Merge branch 'vendor/OPENSSL'
aac4ff6f 1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
e056f0e0
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
e056f0e0 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
e056f0e0 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
e056f0e0 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
e056f0e0
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
aac4ff6f
PA
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
e056f0e0 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
e056f0e0
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
e056f0e0
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
e056f0e0
JR
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
e056f0e0
JR
59. nr % 0
60. rr F
984263bc 61.\}
e056f0e0 62.\"
aac4ff6f
PA
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
e056f0e0
JR
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
e056f0e0
JR
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
984263bc
MD
77.\}
78.if t \{\
e056f0e0
JR
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
e056f0e0 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
e056f0e0
JR
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
984263bc
MD
93.\}
94.if t \{\
e056f0e0
JR
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
e056f0e0 102. \" troff and (daisy-wheel) nroff accents
984263bc
MD
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
e056f0e0 112. \" corrections for vroff
984263bc
MD
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
e056f0e0 115. \" for low resolution devices (crt and lpr)
984263bc
MD
116.if \n(.H>23 .if \n(.V>19 \
117\{\
e056f0e0
JR
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
984263bc
MD
127.\}
128.rm #[ #] #H #V #F C
e056f0e0
JR
129.\" ========================================================================
130.\"
131.IX Title "SSL_CTX_set_client_cert_cb 3"
18ed9402 132.TH SSL_CTX_set_client_cert_cb 3 "2008-09-27" "0.9.8i" "OpenSSL"
984263bc
MD
133.SH "NAME"
134SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certificate callback function
135.SH "SYNOPSIS"
e056f0e0 136.IX Header "SYNOPSIS"
984263bc
MD
137.Vb 1
138\& #include <openssl/ssl.h>
aac4ff6f
PA
139.Ve
140.PP
141.Vb 3
984263bc
MD
142\& void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
143\& int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
144\& int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
145.Ve
146.SH "DESCRIPTION"
e056f0e0
JR
147.IX Header "DESCRIPTION"
148\&\fISSL_CTX_set_client_cert_cb()\fR sets the \fB\f(BIclient_cert_cb()\fB\fR callback, which is
984263bc 149called when a client certificate is requested by a server and no certificate
e056f0e0 150has yet been set for the \s-1SSL\s0 object.
984263bc 151.PP
e056f0e0 152When \fB\f(BIclient_cert_cb()\fB\fR is \s-1NULL\s0, no callback function is used.
984263bc 153.PP
e056f0e0 154\&\fISSL_CTX_get_client_cert_cb()\fR returns a pointer to the currently set callback
984263bc
MD
155function.
156.PP
e056f0e0 157\&\fIclient_cert_cb()\fR is the application defined callback. If it wants to
984263bc
MD
158set a certificate, a certificate/private key combination must be set
159using the \fBx509\fR and \fBpkey\fR arguments and \*(L"1\*(R" must be returned. The
e056f0e0 160certificate will be installed into \fBssl\fR, see the \s-1NOTES\s0 and \s-1BUGS\s0 sections.
984263bc
MD
161If no certificate should be set, \*(L"0\*(R" has to be returned and no certificate
162will be sent. A negative return value will suspend the handshake and the
e056f0e0
JR
163handshake function will return immediately. \fISSL_get_error\fR\|(3)
164will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to indicate that the handshake was
984263bc
MD
165suspended. The next call to the handshake function will again lead to the call
166of \fIclient_cert_cb()\fR. It is the job of the \fIclient_cert_cb()\fR to store information
167about the state of the last call, if required to continue.
168.SH "NOTES"
e056f0e0 169.IX Header "NOTES"
984263bc
MD
170During a handshake (or renegotiation) a server may request a certificate
171from the client. A client certificate must be sent only when the server
172has sent the request.
173.PP
174When a certificate was set using the
e056f0e0
JR
175\&\fISSL_CTX_use_certificate\fR\|(3) family of functions,
176it will be sent to the server. The \s-1TLS\s0 standard requires that a
984263bc
MD
177certificate is sent only if it matches the list of acceptable CAs sent by the
178server. This constraint is violated by the default behavior of the OpenSSL
179library. Using the callback function it is possible to implement a proper
180selection routine or to allow a user interaction to choose the certificate to
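181be sent. The list of acceptable CAs sent by the server can be obtained with \fISSL_get_client_CA_list\fR\|(3).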
182.PP
183If a callback function is defined and no certificate was yet defined for the
e056f0e0 184\&\s-1SSL\s0 object, the callback function will be called.
984263bc 185If the callback function returns a certificate, the OpenSSL library
e056f0e0 186will try to load the private key and certificate data into the \s-1SSL\s0
984263bc 187object using the \fISSL_use_certificate()\fR and \fISSL_use_private_key()\fR functions.
e056f0e0
JR
188Thus it will permanently install the certificate and key for this \s-1SSL\s0
189object. It will not be reset by calling \fISSL_clear\fR\|(3).
984263bc
MD
190If the callback returns no certificate, the OpenSSL library will not send
191a certificate.
192.SH "BUGS"
e056f0e0 193.IX Header "BUGS"
984263bc
MD
194The \fIclient_cert_cb()\fR cannot return a complete certificate chain; it can
195only return one client certificate. If the chain only has a length of 2,
e056f0e0 196the root \s-1CA\s0 certificate may be omitted according to the \s-1TLS\s0 standard and
984263bc
MD
197thus a standard conforming answer can be sent to the server. For a
198longer chain, the client must send the complete chain (with the option
e056f0e0
JR
199to leave out the root \s-1CA\s0 certificate). This can only be accomplished by
200either adding the intermediate \s-1CA\s0 certificates into the trusted
201certificate store for the \s-1SSL_CTX\s0 object (resulting in having to add
202\&\s-1CA\s0 certificates that otherwise might not be trusted), or by adding
984263bc 203the chain certificates using the
e056f0e0
JR
204\&\fISSL_CTX_add_extra_chain_cert\fR\|(3)
205function, which is only available for the \s-1SSL_CTX\s0 object as a whole and that
984263bc
MD
206therefore probably can only apply for one client certificate, making
207the concept of the callback function (to allow the choice from several
208certificates) questionable.
209.PP
e056f0e0
JR
210Once the \s-1SSL\s0 object has been used in conjunction with the callback function,
211the certificate will be set for the \s-1SSL\s0 object and will not be cleared
212even when \fISSL_clear\fR\|(3) is called. It is therefore
213mandatory to destroy the \s-1SSL\s0 object using \fISSL_free\fR\|(3)
984263bc
MD
214and create a new one to return to the previous state.
215.SH "SEE ALSO"
a7d27d5a 216.IX Header "SEE ALSO"
e056f0e0
JR
217\&\fIssl\fR\|(3), \fISSL_CTX_use_certificate\fR\|(3),
218\&\fISSL_CTX_add_extra_chain_cert\fR\|(3),
219\&\fISSL_get_client_CA_list\fR\|(3),
220\&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3)