1 files changed, 0 insertions, 143 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3
deleted file mode 100644
index 7a7d9466d2..0000000000
--- a/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3
+++ /dev/null
@@ -1,143 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
-.\"
-.Dd $Mdocdate: December 2 2014 $
-.Dt SSL_CTX_SET_CLIENT_CERT_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_client_cert_cb ,
-.Nm SSL_CTX_get_client_cert_cb
-.Nd handle client certificate callback function
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_client_cert_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)"
-.Fc
-.Ft int
-.Fo "(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Fc
-.Ft int
-.Fn "(*client_cert_cb)" "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_client_cert_cb
-sets the
-.Fa client_cert_cb()
-callback that is called when a client certificate is requested by a server and
-no certificate was yet set for the SSL object.
-.Pp
-When
-.Fa client_cert_cb
-is
-.Dv NULL ,
-no callback function is used.
-.Pp
-.Fn SSL_CTX_get_client_cert_cb
-returns a pointer to the currently set callback function.
-.Pp
-.Fn client_cert_cb
-is the application-defined callback.
-If it wants to set a certificate,
-a certificate/private key combination must be set using the
-.Fa x509
-and
-.Fa pkey
-arguments and 1 must be returned.
-The certificate will be installed into
-.Fa ssl ;
-see the
-.Sx NOTES
-and
-.Sx BUGS
-sections.
-If no certificate should be set,
-0 has to be returned and no certificate will be sent.
-A negative return value will suspend the handshake and the handshake function
-will return immediately.
-.Xr SSL_get_error 3
-will return
-.Dv SSL_ERROR_WANT_X509_LOOKUP
-to indicate that the handshake was suspended.
-The next call to the handshake function will again lead to the call of
-.Fa client_cert_cb() .
-It is the job of the
-.Fa client_cert_cb()
-to store information
-about the state of the last call, if required to continue.
-.Sh NOTES
-During a handshake (or renegotiation)
-a server may request a certificate from the client.
-A client certificate must only be sent when the server did send the request.
-.Pp
-When a certificate has been set using the
-.Xr SSL_CTX_use_certificate 3
-family of functions,
-it will be sent to the server.
-The TLS standard requires that only a certificate is sent if it matches the
-list of acceptable CAs sent by the server.
-This constraint is violated by the default behavior of the OpenSSL library.
-Using the callback function it is possible to implement a proper selection
-routine or to allow a user interaction to choose the certificate to be sent.
-.Pp
-If a callback function is defined and no certificate was yet defined for the
-.Vt SSL
-object, the callback function will be called.
-If the callback function returns a certificate, the OpenSSL library
-will try to load the private key and certificate data into the
-.Vt SSL
-object using the
-.Fn SSL_use_certificate
-and
-.Fn SSL_use_private_key
-functions.
-Thus it will permanently install the certificate and key for this SSL object.
-It will not be reset by calling
-.Xr SSL_clear 3 .
-If the callback returns no certificate, the OpenSSL library will not send a
-certificate.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_get_client_CA_list 3
-.Sh BUGS
-The
-.Fa client_cert_cb()
-cannot return a complete certificate chain;
-it can only return one client certificate.
-If the chain only has a length of 2,
-the root CA certificate may be omitted according to the TLS standard and
-thus a standard conforming answer can be sent to the server.
-For a longer chain, the client must send the complete chain
-(with the option to leave out the root CA certificate).
-This can be accomplished only by either adding the intermediate CA certificates
-into the trusted certificate store for the
-.Vt SSL_CTX
-object (resulting in having to add CA certificates that otherwise maybe would
-not be trusted), or by adding the chain certificates using the
-.Xr SSL_CTX_add_extra_chain_cert 3
-function, which is only available for the
-.Vt SSL_CTX
-object as a whole and that therefore probably can only apply for one client
-certificate, making the concept of the callback function
-(to allow the choice from several certificates) questionable.
-.Pp
-Once the
-.Vt SSL
-object has been used in conjunction with the callback function,
-the certificate will be set for the
-.Vt SSL
-object and will not be cleared even when
-.Xr SSL_clear 3
-is called.
-It is therefore
-.Em mandatory
-to destroy the
-.Vt SSL
-object using
-.Xr SSL_free 3
-and create a new one to return to the previous state.

