H'
	100	.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\(#H)/2u'\v'-.3n'\(#[\z\(de\v'.3n'\h'\|\\n:u'\*(#]
	101	.ds d- \h'\(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\(#H'
	102	.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'\|\\n:u'
	103	.ds th \(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u2/3)'\s-1o\s+1\*(#]
	104	.ds Th \(#[\s+2I\s-2\h'-\w'I'u3/5'\v'-.3m'o\v'.3m'\*(#]
	105	.ds ae a\h'-(\w'a'u*4/10)'e
	106	.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb	107	. \" corrections for vroff
984263bc MD	108	.if v .ds ~ \\k:\h'-(\\n(.wu9/10-\(#H)'\s-2\u~\d\s+2\h'\|\\n:u'
984263bc MD	109	.if v .ds ^ \\k:\h'-(\\n(.wu10/11-\(#H)'\v'-.4m'^\v'.4m'\h'\|\\n:u'
8b0cefbb	110	. \" for low resolution devices (crt and lpr)
984263bc MD	111	.if \n(.H>23 .if \n(.V>19 \
984263bc MD	112	\{\
8b0cefbb JR	113	. ds : e
	114	. ds 8 ss
	115	. ds o a
	116	. ds d- d\h'-1'\(ga
	117	. ds D- D\h'-1'\(hy
	118	. ds th \o'bp'
	119	. ds Th \o'LP'
	120	. ds ae ae
	121	. ds Ae AE
984263bc MD	122	.\}
984263bc MD	123	.rm #[ #] #H #V #F C
8b0cefbb JR	124	.\" ========================================================================
	125	.\"
	126	.IX Title "BIO_f_ssl 3"
e3261593	127	.TH BIO_f_ssl 3 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235 PA	128	.\" For nroff, turn off justification. Always turn off hyphenation; it makes
	129	.\" way too many mistakes in technical documents.
	130	.if n .ad l
	131	.nh
984263bc MD	132	.SH "NAME"
	133	BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes,
	134	BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
	135	BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
74dab6c2	136	BIO_ssl_shutdown \- SSL BIO
984263bc	137	.SH "SYNOPSIS"
8b0cefbb	138	.IX Header "SYNOPSIS"
984263bc MD	139	.Vb 2
	140	\& #include <openssl/bio.h>
	141	\& #include <openssl/ssl.h>
e257b235	142	\&
984263bc	143	\& BIO_METHOD *BIO_f_ssl(void);
e257b235	144	\&
984263bc MD	145	\& #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl)
	146	\& #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
	147	\& #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
	148	\& #define BIO_set_ssl_renegotiate_bytes(b,num) \e
	149	\& BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
	150	\& #define BIO_set_ssl_renegotiate_timeout(b,seconds) \e
	151	\& BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
	152	\& #define BIO_get_num_renegotiates(b) \e
	153	\& BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
e257b235	154	\&
984263bc MD	155	\& BIO BIO_new_ssl(SSL_CTX ctx,int client);
	156	\& BIO BIO_new_ssl_connect(SSL_CTX ctx);
	157	\& BIO BIO_new_buffer_ssl_connect(SSL_CTX ctx);
	158	\& int BIO_ssl_copy_session_id(BIO to,BIO from);
	159	\& void BIO_ssl_shutdown(BIO *bio);
e257b235	160	\&
984263bc MD	161	\& #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
	162	.Ve
	163	.SH "DESCRIPTION"
8b0cefbb JR	164	.IX Header "DESCRIPTION"
	165	\&\fIBIO_f_ssl()\fR returns the \s-1SSL\s0 \s-1BIO\s0 method. This is a filter \s-1BIO\s0 which
	166	is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO\s0 \(L"flavour\(R" to
e257b235	167	\&\s-1SSL\s0 I/O.
984263bc	168	.PP
8b0cefbb JR	169	I/O performed on an \s-1SSL\s0 \s-1BIO\s0 communicates using the \s-1SSL\s0 protocol with
8b0cefbb JR	170	the SSLs read and write BIOs. If an \s-1SSL\s0 connection is not established
984263bc MD	171	then an attempt is made to establish one on the first I/O call.
