1Net::SSLeay(3) User Contributed Perl Documentation Net::SSLeay(3)
2
6 Net::SSLeay - Perl extension for using OpenSSL
7
9 use Net::SSLeay qw(get_https post_https sslcat make_headers make_form);
10 ($page) = get_https('www.bacus.pt', 443, '/'); # Case 1
12 ($page, $response, %reply_headers)
14 = get_https('www.bacus.pt', 443, '/', # Case 2
15 make_headers(User-Agent => 'Cryptozilla/5.0b1',
16 Referer => 'https://www.bacus.pt'
17 ));
18 ($page, $result, %headers) = # Case 2b
20 = get_https('www.bacus.pt', 443, '/protected.html',
21 make_headers(Authorization =>
22 'Basic ' . MIME::Base64::encode("$user:$pass",''))
23 );
24 ($page, $response, %reply_headers)
26 = post_https('www.bacus.pt', 443, '/foo.cgi', '', # Case 3
27 make_form(OK => '1',
28 name => 'Sampo'
29 ));
30 $reply = sslcat($host, $port, $request); # Case 4
32 ($reply, $err, $server_cert) = sslcat($host, $port, $request); # Case 5
34 $Net::SSLeay::trace = 2; # 0=no debugging, 1=ciphers, 2=trace, 3=dump data
36 Net::SSLeay::initialize(); # Initialize ssl library once
38
40 This module provides Perl bindings for libssl (an SSL/TLS API) and
41 libcrypto (a cryptography API).
42
44 Net::SSLeay supports the following libssl implementations:
45 • Any stable release of OpenSSL <https://www.openssl.org> in the
47 0.9.8 - 1.1.1 branches, except for OpenSSL 0.9.8 - 0.9.8b.
48 • Any stable release of LibreSSL <https://www.libressl.org> in the
50 2.0 - 3.1 series.
51 Net::SSLeay may not function as expected with newer releases than the
53 ones listed above due to libssl API incompatibilities, or, in the case
54 of LibreSSL, because of deviations from the libssl API.
55 Net::SSLeay is only as secure as the underlying libssl implementation
57 you use. Although Net::SSLeay maintains compatibility with old
58 versions of OpenSSL and LibreSSL, it is strongly recommended that you
59 use a version of OpenSSL or LibreSSL that is supported by the
60 OpenSSL/LibreSSL developers and/or your operating system vendor. Many
61 unsupported versions of OpenSSL and LibreSSL are known to contain
62 severe security vulnerabilities. Refer to the OpenSSL Release Strategy
63 <https://www.openssl.org/policies/releasestrat.html> and LibreSSL
64 Support Schedule <https://www.libressl.org/releases.html> for
65 information on which versions are currently supported.
66 The libssl API has changed significantly since OpenSSL 0.9.8: hundreds
68 of functions have been added, deprecated or removed in the intervening
69 versions. Although this documentation lists all of the functions and
70 constants that Net::SSLeay may expose, they will not be available for
71 use if they are missing from the underlying libssl implementation.
72 Refer to the compatibility notes in this documentation, as well as the
73 OpenSSL/LibreSSL manual pages, for information on which
74 OpenSSL/LibreSSL versions support each function or constant. At run-
75 time, you can check whether a function or constant is exposed before
76 calling it using the following convention:
77 if ( defined &Net::SSLeay::libssl_function ) {
79 # libssl_function() (or SSL_libssl_function()) is available
80 Net::SSLeay::libssl_function(...);
81 }
82
84 Net::SSLeay module basically comprise of:
85 • High level functions for accessing web servers (by using
87 HTTP/HTTPS)
88 • Low level API (mostly mapped 1:1 to openssl's C functions)
90 • Convenience functions (related to low level API but with more perl
92 friendly interface)
93 There is also a related module called Net::SSLeay::Handle included in
95 this distribution that you might want to use instead. It has its own
96 pod documentation.
97 High level functions for accessing web servers
99 This module offers some high level convenience functions for accessing
100 web pages on SSL servers (for symmetry, the same API is offered for
101 accessing http servers, too), an "sslcat()" function for writing your
102 own clients, and finally access to the SSL api of the SSLeay/OpenSSL
103 package so you can write servers or clients for more complicated
104 applications.
105 For high level functions it is most convenient to import them into your
107 main namespace as indicated in the synopsis.
108 Basic set of functions
110 • get_https
112 • post_https
114 • put_https
116 • head_https
118 • do_https
120 • sslcat
122 • https_cat
124 • make_form
126 • make_headers
128 Case 1 (in SYNOPSIS) demonstrates the typical invocation of get_https()
130 to fetch an HTML page from secure server. The first argument provides
131 the hostname or IP in dotted decimal notation of the remote server to
132 contact. The second argument is the TCP port at the remote end (your
133 own port is picked arbitrarily from high numbered ports as usual for
134 TCP). The third argument is the URL of the page without the host name
135 part. If in doubt consult the HTTP specifications at
136 <http://www.w3c.org>.
137 Case 2 (in SYNOPSIS) demonstrates full fledged use of "get_https()". As
139 can be seen, "get_https()" parses the response and response headers and
140 returns them as a list, which can be captured in a hash for later
141 reference. Also a fourth argument to "get_https()" is used to insert
142 some additional headers in the request. "make_headers()" is a function
143 that will convert a list or hash to such headers. By default
144 "get_https()" supplies "Host" (to make virtual hosting easy) and
145 "Accept" (reportedly needed by IIS) headers.
146 Case 2b (in SYNOPSIS) demonstrates how to get a password protected
148 page. Refer to the HTTP protocol specifications for further details
149 (e.g. RFC-2617).
150 Case 3 (in SYNOPSIS) invokes "post_https()" to submit a HTML/CGI form
152 to a secure server. The first four arguments are equal to "get_https()"
153 (note that the empty string ('') is passed as header argument). The
154 fifth argument is the contents of the form formatted according to CGI
155 specification. Do not post UTF-8 data as content: use utf8::downgrade
156 first. In this case the helper function "make_https()" is used to do
157 the formatting, but you could pass any string. "post_https()"
158 automatically adds "Content-Type" and "Content-Length" headers to the
159 request.
160 Case 4 (in SYNOPSIS) shows the fundamental "sslcat()" function
162 (inspired in spirit by the "netcat" utility :-). It's your swiss army
163 knife that allows you to easily contact servers, send some data, and
164 then get the response. You are responsible for formatting the data and
165 parsing the response - "sslcat()" is just a transport.
166 Case 5 (in SYNOPSIS) is a full invocation of "sslcat()" which allows
168 the return of errors as well as the server (peer) certificate.
169 The $trace global variable can be used to control the verbosity of the
171 high level functions. Level 0 guarantees silence, level 1 (the default)
172 only emits error messages.
173 Alternate versions of high-level API
175 • get_https3
177 • post_https3
179 • put_https3
181 • get_https4
183 • post_https4
185 • put_https4
187 The above mentioned functions actually return the response headers as a
189 list, which only gets converted to hash upon assignment (this
190 assignment looses information if the same header occurs twice, as may
191 be the case with cookies). There are also other variants of the
192 functions that return unprocessed headers and that return a reference
193 to a hash.
194 ($page, $response, @headers) = get_https('www.bacus.pt', 443, '/');
196 for ($i = 0; $i < $#headers; $i+=2) {
197 print "$headers[$i] = " . $headers[$i+1] . "\n";
198 }
199 ($page, $response, $headers, $server_cert)
201 = get_https3('www.bacus.pt', 443, '/');
202 print "$headers\n";
203 ($page, $response, $headers_ref)
205 = get_https4('www.bacus.pt', 443, '/');
206 for $k (sort keys %{$headers_ref}) {
207 for $v (@{$$headers_ref{$k}}) {
208 print "$k = $v\n";
209 }
210 }
211 All of the above code fragments accomplish the same thing: display all
213 values of all headers. The API functions ending in "3" return the
214 headers simply as a scalar string and it is up to the application to
215 split them up. The functions ending in "4" return a reference to a hash
216 of arrays (see perlref and perllol if you are not familiar with complex
217 perl data structures). To access a single value of such a header hash
218 you would do something like
219 print $$headers_ref{COOKIE}[0];
221 Variants 3 and 4 also allow you to discover the server certificate in
223 case you would like to store or display it, e.g.
224 ($p, $resp, $hdrs, $server_cert) = get_https3('www.bacus.pt', 443, '/');
226 if (!defined($server_cert) || ($server_cert == 0)) {
227 warn "Subject Name: undefined, Issuer Name: undefined";
228 } else {
229 warn 'Subject Name: '
230 . Net::SSLeay::X509_NAME_oneline(
231 Net::SSLeay::X509_get_subject_name($server_cert))
232 . 'Issuer Name: '
233 . Net::SSLeay::X509_NAME_oneline(
234 Net::SSLeay::X509_get_issuer_name($server_cert));
235 }
236 Beware that this method only allows after the fact verification of the
238 certificate: by the time "get_https3()" has returned the https request
239 has already been sent to the server, whether you decide to trust it or
240 not. To do the verification correctly you must either employ the
241 OpenSSL certificate verification framework or use the lower level API
242 to first connect and verify the certificate and only then send the http
243 data. See the implementation of "ds_https3()" for guidance on how to do
244 this.
245 Using client certificates
247 Secure web communications are encrypted using symmetric crypto keys
249 exchanged using encryption based on the certificate of the server.
250 Therefore in all SSL connections the server must have a certificate.
251 This serves both to authenticate the server to the clients and to
252 perform the key exchange.
253 Sometimes it is necessary to authenticate the client as well. Two
255 options are available: HTTP basic authentication and a client side
256 certificate. The basic authentication over HTTPS is actually quite safe
257 because HTTPS guarantees that the password will not travel in the
258 clear. Never-the-less, problems like easily guessable passwords remain.
259 The client certificate method involves authentication of the client at
260 the SSL level using a certificate. For this to work, both the client
261 and the server have certificates (which typically are different) and
262 private keys.
263 The API functions outlined above accept additional arguments that allow
265 one to supply the client side certificate and key files. The format of
266 these files is the same as used for server certificates and the caveat
267 about encrypting private keys applies.
268 ($page, $result, %headers) = # 2c
270 = get_https('www.bacus.pt', 443, '/protected.html',
271 make_headers(Authorization =>
272 'Basic ' . MIME::Base64::encode("$user:$pass",'')),
273 '', $mime_type6, $path_to_crt7, $path_to_key8);
274 ($page, $response, %reply_headers)
276 = post_https('www.bacus.pt', 443, '/foo.cgi', # 3b
277 make_headers('Authorization' =>
278 'Basic ' . MIME::Base64::encode("$user:$pass",'')),
279 make_form(OK => '1', name => 'Sampo'),
280 $mime_type6, $path_to_crt7, $path_to_key8);
281 Case 2c (in SYNOPSIS) demonstrates getting a password protected page
283 that also requires a client certificate, i.e. it is possible to use
284 both authentication methods simultaneously.
285 Case 3b (in SYNOPSIS) is a full blown POST to a secure server that
287 requires both password authentication and a client certificate, just
288 like in case 2c.
289 Note: The client will not send a certificate unless the server requests
291 one. This is typically achieved by setting the verify mode to
292 "VERIFY_PEER" on the server:
293 Net::SSLeay::set_verify(ssl, Net::SSLeay::VERIFY_PEER, 0);
295 See "perldoc ~openssl/doc/ssl/SSL_CTX_set_verify.pod" for a full
297 description.
