Blame doc/man3/SSL_CTX_set_max_cert_list.pod

=pod

=head1 NAME

SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list - manipulate allowed size for the peer's certificate chain

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
 long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);

 long SSL_set_max_cert_list(SSL *ssl, long size);
 long SSL_get_max_cert_list(SSL *ssl);

=head1 DESCRIPTION

SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's
certificate chain for all SSL objects created from B<ctx> to be B<size> bytes.
The SSL objects inherit the setting valid for B<ctx> at the time
L<SSL_new(3)> is being called.

SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>.

SSL_set_max_cert_list() sets the maximum size allowed for the peer's
certificate chain for B<ssl> to be B<size> bytes. This setting stays valid
until a new value is set.

SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>.

=head1 NOTES

During the handshake process, the peer may send a certificate chain.
The TLS/SSL standard does not give any maximum size of the certificate chain.
The OpenSSL library handles incoming data in a dynamically allocated buffer.
In order to prevent this buffer from growing without bounds due to data
received from a faulty or malicious peer, a maximum size for the certificate
chain is set.

The default value for the maximum certificate chain size is 100kB (30kB
on the 16-bit DOS platform). This should be sufficient for usual certificate
chains (OpenSSL's default maximum chain length is 10, see
L<SSL_CTX_set_verify(3)>, and certificates
without special extensions have a typical size of 1-2kB).

For special applications it can be necessary to extend the maximum certificate
chain size allowed to be sent by the peer, see e.g. the work on
"Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
and "TLS Delegation Protocol" at http://www.ietf.org/ and
http://www.globus.org/ .

Under normal conditions it should never be necessary to set a value smaller
than the default, as the buffer is handled dynamically and only uses the
memory actually required by the data sent by the peer.

If the maximum certificate chain size allowed is exceeded, the handshake will
fail with an SSL_R_EXCESSIVE_MESSAGE_SIZE error.

=head1 RETURN VALUES

SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously
set value.

SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently
set value.

=head1 SEE ALSO

L<ssl(7)>, L<SSL_new(3)>,
L<SSL_CTX_set_verify(3)>

=head1 COPYRIGHT

Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut