Remove my local patch again, it was still not meant to be commited.

[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_client_CA_list.3

.rn '' }`
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
'''
.de Sh
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp
.if t .sp .5v
.if n .sp
..
.de Ip
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.de Vb
.ft CW
.nf
.ne \\$1
..
.de Ve
.ft R

.fi
..
'''
'''
'''     Set up \*(-- to give an unbreakable dash;
'''     string Tr holds user defined translation string.
'''     Bell System Logo is used as a dummy character.
'''
.tr \(*W-|\(bv\*(Tr
.ie n \{\
.ds -- \(*W-
.ds PI pi
.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.ds L" ""
.ds R" ""
'''   \*(M", \*(S", \*(N" and \*(T" are the equivalent of
'''   \*(L" and \*(R", except that they are used on ".xx" lines,
'''   such as .IP and .SH, which do another additional levels of
'''   double-quote interpretation
.ds M" """
.ds S" """
.ds N" """""
.ds T" """""
.ds L' '
.ds R' '
.ds M' '
.ds S' '
.ds N' '
.ds T' '
'br\}
.el\{\
.ds -- \(em\|
.tr \*(Tr
.ds L" ``
.ds R" ''
.ds M" ``
.ds S" ''
.ds N" ``
.ds T" ''
.ds L' `
.ds R' '
.ds M' `
.ds S' '
.ds N' `
.ds T' '
.ds PI \(*p
'br\}
.\"     If the F register is turned on, we'll generate
.\"     index entries out stderr for the following things:
.\"             TH      Title 
.\"             SH      Header
.\"             Sh      Subsection 
.\"             Ip      Item
.\"             X<>     Xref  (embedded
.\"     Of course, you have to process the output yourself
.\"     in some meaninful fashion.
.if \nF \{
.de IX
.tm Index:\\$1\t\\n%\t"\\$2"
..
.nr % 0
.rr F
.\}
.TH SSL_CTX_set_client_CA_list 3 "0.9.7d" "2/Sep/2004" "OpenSSL"
.UC
.if n .hy 0
.if n .na
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.de CQ          \" put $1 in typewriter font
.ft CW
'if n "\c
'if t \\&\\$1\c
'if n \\&\\$1\c
'if n \&"
\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
'.ft R
..
.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
.       \" AM - accent mark definitions
.bd B 3
.       \" fudge factors for nroff and troff
.if n \{\
.       ds #H 0
.       ds #V .8m
.       ds #F .3m
.       ds #[ \f1
.       ds #] \fP
.\}
.if t \{\
.       ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.       ds #V .6m
.       ds #F 0
.       ds #[ \&
.       ds #] \&
.\}
.       \" simple accents for nroff and troff
.if n \{\
.       ds ' \&
.       ds ` \&
.       ds ^ \&
.       ds , \&
.       ds ~ ~
.       ds ? ?
.       ds ! !
.       ds /
.       ds q
.\}
.if t \{\
.       ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.       ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.       ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.       ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.       ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.       ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
.       ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
.       ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.       ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
.\}
.       \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.ds oe o\h'-(\w'o'u*4/10)'e
.ds Oe O\h'-(\w'O'u*4/10)'E
.       \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.       \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.       ds : e
.       ds 8 ss
.       ds v \h'-1'\o'\(aa\(ga'
.       ds _ \h'-1'^
.       ds . \h'-1'.
.       ds 3 3
.       ds o a
.       ds d- d\h'-1'\(ga
.       ds D- D\h'-1'\(hy
.       ds th \o'bp'
.       ds Th \o'LP'
.       ds ae ae
.       ds Ae AE
.       ds oe oe
.       ds Oe OE
.\}
.rm #[ #] #H #V #F C
.SH "NAME"
SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
SSL_add_client_CA \- set list of CAs sent to the client when requesting a
client certificate
.SH "SYNOPSIS"
.PP
.Vb 6
\& #include <openssl/ssl.h>
\& 
\& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
\& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
\& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
\& int SSL_add_client_CA(SSL *ssl, X509 *cacert);
.Ve
.SH "DESCRIPTION"
\fISSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for \fBctx\fR.
.PP
\fISSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for the chosen \fBssl\fR, overriding the
setting valid for \fBssl\fR's SSL_CTX object.
.PP
\fISSL_CTX_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
\fBctx\fR.
.PP
\fISSL_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's SSL_CTX object.
.SH "NOTES"
When a TLS/SSL server requests a client certificate (see
\fBSSL_CTX_set_verify_options()\fR), it sends a list of CAs, for which
it will accept certificates, to the client.
.PP
This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for
\fBctx\fR and \fISSL_set_client_CA_list()\fR for the specific \fBssl\fR. The list
specified overrides the previous setting. The CAs listed do not become
trusted (\fBlist\fR only contains the names, not the complete certificates); use
SSL_CTX_load_verify_locations(3) 
to additionally load them for verification.
.PP
If the list of acceptable CAs is compiled in a file, the
SSL_load_client_CA_file(3)
function can be used to help importing the necessary data.
.PP
\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR can be used to add additional
items the list of client CAs. If no list was specified before using
\fISSL_CTX_set_client_CA_list()\fR or \fISSL_set_client_CA_list()\fR, a new client
CA list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
.PP
These functions are only useful for TLS/SSL servers.
.SH "RETURN VALUES"
\fISSL_CTX_set_client_CA_list()\fR and \fISSL_set_client_CA_list()\fR do not return
diagnostic information.
.PP
\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR have the following return
values:
.Ip "1" 4
The operation succeeded.
.Ip "0" 4
A failure while manipulating the \fI\s-1STACK_OF\s0\fR\|(X509_NAME) object occurred or
the X509_NAME could not be extracted from \fBcacert\fR. Check the error stack
to find out the reason.
.SH "EXAMPLES"
Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
.PP
.Vb 1
\&  SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
.Ve
.SH "SEE ALSO"
ssl(3),
SSL_get_client_CA_list(3),
SSL_load_client_CA_file(3),
SSL_CTX_load_verify_locations(3)

.rn }` ''
.IX Title "SSL_CTX_set_client_CA_list 3"
.IX Name "SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
SSL_add_client_CA - set list of CAs sent to the client when requesting a
client certificate"

.IX Header "NAME"

.IX Header "SYNOPSIS"

.IX Header "DESCRIPTION"

.IX Header "NOTES"

.IX Header "RETURN VALUES"

.IX Item "1"

.IX Item "0"

.IX Header "EXAMPLES"

.IX Header "SEE ALSO"