298 Working through a web proxy
300 • set_proxy
302 "Net::SSLeay" can use a web proxy to make its connections. You need to
304 first set the proxy host and port using "set_proxy()" and then just use
305 the normal API functions, e.g:
306 Net::SSLeay::set_proxy('gateway.myorg.com', 8080);
308 ($page) = get_https('www.bacus.pt', 443, '/');
309 If your proxy requires authentication, you can supply a username and
311 password as well
312 Net::SSLeay::set_proxy('gateway.myorg.com', 8080, 'joe', 'salainen');
314 ($page, $result, %headers) =
315 = get_https('www.bacus.pt', 443, '/protected.html',
316 make_headers(Authorization =>
317 'Basic ' . MIME::Base64::encode("susie:pass",''))
318 );
319 This example demonstrates the case where we authenticate to the proxy
321 as "joe" and to the final web server as "susie". Proxy authentication
322 requires the "MIME::Base64" module to work.
323 HTTP (without S) API
325 • get_http
327 • post_http
329 • tcpcat
331 • get_httpx
333 • post_httpx
335 • tcpxcat
337 Over the years it has become clear that it would be convenient to use
339 the light-weight flavour API of "Net::SSLeay" for normal HTTP as well
340 (see "LWP" for the heavy-weight object-oriented approach). In fact it
341 would be nice to be able to flip https on and off on the fly. Thus
342 regular HTTP support was evolved.
343 use Net::SSLeay qw(get_http post_http tcpcat
345 get_httpx post_httpx tcpxcat
346 make_headers make_form);
347 ($page, $result, %headers)
349 = get_http('www.bacus.pt', 443, '/protected.html',
350 make_headers(Authorization =>
351 'Basic ' . MIME::Base64::encode("$user:$pass",''))
352 );
353 ($page, $response, %reply_headers)
355 = post_http('www.bacus.pt', 443, '/foo.cgi', '',
356 make_form(OK => '1',
357 name => 'Sampo'
358 ));
359 ($reply, $err) = tcpcat($host, $port, $request);
361 ($page, $result, %headers)
363 = get_httpx($usessl, 'www.bacus.pt', 443, '/protected.html',
364 make_headers(Authorization =>
365 'Basic ' . MIME::Base64::encode("$user:$pass",''))
366 );
367 ($page, $response, %reply_headers)
369 = post_httpx($usessl, 'www.bacus.pt', 443, '/foo.cgi', '',
370 make_form(OK => '1', name => 'Sampo' ));
371 ($reply, $err, $server_cert) = tcpxcat($usessl, $host, $port, $request);
373 As can be seen, the "x" family of APIs takes as the first argument a
375 flag which indicates whether SSL is used or not.
376 Certificate verification and Certificate Revocation Lists (CRLs)
378 OpenSSL supports the ability to verify peer certificates. It can also
379 optionally check the peer certificate against a Certificate Revocation
380 List (CRL) from the certificates issuer. A CRL is a file, created by
381 the certificate issuer that lists all the certificates that it
382 previously signed, but which it now revokes. CRLs are in PEM format.
383 You can enable "Net::SSLeay CRL" checking like this:
385 &Net::SSLeay::X509_STORE_set_flags
387 (&Net::SSLeay::CTX_get_cert_store($ssl),
388 &Net::SSLeay::X509_V_FLAG_CRL_CHECK);
389 After setting this flag, if OpenSSL checks a peer's certificate, then
391 it will attempt to find a CRL for the issuer. It does this by looking
392 for a specially named file in the search directory specified by
393 CTX_load_verify_locations. CRL files are named with the hash of the
394 issuer's subject name, followed by ".r0", ".r1" etc. For example
395 "ab1331b2.r0", "ab1331b2.r1". It will read all the .r files for the
396 issuer, and then check for a revocation of the peer certificate in all
397 of them. (You can also force it to look in a specific named CRL file.,
398 see below). You can find out the hash of the issuer subject name in a
399 CRL with
400 openssl crl -in crl.pem -hash -noout
402 If the peer certificate does not pass the revocation list, or if no CRL
404 is found, then the handshaking fails with an error.
405 You can also force OpenSSL to look for CRLs in one or more arbitrarily
407 named files.
408 my $bio = Net::SSLeay::BIO_new_file($crlfilename, 'r');
410 my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
411 if ($crl) {
412 Net::SSLeay::X509_STORE_add_crl(
413 Net::SSLeay::CTX_get_cert_store($ssl, $crl)
414 );
415 } else {
416 error reading CRL....
417 }
418 Usually the URLs where you can download the CRLs is contained in the
420 certificate itself and you can extract them with
421 my @url = Net::SSLeay::P_X509_get_crl_distribution_points($cert)
423 But there is no automatic downloading of the CRLs and often these CRLs
425 are too huge to just download them to verify a single certificate.
426 Also, these CRLs are often in DER format which you need to convert to
427 PEM before you can use it:
428 openssl crl -in crl.der -inform der -out crl.pem
430 So as an alternative for faster and timely revocation checks you better
432 use the Online Status Revocation Protocol (OCSP).
433 Certificate verification and Online Status Revocation Protocol (OCSP)
435 While checking for revoked certificates is possible and fast with
436 Certificate Revocation Lists, you need to download the complete and
437 often huge list before you can verify a single certificate.
438 A faster way is to ask the CA to check the revocation of just a single
440 or a few certificates using OCSP. Basically you generate for each
441 certificate an OCSP_CERTID based on the certificate itself and its
442 issuer, put the ids togetether into an OCSP_REQUEST and send the
443 request to the URL given in the certificate.
444 As a result you get back an OCSP_RESPONSE and need to check the status
446 of the response, check that it is valid (e.g. signed by the CA) and
447 finally extract the information about each OCSP_CERTID to find out if
448 the certificate is still valid or got revoked.
449 With Net::SSLeay this can be done like this:
451 # get id(s) for given certs, like from get_peer_certificate
453 # or get_peer_cert_chain. This will croak if
454 # - one tries to make an OCSP_CERTID for a self-signed certificate
455 # - the issuer of the certificate cannot be found in the SSL objects
456 # store, nor in the current certificate chain
457 my $cert = Net::SSLeay::get_peer_certificate($ssl);
458 my $id = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) };
459 die "failed to make OCSP_CERTID: $@" if $@;
460 # create OCSP_REQUEST from id(s)
462 # Multiple can be put into the same request, if the same OCSP responder
463 # is responsible for them.
464 my $req = Net::SSLeay::OCSP_ids2req($id);
465 # determine URI of OCSP responder
467 my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert);
468 # Send stringified OCSP_REQUEST with POST to $uri.
470 # We can ignore certificate verification for https, because the OCSP
471 # response itself is signed.
472 my $ua = HTTP::Tiny->new(verify_SSL => 0);
473 my $res = $ua->request( 'POST',$uri, {
474 headers => { 'Content-type' => 'application/ocsp-request' },
475 content => Net::SSLeay::i2d_OCSP_REQUEST($req)
476 });
477 my $content = $res && $res->{success} && $res->{content}
478 or die "query failed";
479 # Extract OCSP_RESPONSE.
481 # this will croak if the string is not an OCSP_RESPONSE
482 my $resp = eval { Net::SSLeay::d2i_OCSP_RESPONSE($content) };
483 # Check status of response.
485 my $status = Net::SSLeay::OCSP_response_status($resp);
486 if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL())
487 die "OCSP response failed: ".
488 Net::SSLeay::OCSP_response_status_str($status);
489 }
490 # Verify signature of response and if nonce matches request.
492 # This will croak if there is a nonce in the response, but it does not match
493 # the request. It will return false if the signature could not be verified,
494 # in which case details can be retrieved with Net::SSLeay::ERR_get_error.
495 # It will not complain if the response does not contain a nonce, which is
496 # usually the case with pre-signed responses.
497 if ( ! eval { Net::SSLeay::OCSP_response_verify($ssl,$resp,$req) }) {
498 die "OCSP response verification failed";
499 }
500 # Extract information from OCSP_RESPONSE for each of the ids.
502 # If called in scalar context it will return the time (as time_t), when the
504 # next update is due (minimum of all successful responses inside $resp). It
505 # will croak on the following problems:
506 # - response is expired or not yet valid
507 # - no response for given OCSP_CERTID
508 # - certificate status is not good (e.g. revoked or unknown)
509 if ( my $nextupd = eval { Net::SSLeay::OCSP_response_results($resp,$id) }) {
510 warn "certificate is valid, next update in ".
511 ($nextupd-time())." seconds\n";
512 } else {
513 die "certificate is not valid: $@";
514 }
515 # But in array context it will return detailed information about each given
517 # OCSP_CERTID instead croaking on errors:
518 # if no @ids are given it will return information about all single responses
519 # in the OCSP_RESPONSE
520 my @results = Net::SSLeay::OCSP_response_results($resp,@ids);
521 for my $r (@results) {
522 print Dumper($r);
523 # @results are in the same order as the @ids and contain:
524 # $r->[0] - OCSP_CERTID
525 # $r->[1] - undef if no error (certificate good) OR error message as string
526 # $r->[2] - hash with details:
527 # thisUpdate - time_t of this single response
528 # nextUpdate - time_t when update is expected
529 # statusType - integer:
530 # V_OCSP_CERTSTATUS_GOOD(0)
531 # V_OCSP_CERTSTATUS_REVOKED(1)
532 # V_OCSP_CERTSTATUS_UNKNOWN(2)
533 # revocationTime - time_t (only if revoked)
534 # revocationReason - integer (only if revoked)
535 # revocationReason_str - reason as string (only if revoked)
536 }
537 To further speed up certificate revocation checking one can use a TLS
539 extension to instruct the server to staple the OCSP response:
540 # set TLS extension before doing SSL_connect
542 Net::SSLeay::set_tlsext_status_type($ssl,
543 Net::SSLeay::TLSEXT_STATUSTYPE_ocsp());
544 # setup callback to verify OCSP response
546 my $cert_valid = undef;
547 Net::SSLeay::CTX_set_tlsext_status_cb($context,sub {
548 my ($ssl,$resp) = @_;
549 if (!$resp) {
550 # Lots of servers don't return an OCSP response.
551 # In this case we must check the OCSP status outside the SSL
552 # handshake.
553 warn "server did not return stapled OCSP response\n";
554 return 1;
555 }
556 # verify status
557 my $status = Net::SSLeay::OCSP_response_status($resp);
558 if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) {
559 warn "OCSP response failure: $status\n";
560 return 1;
561 }
562 # verify signature - we have no OCSP_REQUEST here to check nonce
563 if (!eval { Net::SSLeay::OCSP_response_verify($ssl,$resp) }) {
564 warn "OCSP response verify failed\n";
565 return 1;
566 }
567 # check if the certificate is valid
568 # we should check here against the peer_certificate
569 my $cert = Net::SSLeay::get_peer_certificate();
570 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do {
571 warn "cannot get certid from cert: $@";
572 $cert_valid = -1;
573 return 1;
574 };
575 if ( $nextupd = eval {
577 Net::SSLeay::OCSP_response_results($resp,$certid) }) {
578 warn "certificate not revoked\n";
579 $cert_valid = 1;
580 } else {
581 warn "certificate not valid: $@";
582 $cert_valid = 0;
583 }
584 });
585 # do SSL handshake here
587 ....