984263bc MD	172	.PP
8b0cefbb JR	173	If a \s-1BIO\s0 is appended to an \s-1SSL\s0 \s-1BIO\s0 using \fIBIO_push()\fR it is automatically
8b0cefbb JR	174	used as the \s-1SSL\s0 BIOs read and write BIOs.
984263bc	175	.PP
8b0cefbb JR	176	Calling \fIBIO_reset()\fR on an \s-1SSL\s0 \s-1BIO\s0 closes down any current \s-1SSL\s0 connection
8b0cefbb JR	177	by calling \fISSL_shutdown()\fR. \fIBIO_reset()\fR is then sent to the next \s-1BIO\s0 in
984263bc	178	the chain: this will typically disconnect the underlying transport.
8b0cefbb	179	The \s-1SSL\s0 \s-1BIO\s0 is then reset to the initial accept or connect state.
984263bc	180	.PP
8b0cefbb JR	181	If the close flag is set when an \s-1SSL\s0 \s-1BIO\s0 is freed then the internal
8b0cefbb JR	182	\&\s-1SSL\s0 structure is also freed using \fISSL_free()\fR.
984263bc	183	.PP
8b0cefbb	184	\&\fIBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR to \fBssl\fR using
984263bc MD	185	the close flag \fBc\fR.
984263bc MD	186	.PP
8b0cefbb JR	187	\&\fIBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1BIO\s0 \fBb\fR, it can then be
8b0cefbb JR	188	manipulated using the standard \s-1SSL\s0 library functions.
984263bc	189	.PP
8b0cefbb	190	\&\fIBIO_set_ssl_mode()\fR sets the \s-1SSL\s0 \s-1BIO\s0 mode to \fBclient\fR. If \fBclient\fR
984263bc MD	191	is 1 client mode is set. If \fBclient\fR is 0 server mode is set.
984263bc MD	192	.PP
8b0cefbb	193	\&\fIBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count
984263bc	194	to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write)
8b0cefbb	195	the \s-1SSL\s0 session is automatically renegotiated. \fBnum\fR must be at
984263bc MD	196	least 512 bytes.
984263bc MD	197	.PP
8b0cefbb JR	198	\&\fIBIO_set_ssl_renegotiate_timeout()\fR sets the renegotiate timeout to
8b0cefbb JR	199	\&\fBseconds\fR. When the renegotiate timeout elapses the session is
984263bc MD	200	automatically renegotiated.
984263bc MD	201	.PP
8b0cefbb	202	\&\fIBIO_get_num_renegotiates()\fR returns the total number of session
984263bc MD	203	renegotiations due to I/O or timeout.
984263bc MD	204	.PP
8b0cefbb	205	\&\fIBIO_new_ssl()\fR allocates an \s-1SSL\s0 \s-1BIO\s0 using \s-1SSL_CTX\s0 \fBctx\fR and using
984263bc MD	206	client mode if \fBclient\fR is non zero.
984263bc MD	207	.PP
8b0cefbb JR	208	\&\fIBIO_new_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting of an
8b0cefbb JR	209	\&\s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) followed by a connect \s-1BIO\s0.
984263bc	210	.PP
8b0cefbb JR	211	\&\fIBIO_new_buffer_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting
	212	of a buffering \s-1BIO\s0, an \s-1SSL\s0 \s-1BIO\s0 (using \fBctx\fR) and a connect
	213	\&\s-1BIO\s0.
984263bc	214	.PP
8b0cefbb JR	215	\&\fIBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between
	216	\&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the
	217	\&\s-1SSL\s0 BIOs in each chain and calling \fISSL_copy_session_id()\fR on
	218	the internal \s-1SSL\s0 pointer.
