SSL_CTX_SET_CLIENT_CA_LIST(3) FreeBSD Library Functions Manual SSL_CTX_SET_CLIENT_CA_LIST(3)

NAME

SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, SSL_add_client_CA - set list of CAs sent to the client when requesting a client certificate

SYNOPSIS

#include <openssl/ssl.h>

void
SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);

void
SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);

int
SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);

int
SSL_add_client_CA(SSL *ssl, X509 *cacert);

DESCRIPTION

SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for ctx.

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

SSL_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

When a TLS/SSL server requests a client certificate (see SSL_CTX_set_verify(3)), it sends the client a list of CAs for which it will accept certificates.

This list must be set explicitly using SSL_CTX_set_client_CA_list() for ctx and SSL_set_client_CA_list() for the specific ssl. The list specified overrides the previous setting. The CAs listed do not become trusted (the list only contains the names, not the complete certificates); use SSL_CTX_load_verify_locations(3) to additionally load them for verification.

If the list of acceptable CAs is compiled in a file, the SSL_load_client_CA_file(3) function can be used to help import the necessary data.

SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional items to the list of client CAs. If no list was specified before using SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client CA list for ctx or ssl (as appropriate) is opened.

These functions are only useful for TLS/SSL servers.

RETURN VALUES

SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return values:

0
A failure while manipulating the STACK_OF(X509_NAME) object occurred or the X509_NAME could not be extracted from cacert. Check the error stack to find out the reason.
1
The operation succeeded.

EXAMPLES

Scan all certificates in CAfile and list them as acceptable CAs:

SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));

SEE ALSO

ssl(3), SSL_CTX_load_verify_locations(3), SSL_get_client_CA_list(3), SSL_load_client_CA_file(3), X509_NAME_new(3)

HISTORY

SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_add_client_CA(), and SSL_add_client_CA() first appeared in SSLeay 0.8.0 and have been available since OpenBSD 2.4.

March 30, 2020 FreeBSD 14.3-RELEASE