588 # check if certificate revocation was checked already
589 if ( ! defined $cert_valid) {
590 # check revocation outside of SSL handshake by asking OCSP responder
591 ...
592 } elsif ( ! $cert_valid ) {
593 die "certificate not valid - closing SSL connection";
594 } elsif ( $cert_valid<0 ) {
595 die "cannot verify certificate revocation - self-signed ?";
596 } else {
597 # everything fine
598 ...
599 }
600 Using Net::SSLeay in multi-threaded applications
602 IMPORTANT: versions 1.42 or earlier are not thread-safe!
603 Net::SSLeay module implements all necessary stuff to be ready for
605 multi-threaded environment - it requires openssl-0.9.7 or newer. The
606 implementation fully follows thread safety related requirements of
607 openssl library(see <http://www.openssl.org/docs/crypto/threads.html>).
608 If you are about to use Net::SSLeay (or any other module based on
610 Net::SSLeay) in multi-threaded perl application it is recommended to
611 follow this best-practice:
612 Initialization
614 Load and initialize Net::SSLeay module in the main thread:
616 use threads;
618 use Net::SSLeay;
619 Net::SSLeay::load_error_strings();
621 Net::SSLeay::SSLeay_add_ssl_algorithms();
622 Net::SSLeay::randomize();
623 sub do_master_job {
625 #... call whatever from Net::SSLeay
626 }
627 sub do_worker_job {
629 #... call whatever from Net::SSLeay
630 }
631 #start threads
633 my $master = threads->new(\&do_master_job, 'param1', 'param2');
634 my @workers = threads->new(\&do_worker_job, 'arg1', 'arg2') for (1..10);
635 #waiting for all threads to finish
637 $_->join() for (threads->list);
638 NOTE: Openssl's "int SSL_library_init(void)" function (which is also
640 aliased as "SSLeay_add_ssl_algorithms", "OpenSSL_add_ssl_algorithms"
641 and "add_ssl_algorithms") is not re-entrant and multiple calls can
642 cause a crash in threaded application. Net::SSLeay implements flags
643 preventing repeated calls to this function, therefore even multiple
644 initialization via Net::SSLeay::SSLeay_add_ssl_algorithms() should work
645 without trouble.
646 Using callbacks
648 Do not use callbacks across threads (the module blocks cross-thread
650 callback operations and throws a warning). Always do the callback
651 setup, callback use and callback destruction within the same thread.
652 Using openssl elements
654 All openssl elements (X509, SSL_CTX, ...) can be directly passed
656 between threads.
657 use threads;
659 use Net::SSLeay;
660 Net::SSLeay::load_error_strings();
662 Net::SSLeay::SSLeay_add_ssl_algorithms();
663 Net::SSLeay::randomize();
664 sub do_job {
666 my $context = shift;
667 Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" });
668 #...
669 }
670 my $c = Net::SSLeay::CTX_new();
672 threads->create(\&do_job, $c);
673 Or:
675 use threads;
677 use Net::SSLeay;
678 my $context; #does not need to be 'shared'
680 Net::SSLeay::load_error_strings();
682 Net::SSLeay::SSLeay_add_ssl_algorithms();
683 Net::SSLeay::randomize();
684 sub do_job {
686 Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" });
687 #...
688 }
689 $context = Net::SSLeay::CTX_new();
691 threads->create(\&do_job);
692 Using other perl modules based on Net::SSLeay
694 It should be fine to use any other module based on Net::SSLeay (like
696 IO::Socket::SSL) in multi-threaded applications. It is generally
697 recommended to do any global initialization of such a module in the
698 main thread before calling "threads->new(..)" or "threads->create(..)"
699 but it might differ module by module.
700 To be safe you can load and init Net::SSLeay explicitly in the main
702 thread:
703 use Net::SSLeay;
705 use Other::SSLeay::Based::Module;
706 Net::SSLeay::load_error_strings();
708 Net::SSLeay::SSLeay_add_ssl_algorithms();
709 Net::SSLeay::randomize();
710 Or even safer:
712 use Net::SSLeay;
714 use Other::SSLeay::Based::Module;
715 BEGIN {
717 Net::SSLeay::load_error_strings();
718 Net::SSLeay::SSLeay_add_ssl_algorithms();
719 Net::SSLeay::randomize();
720 }
721 Combining Net::SSLeay with other modules linked with openssl
723 BEWARE: This might be a big trouble! This is not guaranteed be thread-
725 safe!
726 There are many other (XS) modules linked directly to openssl library
728 (like Crypt::SSLeay).
729 As it is expected that also "another" module will call
731 "SSLeay_add_ssl_algorithms" at some point we have again a trouble with
732 multiple openssl initialization by Net::SSLeay and "another" module.
733 As you can expect Net::SSLeay is not able to avoid multiple
735 initialization of openssl library called by "another" module, thus you
736 have to handle this on your own (in some cases it might not be possible
737 at all to avoid this).
738 Threading with get_https and friends
740 The convenience functions get_https, post_https etc all initialize the
742 SSL library by calling Net::SSLeay::initialize which does the
743 conventional library initialization:
744 Net::SSLeay::load_error_strings();
746 Net::SSLeay::SSLeay_add_ssl_algorithms();
747 Net::SSLeay::randomize();
748 Net::SSLeay::initialize initializes the SSL library at most once. You
750 can override the Net::SSLeay::initialize function if you desire some
751 other type of initialization behaviour by get_https and friends. You
752 can call Net::SSLeay::initialize from your own code if you desire this
753 conventional library initialization.
754 Convenience routines
756 To be used with Low level API
757 Net::SSLeay::randomize($rn_seed_file,$additional_seed);
759 Net::SSLeay::set_cert_and_key($ctx, $cert_path, $key_path);
760 $cert = Net::SSLeay::dump_peer_certificate($ssl);
761 Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure";
762 $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure";
763 $got = Net::SSLeay::ssl_read_CRLF($ssl [, $max_length]);
765 $got = Net::SSLeay::ssl_read_until($ssl [, $delimit [, $max_length]]);
766 Net::SSLeay::ssl_write_CRLF($ssl, $message);
767 • randomize
769 seeds the openssl PRNG with "/dev/urandom" (see the top of
771 "SSLeay.pm" for how to change or configure this) and optionally
772 with user provided data. It is very important to properly seed your
773 random numbers, so do not forget to call this. The high level API
774 functions automatically call "randomize()" so it is not needed with
775 them. See also caveats.
776 • set_cert_and_key
778 takes two file names as arguments and sets the certificate and
780 private key to those. This can be used to set either server
781 certificates or client certificates.
782 • dump_peer_certificate
784 allows you to get a plaintext description of the certificate the
786 peer (usually the server) presented to us.
787 • ssl_read_all
789 see ssl_write_all (below)
791 • ssl_write_all
793 "ssl_read_all()" and "ssl_write_all()" provide true blocking
795 semantics for these operations (see limitation, below, for
796 explanation). These are much preferred to the low level API
797 equivalents (which implement BSD blocking semantics). The message
798 argument to "ssl_write_all()" can be a reference. This is helpful
799 to avoid unnecessary copying when writing something big, e.g:
800 $data = 'A' x 1000000000;
802 Net::SSLeay::ssl_write_all($ssl, \$data) or die "ssl write failed";
803 • ssl_read_CRLF
805 uses "ssl_read_all()" to read in a line terminated with a carriage
807 return followed by a linefeed (CRLF). The CRLF is included in the
808 returned scalar.
809 • ssl_read_until
811 uses "ssl_read_all()" to read from the SSL input stream until it
813 encounters a programmer specified delimiter. If the delimiter is
814 undefined, $/ is used. If $/ is undefined, "\n" is used. One can
815 optionally set a maximum length of bytes to read from the SSL input
816 stream.
817 • ssl_write_CRLF
819 writes $message and appends CRLF to the SSL output stream.
821 Initialization
823 In order to use the low level API you should start your programs with
824 the following incantation:
825 use Net::SSLeay qw(die_now die_if_ssl_error);
827 Net::SSLeay::load_error_strings();
828 Net::SSLeay::SSLeay_add_ssl_algorithms(); # Important!
829 Net::SSLeay::ENGINE_load_builtin_engines(); # If you want built-in engines
830 Net::SSLeay::ENGINE_register_all_complete(); # If you want built-in engines
831 Net::SSLeay::randomize();
832 Error handling functions
834 I can not emphasize the need to check for error enough. Use these
835 functions even in the most simple programs, they will reduce debugging
836 time greatly. Do not ask questions on the mailing list without having
837 first sprinkled these in your code.
838 • die_now
840 • die_if_ssl_error
842 "die_now()" and "die_if_ssl_error()" are used to conveniently print
844 the SSLeay error stack when something goes wrong:
845 Net::SSLeay::connect($ssl) or die_now("Failed SSL connect ($!)");
847 Net::SSLeay::write($ssl, "foo") or die_if_ssl_error("SSL write ($!)");
850 • print_errs
852 You can also use "Net::SSLeay::print_errs()" to dump the error
854 stack without exiting the program. As can be seen, your code
855 becomes much more readable if you import the error reporting
856 functions into your main name space.
857 Sockets
859 Perl uses file handles for all I/O. While SSLeay has a quite flexible
860 BIO mechanism and perl has an evolved PerlIO mechanism, this module
861 still sticks to using file descriptors. Thus to attach SSLeay to a
862 socket you should use "fileno()" to extract the underlying file
863 descriptor:
864 Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno
866 You should also set $| to 1 to eliminate STDIO buffering so you do not
868 get confused if you use perl I/O functions to manipulate your socket
869 handle.
870 If you need to select(2) on the socket, go right ahead, but be warned
872 that OpenSSL does some internal buffering so SSL_read does not always
873 return data even if the socket selected for reading (just keep on
874 selecting and trying to read). "Net::SSLeay" is no different from the C
875 language OpenSSL in this respect.
876 Callbacks
878 You can establish a per-context verify callback function something like
879 this:
880 sub verify {
882 my ($ok, $x509_store_ctx) = @_;
883 print "Verifying certificate...\n";
884 ...
885 return $ok;
886 }
887 It is used like this:
889 Net::SSLeay::set_verify ($ssl, Net::SSLeay::VERIFY_PEER, \&verify);
891 Per-context callbacks for decrypting private keys are implemented.
893 Net::SSLeay::CTX_set_default_passwd_cb($ctx, sub { "top-secret" });
895 Net::SSLeay::CTX_use_PrivateKey_file($ctx, "key.pem",
896 Net::SSLeay::FILETYPE_PEM)
897 or die "Error reading private key";
898 Net::SSLeay::CTX_set_default_passwd_cb($ctx, undef);
899 If Hello Extensions are supported by your OpenSSL, a session secret
901 callback can be set up to be called when a session secret is set by
902 openssl.
903 Establish it like this:
905 Net::SSLeay::set_session_secret_cb($ssl, \&session_secret_cb,
906 $somedata);
907 It will be called like this:
909 sub session_secret_cb
911 {
912 my ($secret, \@cipherlist, \$preferredcipher, $somedata) = @_;
913 }
914 No other callbacks are implemented. You do not need to use any callback
916 for simple (i.e. normal) cases where the SSLeay built-in verify
917 mechanism satisfies your needs.
918 It is required to reset these callbacks to undef immediately after use
920 to prevent memory leaks, thread safety problems and crashes on exit
921 that can occur if different threads set different callbacks.
922 If you want to use callback stuff, see examples/callback.pl! It's the
924 only one I am able to make work reliably.
