Merge from vendor branch OPENSSH:

[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_client_CA_list.3

.\" Automatically generated by Pod::Man version 1.15
.\" Wed Feb 19 16:47:40 2003
.\"
.\" Standard preamble:
.\" ======================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R

.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  | will give a
.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr
.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
.\" index entries marked with X<> in POD.  Of course, you'll have to process
.\" the output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it
.\" makes way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.bd B 3
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ======================================================================
.\"
.IX Title "SSL_CTX_set_client_CA_list 3"
.TH SSL_CTX_set_client_CA_list 3 "0.9.7a" "2003-02-19" "OpenSSL"
.UC
.SH "NAME"
SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
SSL_add_client_CA \- set list of CAs sent to the client when requesting a
client certificate
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
.Ve
.Vb 4
\& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
\& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
\& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
\& int SSL_add_client_CA(SSL *ssl, X509 *cacert);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fISSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for \fBctx\fR.
.PP
\&\fISSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for the chosen \fBssl\fR, overriding the
setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
.PP
\&\fISSL_CTX_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
\&\fBctx\fR.
.PP
\&\fISSL_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
.SH "NOTES"
.IX Header "NOTES"
When a \s-1TLS/SSL\s0 server requests a client certificate (see
\&\fB\f(BISSL_CTX_set_verify_options()\fB\fR), it sends a list of CAs, for which
it will accept certificates, to the client.
.PP
This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for
\&\fBctx\fR and \fISSL_set_client_CA_list()\fR for the specific \fBssl\fR. The list
specified overrides the previous setting. The CAs listed do not become
trusted (\fBlist\fR only contains the names, not the complete certificates); use
SSL_CTX_load_verify_locations(3) 
to additionally load them for verification.
.PP
If the list of acceptable CAs is compiled in a file, the
SSL_load_client_CA_file(3)
function can be used to help importing the necessary data.
.PP
\&\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR can be used to add additional
items the list of client CAs. If no list was specified before using
\&\fISSL_CTX_set_client_CA_list()\fR or \fISSL_set_client_CA_list()\fR, a new client
\&\s-1CA\s0 list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
.PP
These functions are only useful for \s-1TLS/SSL\s0 servers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fISSL_CTX_set_client_CA_list()\fR and \fISSL_set_client_CA_list()\fR do not return
diagnostic information.
.PP
\&\fISSL_CTX_add_client_CA()\fR and \fISSL_add_client_CA()\fR have the following return
values:
.Ip "1" 4
.IX Item "1"
The operation succeeded.
.Ip "0" 4
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
the X509_NAME could not be extracted from \fBcacert\fR. Check the error stack
to find out the reason.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
.PP
.Vb 1
\&  SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
ssl(3),
SSL_get_client_CA_list(3),
SSL_load_client_CA_file(3),
SSL_CTX_load_verify_locations(3)