author: benno <> 2017-07-25 17:28:37 +0000
committer: benno <> 2017-07-25 17:28:37 +0000
commit: aa578f42d5d2cf3acbcb6ae5db1801925c1146be (patch)
tree: e4829480080fa55b01e1e2b7989f42158d3080a7
parent: 9af3e38fe92a253b8750cb8cabd59df372f2fdce (diff)
download: openbsd-aa578f42d5d2cf3acbcb6ae5db1801925c1146be.tar.gz, openbsd-aa578f42d5d2cf3acbcb6ae5db1801925c1146be.tar.bz2, openbsd-aa578f42d5d2cf3acbcb6ae5db1801925c1146be.zip
As noted by Hanno Boeck, using the *check_private_key functions is tricky, especially since the manpage is full of lies. Try to make readers think twice before using them. With oks and help from schwarze@, tedu@, sthen@, jmc@
Diffstat (limited to '')
-rw-r--r-- src/lib/libssl/man/SSL_CTX_use_certificate.3 | 28
1 files changed, 22 insertions, 6 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index dd6caa6d88..dec16b3255 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.3 2017/04/10 01:46:37 schwarze Exp $ 1.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.4 2017/07/25 17:28:37 benno Exp $
2.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000 2.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
3.\" 3.\"
4.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>. 4.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
49.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50.\" OF THE POSSIBILITY OF SUCH DAMAGE. 50.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51.\" 51.\"
52.Dd $Mdocdate: April 10 2017 $ 52.Dd $Mdocdate: July 25 2017 $
53.Dt SSL_CTX_USE_CERTIFICATE 3 53.Dt SSL_CTX_USE_CERTIFICATE 3
54.Os 54.Os
55.Sh NAME 55.Sh NAME
@@ -301,22 +301,38 @@ to
301adds the first private RSA key found to 301adds the first private RSA key found to
302.Fa ssl . 302.Fa ssl .
303.Pp 303.Pp
304The
304.Fn SSL_CTX_check_private_key 305.Fn SSL_CTX_check_private_key
305checks the consistency of a private key with the corresponding certificate 306function is seriously misnamed.
306loaded into 307It compares the
308.Em public
309key components and parameters of an OpenSSL private key with the
310corresponding certificate loaded into
307.Fa ctx . 311.Fa ctx .
308If more than one key/certificate pair (RSA/DSA) is installed, 312If more than one key/certificate pair (RSA/DSA) is installed,
309the last item installed will be checked. 313the last item installed will be compared.
310If, e.g., the last item was a RSA certificate or key, 314If, e.g., the last item was a RSA certificate or key,
311the RSA key/certificate pair will be checked. 315the RSA key/certificate pair will be checked.
312.Fn SSL_check_private_key 316.Fn SSL_check_private_key
313performs the same check for 317performs the same
318.Em public
319key comparison for
314.Fa ssl . 320.Fa ssl .
315If no key/certificate was explicitly added for this 321If no key/certificate was explicitly added for this
316.Fa ssl , 322.Fa ssl ,
317the last item added into 323the last item added into
318.Fa ctx 324.Fa ctx
319will be checked. 325will be checked.
326.Pp
327Despite the name, neither
328.Fn SSL_CTX_check_private_key
329nor
330.Fn SSL_check_private_key
331checks whether the private key component is indeed a private key,
332nor whether it matches the public key component.
333They merely compare the public materials (e.g. exponent and modulus of
334an RSA key) and/or key parameters (e.g. EC params of an EC key) of a
335key pair.
320.Sh NOTES 336.Sh NOTES
321The internal certificate store of OpenSSL can hold two private key/certificate 337The internal certificate store of OpenSSL can hold two private key/certificate
322pairs at a time: 338pairs at a time:
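Review bot: the verb change at new line 313 ("the last item installed will be compared") is not carried through to new lines 315 and 325, which still say "will be checked"; since the whole point of this hunk is to stop implying that a check of the private key takes place, suggest "will be compared" in both places. The added paragraph at new lines 327-335 states the limitation precisely (only the public components and/or parameters are compared, the private component is never verified to be a private key or to match the public key), so a reader can infer the practical consequence: a key object whose public half matches the certificate passes these functions regardless of what its private half contains. It would help callers to spell that consequence out in one sentence there, so that "matches" in the function names is not read as a correctness guarantee.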