On Thu, Sep 28, 2000 at 09:27:23AM -0400, Ari Pirinen wrote:
> However, would someone please explain to me the function of
> SSL_CTX_set_session_id_context function call??? I hate to
> use functions which I have no idea what they do. I've searched all over the
> documents, the sources etc. but just don't get it. The passed const char *
> thing is just copied around in the sources and compared. What are the proper
> values for it? Right now I'm using it like s_server does it, passing an
> integer with value "1". It seems to work that way, but I really need to
> understand this better.

The actual value is of no importance. It is used to distinguish different
services. On the same server you may have SMTP-TLS, https, IMAP/TLS etc
running. Some of these may share sessions (e.g. SMTP and IMAP service), some
do not belong to this group. If e.g. SMTP and IMAP share the same session
cache, the context id may be used for synchronization.
(At least, this is how I understood it :-)

> One easy question at the end: are CApath and CAfile just different ways to
> give the same information (i.e. in directory with hashed files, or all in the
> same file) ? If not, what's the difference.

Please find attached my draft for the man-page which I just wrote yesterday
evening. I did not yet submit it for inclusion into OpenSSL because I first
wanted to add the *_client_CA_list* functions...

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
diff -r -c --new-file openssl-SNAP-20000926-vanilla/doc/ssl/SSL_CTX_load_verify_locations.pod openssl-SNAP-20000926/doc/ssl/SSL_CTX_load_verify_locations.pod *** openssl-SNAP-20000926-vanilla/doc/ssl/SSL_CTX_load_verify_locations.pod Thu Jan 1 01:00:00 1970 --- openssl-SNAP-20000926/doc/ssl/SSL_CTX_load_verify_locations.pod Wed Sep 27 23:23:01 2000 *************** *** 0 **** --- 1,91 ---- + =pod + + =head1 NAME + + SSL_CTX_load_verify_locations - set default locations for trusted CA + certificates + + =head1 SYNOPSIS + + #include <openssl/ssl.h> + + int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath); + + =head1 DESCRIPTION + + SSL_CTX_load_verify_locations() specifies the locations for B<ctx>, at + which CA certificates for verification purposes are located. The certificates + available via B<CAfile> and B<CApath> are trusted. + + =head1 NOTES + + If B<CAfile> is not NULL, it points to a file of CA certificates in PEM + format. The file can contain several CA certificates identified by + + -----BEGIN CERTIFICATE----- + ... (CA certificate in base64 encoding) ... + -----END CERTIFICATE----- + + sequences. Before, between, and after the certificates text is allowed + which can be used e.g. for descriptions of the certificates. + + The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations() + function. + + If on an TLS/SSL server no special setting is perfomed using *client_CA_list() + functions, the certificates contained in B<CAfile> are listed to the client + as available CAs during the TLS/SSL handshake. + + If B<CApath> is not NULL, it points to a directory containing CA certificates + in PEM format. The files each contain one CA certificate. The files are + looked up by the CA subject name hash value, which must hence be available. + Use the B<c_rehash> utility to create the necessary links. + + The certificates in B<CAfile> are only looked up when required, e.g. 
when + building the certificate chain or when actually performing the verification + of a peer certificate. + + On a server, the certificates in B<CApath> are not listed as available + CA certificates to a client during a TLS/SSL handshake. + + =head1 EXAMPLES + + Generate a CA certificate file with descriptive text from the CA certificates + ca1.pem ca2.pem ca3.pem: + + #!/bin/sh + rm CAfile.pem + for i in ca1.pem ca2.pem ca3.pem ; do + openssl x509 -in $i -text >> CAfile.pem + done + + Prepare the directory /some/where/certs containing several CA certificates + for use as B<CApath>: + + cd /some/where/certs + c_rehash + + =head1 RETURN VALUES + + The following return values can occur: + + =over 4 + + =item 0 + + The operation failed because B<CAfile> and B<CApath> are NULL or the + processing at one of the locations specified failed. Check the error + stack to find out the reason. + + =item 1 + + The operation succeeded. + + =back + + =head1 SEE ALSO + + L<ssl(3)|ssl(3)> + + =cut diff -r -c --new-file openssl-SNAP-20000926-vanilla/doc/ssl/ssl.pod openssl-SNAP-20000926/doc/ssl/ssl.pod *** openssl-SNAP-20000926-vanilla/doc/ssl/ssl.pod Sat Sep 23 10:00:31 2000 --- openssl-SNAP-20000926/doc/ssl/ssl.pod Wed Sep 27 23:24:55 2000 *************** *** 625,631 **** L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>, ! L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>, --- 625,633 ---- L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>, ! L<SSL_connect(3)|SSL_connect(3)>, ! L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> ! 
L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>,
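Review bot: the new SEE ALSO entry `L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>` in ssl.pod is missing the trailing comma that every other entry in the list carries; the following unchanged line `L<SSL_CTX_new(3)|SSL_CTX_new(3)>,` shows the expected form, and without the comma the two adjacent entries run together in the rendered list.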