1 files changed, 158 insertions, 0 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3
new file mode 100644
index 0000000000..1e494032f4
--- /dev/null
+++ b/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3
@@ -0,0 +1,158 @@
+.Dd $Mdocdate: October 12 2014 $
+.Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_load_verify_locations
+.Nd set default locations for trusted CA certificates
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_load_verify_locations
+.Fa "SSL_CTX *ctx" "const char *CAfile" "const char *CApath"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_load_verify_locations
+specifies the locations for
+.Fa ctx ,
+at which CA certificates for verification purposes are located.
+The certificates available via
+.Fa CAfile
+and
+.Fa CApath
+are trusted.
+.Sh NOTES
+If
+.Fa CAfile
+is not
+.Dv NULL ,
+it points to a file of CA certificates in PEM format.
+The file can contain several CA certificates identified by sequences of:
+.Bd -literal
+ -----BEGIN CERTIFICATE-----
+ ... (CA certificate in base64 encoding) ...
+ -----END CERTIFICATE-----
+.Ed
+Before, between, and after the certificates arbitrary text is allowed which can
+be used, e.g., for descriptions of the certificates.
+.Pp
+The
+.Fa CAfile
+is processed on execution of the
+.Fn SSL_CTX_load_verify_locations
+function.
+.Pp
+If
+.Fa CApath
+is not NULL, it points to a directory containing CA certificates in PEM format.
+The files each contain one CA certificate.
+The files are looked up by the CA subject name hash value,
+which must hence be available.
+If more than one CA certificate with the same name hash value exist,
+the extension must be different (e.g.,
+.Pa 9d66eef0.0 ,
+.Pa 9d66eef0.1 ,
+etc.).
+The search is performed in the ordering of the extension number,
+regardless of other properties of the certificates.
+.Pp
+The certificates in
+.Fa CApath
+are only looked up when required, e.g., when building the certificate chain or
+when actually performing the verification of a peer certificate.
+.Pp
+When looking up CA certificates, the OpenSSL library will first search the
+certificates in
+.Fa CAfile ,
+then those in
+.Fa CApath .
+Certificate matching is done based on the subject name, the key identifier (if
+present), and the serial number as taken from the certificate to be verified.
+If these data do not match, the next certificate will be tried.
+If a first certificate matching the parameters is found,
+the verification process will be performed;
+no other certificates for the same parameters will be searched in case of
+failure.
+.Pp
+In server mode, when requesting a client certificate, the server must send
+the list of CAs of which it will accept client certificates.
+This list is not influenced by the contents of
+.Fa CAfile
+or
+.Fa CApath
+and must explicitly be set using the
+.Xr SSL_CTX_set_client_CA_list 3
+family of functions.
+.Pp
+When building its own certificate chain, an OpenSSL client/server will try to
+fill in missing certificates from
+.Fa CAfile Ns / Fa CApath ,
+if the
+certificate chain was not explicitly specified (see
+.Xr SSL_CTX_add_extra_chain_cert 3
+and
+.Xr SSL_CTX_use_certificate 3 ) .
+.Sh WARNINGS
+If several CA certificates matching the name, key identifier, and serial
+number condition are available, only the first one will be examined.
+This may lead to unexpected results if the same CA certificate is available
+with different expiration dates.
+If a
+.Dq certificate expired
+verification error occurs, no other certificate will be searched.
+Make sure to not have expired certificates mixed with valid ones.
+.Sh RETURN VALUES
+The following return values can occur:
+.Bl -tag -width Ds
+.It 0
+The operation failed because
+.Fa CAfile
+and
+.Fa CApath
+are
+.Dv NULL
+or the processing at one of the locations specified failed.
+Check the error stack to find out the reason.
+.It 1
+The operation succeeded.
