=pod

=head1 NAME

SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list,
SSL_get_max_cert_list - manipulate allowed size for the peer's certificate chain

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
 long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);

 long SSL_set_max_cert_list(SSL *ssl, long size);
 long SSL_get_max_cert_list(SSL *ssl);

=head1 DESCRIPTION

SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's
certificate chain for all SSL objects created from B<ctx> to B<size> bytes.
The SSL objects inherit the setting valid for B<ctx> at the time
L<SSL_new(3)|SSL_new(3)> is called; a later change to B<ctx> does not
affect SSL objects that already exist.

SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>.

SSL_set_max_cert_list() sets the maximum size allowed for the peer's
certificate chain for B<ssl> to B<size> bytes. This setting stays valid
until a new value is set.

SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>.

=head1 NOTES

During the handshake process, the peer may send a certificate chain.
The TLS/SSL standard does not give any maximum size for the certificate chain.
The OpenSSL library handles incoming data by a dynamically allocated buffer.
In order to prevent this buffer from growing without bounds due to data
received from a faulty or malicious peer, a maximum size for the certificate
chain is set.
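
The following is an added example, not code from OpenSSL or from this manual
page. It shows what the bound described above does at the protocol level: a
reader for the TLS Certificate handshake message that compares the length the
peer declares against a max_cert_list value before the message body is
buffered, and reports a status that stands in for SSL_R_EXCESSIVE_MESSAGE_SIZE
when the limit is exceeded. The message layout is the one from the TLS
specification; the sample messages are constructed (filler bytes in place of
DER certificates), and every function, type and constant name below is the
example's own rather than an OpenSSL API.

```c
/* Added illustration, not OpenSSL code: a reader for the TLS Certificate
 * handshake message that enforces a max_cert_list bound the way this page
 * describes, on the length the peer declares and before the body is buffered.
 * Layout (RFC 5246 7.4): type byte 11, 3-byte body length, then a 3-byte
 * certificate_list length and entries of 3-byte length + DER bytes.
 * Sample messages are constructed, with filler bytes in place of DER. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_HS_CERTIFICATE 11                 /* HandshakeType certificate */
#define DEFAULT_MAX_CERT_LIST (100L * 1024L)  /* the documented 100kB default */

enum cert_msg_status {
    CERT_MSG_OK = 0,
    CERT_MSG_EXCESSIVE_MESSAGE_SIZE, /* stands in for SSL_R_EXCESSIVE_MESSAGE_SIZE */
    CERT_MSG_TRUNCATED,              /* declared body longer than the bytes received */
    CERT_MSG_BAD_LENGTH              /* inner lengths do not add up */
};

/* 24-bit big-endian lengths, as used throughout TLS handshake messages. */
static uint32_t get_u24(const unsigned char *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

static void put_u24(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 16); p[1] = (unsigned char)(v >> 8); p[2] = (unsigned char)v;
}

/* Parse one Certificate message against max_cert_list; on success *n_certs
 * is the number of entries in the certificate_list. */
static enum cert_msg_status
read_certificate_message(const unsigned char *msg, size_t msg_len,
                         long max_cert_list, size_t *n_certs)
{
    uint32_t body_len, cert_len = 0;
    size_t off, end;

    *n_certs = 0;
    if (msg_len < 4 || msg[0] != TLS_HS_CERTIFICATE)
        return CERT_MSG_BAD_LENGTH;
    body_len = get_u24(msg + 1);
    /* The bound is applied to the declared length before any body byte is
     * consumed, so a hostile header alone cannot force a large allocation. */
    if ((long)body_len > max_cert_list)
        return CERT_MSG_EXCESSIVE_MESSAGE_SIZE;
    if (msg_len - 4 < body_len)
        return CERT_MSG_TRUNCATED;
    if (body_len < 3 || get_u24(msg + 4) + 3 != body_len)
        return CERT_MSG_BAD_LENGTH;
    for (off = 7, end = 4 + body_len; off < end; off += 3 + cert_len) {
        if (end - off < 3 || (cert_len = get_u24(msg + off)) > end - off - 3)
            return CERT_MSG_BAD_LENGTH;
        (*n_certs)++;
    }
    return CERT_MSG_OK;
}

/* Build a constructed chain of n_certs entries of cert_len filler bytes
 * (0xAA, not real DER), read it against max and return the status; the
 * parsed certificate count is stored in *n_out when it is non-NULL. */
static enum cert_msg_status
check_chain(size_t n_certs, size_t cert_len, long max, size_t *n_out)
{
    size_t list_len = n_certs * (3 + cert_len), off = 7, i, n;
    unsigned char *msg = malloc(7 + list_len);
    enum cert_msg_status st;

    if (msg == NULL)
        return CERT_MSG_BAD_LENGTH;
    msg[0] = TLS_HS_CERTIFICATE;
    put_u24(msg + 1, (uint32_t)(3 + list_len));
    put_u24(msg + 4, (uint32_t)list_len);
    for (i = 0; i < n_certs; i++, off += 3 + cert_len) {
        put_u24(msg + off, (uint32_t)cert_len);
        memset(msg + off + 3, 0xAA, cert_len);
    }
    st = read_certificate_message(msg, 7 + list_len, max, &n);
    free(msg);
    if (n_out) *n_out = n;
    return st;
}

/* Certificate count for a chain that passes the limit, or -1 if rejected. */
static long chain_cert_count(size_t n_certs, size_t cert_len, long max)
{
    size_t n = 0;
    return check_chain(n_certs, cert_len, max, &n) == CERT_MSG_OK ? (long)n : -1;
}

/* Constructed hostile sample: only a 4-byte header arrives, declaring a body
 * of `claimed` bytes that never follows. */
static enum cert_msg_status hostile_header_status(uint32_t claimed, long max)
{
    unsigned char hdr[4] = { TLS_HS_CERTIFICATE, 0, 0, 0 };
    size_t n;
    put_u24(hdr + 1, claimed);
    return read_certificate_message(hdr, sizeof hdr, max, &n);
}

int main(void)
{
    /* Three ~1.5kB certificates give a 4512-byte body, far below 100kB; the
     * same chain is refused once the limit is lowered beneath it. */
    printf("3 x 1500 @ default: %ld certs\n", chain_cert_count(3, 1500, DEFAULT_MAX_CERT_LIST));
    printf("3 x 1500 @ 4000:    status %d\n", check_chain(3, 1500, 4000, NULL));
    printf("hostile 200000:     status %d\n", hostile_header_status(200000, DEFAULT_MAX_CERT_LIST));
    return 0;
}
```

Two details of this model are worth noticing. The comparison is on the length
field the peer sends, so the header-only hostile case is rejected without the
reader ever waiting for or allocating the claimed 200000 bytes, which is the
property the dynamically grown buffer depends on. A header whose claimed length
is within the limit but whose body has not arrived yet is merely incomplete,
and the amount of data the reader may still have to accept is itself bounded by
the limit.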

The default value for the maximum certificate chain size is 100kB (30kB
on the 16bit DOS platform). This should be sufficient for usual certificate
chains (OpenSSL's default maximum chain length is 10, see
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates
without special extensions have a typical size of 1-2kB).

For special applications it can be necessary to extend the maximum certificate
chain size allowed to be sent by the peer, see e.g. the work on
"Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
and "TLS Delegation Protocol" at http://www.ietf.org/ and
http://www.globus.org/ .

Under normal conditions it should never be necessary to set a value smaller
than the default, as the buffer is handled dynamically and only uses the
memory actually required by the data sent by the peer.

If the maximum certificate chain size allowed is exceeded, the handshake will
fail with an SSL_R_EXCESSIVE_MESSAGE_SIZE error. A limit set below the size of
a legitimate peer's chain therefore turns into a handshake failure with that
peer, so measure the chains you actually expect before tightening it.

=head1 RETURN VALUES

SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously
set value.

SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently
set value.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>

=head1 HISTORY

SSL*_set/get_max_cert_list() were introduced in OpenSSL 0.9.7.

=cut