1=pod
2
3=head1 NAME
4
5SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function
6
7=head1 SYNOPSIS
8
9 #include <openssl/ssl.h>
10
11 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
12 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
13 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
14
15=head1 DESCRIPTION
16
17SSL_CTX_set_client_cert_cb() sets the B<client_cert_cb()> callback, that is
18called when a client certificate is requested by a server.
19When B<client_cert_cb()> is NULL, not callback function is used.
20
21SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback
22function.
23
24client_cert_cb() is the application defined callback. If it wants to
25set a certificate, a certificate/private key combination must be set
26using the B<x509> and B<pkey> arguments and "1" must be returned. The
27certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
28If no certificate should be set, "0" has to be returned and the default
29certificate will be sent. A fatal error can be indicated by returning
30a negative value, in which case the handshake will be canceled.
31
32=head1 NOTES
33
34During a handshake (or renegotiation) a server may request a certificate
35from the client. A client certificate must only be sent, when the server
36did send the request.
37
38When no callback function is set, an OpenSSL client will send the certificate
39that was set using the
40L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions.
41The TLS standard requires that only a certificate is sent, if it matches
42the list of acceptable CAs sent by the server. This constraint is
43violated by the default behavior of the OpenSSL library. Using the
44callback function it is possible to implement a proper selection routine
45or to allow a user interaction to choose the certificate to be sent.
46The callback function can obtain the list of acceptable CAs using the
47L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> function.
48
49If a callback function is defined, the callback function will be called.
50If the callback function returns a certificate, the OpenSSL library
51will try to load the private key and certificate data into the SSL
52object using SSL_use_certificate() and SSL_use_private_key() functions.
53Thus it will permanently override the certificate and key previously
54installed and will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>.
55If the callback returns no certificate, the OpenSSL library will send
56the certificate previously installed for the SSL_CTX object or the specific
57certificate of the SSL object, if available.
58
59=head1 BUGS
60
61The client_cert_cb() cannot return a complete certificate chain, it can
62only return one client certificate. If the chain only has a length of 2,
63the root CA certificate may be omitted according to the TLS standard and
64thus a standard conforming answer can be sent to the server. For a
65longer chain, the client must send the complete chain (with the option
--- 25 unchanged lines hidden ---
2
3=head1 NAME
4
5SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function
6
7=head1 SYNOPSIS
8
9 #include <openssl/ssl.h>
10
11 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
12 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
13 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
14
15=head1 DESCRIPTION
16
17SSL_CTX_set_client_cert_cb() sets the B<client_cert_cb()> callback, that is
18called when a client certificate is requested by a server.
19When B<client_cert_cb()> is NULL, not callback function is used.
20
21SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback
22function.
23
24client_cert_cb() is the application defined callback. If it wants to
25set a certificate, a certificate/private key combination must be set
26using the B<x509> and B<pkey> arguments and "1" must be returned. The
27certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
28If no certificate should be set, "0" has to be returned and the default
29certificate will be sent. A fatal error can be indicated by returning
30a negative value, in which case the handshake will be canceled.
31
32=head1 NOTES
33
34During a handshake (or renegotiation) a server may request a certificate
35from the client. A client certificate must only be sent, when the server
36did send the request.
37
38When no callback function is set, an OpenSSL client will send the certificate
39that was set using the
40L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions.
41The TLS standard requires that only a certificate is sent, if it matches
42the list of acceptable CAs sent by the server. This constraint is
43violated by the default behavior of the OpenSSL library. Using the
44callback function it is possible to implement a proper selection routine
45or to allow a user interaction to choose the certificate to be sent.
46The callback function can obtain the list of acceptable CAs using the
47L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)> function.
48
49If a callback function is defined, the callback function will be called.
50If the callback function returns a certificate, the OpenSSL library
51will try to load the private key and certificate data into the SSL
52object using SSL_use_certificate() and SSL_use_private_key() functions.
53Thus it will permanently override the certificate and key previously
54installed and will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>.
55If the callback returns no certificate, the OpenSSL library will send
56the certificate previously installed for the SSL_CTX object or the specific
57certificate of the SSL object, if available.
58
59=head1 BUGS
60
61The client_cert_cb() cannot return a complete certificate chain, it can
62only return one client certificate. If the chain only has a length of 2,
63the root CA certificate may be omitted according to the TLS standard and
64thus a standard conforming answer can be sent to the server. For a
65longer chain, the client must send the complete chain (with the option
--- 25 unchanged lines hidden ---