984263bc	219	.PP
8b0cefbb JR	220	\&\fIBIO_ssl_shutdown()\fR closes down an \s-1SSL\s0 connection on \s-1BIO\s0
	221	chain \fBbio\fR. It does this by locating the \s-1SSL\s0 \s-1BIO\s0 in the
	222	chain and calling \fISSL_shutdown()\fR on its internal \s-1SSL\s0
984263bc MD	223	pointer.
984263bc MD	224	.PP
8b0cefbb JR	225	\&\fIBIO_do_handshake()\fR attempts to complete an \s-1SSL\s0 handshake on the
8b0cefbb JR	226	supplied \s-1BIO\s0 and establish the \s-1SSL\s0 connection. It returns 1
984263bc MD	227	if the connection was established successfully. A zero or negative
	228	value is returned if the connection could not be established, the
	229	call \fIBIO_should_retry()\fR should be used for non blocking connect BIOs
8b0cefbb	230	to determine if the call should be retried. If an \s-1SSL\s0 connection has
984263bc MD	231	already been established this call has no effect.
984263bc MD	232	.SH "NOTES"
8b0cefbb JR	233	.IX Header "NOTES"
8b0cefbb JR	234	\&\s-1SSL\s0 BIOs are exceptional in that if the underlying transport
984263bc MD	235	is non blocking they can still request a retry in exceptional
	236	circumstances. Specifically this will happen if a session
	237	renegotiation takes place during a \fIBIO_read()\fR operation, one
8b0cefbb	238	case where this happens is when \s-1SGC\s0 or step up occurs.
984263bc	239	.PP
8b0cefbb	240	In OpenSSL 0.9.6 and later the \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be
984263bc	241	set to disable this behaviour. That is when this flag is set
8b0cefbb	242	an \s-1SSL\s0 \s-1BIO\s0 using a blocking transport will never request a
984263bc MD	243	retry.
	244	.PP
	245	Since unknown \fIBIO_ctrl()\fR operations are sent through filter
	246	BIOs the servers name and port can be set using \fIBIO_set_host()\fR
8b0cefbb JR	247	on the \s-1BIO\s0 returned by \fIBIO_new_ssl_connect()\fR without having
8b0cefbb JR	248	to locate the connect \s-1BIO\s0 first.
984263bc MD	249	.PP
	250	Applications do not have to call \fIBIO_do_handshake()\fR but may wish
	251	to do so to separate the handshake process from other I/O
	252	processing.
	253	.SH "RETURN VALUES"
8b0cefbb JR	254	.IX Header "RETURN VALUES"
8b0cefbb JR	255	\&\s-1TBA\s0
984263bc	256	.SH "EXAMPLE"
8b0cefbb JR	257	.IX Header "EXAMPLE"
	258	This \s-1SSL/TLS\s0 client example, attempts to retrieve a page from an
	259	\&\s-1SSL/TLS\s0 web server. The I/O routines are identical to those of the
	260	unencrypted example in \fIBIO_s_connect\fR\\|(3).
984263bc MD	261	.PP
	262	.Vb 5
	263	\& BIO sbio, out;
	264	\& int len;
	265	\& char tmpbuf[1024];
	266	\& SSL_CTX *ctx;
	267	\& SSL *ssl;
e257b235	268	\&
984263bc MD	269	\& ERR_load_crypto_strings();
	270	\& ERR_load_SSL_strings();
	271	\& OpenSSL_add_all_algorithms();
e257b235 PA	272	\&
e257b235 PA	273	\& /* We would seed the PRNG here if the platform didn\*(Aqt
984263bc MD	274	\& * do it automatically
984263bc MD	275	\& */
e257b235	276	\&
984263bc	277	\& ctx = SSL_CTX_new(SSLv23_client_method());
e257b235 PA	278	\&
e257b235 PA	279	\& /* We\*(Aqd normally set some stuff like the verify paths and
984263bc MD	280	\& * mode here because as things stand this will connect to
	281	\& * any server whose certificate is signed by any CA.
