=pod

=head1 NAME

SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions

=head1 SYNOPSIS

 #include <openssl/tls1.h>

 long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
                                   int (*callback)(SSL *, void *));
 long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);

 long SSL_set_tlsext_status_type(SSL *s, int type);

 long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
 long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);

=head1 DESCRIPTION

A client application may request that a server send back an OCSP status response
(also known as OCSP stapling). To do so the client should call the
SSL_set_tlsext_status_type() function prior to the start of the handshake.
Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
should be passed in the B<type> argument. The client should additionally provide
a callback function to decide what to do with the returned OCSP response by
calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
whether the returned OCSP response is acceptable or not. The callback will be
passed as an argument the value previously set via a call to
SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
the event of a handshake where session resumption occurs (because no
certificates are exchanged in such a handshake).

The response returned by the server can be obtained via a call to
SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
to the OCSP response data and the return value will be the length of that data.
Typically a callback would obtain an OCSP_RESPONSE object from this data via a
call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
response data then B<*resp> will be NULL and the return value from
SSL_get_tlsext_status_ocsp_resp() will be -1.

A server application must also call the SSL_CTX_set_tlsext_status_cb() function
if it wants to be able to provide clients with OCSP Certificate Status
responses. Typically the server callback would obtain the server certificate
that is being sent back to the client via a call to SSL_get_certificate();
obtain the OCSP response to be sent back; and then set that response data by
calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should
be provided in the B<resp> argument, and the length of that data should be in
the B<len> argument.

=head1 RETURN VALUES

The callback when used on the client side should return a negative value on
error; 0 if the response is not acceptable (in which case the handshake will
fail) or a positive value if it is acceptable.

The callback when used on the server side should return either
SSL_TLSEXT_ERR_OK (meaning that the OCSP response that has been set should be
returned), SSL_TLSEXT_ERR_NOACK (meaning that an OCSP response should not be
returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
occurred).

SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
SSL_set_tlsext_status_type() and SSL_set_tlsext_status_ocsp_resp() return 0 on
error or 1 on success.

SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
or -1 if there is no OCSP response data.

=cut