SSL_CTX_SET_CLIENT_CA_LIST(3)              OpenSSL             SSL_CTX_SET_CLIENT_CA_LIST(3)

NAME
       SSL_CTX_set_client_CA_list, SSL_set_client_CA_list,
       SSL_CTX_add_client_CA, SSL_add_client_CA - set list of CAs sent to the
       client when requesting a client certificate

SYNOPSIS
       #include <openssl/ssl.h>

       void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
       void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
       int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
       int SSL_add_client_CA(SSL *ssl, X509 *cacert);

DESCRIPTION
       SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
       when requesting a client certificate for ctx.

       SSL_set_client_CA_list() sets the list of CAs sent to the client when
       requesting a client certificate for the chosen ssl, overriding the
       setting valid for ssl's SSL_CTX object.

       SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the
       list of CAs sent to the client when requesting a client certificate for
       ctx.

       SSL_add_client_CA() adds the CA name extracted from cacert to the list
       of CAs sent to the client when requesting a client certificate for the
       chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

NOTES
       When a TLS/SSL server requests a client certificate (see
       SSL_CTX_set_verify(3)), it sends the client a list of CAs for which it
       will accept certificates.

       This list must be set explicitly, using SSL_CTX_set_client_CA_list() for
       ctx or SSL_set_client_CA_list() for the specific ssl. The list specified
       replaces any previous setting. Listing a CA here does not make it
       trusted: the list carries only the CA names, not the complete
       certificates. To have client certificates actually verified against
       those CAs, load them separately with SSL_CTX_load_verify_locations(3).

       If the list of acceptable CAs is kept in a file, the
       SSL_load_client_CA_file(3) function can be used to import the necessary
       data.

       SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add
       further entries to the list of client CAs. If no list was set
       beforehand with SSL_CTX_set_client_CA_list() or
       SSL_set_client_CA_list(), a new client CA list is created for ctx or
       ssl (as appropriate).

       These functions are only useful for TLS/SSL servers.

RETURN VALUES
       SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return
       diagnostic information.

       SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following
       return values:

       0   A failure while manipulating the STACK_OF(X509_NAME) object
           occurred or the X509_NAME could not be extracted from cacert. Check
           the error stack to find out the reason.

       1   The operation succeeded.

EXAMPLES
       Scan all certificates in CAfile and list them as acceptable CAs:

           SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));

SEE ALSO
       ssl(7), SSL_get_client_CA_list(3), SSL_load_client_CA_file(3),
       SSL_CTX_load_verify_locations(3)

COPYRIGHT
       Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License"). You may not use
       this file except in compliance with the License. You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

1.1.1                              2018-09-11           SSL_CTX_SET_CLIENT_CA_LIST(3)