925 Low level API
927 In addition to the high level functions outlined above, this module
928 contains straight-forward access to CRYPTO and SSL parts of OpenSSL C
929 API.
930 See the "*.h" headers from OpenSSL C distribution for a list of low
932 level SSLeay functions to call (check SSLeay.xs to see if some function
933 has been implemented). The module strips the initial "SSL_" off of the
934 SSLeay names. Generally you should use "Net::SSLeay::" in its place.
935 Note that some functions are prefixed with "P_" - these are very close
937 to the original API however contain some kind of a wrapper making its
938 interface more perl friendly.
939 For example:
941 In C:
943 #include <ssl.h>
945 err = SSL_set_verify (ssl, SSL_VERIFY_CLIENT_ONCE,
947 &your_call_back_here);
948 In Perl:
950 use Net::SSLeay;
952 $err = Net::SSLeay::set_verify ($ssl,
954 Net::SSLeay::VERIFY_CLIENT_ONCE,
955 \&your_call_back_here);
956 If the function does not start with "SSL_" you should use the full
958 function name, e.g.:
959 $err = Net::SSLeay::ERR_get_error;
961 The following new functions behave in perlish way:
963 $got = Net::SSLeay::read($ssl);
965 # Performs SSL_read, but returns $got
966 # resized according to data received.
967 # Returns undef on failure.
968 Net::SSLeay::write($ssl, $foo) || die;
970 # Performs SSL_write, but automatically
971 # figures out the size of $foo
972 Low level API: Version related functions
974 • SSLeay
976 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
978 Gives version number (numeric) of underlaying openssl library.
980 my $ver_number = Net::SSLeay::SSLeay();
982 # returns: the number identifying the openssl release
983 #
984 # 0x00903100 => openssl-0.9.3
985 # 0x00904100 => openssl-0.9.4
986 # 0x00905100 => openssl-0.9.5
987 # 0x0090600f => openssl-0.9.6
988 # 0x0090601f => openssl-0.9.6a
989 # 0x0090602f => openssl-0.9.6b
990 # ...
991 # 0x009060df => openssl-0.9.6m
992 # 0x0090700f => openssl-0.9.7
993 # 0x0090701f => openssl-0.9.7a
994 # 0x0090702f => openssl-0.9.7b
995 # ...
996 # 0x009070df => openssl-0.9.7m
997 # 0x0090800f => openssl-0.9.8
998 # 0x0090801f => openssl-0.9.8a
999 # 0x0090802f => openssl-0.9.8b
1000 # ...
1001 # 0x0090814f => openssl-0.9.8t
1002 # 0x1000000f => openssl-1.0.0
1003 # 0x1000004f => openssl-1.0.0d
1004 # 0x1000007f => openssl-1.0.0g
1005 You can use it like this:
1007 if (Net::SSLeay::SSLeay() < 0x0090800f) {
1009 die "you need openssl-0.9.8 or higher";
1010 }
1011 • SSLeay_version
1013 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
1015 Gives version number (string) of underlaying openssl library.
1017 my $ver_string = Net::SSLeay::SSLeay_version($type);
1019 # $type
1020 # SSLEAY_VERSION - e.g. 'OpenSSL 1.0.0d 8 Feb 2011'
1021 # SSLEAY_CFLAGS - e.g. 'compiler: gcc -D_WINDLL -DOPENSSL_USE_APPLINK .....'
1022 # SSLEAY_BUILT_ON - e.g. 'built on: Fri May 6 00:00:46 GMT 2011'
1023 # SSLEAY_PLATFORM - e.g. 'platform: mingw'
1024 # SSLEAY_DIR - e.g. 'OPENSSLDIR: "z:/...."'
1025 #
1026 # returns: string
1027 Net::SSLeay::SSLeay_version();
1029 #is equivalent to
1030 Net::SSLeay::SSLeay_version(SSLEAY_VERSION);
1031 Check openssl doc
1033 <https://www.openssl.org/docs/man1.0.2/crypto/SSLeay_version.html>
1034 • OpenSSL_version_num
1036 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
1038 requires at least OpenSSL 1.1.0
1039 Gives version number (numeric) of underlaying openssl library. See
1041 "SSLeay" for interpreting the result.
1042 my $ver_number = Net::SSLeay::OpenSSL_version_num();
1044 # returns: the number identifying the openssl release
1045 • OpenSSL_version
1047 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
1049 requires at least OpenSSL 1.1.0
1050 Gives version number (string) of underlaying openssl library.
1052 my $ver_string = Net::SSLeay::OpenSSL_version($t);
1054 # $t
1055 # OPENSSL_VERSION - e.g. 'OpenSSL 1.1.0g 2 Nov 2017'
1056 # OPENSSL_CFLAGS - e.g. 'compiler: cc -DDSO_DLFCN -DHAVE_DLFCN_H .....'
1057 # OPENSSL_BUILT_ON - e.g. 'built on: reproducible build, date unspecified'
1058 # OPENSSL_PLATFORM - e.g. 'platform: darwin64-x86_64-cc'
1059 # OPENSSL_DIR - e.g. 'OPENSSLDIR: "/opt/openssl-1.1.0g"'
1060 # OPENSSL_ENGINES_DIR - e.g. 'ENGINESDIR: "/opt/openssl-1.1.0g/lib/engines-1.1"'
1061 #
1062 # returns: string
1063 Net::SSLeay::OpenSSL_version();
1065 #is equivalent to
1066 Net::SSLeay::OpenSSL_version(OPENSSL_VERSION);
1067 Check openssl doc
1069 <https://www.openssl.org/docs/crypto/OpenSSL_version.html>
1070 Low level API: Initialization related functions
1072 • library_init
1074 Initialize SSL library by registering algorithms.
1076 my $rv = Net::SSLeay::library_init();
1078 Check openssl doc
1080 <http://www.openssl.org/docs/ssl/SSL_library_init.html>
1081 While the original function from OpenSSL always returns 1,
1083 Net::SSLeay adds a wrapper around it to make sure that the OpenSSL
1084 function is only called once. Thus the function will return 1 if
1085 initialization was done and 0 if not, i.e. if initialization was
1086 done already before.
1087 • add_ssl_algorithms
1089 The alias for "library_init"
1091 Net::SSLeay::add_ssl_algorithms();
1093 • OpenSSL_add_ssl_algorithms
1095 The alias for "library_init"
1097 Net::SSLeay::OpenSSL_add_ssl_algorithms();
1099 • SSLeay_add_ssl_algorithms
1101 The alias for "library_init"
1103 Net::SSLeay::SSLeay_add_ssl_algorithms();
1105 • load_error_strings
1107 Registers the error strings for all libcrypto + libssl related
1109 functions.
1110 Net::SSLeay::load_error_strings();
1112 #
1113 # returns: no return value
1114 Check openssl doc
1116 <http://www.openssl.org/docs/crypto/ERR_load_crypto_strings.html>
1117 • ERR_load_crypto_strings
1119 Registers the error strings for all libcrypto functions. No need to
1121 call this function if you have already called "load_error_strings".
1122 Net::SSLeay::ERR_load_crypto_strings();
1124 #
1125 # returns: no return value
1126 Check openssl doc
1128 <http://www.openssl.org/docs/crypto/ERR_load_crypto_strings.html>
1129 • ERR_load_RAND_strings
1131 Registers the error strings for RAND related functions. No need to
1133 call this function if you have already called "load_error_strings".
1134 Net::SSLeay::ERR_load_RAND_strings();
1136 #
1137 # returns: no return value
1138 • ERR_load_SSL_strings
1140 Registers the error strings for SSL related functions. No need to
1142 call this function if you have already called "load_error_strings".
1143 Net::SSLeay::ERR_load_SSL_strings();
1145 #
1146 # returns: no return value
1147 • OpenSSL_add_all_algorithms
1149 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1151 Add algorithms to internal table.
1153 Net::SSLeay::OpenSSL_add_all_algorithms();
1155 #
1156 # returns: no return value
1157 Check openssl doc
1159 <http://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html>
1160 • OPENSSL_add_all_algorithms_conf
1162 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1164 Similar to "OpenSSL_add_all_algorithms" - will ALWAYS load the
1166 config file
1167 Net::SSLeay::OPENSSL_add_all_algorithms_conf();
1169 #
1170 # returns: no return value
1171 • OPENSSL_add_all_algorithms_noconf
1173 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1175 Similar to "OpenSSL_add_all_algorithms" - will NEVER load the
1177 config file
1178 Net::SSLeay::OPENSSL_add_all_algorithms_noconf();
1180 #
1181 # returns: no return value
1182 Low level API: ERR_* and SSL_alert_* related functions
1184 NOTE: Please note that SSL_alert_* function have "SSL_" part stripped
1186 from their names.
1187 • ERR_clear_error
1189 Clear the error queue.
1191 Net::SSLeay::ERR_clear_error();
1193 #
1194 # returns: no return value
1195 Check openssl doc
1197 <http://www.openssl.org/docs/crypto/ERR_clear_error.html>
1198 • ERR_error_string
1200 Generates a human-readable string representing the error code
1202 $error.
1203 my $rv = Net::SSLeay::ERR_error_string($error);
1205 # $error - (unsigned integer) error code
1206 #
1207 # returns: string
1208 Check openssl doc
1210 <http://www.openssl.org/docs/crypto/ERR_error_string.html>
1211 • ERR_get_error
1213 Returns the earliest error code from the thread's error queue and
1215 removes the entry. This function can be called repeatedly until
1216 there are no more error codes to return.
1217 my $rv = Net::SSLeay::ERR_get_error();
1219 #
1220 # returns: (unsigned integer) error code
1221 Check openssl doc
1223 <http://www.openssl.org/docs/crypto/ERR_get_error.html>
1224 • ERR_peek_error
1226 Returns the earliest error code from the thread's error queue
1228 without modifying it.
1229 my $rv = Net::SSLeay::ERR_peek_error();
1231 #
1232 # returns: (unsigned integer) error code
1233 Check openssl doc
1235 <http://www.openssl.org/docs/crypto/ERR_get_error.html>
1236 • ERR_put_error
1238 Adds an error code to the thread's error queue. It signals that the
1240 error of $reason code reason occurred in function $func of library
1241 $lib, in line number $line of $file.
1242 Net::SSLeay::ERR_put_error($lib, $func, $reason, $file, $line);
1244 # $lib - (integer) library id (check openssl/err.h for constants e.g. ERR_LIB_SSL)
1245 # $func - (integer) function id (check openssl/ssl.h for constants e.g. SSL_F_SSL23_READ)
1246 # $reason - (integer) reason id (check openssl/ssl.h for constants e.g. SSL_R_SSL_HANDSHAKE_FAILURE)
1247 # $file - (string) file name
1248 # $line - (integer) line number in $file
1249 #
1250 # returns: no return value
1251 Check openssl doc
1253 <http://www.openssl.org/docs/crypto/ERR_put_error.html> and
1254 <http://www.openssl.org/docs/crypto/err.html>
1255 • alert_desc_string
1257 Returns a two letter string as a short form describing the reason
1259 of the alert specified by value.
1260 my $rv = Net::SSLeay::alert_desc_string($value);
1262 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1263 #
1264 # returns: description string (2 letters)
1265 Check openssl doc
1267 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1268 • alert_desc_string_long
1270 Returns a string describing the reason of the alert specified by
1272 value.