	282	\& */
e257b235	283	\&
984263bc	284	\& sbio = BIO_new_ssl_connect(ctx);
e257b235	285	\&
984263bc	286	\& BIO_get_ssl(sbio, &ssl);
e257b235	287	\&
984263bc	288	\& if(!ssl) {
e257b235	289	\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
984263bc MD	290	\& /* whatever ... */
984263bc MD	291	\& }
e257b235 PA	292	\&
e257b235 PA	293	\& /* Don\(Aqt want any retries /
984263bc	294	\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
e257b235	295	\&
984263bc	296	\& /* We might want to do other things with ssl here */
e257b235	297	\&
984263bc	298	\& BIO_set_conn_hostname(sbio, "localhost:https");
e257b235	299	\&
984263bc MD	300	\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
	301	\& if(BIO_do_connect(sbio) <= 0) {
	302	\& fprintf(stderr, "Error connecting to server\en");
	303	\& ERR_print_errors_fp(stderr);
	304	\& /* whatever ... */
	305	\& }
e257b235	306	\&
984263bc MD	307	\& if(BIO_do_handshake(sbio) <= 0) {
	308	\& fprintf(stderr, "Error establishing SSL connection\en");
	309	\& ERR_print_errors_fp(stderr);
	310	\& /* whatever ... */
	311	\& }
e257b235	312	\&
984263bc	313	\& /* Could examine ssl here to get connection info */
e257b235	314	\&
984263bc MD	315	\& BIO_puts(sbio, "GET / HTTP/1.0\en\en");
	316	\& for(;;) {
	317	\& len = BIO_read(sbio, tmpbuf, 1024);
	318	\& if(len <= 0) break;
	319	\& BIO_write(out, tmpbuf, len);
	320	\& }
	321	\& BIO_free_all(sbio);
	322	\& BIO_free(out);
	323	.Ve
8b0cefbb	324	.PP
984263bc	325	Here is a simple server example. It makes use of a buffering
8b0cefbb	326	\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL\s0 \s-1BIO\s0 using BIO_gets.
984263bc MD	327	It creates a pseudo web page containing the actual request from
	328	a client and also echoes the request to standard output.
	329	.PP
	330	.Vb 5
	331	\& BIO sbio, bbio, acpt, out;
	332	\& int len;
	333	\& char tmpbuf[1024];
	334	\& SSL_CTX *ctx;
	335	\& SSL *ssl;
e257b235	336	\&
984263bc MD	337	\& ERR_load_crypto_strings();
	338	\& ERR_load_SSL_strings();
	339	\& OpenSSL_add_all_algorithms();
e257b235	340	\&
984263bc	341	\& /* Might seed PRNG here */
e257b235	342	\&
984263bc	343	\& ctx = SSL_CTX_new(SSLv23_server_method());
e257b235	344	\&
984263bc MD	345	\& if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
	346	\& \|\| !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
	347	\& \|\| !SSL_CTX_check_private_key(ctx)) {
e257b235	348	\&
984263bc MD	349	\& fprintf(stderr, "Error setting up SSL_CTX\en");
	350	\& ERR_print_errors_fp(stderr);
	351	\& return 0;
	352	\& }
e257b235	353	\&
984263bc MD	354	\& /* Might do other things here like setting verify locations and
	355	\& * DH and/or RSA temporary key callbacks
	356	\& */
e257b235	357	\&
984263bc MD	358	\& /* New SSL BIO setup as server */
984263bc MD	359	\& sbio=BIO_new_ssl(ctx,0);
e257b235	360	\&
984263bc	361	\& BIO_get_ssl(sbio, &ssl);
e257b235	362	\&
984263bc	363	\& if(!ssl) {
e257b235	364	\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
984263bc MD	365	\& /* whatever ... */
984263bc MD	366	\& }
e257b235 PA	367	\&
e257b235 PA	368	\& /* Don\(Aqt want any retries /
984263bc	369	\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
e257b235	370	\&
984263bc	371	\& /* Create the buffering BIO */
e257b235	372	\&
984263bc	373	\& bbio = BIO_new(BIO_f_buffer());
e257b235	374	\&
984263bc MD	375	\& /* Add to chain */
984263bc MD	376	\& sbio = BIO_push(bbio, sbio);
e257b235	377	\&
984263bc	378	\& acpt=BIO_new_accept("4433");
e257b235	379	\&
984263bc MD	380	\& /* By doing this when a new connection is established
984263bc MD	381	\& * we automatically have sbio inserted into it. The
e257b235	382	\& * BIO chain is now \(Aqswallowed\(Aq by the accept BIO and
984263bc MD	383	\& * will be freed when the accept BIO is freed.