+.El
+.Sh EXAMPLES
+Generate a CA certificate file with descriptive text from the CA certificates
+.Pa ca1.pem
+.Pa ca2.pem
+.Pa ca3.pem :
+.Bd -literal
+#!/bin/sh
+rm CAfile.pem
+for i in ca1.pem ca2.pem ca3.pem; do
+        openssl x509 -in $i -text >> CAfile.pem
+done
+.Ed
+.Pp
+Prepare the directory /some/where/certs containing several CA certificates
+for use as
+.Fa CApath :
+.Bd -literal
+$ cd /some/where/certs
+$ rm -f *.[0-9]* *.r[0-9]*
+$ for c in *.pem; do
+>    [ "$c" = "*.pem" ] && continue
+>    hash=$(openssl x509 -noout -hash -in "$c")
+>    if egrep -q -- '-BEGIN( X509 | TRUSTED | )CERTIFICATE-' "$c"; then
+>      suf=0
+>      while [ -e $hash.$suf ]; do suf=$(( $suf + 1 )); done
+>      ln -s "$c" $hash.$suf
+>    fi
+>    if egrep -q -- '-BEGIN X509 CRL-' "$c"; then
+>      suf=0
+>      while [ -e $hash.r$suf ]; do suf=$(( $suf + 1 )); done
+>      ln -s "$c" $hash.r$suf
+>    fi
+> done
+.Ed
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
+.Xr SSL_CTX_set_cert_store 3 ,
+.Xr SSL_CTX_set_client_CA_list 3 ,
+.Xr SSL_CTX_use_certificate 3 ,
+.Xr SSL_get_client_CA_list 3

diff --git a/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3 new file mode 100644 index 0000000000..1e494032f4 --- /dev/null +++ b/src/lib/libssl/doc/SSL_CTX_load_verify_locations.3
@@ -0,0 +1,158 @@
	1	.Dd $Mdocdate: October 12 2014 $
	2	.Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
	3	.Os
	4	.Sh NAME
	5	.Nm SSL_CTX_load_verify_locations
	6	.Nd set default locations for trusted CA certificates
	7	.Sh SYNOPSIS
	8	.In openssl/ssl.h
	9	.Ft int
	10	.Fo SSL_CTX_load_verify_locations
	11	.Fa "SSL_CTX ctx" "const char CAfile" "const char *CApath"
	12	.Fc
	13	.Sh DESCRIPTION
	14	.Fn SSL_CTX_load_verify_locations
	15	specifies the locations for
	16	.Fa ctx ,
	17	at which CA certificates for verification purposes are located.
	18	The certificates available via
	19	.Fa CAfile
	20	and
	21	.Fa CApath
	22	are trusted.
	23	.Sh NOTES
	24	If
	25	.Fa CAfile
	26	is not
	27	.Dv NULL ,
	28	it points to a file of CA certificates in PEM format.
	29	The file can contain several CA certificates identified by sequences of:
	30	.Bd -literal
	31	-----BEGIN CERTIFICATE-----
	32	... (CA certificate in base64 encoding) ...
	33	-----END CERTIFICATE-----
	34	.Ed
	35	Before, between, and after the certificates arbitrary text is allowed which can
	36	be used, e.g., for descriptions of the certificates.
	37	.Pp
	38	The
	39	.Fa CAfile
	40	is processed on execution of the
	41	.Fn SSL_CTX_load_verify_locations
	42	function.
	43	.Pp
	44	If
	45	.Fa CApath
	46	is not NULL, it points to a directory containing CA certificates in PEM format.
	47	The files each contain one CA certificate.
	48	The files are looked up by the CA subject name hash value,
	49	which must hence be available.
	50	If more than one CA certificate with the same name hash value exist,
	51	the extension must be different (e.g.,
	52	.Pa 9d66eef0.0 ,
	53	.Pa 9d66eef0.1 ,
	54	etc.).
	55	The search is performed in the ordering of the extension number,
	56	regardless of other properties of the certificates.
	57	.Pp
	58	The certificates in
	59	.Fa CApath
	60	are only looked up when required, e.g., when building the certificate chain or
	61	when actually performing the verification of a peer certificate.
