SSL_CTX_set_client_CA_list.pod revision 72613
=pod

=head1 NAME

SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
SSL_add_client_CA - set list of CAs sent to the client when requesting a
client certificate

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
 int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
 int SSL_add_client_CA(SSL *ssl, X509 *cacert);

=head1 DESCRIPTION

SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
requesting a client certificate for B<ctx>.

SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
requesting a client certificate for the chosen B<ssl>, overriding the
setting valid for B<ssl>'s SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
list of CAs sent to the client when requesting a client certificate for
B<ctx>.

SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
list of CAs sent to the client when requesting a client certificate for
the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.

=head1 NOTES

When a TLS/SSL server requests a client certificate (see
B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
it will accept certificates, to the client. If no special list is provided,
the CAs available using the B<CAfile> option in
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
are sent.

This list can be explicitly set using SSL_CTX_set_client_CA_list() for
B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
specified overrides the previous setting. The CAs listed do not become
trusted (B<list> only contains the names, not the complete certificates); use
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
to additionally load them for verification.

SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
items to the list of client CAs. If no list was specified before using
SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
specified using
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
are no longer used automatically.

These functions are only useful for TLS/SSL servers.

=head1 RETURN VALUES

SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
diagnostic information.

SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return
values:

=over 4

=item 1

The operation succeeded.

=item 0

A failure while manipulating the STACK_OF(X509_NAME) object occurred or
the X509_NAME could not be extracted from B<cacert>. Check the error stack
to find out the reason.

=back

=head1 SEE ALSO

L<ssl(3)|ssl(3)>,
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>

=cut