1273 my $rv = Net::SSLeay::alert_desc_string_long($value);
1275 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1276 #
1277 # returns: description string
1278 Check openssl doc
1280 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1281 • alert_type_string
1283 Returns a one letter string indicating the type of the alert
1285 specified by value.
1286 my $rv = Net::SSLeay::alert_type_string($value);
1288 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1289 #
1290 # returns: string (1 letter)
1291 Check openssl doc
1293 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1294 • alert_type_string_long
1296 Returns a string indicating the type of the alert specified by
1298 value.
1299 my $rv = Net::SSLeay::alert_type_string_long($value);
1301 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1302 #
1303 # returns: string
1304 Check openssl doc
1306 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1307 Low level API: SSL_METHOD_* related functions
1309 • SSLv23_method, SSLv23_server_method and SSLv23_client_method
1311 COMPATIBILITY: not available in Net-SSLeay-1.82 and before.
1313 Returns SSL_METHOD structure corresponding to general-purpose
1315 version-flexible TLS method, the return value can be later used as
1316 a param of "CTX_new_with_method".
1317 NOTE: Consider using TLS_method, TLS_server_method or
1319 TLS_client_method with new code.
1320 my $rv = Net::SSLeay::SSLv2_method();
1322 #
1323 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1324 • SSLv2_method
1326 Returns SSL_METHOD structure corresponding to SSLv2 method, the
1328 return value can be later used as a param of "CTX_new_with_method".
1329 Only available where supported by the underlying openssl.
1330 my $rv = Net::SSLeay::SSLv2_method();
1332 #
1333 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1334 • SSLv3_method
1336 Returns SSL_METHOD structure corresponding to SSLv3 method, the
1338 return value can be later used as a param of "CTX_new_with_method".
1339 my $rv = Net::SSLeay::SSLv3_method();
1341 #
1342 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1343 Check openssl doc
1345 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1346 • TLSv1_method, TLSv1_server_method and TLSv1_client_method
1348 COMPATIBILITY: Server and client methods not available in
1350 Net-SSLeay-1.82 and before.
1351 Returns SSL_METHOD structure corresponding to TLSv1 method, the
1353 return value can be later used as a param of "CTX_new_with_method".
1354 my $rv = Net::SSLeay::TLSv1_method();
1356 #
1357 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1358 Check openssl doc
1360 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1361 • TLSv1_1_method, TLSv1_1_server_method and TLSv1_1_client_method
1363 COMPATIBILITY: Server and client methods not available in
1365 Net-SSLeay-1.82 and before.
1366 Returns SSL_METHOD structure corresponding to TLSv1_1 method, the
1368 return value can be later used as a param of "CTX_new_with_method".
1369 Only available where supported by the underlying openssl.
1370 my $rv = Net::SSLeay::TLSv1_1_method();
1372 #
1373 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1374 Check openssl doc
1376 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1377 • TLSv1_2_method, TLSv1_2_server_method and TLSv1_2_client_method
1379 COMPATIBILITY: Server and client methods not available in
1381 Net-SSLeay-1.82 and before.
1382 Returns SSL_METHOD structure corresponding to TLSv1_2 method, the
1384 return value can be later used as a param of "CTX_new_with_method".
1385 Only available where supported by the underlying openssl.
1386 my $rv = Net::SSLeay::TLSv1_2_method();
1388 #
1389 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1390 Check openssl doc
1392 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1393 • TLS_method, TLS_server_method and TLS_client_method
1395 COMPATIBILITY: Not available in Net-SSLeay-1.82 and before.
1397 Returns SSL_METHOD structure corresponding to general-purpose
1399 version-flexible TLS method, the return value can be later used as
1400 a param of "CTX_new_with_method". Only available where supported by
1401 the underlying openssl.
1402 my $rv = Net::SSLeay::TLS_method();
1404 #
1405 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1406 Check openssl doc
1408 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1409 Low level API: ENGINE_* related functions
1411 • ENGINE_load_builtin_engines
1413 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1415 loading support.
1416 Load all bundled ENGINEs into memory and make them visible.
1418 Net::SSLeay::ENGINE_load_builtin_engines();
1420 #
1421 # returns: no return value
1422 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1424 • ENGINE_register_all_complete
1426 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1428 loading support.
1429 Register all loaded ENGINEs for every algorithm they collectively
1431 implement.
1432 Net::SSLeay::ENGINE_register_all_complete();
1434 #
1435 # returns: no return value
1436 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1438 • ENGINE_set_default
1440 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1442 loading support.
1443 Set default engine to $e + set its flags to $flags.
1445 my $rv = Net::SSLeay::ENGINE_set_default($e, $flags);
1447 # $e - value corresponding to openssl's ENGINE structure
1448 # $flags - (integer) engine flags
1449 # flags value can be made by bitwise "OR"ing:
1450 # 0x0001 - ENGINE_METHOD_RSA
1451 # 0x0002 - ENGINE_METHOD_DSA
1452 # 0x0004 - ENGINE_METHOD_DH
1453 # 0x0008 - ENGINE_METHOD_RAND
1454 # 0x0010 - ENGINE_METHOD_ECDH
1455 # 0x0020 - ENGINE_METHOD_ECDSA
1456 # 0x0040 - ENGINE_METHOD_CIPHERS
1457 # 0x0080 - ENGINE_METHOD_DIGESTS
1458 # 0x0100 - ENGINE_METHOD_STORE
1459 # 0x0200 - ENGINE_METHOD_PKEY_METHS
1460 # 0x0400 - ENGINE_METHOD_PKEY_ASN1_METHS
1461 # Obvious all-or-nothing cases:
1462 # 0xFFFF - ENGINE_METHOD_ALL
1463 # 0x0000 - ENGINE_METHOD_NONE
1464 #
1465 # returns: 1 on success, 0 on failure
1466 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1468 • ENGINE_by_id
1470 Get ENGINE by its identification $id.
1472 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1474 loading support.
1475 my $rv = Net::SSLeay::ENGINE_by_id($id);
1477 # $id - (string) engine identification e.g. "dynamic"
1478 #
1479 # returns: value corresponding to openssl's ENGINE structure (0 on failure)
1480 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1482 Low level API: EVP_PKEY_* related functions
1484 • EVP_PKEY_copy_parameters
1486 Copies the parameters from key $from to key $to.
1488 my $rv = Net::SSLeay::EVP_PKEY_copy_parameters($to, $from);
1490 # $to - value corresponding to openssl's EVP_PKEY structure
1491 # $from - value corresponding to openssl's EVP_PKEY structure
1492 #
1493 # returns: 1 on success, 0 on failure
1494 Check openssl doc
1496 <http://www.openssl.org/docs/crypto/EVP_PKEY_cmp.html>
1497 • EVP_PKEY_new
1499 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1501 Creates a new EVP_PKEY structure.
1503 my $rv = Net::SSLeay::EVP_PKEY_new();
1505 #
1506 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
1507 Check openssl doc
1509 <http://www.openssl.org/docs/crypto/EVP_PKEY_new.html>
1510 • EVP_PKEY_free
1512 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1514 Free an allocated EVP_PKEY structure.
1516 Net::SSLeay::EVP_PKEY_free($pkey);
1518 # $pkey - value corresponding to openssl's EVP_PKEY structure
1519 #
1520 # returns: no return value
1521 Check openssl doc
1523 <http://www.openssl.org/docs/crypto/EVP_PKEY_new.html>
1524 • EVP_PKEY_assign_RSA
1526 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1528 Set the key referenced by $pkey to $key
1530 NOTE: No reference counter will be increased, i.e. $key will be
1532 freed if $pkey is freed.
1533 my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key);
1535 # $pkey - value corresponding to openssl's EVP_PKEY structure
1536 # $key - value corresponding to openssl's RSA structure
1537 #
1538 # returns: 1 on success, 0 on failure
1539 Check openssl doc
1541 <http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html>
1542 • EVP_PKEY_assign_EC_KEY
1544 COMPATIBILITY: not available in Net-SSLeay-1.74 and before
1546 Set the key referenced by $pkey to $key
1548 NOTE: No reference counter will be increased, i.e. $key will be
1550 freed if $pkey is freed.
1551 my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key);
1553 # $pkey - value corresponding to openssl's EVP_PKEY structure
1554 # $key - value corresponding to openssl's EC_KEY structure
1555 #
1556 # returns: 1 on success, 0 on failure
1557 Check openssl doc
1559 <http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html>
1560 • EVP_PKEY_bits
1562 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1564 Returns the size of the key $pkey in bits.
1566 my $rv = Net::SSLeay::EVP_PKEY_bits($pkey);
1568 # $pkey - value corresponding to openssl's EVP_PKEY structure
1569 #
1570 # returns: size in bits
1571 • EVP_PKEY_size
1573 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1575 Returns the maximum size of a signature in bytes. The actual
1577 signature may be smaller.
1578 my $rv = Net::SSLeay::EVP_PKEY_size($pkey);
1580 # $pkey - value corresponding to openssl's EVP_PKEY structure
1581 #
1582 # returns: the maximum size in bytes
1583 Check openssl doc
1585 <http://www.openssl.org/docs/crypto/EVP_SignInit.html>
1586 • EVP_PKEY_id
1588 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
1590 requires at least openssl-1.0.0
1591 Returns $pkey type (integer value of corresponding NID).
1593 my $rv = Net::SSLeay::EVP_PKEY_id($pkey);
1595 # $pkey - value corresponding to openssl's EVP_PKEY structure
1596 #
1597 # returns: (integer) key type
1598 Example:
1600 my $pubkey = Net::SSLeay::X509_get_pubkey($x509);
1602 my $type = Net::SSLeay::EVP_PKEY_id($pubkey);
1603 print Net::SSLeay::OBJ_nid2sn($type); #prints e.g. 'rsaEncryption'
1604 Low level API: PEM_* related functions
1606 Check openssl doc <http://www.openssl.org/docs/crypto/pem.html>
1608 • PEM_read_bio_X509
1610 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1612 Loads PEM formatted X509 certificate via given BIO structure.
1614 my $rv = Net::SSLeay::PEM_read_bio_X509($bio);
1616 # $bio - value corresponding to openssl's BIO structure
1617 #
1618 # returns: value corresponding to openssl's X509 structure (0 on failure)
1619 Example:
1621 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1623 my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
1624 Net::SSLeay::BIO_free($bio);
1625 • PEM_read_bio_X509_REQ
1627 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1629 Loads PEM formatted X509_REQ object via given BIO structure.
1631 my $rv = Net::SSLeay::PEM_read_bio_X509_REQ($bio, $x=NULL, $cb=NULL, $u=NULL);
1633 # $bio - value corresponding to openssl's BIO structure
1634 #
1635 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
1636 Example:
1638 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1640 my $x509_req = Net::SSLeay::PEM_read_bio_X509_REQ($bio);
1641 Net::SSLeay::BIO_free($bio);
1642 • PEM_read_bio_DHparams
1644 Reads DH structure from BIO.
1646 my $rv = Net::SSLeay::PEM_read_bio_DHparams($bio);
1648 # $bio - value corresponding to openssl's BIO structure
1649 #
1650 # returns: value corresponding to openssl's DH structure (0 on failure)
1651 • PEM_read_bio_X509_CRL
1653 Reads X509_CRL structure from BIO.
1655 my $rv = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
1657 # $bio - value corresponding to openssl's BIO structure
1658 #
1659 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
1660 • PEM_read_bio_PrivateKey
1662 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1664 Loads PEM formatted private key via given BIO structure.
