1 files changed, 84 insertions, 15 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b7ece44811..c279c1dce2 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,25 +1,85 @@
+.\"     $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.2 2016/11/30 12:55:25 schwarze Exp $
+.\"     OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
 .\"
-.\"     $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
+.\" Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2000, 2002, 2013, 2015 The OpenSSL Project.
+.\" All rights reserved.
 .\"
-.Dd $Mdocdate: November 5 2016 $
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
-.Nm SSL_CTX_add_extra_chain_cert
+.Nm SSL_CTX_add_extra_chain_cert ,
-.Nd add certificate to chain
+.Nm SSL_CTX_clear_extra_chain_certs
+.Nd add or clear extra chain certificates
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft long
-.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 *x509"
+.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
+.Ft long
+.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
 .Sh DESCRIPTION
 .Fn SSL_CTX_add_extra_chain_cert
 adds the certificate
 .Fa x509
-to the certificate chain presented together with the certificate.
+to the extra chain certificates associated with
-Several certificates can be added one after the other.
+.Fa ctx .
-.Sh NOTES
+Several certificates can be added one after another.
-When constructing the certificate chain, the chain will be formed from
+.Pp
-these certificates explicitly specified.
+.Fn SSL_CTX_clear_extra_chain_certs
+clears all extra chain certificates associated with
+.Fa ctx .
+.Pp
+These functions are implemented as macros.
+.Pp
+When sending a certificate chain, extra chain certificates are sent
+in order following the end entity certificate.
+.Pp
 If no chain is specified, the library will try to complete the chain from the
 available CA certificates in the trusted CA storage, see
 .Xr SSL_CTX_load_verify_locations 3 .
@@ -29,17 +89,26 @@ The x509 certificate provided to
 will be freed by the library when the
 .Vt SSL_CTX
 is destroyed.
-An application
+An application should not free the
-.Em should not
-free the
 .Fa x509
 object.
 .Sh RETURN VALUES
 .Fn SSL_CTX_add_extra_chain_cert
-returns 1 on success.
+and
-Check out the error stack to find out the reason for failure otherwise.
+.Fn SSL_CTX_clear_extra_chain_certs
+return 1 on success or 0 for failure.
+Check out the error stack to find out the reason for failure.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
 .Xr SSL_CTX_use_certificate 3
+.Sh CAVEATS
+Only one set of extra chain certificates can be specified per
+.Vt SSL_CTX
+structure.
+Different chains for different certificates (for example if both
+RSA and DSA certificates are specified by the same server) or
+different SSL structures with the same parent
+.Vt SSL_CTX
+cannot be specified using this function.

diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 index b7ece44811..c279c1dce2 100644 --- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 +++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,25 +1,85 @@
		1	.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.2 2016/11/30 12:55:25 schwarze Exp $
		2	.\" OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
1	.\"	3	.\"
2	.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
		5	.\" Dr. Stephen Henson <steve@openssl.org>.
		6	.\" Copyright (c) 2000, 2002, 2013, 2015 The OpenSSL Project.
		7	.\" All rights reserved.
3	.\"	8	.\"
4	.Dd $Mdocdate: November 5 2016 $	9	.\" Redistribution and use in source and binary forms, with or without
		10	.\" modification, are permitted provided that the following conditions
		11	.\" are met:
		12	.\"
		13	.\" 1. Redistributions of source code must retain the above copyright
		14	.\" notice, this list of conditions and the following disclaimer.
		15	.\"
		16	.\" 2. Redistributions in binary form must reproduce the above copyright
		17	.\" notice, this list of conditions and the following disclaimer in
		18	.\" the documentation and/or other materials provided with the
		19	.\" distribution.
		20	.\"
		21	.\" 3. All advertising materials mentioning features or use of this
		22	.\" software must display the following acknowledgment:
		23	.\" "This product includes software developed by the OpenSSL Project
		24	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		25	.\"
		26	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		27	.\" endorse or promote products derived from this software without
		28	.\" prior written permission. For written permission, please contact
		29	.\" openssl-core@openssl.org.
		30	.\"
		31	.\" 5. Products derived from this software may not be called "OpenSSL"
		32	.\" nor may "OpenSSL" appear in their names without prior written
		33	.\" permission of the OpenSSL Project.
