Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_max_cert_list.3
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
e056f0e0
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
e056f0e0 5.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
6.if t .sp .5v
7.if n .sp
8..
e056f0e0 9.de Vb \" Begin verbatim text
984263bc
MD
10.ft CW
11.nf
12.ne \\$1
13..
e056f0e0 14.de Ve \" End verbatim text
984263bc 15.ft R
984263bc
MD
16.fi
17..
e056f0e0
JR
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
e056f0e0 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
e056f0e0
JR
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
984263bc
MD
35'br\}
36.el\{\
e056f0e0
JR
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
e056f0e0 42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
e056f0e0 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
e056f0e0
JR
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
e056f0e0
JR
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
e056f0e0
JR
55. nr % 0
56. rr F
984263bc 57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
e056f0e0
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
e056f0e0
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
e056f0e0
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
e056f0e0 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
e056f0e0
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
e056f0e0
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
e056f0e0 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
e056f0e0 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
e056f0e0 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
e056f0e0
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
e056f0e0
JR
124.\" ========================================================================
125.\"
126.IX Title "SSL_CTX_set_max_cert_list 3"
e3261593 127.TH SSL_CTX_set_max_cert_list 3 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc
MD
132.SH "NAME"
133SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate the maximum size allowed for the peer's certificate chain
134.SH "SYNOPSIS"
e056f0e0 135.IX Header "SYNOPSIS"
984263bc
MD
136.Vb 1
137\& #include <openssl/ssl.h>
e257b235 138\&
984263bc
MD
139\& long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
140\& long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
e257b235 141\&
984263bc
MD
142\& long SSL_set_max_cert_list(SSL *ssl, long size);
143\& long SSL_get_max_cert_list(SSL *ssl);
144.Ve
145.SH "DESCRIPTION"
e056f0e0
JR
146.IX Header "DESCRIPTION"
147\&\fISSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
148certificate chain for all \s-1SSL\s0 objects created from \fBctx\fR to be <size> bytes.
149The \s-1SSL\s0 objects inherit the setting valid for \fBctx\fR at the time
150\&\fISSL_new\fR\|(3) is being called.
984263bc 151.PP
e056f0e0 152\&\fISSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
984263bc 153.PP
e056f0e0 154\&\fISSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's
984263bc
MD
155certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
156until a new value is set.
157.PP
e056f0e0 158\&\fISSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
984263bc 159.SH "NOTES"
e056f0e0 160.IX Header "NOTES"
984263bc 161During the handshake process, the peer may send a certificate chain.
e056f0e0 162The \s-1TLS/SSL\s0 standard does not give any maximum size of the certificate chain.
984263bc
MD
163The OpenSSL library handles incoming data using a dynamically allocated buffer.
164In order to prevent this buffer from growing without bounds due to data
165received from a faulty or malicious peer, a maximum size for the certificate
166chain is set.
167.PP
168The default value for the maximum certificate chain size is 100kB (30kB
e056f0e0 169on the 16bit \s-1DOS\s0 platform). This should be sufficient for usual certificate
984263bc 170chains (OpenSSL's default maximum chain length is 10, see
e056f0e0
JR
171\&\fISSL_CTX_set_verify\fR\|(3), and certificates
172without special extensions have a typical size of 1\-2kB).
984263bc
MD
173.PP
174For special applications it can be necessary to extend the maximum certificate
175chain size allowed to be sent by the peer, see e.g. the work on
e056f0e0
JR
176\&\*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
177and \*(L"\s-1TLS\s0 Delegation Protocol\*(R" at http://www.ietf.org/ and
984263bc
MD
178http://www.globus.org/ .
179.PP
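180Under normal conditions it should never be necessary to set a value smaller
181than the default, as the buffer is handled dynamically and only uses the
182memory actually required by the data sent by the peer. Conversely, raising the limit raises the amount of memory that a faulty or malicious peer can make this buffer consume during a handshake, so a larger value should be no bigger than the expected certificate chains require.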
183.PP
184If the maximum certificate chain size allowed is exceeded, the handshake will
e056f0e0 185fail with an \s-1SSL_R_EXCESSIVE_MESSAGE_SIZE\s0 error.
984263bc 186.SH "RETURN VALUES"
e056f0e0
JR
187.IX Header "RETURN VALUES"
188\&\fISSL_CTX_set_max_cert_list()\fR and \fISSL_set_max_cert_list()\fR return the previously
984263bc
MD
189set value.
190.PP
e056f0e0 191\&\fISSL_CTX_get_max_cert_list()\fR and \fISSL_get_max_cert_list()\fR return the currently
984263bc
MD
192set value.
193.SH "SEE ALSO"
a7d27d5a 194.IX Header "SEE ALSO"
e056f0e0
JR
195\&\fIssl\fR\|(3), \fISSL_new\fR\|(3),
196\&\fISSL_CTX_set_verify\fR\|(3)
197.SH "HISTORY"
a7d27d5a 198.IX Header "HISTORY"
e056f0e0 199\fISSL*_set/get_max_cert_list()\fR were introduced in OpenSSL 0.9.7.