984263bc MD	384	\& */
e257b235	385	\&
984263bc	386	\& BIO_set_accept_bios(acpt,sbio);
e257b235	387	\&
984263bc	388	\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
e257b235	389	\&
984263bc MD	390	\& /* Setup accept BIO */
	391	\& if(BIO_do_accept(acpt) <= 0) {
	392	\& fprintf(stderr, "Error setting up accept BIO\en");
	393	\& ERR_print_errors_fp(stderr);
	394	\& return 0;
	395	\& }
e257b235	396	\&
984263bc MD	397	\& /* Now wait for incoming connection */
	398	\& if(BIO_do_accept(acpt) <= 0) {
	399	\& fprintf(stderr, "Error in connection\en");
	400	\& ERR_print_errors_fp(stderr);
	401	\& return 0;
	402	\& }
e257b235	403	\&
984263bc MD	404	\& /* We only want one connection so remove and free
	405	\& * accept BIO
	406	\& */
e257b235	407	\&
984263bc	408	\& sbio = BIO_pop(acpt);
e257b235	409	\&
984263bc	410	\& BIO_free_all(acpt);
e257b235	411	\&
984263bc MD	412	\& if(BIO_do_handshake(sbio) <= 0) {
	413	\& fprintf(stderr, "Error in SSL handshake\en");
	414	\& ERR_print_errors_fp(stderr);
	415	\& return 0;
	416	\& }
e257b235 PA	417	\&
e257b235 PA	418	\& BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent\-type: text/plain\er\en\er\en");
74dab6c2	419	\& BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en");
e257b235 PA	420	\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
e257b235 PA	421	\&
984263bc MD	422	\& for(;;) {
	423	\& len = BIO_gets(sbio, tmpbuf, 1024);
	424	\& if(len <= 0) break;
	425	\& BIO_write(sbio, tmpbuf, len);
	426	\& BIO_write(out, tmpbuf, len);
	427	\& /* Look for blank line signifying end of headers*/
e257b235	428	\& if((tmpbuf[0] == \(Aq\er\(Aq) \|\| (tmpbuf[0] == \(Aq\en\(Aq)) break;
984263bc	429	\& }
e257b235 PA	430	\&
e257b235 PA	431	\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
74dab6c2	432	\& BIO_puts(sbio, "\er\en");
e257b235	433	\&
984263bc MD	434	\& /* Since there is a buffering BIO present we had better flush it */
984263bc MD	435	\& BIO_flush(sbio);
e257b235	436	\&
984263bc MD	437	\& BIO_free_all(sbio);
984263bc MD	438	.Ve
01185282 PA	439	.SH "BUGS"
	440	.IX Header "BUGS"
	441	In OpenSSL versions before 1.0.0 the \fIBIO_pop()\fR call was handled incorrectly,
	442	the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of
	443	decremented) and dissociated with the \s-1SSL\s0 \s-1BIO\s0 even if the \s-1SSL\s0 \s-1BIO\s0 was not
	444	explicitly being popped (e.g. a pop higher up the chain). Applications which
	445	included workarounds for this bug (e.g. freeing BIOs more than once) should
	446	be modified to handle this fix or they may free up an already freed \s-1BIO\s0.
984263bc MD	447	.SH "SEE ALSO"
984263bc MD	448	.IX Header "SEE ALSO"
8b0cefbb	449	\&\s-1TBA\s0