	62	.Pp
	63	When looking up CA certificates, the OpenSSL library will first search the
	64	certificates in
	65	.Fa CAfile ,
	66	then those in
	67	.Fa CApath .
	68	Certificate matching is done based on the subject name, the key identifier (if
	69	present), and the serial number as taken from the certificate to be verified.
	70	If these data do not match, the next certificate will be tried.
	71	If a first certificate matching the parameters is found,
	72	the verification process will be performed;
	73	no other certificates for the same parameters will be searched in case of
	74	failure.
	75	.Pp
	76	In server mode, when requesting a client certificate, the server must send
	77	the list of CAs of which it will accept client certificates.
	78	This list is not influenced by the contents of
	79	.Fa CAfile
	80	or
	81	.Fa CApath
	82	and must explicitly be set using the
	83	.Xr SSL_CTX_set_client_CA_list 3
	84	family of functions.
	85	.Pp
	86	When building its own certificate chain, an OpenSSL client/server will try to
	87	fill in missing certificates from
	88	.Fa CAfile Ns / Fa CApath ,
	89	if the
	90	certificate chain was not explicitly specified (see
	91	.Xr SSL_CTX_add_extra_chain_cert 3
	92	and
	93	.Xr SSL_CTX_use_certificate 3 ) .
	94	.Sh WARNINGS
	95	If several CA certificates matching the name, key identifier, and serial
	96	number condition are available, only the first one will be examined.
	97	This may lead to unexpected results if the same CA certificate is available
	98	with different expiration dates.
	99	If a
	100	.Dq certificate expired
	101	verification error occurs, no other certificate will be searched.
	102	Make sure to not have expired certificates mixed with valid ones.
	103	.Sh RETURN VALUES
	104	The following return values can occur:
	105	.Bl -tag -width Ds
	106	.It 0
	107	The operation failed because
	108	.Fa CAfile
	109	and
	110	.Fa CApath
	111	are
	112	.Dv NULL
	113	or the processing at one of the locations specified failed.
	114	Check the error stack to find out the reason.
	115	.It 1
	116	The operation succeeded.
	117	.El
	118	.Sh EXAMPLES
	119	Generate a CA certificate file with descriptive text from the CA certificates
	120	.Pa ca1.pem
	121	.Pa ca2.pem
	122	.Pa ca3.pem :
	123	.Bd -literal
	124	#!/bin/sh
	125	rm CAfile.pem
	126	for i in ca1.pem ca2.pem ca3.pem; do
	127	openssl x509 -in $i -text >> CAfile.pem
	128	done
	129	.Ed
	130	.Pp
	131	Prepare the directory /some/where/certs containing several CA certificates
	132	for use as
	133	.Fa CApath :
	134	.Bd -literal
	135	$ cd /some/where/certs
	136	$ rm -f .[0-9] .r[0-9]
	137	$ for c in *.pem; do
	138	> [ "$c" = "*.pem" ] && continue
	139	> hash=$(openssl x509 -noout -hash -in "$c")
	140	> if egrep -q -- '-BEGIN( X509 \| TRUSTED \| )CERTIFICATE-' "$c"; then
	141	> suf=0
	142	> while [ -e $hash.$suf ]; do suf=$(( $suf + 1 )); done
	143	> ln -s "$c" $hash.$suf
	144	> fi
	145	> if egrep -q -- '-BEGIN X509 CRL-' "$c"; then
	146	> suf=0
	147	> while [ -e $hash.r$suf ]; do suf=$(( $suf + 1 )); done
	148	> ln -s "$c" $hash.r$suf
	149	> fi
	150	> done
	151	.Ed
	152	.Sh SEE ALSO
	153	.Xr ssl 3 ,
	154	.Xr SSL_CTX_add_extra_chain_cert 3 ,
	155	.Xr SSL_CTX_set_cert_store 3 ,
	156	.Xr SSL_CTX_set_client_CA_list 3 ,
	157	.Xr SSL_CTX_use_certificate 3 ,
	158	.Xr SSL_get_client_CA_list 3