2 ''' $RCSfile$$Revision$$Date$
20 .ie \\n(.$>=3 .ne \\$3
36 ''' Set up \*(-- to give an unbreakable dash;
37 ''' string Tr holds user defined translation string.
38 ''' Bell System Logo is used as a dummy character.
44 .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
45 .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
48 ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
49 ''' \*(L" and \*(R", except that they are used on ".xx" lines,
50 ''' such as .IP and .SH, which do an additional level of
51 ''' double-quote interpretation
80 .\" If the F register is turned on, we'll generate
81 .\" index entries on stderr for the following things:
86 .\" X<> Xref (embedded
87 .\" Of course, you have to process the output yourself
88 .\" in some meaningful fashion.
91 .tm Index:\\$1\t\\n%\t"\\$2"
96 .TH SSL_CTX_set_max_cert_list 3 "0.9.7d" "2/Sep/2004" "OpenSSL"
100 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
101 .de CQ \" put $1 in typewriter font
107 \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
110 .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
111 . \" AM - accent mark definitions
113 . \" fudge factors for nroff and troff
122 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
128 . \" simple accents for nroff and troff
141 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
142 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
143 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
144 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
145 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
146 . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
147 . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
148 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
149 . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
151 . \" troff and (daisy-wheel) nroff accents
152 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
153 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
154 .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
155 .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
156 .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
157 .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
158 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
159 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
160 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
161 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
162 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
163 .ds ae a\h'-(\w'a'u*4/10)'e
164 .ds Ae A\h'-(\w'A'u*4/10)'E
165 .ds oe o\h'-(\w'o'u*4/10)'e
166 .ds Oe O\h'-(\w'O'u*4/10)'E
167 . \" corrections for vroff
168 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
169 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
170 . \" for low resolution devices (crt and lpr)
171 .if \n(.H>23 .if \n(.V>19 \
175 . ds v \h'-1'\o'\(aa\(ga'
191 SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, \- manipulate the allowed size of the peer's certificate chain
195 \& #include <openssl/ssl.h>
198 \& long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
199 \& long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
202 \& long SSL_set_max_cert_list(SSL *ssl, long size);
203 \& long SSL_get_max_cert_list(SSL *ssl);
206 \fISSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
207 certificate chain for all SSL objects created from \fBctx\fR to be <size> bytes.
208 The SSL objects inherit the setting valid for \fBctx\fR at the time
209 SSL_new(3) is called.
211 \fISSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
213 \fISSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's
214 certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
215 until a new value is set.
217 \fISSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
219 During the handshake process, the peer may send a certificate chain.
220 The TLS/SSL standard does not specify a maximum size for the certificate chain.
221 The OpenSSL library handles incoming data with a dynamically allocated buffer.
222 In order to prevent this buffer from growing without bounds due to data
223 received from a faulty or malicious peer, a maximum size for the certificate
226 The default value for the maximum certificate chain size is 100kB (30kB
227 on the 16-bit DOS platform). This should be sufficient for usual certificate
228 chains (OpenSSL's default maximum chain length is 10, see
229 SSL_CTX_set_verify(3), and certificates
230 without special extensions have a typical size of 1-2kB).
232 For special applications it can be necessary to extend the maximum certificate
233 chain size allowed to be sent by the peer, see e.g. the work on
234 \*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
235 and \*(L"TLS Delegation Protocol\*(R" at http://www.ietf.org/ and
236 http://www.globus.org/ .
238 Under normal conditions it should never be necessary to set a value smaller
239 than the default, as the buffer is handled dynamically and only uses the
240 memory actually required by the data sent by the peer.
242 If the maximum certificate chain size allowed is exceeded, the handshake will
243 fail with an SSL_R_EXCESSIVE_MESSAGE_SIZE error.
245 \fISSL_CTX_set_max_cert_list()\fR and \fISSL_set_max_cert_list()\fR return the previously
248 \fISSL_CTX_get_max_cert_list()\fR and \fISSL_get_max_cert_list()\fR return the currently
252 SSL_CTX_set_verify(3)
254 SSL*_set/\fIget_max_cert_list()\fR were introduced in OpenSSL 0.9.7.
257 .IX Title "SSL_CTX_set_max_cert_list 3"
258 .IX Name "SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate the allowed size of the peer's certificate chain"
262 .IX Header "SYNOPSIS"
264 .IX Header "DESCRIPTION"
268 .IX Header "RETURN VALUES"
270 .IX Header "SEE ALSO"