		34	.\"
		35	.\" 6. Redistributions of any form whatsoever must retain the following
		36	.\" acknowledgment:
		37	.\" "This product includes software developed by the OpenSSL Project
		38	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		39	.\"
		40	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		41	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		42	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		43	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		44	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		45	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		46	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		47	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		48	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		49	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		52	.\"
		53	.Dd $Mdocdate: November 30 2016 $
5	.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3	54	.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
6	.Os	55	.Os
7	.Sh NAME	56	.Sh NAME
8	.Nm SSL_CTX_add_extra_chain_cert	57	.Nm SSL_CTX_add_extra_chain_cert ,
9	.Nd add certificate to chain	58	.Nm SSL_CTX_clear_extra_chain_certs
		59	.Nd add or clear extra chain certificates
10	.Sh SYNOPSIS	60	.Sh SYNOPSIS
11	.In openssl/ssl.h	61	.In openssl/ssl.h
12	.Ft long	62	.Ft long
13	.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 *x509"	63	.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 x509"
		64	.Ft long
		65	.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
14	.Sh DESCRIPTION	66	.Sh DESCRIPTION
15	.Fn SSL_CTX_add_extra_chain_cert	67	.Fn SSL_CTX_add_extra_chain_cert
16	adds the certificate	68	adds the certificate
17	.Fa x509	69	.Fa x509
18	to the certificate chain presented together with the certificate.	70	to the extra chain certificates associated with
19	Several certificates can be added one after the other.	71	.Fa ctx .
20	.Sh NOTES	72	Several certificates can be added one after another.
21	When constructing the certificate chain, the chain will be formed from	73	.Pp
22	these certificates explicitly specified.	74	.Fn SSL_CTX_clear_extra_chain_certs
		75	clears all extra chain certificates associated with
		76	.Fa ctx .
		77	.Pp
		78	These functions are implemented as macros.
		79	.Pp
		80	When sending a certificate chain, extra chain certificates are sent
		81	in order following the end entity certificate.
		82	.Pp
23	If no chain is specified, the library will try to complete the chain from the	83	If no chain is specified, the library will try to complete the chain from the
24	available CA certificates in the trusted CA storage, see	84	available CA certificates in the trusted CA storage, see
25	.Xr SSL_CTX_load_verify_locations 3 .	85	.Xr SSL_CTX_load_verify_locations 3 .
@@ -29,17 +89,26 @@ The x509 certificate provided to
29	will be freed by the library when the	89	will be freed by the library when the
30	.Vt SSL_CTX	90	.Vt SSL_CTX
31	is destroyed.	91	is destroyed.
32	An application	92	An application should not free the
33	.Em should not
34	free the
35	.Fa x509	93	.Fa x509
36	object.	94	object.
37	.Sh RETURN VALUES	95	.Sh RETURN VALUES
38	.Fn SSL_CTX_add_extra_chain_cert	96	.Fn SSL_CTX_add_extra_chain_cert
39	returns 1 on success.	97	and
40	Check out the error stack to find out the reason for failure otherwise.	98	.Fn SSL_CTX_clear_extra_chain_certs
		99	return 1 on success or 0 for failure.
		100	Check out the error stack to find out the reason for failure.
41	.Sh SEE ALSO	101	.Sh SEE ALSO
42	.Xr ssl 3 ,	102	.Xr ssl 3 ,
43	.Xr SSL_CTX_load_verify_locations 3 ,	103	.Xr SSL_CTX_load_verify_locations 3 ,
44	.Xr SSL_CTX_set_client_cert_cb 3 ,	104	.Xr SSL_CTX_set_client_cert_cb 3 ,
45	.Xr SSL_CTX_use_certificate 3	105	.Xr SSL_CTX_use_certificate 3
		106	.Sh CAVEATS
		107	Only one set of extra chain certificates can be specified per
		108	.Vt SSL_CTX
		109	structure.
		110	Different chains for different certificates (for example if both
		111	RSA and DSA certificates are specified by the same server) or
		112	different SSL structures with the same parent
		113	.Vt SSL_CTX
		114	cannot be specified using this function.