diff --git a/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3 deleted file mode 100644 index 7a7d9466d2..0000000000 --- a/src/lib/libssl/doc/SSL_CTX_set_client_cert_cb.3 +++ /dev/null
@@ -1,143 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
3	.\"
4	.Dd $Mdocdate: December 2 2014 $
5	.Dt SSL_CTX_SET_CLIENT_CERT_CB 3
6	.Os
7	.Sh NAME
8	.Nm SSL_CTX_set_client_cert_cb ,
9	.Nm SSL_CTX_get_client_cert_cb
10	.Nd handle client certificate callback function
11	.Sh SYNOPSIS
12	.In openssl/ssl.h
13	.Ft void
14	.Fo SSL_CTX_set_client_cert_cb
15	.Fa "SSL_CTX *ctx"
16	.Fa "int (client_cert_cb)(SSL ssl, X509 x509, EVP_PKEY pkey)"
17	.Fc
18	.Ft int
19	.Fo "(SSL_CTX_get_client_cert_cb(SSL_CTX ctx))"
20	.Fa "SSL ssl" "X509 x509" "EVP_PKEY *pkey"
21	.Fc
22	.Ft int
23	.Fn "(client_cert_cb)" "SSL ssl" "X509 x509" "EVP_PKEY pkey"
24	.Sh DESCRIPTION
25	.Fn SSL_CTX_set_client_cert_cb
26	sets the
27	.Fa client_cert_cb()
28	callback that is called when a client certificate is requested by a server and
29	no certificate was yet set for the SSL object.
30	.Pp
31	When
32	.Fa client_cert_cb
33	is
34	.Dv NULL ,
35	no callback function is used.
36	.Pp
37	.Fn SSL_CTX_get_client_cert_cb
38	returns a pointer to the currently set callback function.
39	.Pp
40	.Fn client_cert_cb
41	is the application-defined callback.
42	If it wants to set a certificate,
43	a certificate/private key combination must be set using the
44	.Fa x509
45	and
46	.Fa pkey
47	arguments and 1 must be returned.
48	The certificate will be installed into
49	.Fa ssl ;
50	see the
51	.Sx NOTES
52	and
53	.Sx BUGS
54	sections.
55	If no certificate should be set,
56	0 has to be returned and no certificate will be sent.
57	A negative return value will suspend the handshake and the handshake function
58	will return immediately.
59	.Xr SSL_get_error 3
60	will return
61	.Dv SSL_ERROR_WANT_X509_LOOKUP
62	to indicate that the handshake was suspended.
63	The next call to the handshake function will again lead to the call of
64	.Fa client_cert_cb() .
65	It is the job of the
66	.Fa client_cert_cb()
67	to store information
68	about the state of the last call, if required to continue.
69	.Sh NOTES
70	During a handshake (or renegotiation)
71	a server may request a certificate from the client.
72	A client certificate must only be sent when the server did send the request.
73	.Pp
74	When a certificate has been set using the
75	.Xr SSL_CTX_use_certificate 3
76	family of functions,
77	it will be sent to the server.
78	The TLS standard requires that only a certificate is sent if it matches the
79	list of acceptable CAs sent by the server.
80	This constraint is violated by the default behavior of the OpenSSL library.
81	Using the callback function it is possible to implement a proper selection
82	routine or to allow a user interaction to choose the certificate to be sent.
83	.Pp
84	If a callback function is defined and no certificate was yet defined for the
85	.Vt SSL
86	object, the callback function will be called.
87	If the callback function returns a certificate, the OpenSSL library
88	will try to load the private key and certificate data into the
89	.Vt SSL
90	object using the
91	.Fn SSL_use_certificate
92	and
93	.Fn SSL_use_private_key
94	functions.
95	Thus it will permanently install the certificate and key for this SSL object.
96	It will not be reset by calling
97	.Xr SSL_clear 3 .
98	If the callback returns no certificate, the OpenSSL library will not send a
99	certificate.
100	.Sh SEE ALSO
101	.Xr ssl 3 ,
102	.Xr SSL_clear 3 ,
103	.Xr SSL_CTX_add_extra_chain_cert 3 ,
104	.Xr SSL_CTX_use_certificate 3 ,
105	.Xr SSL_free 3 ,
106	.Xr SSL_get_client_CA_list 3
107	.Sh BUGS
108	The
109	.Fa client_cert_cb()
110	cannot return a complete certificate chain;
111	it can only return one client certificate.
112	If the chain only has a length of 2,
113	the root CA certificate may be omitted according to the TLS standard and
114	thus a standard conforming answer can be sent to the server.
115	For a longer chain, the client must send the complete chain
116	(with the option to leave out the root CA certificate).
117	This can be accomplished only by either adding the intermediate CA certificates
118	into the trusted certificate store for the
119	.Vt SSL_CTX
120	object (resulting in having to add CA certificates that otherwise maybe would
121	not be trusted), or by adding the chain certificates using the
122	.Xr SSL_CTX_add_extra_chain_cert 3
123	function, which is only available for the
124	.Vt SSL_CTX
125	object as a whole and that therefore probably can only apply for one client
126	certificate, making the concept of the callback function
127	(to allow the choice from several certificates) questionable.
128	.Pp
129	Once the
130	.Vt SSL
131	object has been used in conjunction with the callback function,
132	the certificate will be set for the
133	.Vt SSL
134	object and will not be cleared even when
135	.Xr SSL_clear 3
136	is called.
137	It is therefore
138	.Em mandatory
139	to destroy the
140	.Vt SSL
141	object using
142	.Xr SSL_free 3
143	and create a new one to return to the previous state.