1666 my $rv = Net::SSLeay::PEM_read_bio_PrivateKey($bio, $cb, $data);
1668 # $bio - value corresponding to openssl's BIO structure
1669 # $cb - reference to perl callback function
1670 # $data - data that will be passed to callback function (see examples below)
1671 #
1672 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
1673 Example:
1675 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1677 my $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); #ask for password if needed
1678 Net::SSLeay::BIO_free($bio);
1679 To use password you have the following options:
1681 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func); # use callback func for getting password
1683 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func, $data); # use callback_func + pass $data to callback_func
1684 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, "secret"); # use password "secret"
1685 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, ""); # use empty password
1686 Callback function signature:
1688 sub callback_func {
1690 my ($max_passwd_size, $rwflag, $data) = @_;
1691 # $max_passwd_size - maximum size of returned password (longer values will be discarded)
1692 # $rwflag - indicates whether we are loading (0) or storing (1) - for PEM_read_bio_PrivateKey always 0
1693 # $data - the data passed to PEM_read_bio_PrivateKey as 3rd parameter
1694 return "secret";
1696 }
1697 • PEM_X509_INFO_read_bio
1699 Reads a BIO containing a PEM formatted file into a
1701 STACK_OF(X509_INFO) structure.
1702 my $rv = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
1704 # $bio - value corresponding to openssl's BIO structure
1705 #
1706 # returns: value corresponding to openssl's STACK_OF(X509_INFO) structure.
1707 Example:
1709 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1711 my $sk_x509_info = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
1712 Net::SSLeay::BIO_free($bio);
1713 • PEM_get_string_X509
1715 NOTE: Does not exactly correspond to any low level API function
1717 Converts/exports X509 certificate to string (PEM format).
1719 Net::SSLeay::PEM_get_string_X509($x509);
1721 # $x509 - value corresponding to openssl's X509 structure
1722 #
1723 # returns: string with $x509 in PEM format
1724 • PEM_get_string_PrivateKey
1726 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1728 Converts public key $pk into PEM formatted string (optionally
1730 protected with password).
1731 my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
1733 # $pk - value corresponding to openssl's EVP_PKEY structure
1734 # $passwd - [optional] (string) password to use for key encryption
1735 # $enc_alg - [optional] algorithm to use for key encryption (default: DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
1736 #
1737 # returns: PEM formatted string
1738 Examples:
1740 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk);
1742 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret");
1743 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret", Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC"));
1744 • PEM_get_string_X509_CRL
1746 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1748 Converts X509_CRL object $x509_crl into PEM formatted string.
1750 Net::SSLeay::PEM_get_string_X509_CRL($x509_crl);
1752 # $x509_crl - value corresponding to openssl's X509_CRL structure
1753 #
1754 # returns: no return value
1755 • PEM_get_string_X509_REQ
1757 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1759 Converts X509_REQ object $x509_crl into PEM formatted string.
1761 Net::SSLeay::PEM_get_string_X509_REQ($x509_req);
1763 # $x509_req - value corresponding to openssl's X509_REQ structure
1764 #
1765 # returns: no return value
1766 Low level API: d2i_* (DER format) related functions
1768 • d2i_X509_bio
1770 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1772 Loads DER formatted X509 certificate via given BIO structure.
1774 my $rv = Net::SSLeay::d2i_X509_bio($bp);
1776 # $bp - value corresponding to openssl's BIO structure
1777 #
1778 # returns: value corresponding to openssl's X509 structure (0 on failure)
1779 Example:
1781 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1783 my $x509 = Net::SSLeay::d2i_X509_bio($bio);
1784 Net::SSLeay::BIO_free($bio);
1785 Check openssl doc
1787 <http://www.openssl.org/docs/crypto/d2i_X509.html>
1788 • d2i_X509_CRL_bio
1790 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1792 Loads DER formatted X509_CRL object via given BIO structure.
1794 my $rv = Net::SSLeay::d2i_X509_CRL_bio($bp);
1796 # $bp - value corresponding to openssl's BIO structure
1797 #
1798 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
1799 Example:
1801 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1803 my $x509_crl = Net::SSLeay::d2i_X509_CRL_bio($bio);
1804 Net::SSLeay::BIO_free($bio);
1805 • d2i_X509_REQ_bio
1807 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1809 Loads DER formatted X509_REQ object via given BIO structure.
1811 my $rv = Net::SSLeay::d2i_X509_REQ_bio($bp);
1813 # $bp - value corresponding to openssl's BIO structure
1814 #
1815 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
1816 Example:
1818 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1820 my $x509_req = Net::SSLeay::d2i_X509_REQ_bio($bio);
1821 Net::SSLeay::BIO_free($bio);
1822 Low level API: PKCS12 related functions
1824 • P_PKCS12_load_file
1826 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1828 Loads X509 certificate + private key + certificates of CA chain (if
1830 present in PKCS12 file).
1831 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, $load_chain, $password);
1833 # $filename - name of PKCS12 file
1834 # $load_chain - [optional] whether load (1) or not(0) CA chain (default: 0)
1835 # $password - [optional] password for private key
1836 #
1837 # returns: triplet ($privkey, $cert, @cachain)
1838 # $privkey - value corresponding to openssl's EVP_PKEY structure
1839 # $cert - value corresponding to openssl's X509 structure
1840 # @cachain - array of values corresponding to openssl's X509 structure (empty if no CA chain in PKCS12)
1841 IMPORTANT NOTE: after you do the job you need to call X509_free()
1843 on $privkey + all members of @cachain and EVP_PKEY_free() on
1844 $privkey.
1845 Examples:
1847 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename);
1849 #or
1850 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 0, $password);
1851 #or
1852 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1);
1853 #or
1854 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
1855 #BEWARE: THIS IS WRONG - MEMORY LEAKS! (you cannot free @cachain items)
1857 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
1858 NOTE With some combinations of Windows, perl, compiler and compiler
1860 options, you may see a runtime error "no OPENSSL_Applink", when
1861 calling Net::SSLeay::P_PKCS12_load_file. See README.Win32 for more
1862 details.
1863 Low level API: SESSION_* related functions
1865 • d2i_SSL_SESSION
1867 COMPATIBILITY: does not work in Net-SSLeay-1.85 and before
1869 Transforms the binary ASN1 representation string of an SSL/TLS
1871 session into an SSL_SESSION object.
1872 my $ses = Net::SSLeay::d2i_SSL_SESSION($data);
1874 # $data - the session as ASN1 representation string
1875 #
1876 # returns: $ses - the new SSL_SESSION
1877 Check openssl doc
1879 <https://www.openssl.org/docs/ssl/i2d_SSL_SESSION.html>
1880 • i2d_SSL_SESSION
1882 COMPATIBILITY: does not work in Net-SSLeay-1.85 and before
1884 Transforms the SSL_SESSION object in into the ASN1 representation
1886 and returns it as string.
1887 my $data = Net::SSLeay::i2d_SSL_SESSION($ses);
1889 # $ses - value corresponding to openssl's SSL_SESSION structure
1890 #
1891 # returns: $data - session as string
1892 Check openssl doc
1894 <https://www.openssl.org/docs/ssl/d2i_SSL_SESSION.html>
1895 • SESSION_new
1897 Creates a new SSL_SESSION structure.
1899 my $rv = Net::SSLeay::SESSION_new();
1901 #
1902 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
1903 • SESSION_free
1905 Free an allocated SSL_SESSION structure.
1907 Net::SSLeay::SESSION_free($ses);
1909 # $ses - value corresponding to openssl's SSL_SESSION structure
1910 #
1911 # returns: no return value
1912 Check openssl doc
1914 <http://www.openssl.org/docs/ssl/SSL_SESSION_free.html>
1915 • SESSION_up_ref
1917 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1919 requires at least OpenSSL 1.1.0-pre4 or LibreSSL 2.7.0
1920 Increases the reference counter on a SSL_SESSION structure.
1922 Net::SSLeay::SESSION_up_ref($ses);
1924 # $ses - value corresponding to openssl's SSL_SESSION structure
1925 #
1926 # returns: 1 on success else 0
1927 Check openssl doc
1929 <https://www.openssl.org/docs/ssl/SSL_SESSION_up_ref.html>
1930 • SESSION_dup
1932 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1934 requires at least OpenSSL 1.1.1, not in LibreSSL
1935 Duplicates a SSL_SESSION structure.
1937 Net::SSLeay::SESSION_dup($ses);
1939 # $ses - value corresponding to openssl's SSL_SESSION structure
1940 #
1941 # returns: the duplicated session
1942 Check openssl doc
1944 <https://www.openssl.org/docs/ssl/SSL_SESSION_dup.html>
1945 • SESSION_is_resumable
1947 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1949 requires at least OpenSSL 1.1.1, not in LibreSSL
1950 Determine whether an SSL_SESSION object can be used for resumption.
1952 Net::SSLeay::SESSION_is_resumable($ses);
1954 # $ses - value corresponding to openssl's SSL_SESSION structure
1955 #
1956 # returns: (integer) 1 if it can or 0 if not
1957 Check openssl doc
1959 <https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html>
1960 • SESSION_cmp
1962 Compare two SSL_SESSION structures.
1964 my $rv = Net::SSLeay::SESSION_cmp($sesa, $sesb);
1966 # $sesa - value corresponding to openssl's SSL_SESSION structure
1967 # $sesb - value corresponding to openssl's SSL_SESSION structure
1968 #
1969 # returns: 0 if the two structures are the same
1970 NOTE: Not available in openssl 1.0 or later
1972 • SESSION_get_app_data
1974 Can be used to get application defined value/data.
1976 my $rv = Net::SSLeay::SESSION_get_app_data($ses);
1978 # $ses - value corresponding to openssl's SSL_SESSION structure
1979 #
1980 # returns: string/buffer/pointer ???
1981 • SESSION_set_app_data
1983 Can be used to set some application defined value/data.
1985 my $rv = Net::SSLeay::SESSION_set_app_data($s, $a);
1987 # $s - value corresponding to openssl's SSL_SESSION structure
1988 # $a - (string/buffer/pointer ???) data
1989 #
1990 # returns: ???
1991 • SESSION_get_ex_data
1993 Is used to retrieve the information for $idx from session $ses.
1995 my $rv = Net::SSLeay::SESSION_get_ex_data($ses, $idx);
1997 # $ses - value corresponding to openssl's SSL_SESSION structure
1998 # $idx - (integer) index for application specific data
1999 #
2000 # returns: pointer to ???
2001 Check openssl doc
2003 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2004 • SESSION_set_ex_data
2006 Is used to store application data at arg for idx into the session
2008 object.
2009 my $rv = Net::SSLeay::SESSION_set_ex_data($ss, $idx, $data);
2011 # $ss - value corresponding to openssl's SSL_SESSION structure
2012 # $idx - (integer) ???
2013 # $data - (pointer) ???
2014 #
2015 # returns: 1 on success, 0 on failure
2016 Check openssl doc
2018 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2019 • SESSION_get_ex_new_index
2021 Is used to register a new index for application specific data.
2023 my $rv = Net::SSLeay::SESSION_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
2025 # $argl - (long) ???
2026 # $argp - (pointer) ???
2027 # $new_func - function pointer ??? (CRYPTO_EX_new *)
2028 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
2029 # $free_func - function pointer ??? (CRYPTO_EX_free *)
2030 #
2031 # returns: (integer) ???
2032 Check openssl doc
2034 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2035 • SESSION_get_master_key
2037 NOTE: Does not exactly correspond to any low level API function
2039 Returns 'master_key' value from SSL_SESSION structure $s
2041 Net::SSLeay::SESSION_get_master_key($s);
2043 # $s - value corresponding to openssl's SSL_SESSION structure
2044 #
2045 # returns: master key (binary data)
2046 • SESSION_set_master_key
2048 Sets 'master_key' value for SSL_SESSION structure $s
2050 Net::SSLeay::SESSION_set_master_key($s, $key);
2052 # $s - value corresponding to openssl's SSL_SESSION structure
2053 # $key - master key (binary data)
2054 #
2055 # returns: no return value
2056 Not available with OpenSSL 1.1 and later. Code that previously
2058 used
2059 SESSION_set_master_key must now set $secret in the
2060 session_secret
2061 callback set with SSL_set_session_secret_cb.
2062 • SESSION_get_time
2064 Returns the time at which the session s was established. The time
2066 is given in seconds since 1.1.1970.
2067 my $rv = Net::SSLeay::SESSION_get_time($s);
2069 # $s - value corresponding to openssl's SSL_SESSION structure
2070 #
2071 # returns: timestamp (seconds since 1.1.1970)
2072 Check openssl doc
2074 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2075 • get_time
2077 Technically the same functionality as "SESSION_get_time".
2079 my $rv = Net::SSLeay::get_time($s);
2081 • SESSION_get_timeout
2083 Returns the timeout value set for session $s in seconds.
2085 my $rv = Net::SSLeay::SESSION_get_timeout($s);
2087 # $s - value corresponding to openssl's SSL_SESSION structure
2088 #
2089 # returns: timeout (in seconds)
2090 Check openssl doc
2092 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2093 • get_timeout
2095 Technically the same functionality as "SESSION_get_timeout".
2097 my $rv = Net::SSLeay::get_timeout($s);
2099 • SESSION_print
2101 NOTE: Does not exactly correspond to any low level API function
2103 Prints session details (e.g. protocol version, cipher, session-id
2105 ...) to BIO.
2106 my $rv = Net::SSLeay::SESSION_print($fp, $ses);
2108 # $fp - value corresponding to openssl's BIO structure
2109 # $ses - value corresponding to openssl's SSL_SESSION structure
2110 #
2111 # returns: 1 on success, 0 on failure
2112 You have to use necessary BIO functions like this:
2114 # let us have $ssl corresponding to openssl's SSL structure
2116 my $ses = Net::SSLeay::get_session($ssl);
2117 my $bio = Net::SSLeay::BIO_new(&Net::SSLeay::BIO_s_mem);
2118 Net::SSLeay::SESSION_print($bio, $ses);
2119 print Net::SSLeay::BIO_read($bio);
2120 • SESSION_print_fp
2122 Prints session details (e.g. protocol version, cipher, session-id
2124 ...) to file handle.
2125 my $rv = Net::SSLeay::SESSION_print_fp($fp, $ses);
2127 # $fp - perl file handle
2128 # $ses - value corresponding to openssl's SSL_SESSION structure
2129 #
2130 # returns: 1 on success, 0 on failure
2131 Example:
2133 # let us have $ssl corresponding to openssl's SSL structure
2135 my $ses = Net::SSLeay::get_session($ssl);
2136 open my $fh, ">", "output.txt";
2137 Net::SSLeay::SESSION_print_fp($fh,$ses);
2138 • SESSION_set_time
2140 Replaces the creation time of the session s with the chosen value
2142 $t (seconds since 1.1.1970).
2143 my $rv = Net::SSLeay::SESSION_set_time($ses, $t);
2145 # $ses - value corresponding to openssl's SSL_SESSION structure
2146 # $t - time value
2147 #
2148 # returns: 1 on success
2149 Check openssl doc
2151 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2152 • set_time
2154 Technically the same functionality as "SESSION_set_time".
2156 my $rv = Net::SSLeay::set_time($ses, $t);
2158 • SESSION_set_timeout
2160 Sets the timeout value for session s in seconds to $t.
2162 my $rv = Net::SSLeay::SESSION_set_timeout($s, $t);
2164 # $s - value corresponding to openssl's SSL_SESSION structure
2165 # $t - timeout (in seconds)
2166 #
2167 # returns: 1 on success
2168 Check openssl doc
2170 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2171 • set_timeout
2173 Technically the same functionality as "SESSION_set_timeout".
2175 my $rv = Net::SSLeay::set_timeout($ses, $t);
2177 Low level API: SSL_CTX_* related functions
2179 NOTE: Please note that the function described in this chapter have
2181 "SSL_" part stripped from their original openssl names.
2182 • CTX_add_client_CA
2184 Adds the CA name extracted from $cacert to the list of CAs sent to
2186 the client when requesting a client certificate for $ctx.
2187 my $rv = Net::SSLeay::CTX_add_client_CA($ctx, $cacert);
2189 # $ctx - value corresponding to openssl's SSL_CTX structure
2190 # $cacert - value corresponding to openssl's X509 structure
2191 #
2192 # returns: 1 on success, 0 on failure
2193 Check openssl doc
2195 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
2196 • CTX_add_extra_chain_cert
2198 Adds the certificate $x509 to the certificate chain presented
2200 together with the certificate. Several certificates can be added
2201 one after the other.
2202 my $rv = Net::SSLeay::CTX_add_extra_chain_cert($ctx, $x509);
2204 # $ctx - value corresponding to openssl's SSL_CTX structure
2205 # $x509 - value corresponding to openssl's X509 structure
2206 #
2207 # returns: 1 on success, check out the error stack to find out the reason for failure otherwise
2208 Check openssl doc
2210 <http://www.openssl.org/docs/ssl/SSL_CTX_add_extra_chain_cert.html>
2211 • CTX_add_session
2213 Adds the session $ses to the context $ctx.
2215 my $rv = Net::SSLeay::CTX_add_session($ctx, $ses);
2217 # $ctx - value corresponding to openssl's SSL_CTX structure
2218 # $ses - value corresponding to openssl's SSL_SESSION structure
2219 #
2220 # returns: 1 on success, 0 on failure
2221 Check openssl doc
2223 <http://www.openssl.org/docs/ssl/SSL_CTX_add_session.html>
2224 • CTX_callback_ctrl
2226 ??? (more info needed)
2228 my $rv = Net::SSLeay::CTX_callback_ctrl($ctx, $cmd, $fp);
2230 # $ctx - value corresponding to openssl's SSL_CTX structure
2231 # $cmd - (integer) command id
2232 # $fp - (function pointer) ???
2233 #
2234 # returns: ???
2235 Check openssl doc
2237 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
2238 • CTX_check_private_key
2240 Checks the consistency of a private key with the corresponding
2242 certificate loaded into $ctx.
2243 my $rv = Net::SSLeay::CTX_check_private_key($ctx);
2245 # $ctx - value corresponding to openssl's SSL_CTX structure
2246 #
2247 # returns: 1 on success, otherwise check out the error stack to find out the reason
2248 Check openssl doc
2250 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
2251 • CTX_ctrl
2253 Internal handling function for SSL_CTX objects.
2255 BEWARE: openssl doc says: This function should never be called
2257 directly!
2258 my $rv = Net::SSLeay::CTX_ctrl($ctx, $cmd, $larg, $parg);
2260 # $ctx - value corresponding to openssl's SSL_CTX structure
2261 # $cmd - (integer) command id
2262 # $larg - (integer) long ???
2263 # $parg - (string/pointer) ???
2264 #
2265 # returns: (long) result of given command ???
2266 #valid $cmd values
2268 1 - SSL_CTRL_NEED_TMP_RSA
2269 2 - SSL_CTRL_SET_TMP_RSA
2270 3 - SSL_CTRL_SET_TMP_DH
2271 4 - SSL_CTRL_SET_TMP_ECDH
2272 5 - SSL_CTRL_SET_TMP_RSA_CB
2273 6 - SSL_CTRL_SET_TMP_DH_CB
2274 7 - SSL_CTRL_SET_TMP_ECDH_CB
2275 8 - SSL_CTRL_GET_SESSION_REUSED
2276 9 - SSL_CTRL_GET_CLIENT_CERT_REQUEST
2277 10 - SSL_CTRL_GET_NUM_RENEGOTIATIONS
2278 11 - SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS
2279 12 - SSL_CTRL_GET_TOTAL_RENEGOTIATIONS
2280 13 - SSL_CTRL_GET_FLAGS
2281 14 - SSL_CTRL_EXTRA_CHAIN_CERT
2282 15 - SSL_CTRL_SET_MSG_CALLBACK
2283 16 - SSL_CTRL_SET_MSG_CALLBACK_ARG
2284 17 - SSL_CTRL_SET_MTU
2285 20 - SSL_CTRL_SESS_NUMBER
2286 21 - SSL_CTRL_SESS_CONNECT
2287 22 - SSL_CTRL_SESS_CONNECT_GOOD
2288 23 - SSL_CTRL_SESS_CONNECT_RENEGOTIATE
2289 24 - SSL_CTRL_SESS_ACCEPT
2290 25 - SSL_CTRL_SESS_ACCEPT_GOOD
2291 26 - SSL_CTRL_SESS_ACCEPT_RENEGOTIATE
2292 27 - SSL_CTRL_SESS_HIT
2293 28 - SSL_CTRL_SESS_CB_HIT
2294 29 - SSL_CTRL_SESS_MISSES
2295 30 - SSL_CTRL_SESS_TIMEOUTS
2296 31 - SSL_CTRL_SESS_CACHE_FULL
2297 32 - SSL_CTRL_OPTIONS
2298 33 - SSL_CTRL_MODE
2299 40 - SSL_CTRL_GET_READ_AHEAD
2300 41 - SSL_CTRL_SET_READ_AHEAD
2301 42 - SSL_CTRL_SET_SESS_CACHE_SIZE
2302 43 - SSL_CTRL_GET_SESS_CACHE_SIZE
2303 44 - SSL_CTRL_SET_SESS_CACHE_MODE
2304 45 - SSL_CTRL_GET_SESS_CACHE_MODE
2305 50 - SSL_CTRL_GET_MAX_CERT_LIST
2306 51 - SSL_CTRL_SET_MAX_CERT_LIST
2307 52 - SSL_CTRL_SET_MAX_SEND_FRAGMENT
2308 53 - SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
2309 54 - SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
2310 55 - SSL_CTRL_SET_TLSEXT_HOSTNAME
2311 56 - SSL_CTRL_SET_TLSEXT_DEBUG_CB
2312 57 - SSL_CTRL_SET_TLSEXT_DEBUG_ARG
2313 58 - SSL_CTRL_GET_TLSEXT_TICKET_KEYS
2314 59 - SSL_CTRL_SET_TLSEXT_TICKET_KEYS
2315 60 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT
2316 61 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB
2317 62 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG
2318 63 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
2319 64 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG
2320 65 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
2321 66 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS
2322 67 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS
2323 68 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS
2324 69 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS
2325 70 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP
2326 71 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP
2327 72 - SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
2328 73 - DTLS_CTRL_GET_TIMEOUT
2329 74 - DTLS_CTRL_HANDLE_TIMEOUT
2330 75 - DTLS_CTRL_LISTEN
2331 76 - SSL_CTRL_GET_RI_SUPPORT
2332 77 - SSL_CTRL_CLEAR_OPTIONS
2333 78 - SSL_CTRL_CLEAR_MODE
2334 82 - SSL_CTRL_GET_EXTRA_CHAIN_CERTS
2336 83 - SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
2337 88 - SSL_CTRL_CHAIN
2339 89 - SSL_CTRL_CHAIN_CERT
2340 90 - SSL_CTRL_GET_CURVES
2342 91 - SSL_CTRL_SET_CURVES
2343 92 - SSL_CTRL_SET_CURVES_LIST
2344 93 - SSL_CTRL_GET_SHARED_CURVE
2345 94 - SSL_CTRL_SET_ECDH_AUTO
2346 97 - SSL_CTRL_SET_SIGALGS
2347 98 - SSL_CTRL_SET_SIGALGS_LIST
2348 99 - SSL_CTRL_CERT_FLAGS
2349 100 - SSL_CTRL_CLEAR_CERT_FLAGS
2350 101 - SSL_CTRL_SET_CLIENT_SIGALGS
2351 102 - SSL_CTRL_SET_CLIENT_SIGALGS_LIST
2352 103 - SSL_CTRL_GET_CLIENT_CERT_TYPES
2353 104 - SSL_CTRL_SET_CLIENT_CERT_TYPES
2354 105 - SSL_CTRL_BUILD_CERT_CHAIN
2355 106 - SSL_CTRL_SET_VERIFY_CERT_STORE
2356 107 - SSL_CTRL_SET_CHAIN_CERT_STORE
2357 108 - SSL_CTRL_GET_PEER_SIGNATURE_NID
2358 109 - SSL_CTRL_GET_SERVER_TMP_KEY
2359 110 - SSL_CTRL_GET_RAW_CIPHERLIST
2360 111 - SSL_CTRL_GET_EC_POINT_FORMATS
2361 112 - SSL_CTRL_GET_TLSA_RECORD
2362 113 - SSL_CTRL_SET_TLSA_RECORD
2363 114 - SSL_CTRL_PULL_TLSA_RECORD
2364 Check openssl doc
2366 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
2367 • CTX_flush_sessions
2369 Causes a run through the session cache of $ctx to remove sessions
2371 expired at time $tm.
2372 Net::SSLeay::CTX_flush_sessions($ctx, $tm);
2374 # $ctx - value corresponding to openssl's SSL_CTX structure
2375 # $tm - specifies the time which should be used for the expiration test (seconds since 1.1.1970)
2376 #
2377 # returns: no return value
2378 Check openssl doc
2380 <http://www.openssl.org/docs/ssl/SSL_CTX_flush_sessions.html>
2381 • CTX_free
2383 Free an allocated SSL_CTX object.
2385 Net::SSLeay::CTX_free($ctx);
2387 # $ctx - value corresponding to openssl's SSL_CTX structure
2388 #
2389 # returns: no return value
2390 Check openssl doc
2392 <http://www.openssl.org/docs/ssl/SSL_CTX_free.html>
2393 • CTX_get_app_data
2395 Can be used to get application defined value/data.
2397 my $rv = Net::SSLeay::CTX_get_app_data($ctx);
2399 # $ctx - value corresponding to openssl's SSL_CTX structure
2400 #
2401 # returns: string/buffer/pointer ???
2402 • CTX_set_app_data
2404 Can be used to set some application defined value/data.
2406 my $rv = Net::SSLeay::CTX_set_app_data($ctx, $arg);
2408 # $ctx - value corresponding to openssl's SSL_CTX structure
2409 # $arg - (string/buffer/pointer ???) data
2410 #
2411 # returns: ???
2412 • CTX_get0_param
2414 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2416 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
2417 Returns the current verification parameters.
2419 my $vpm = Net::SSLeay::CTX_get0_param($ctx);
2421 # $ctx - value corresponding to openssl's SSL_CTX structure
2422 #
2423 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
2424 Check openssl doc
2426 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
2427 • CTX_get_cert_store
2429 Returns the current certificate verification storage.
2431 my $rv = Net::SSLeay::CTX_get_cert_store($ctx);
2433 # $ctx - value corresponding to openssl's SSL_CTX structure
2434 #
2435 # returns: value corresponding to openssl's X509_STORE structure (0 on failure)
2436 Check openssl doc
2438 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html>
2439 • CTX_get_client_CA_list
2441 Returns the list of client CAs explicitly set for $ctx using
2443 "CTX_set_client_CA_list".
2444 my $rv = Net::SSLeay::CTX_get_client_CA_list($ctx);
2446 # $ctx - value corresponding to openssl's SSL_CTX structure
2447 #
2448 # returns: value corresponding to openssl's X509_NAME_STACK structure (0 on failure)
2449 Check openssl doc
2451 <http://www.openssl.org/docs/ssl/SSL_get_client_CA_list.html>
2452 • CTX_get_ex_data
2454 Is used to retrieve the information for index $idx from $ctx.
2456 my $rv = Net::SSLeay::CTX_get_ex_data($ssl, $idx);
2458 # $ssl - value corresponding to openssl's SSL_CTX structure
2459 # $idx - (integer) index for application specific data
2460 #
2461 # returns: pointer to ???
2462 Check openssl doc
2464 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
2465 • CTX_get_ex_new_index
2467 Is used to register a new index for application specific data.
2469 my $rv = Net::SSLeay::CTX_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
2471 # $argl - (long) ???
2472 # $argp - (pointer) ???
2473 # $new_func - function pointer ??? (CRYPTO_EX_new *)
2474 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
2475 # $free_func - function pointer ??? (CRYPTO_EX_free *)
2476 #
2477 # returns: (integer) ???
2478 Check openssl doc
2480 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
2481 • CTX_get_mode
2483 Returns the mode set for ctx.
2485 my $rv = Net::SSLeay::CTX_get_mode($ctx);
2487 # $ctx - value corresponding to openssl's SSL_CTX structure
2488 #
2489 # returns: mode (bitmask)
2490 #to decode the return value (bitmask) use:
2492 0x00000001 corresponds to SSL_MODE_ENABLE_PARTIAL_WRITE
2493 0x00000002 corresponds to SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
2494 0x00000004 corresponds to SSL_MODE_AUTO_RETRY
2495 0x00000008 corresponds to SSL_MODE_NO_AUTO_CHAIN
2496 0x00000010 corresponds to SSL_MODE_RELEASE_BUFFERS
2497 (note: some of the bits might not be supported by older openssl versions)
2498 Check openssl doc
2500 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
2501 • CTX_set_mode
2503 Adds the mode set via bitmask in $mode to $ctx. Options already set
2505 before are not cleared.
2506 my $rv = Net::SSLeay::CTX_set_mode($ctx, $mode);
2508 # $ctx - value corresponding to openssl's SSL_CTX structure
2509 # $mode - mode bitmask
2510 #
2511 # returns: the new mode bitmask after adding $mode
2512 For bitmask details see "CTX_get_mode" (above).
2514 Check openssl doc
2516 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
2517 • CTX_get_options
2519 Returns the options (bitmask) set for $ctx.
2521 my $rv = Net::SSLeay::CTX_get_options($ctx);
2523 # $ctx - value corresponding to openssl's SSL_CTX structure
2524 #
2525 # returns: options (bitmask)
2526 BEWARE: The available constants and their values in bitmask depend
2528 on the TLS library. For example, SSL_OP_NO_TLSv1_3 became available
2529 much later than SSL_OP_NO_COMPRESS which is already deprecated by
2530 some libraries. Also, some previously used option values have been
2531 recycled and are now used for newer options. See the list of
2532 constants in this document for options Net::SSLeay currently
2533 supports.
2534 You are strongly encouraged to check your TLS library if you need
2536 to use numeric values directly. The following is a sample of
2537 historic values. It may not be correct anymore.
2538 #to decode the return value (bitmask) use:
2540 0x00000004 corresponds to SSL_OP_LEGACY_SERVER_CONNECT
2541 0x00000800 corresponds to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2542 0x00004000 corresponds to SSL_OP_NO_TICKET
2543 0x00010000 corresponds to SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2544 0x00400000 corresponds to SSL_OP_CIPHER_SERVER_PREFERENCE
2545 0x04000000 corresponds to SSL_OP_NO_TLSv1
2546 Check openssl doc
2548 <https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html>
2549 • CTX_set_options
2551 Adds the options set via bitmask in $options to ctx. Options
2553 already set before are not cleared.
2554 Net::SSLeay::CTX_set_options($ctx, $options);
2556 # $ctx - value corresponding to openssl's SSL_CTX structure
2557 # $options - options bitmask
2558 #
2559 # returns: the new options bitmask after adding $options
2560 For bitmask details see "CTX_get_options" (above).
2562 Check openssl doc
2564 <https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html>
2565 • CTX_get_quiet_shutdown
2567 Returns the 'quiet shutdown' setting of $ctx.
2569 my $rv = Net::SSLeay::CTX_get_quiet_shutdown($ctx);
2571 # $ctx - value corresponding to openssl's SSL_CTX structure
2572 #
2573 # returns: (integer) the current setting
2574 Check openssl doc
2576 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
2577 • CTX_get_read_ahead
2579 my $rv = Net::SSLeay::CTX_get_read_ahead($ctx);
2581 # $ctx - value corresponding to openssl's SSL_CTX structure
2582 #
2583 # returns: (integer) read_ahead value
2584 • CTX_get_session_cache_mode
2586 Returns the currently used cache mode (bitmask).
2588 my $rv = Net::SSLeay::CTX_get_session_cache_mode($ctx);
2590 # $ctx - value corresponding to openssl's SSL_CTX structure
2591 #
2592 # returns: mode (bitmask)
2593 BEWARE: SESS_CACHE_OFF and other constants are not available in
2595 Net-SSLeay-1.82 and before. If the constants are not available,
2596 the following values have historically been correct. You are
2597 strongly encouraged to check your TLS library for the current
2598 values.
2599 #to decode the return value (bitmask) use:
2601 0x0000 corresponds to SSL_SESS_CACHE_OFF
2602 0x0001 corresponds to SSL_SESS_CACHE_CLIENT
2603 0x0002 corresponds to SSL_SESS_CACHE_SERVER
2604 0x0080 corresponds to SSL_SESS_CACHE_NO_AUTO_CLEAR
2605 0x0100 corresponds to SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
2606 0x0200 corresponds to SSL_SESS_CACHE_NO_INTERNAL_STORE
2607 (note: some of the bits might not be supported by older openssl versions)
2608 Check openssl doc
2610 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html>
2611 • CTX_set_session_cache_mode
2613 Enables/disables session caching by setting the operational mode
2615 for $ctx to $mode.
2616 my $rv = Net::SSLeay::CTX_set_session_cache_mode($ctx, $mode);
2618 # $ctx - value corresponding to openssl's SSL_CTX structure
2619 # $mode - mode (bitmask)
2620 #
2621 # returns: previously set cache mode
2622 For bitmask details see "CTX_get_session_cache_mode" (above).
2624 Check openssl doc
2626 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html>
2627 • CTX_get_timeout
2629 Returns the currently set timeout value for $ctx.
2631 my $rv = Net::SSLeay::CTX_get_timeout($ctx);
2633 # $ctx - value corresponding to openssl's SSL_CTX structure
2634 #
2635 # returns: timeout in seconds
2636 Check openssl doc
2638 <http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html>
2639 • CTX_get_verify_depth
2641 Returns the verification depth limit currently set in $ctx. If no
2643 limit has been explicitly set, -1 is returned and the default value
2644 will be used.",
2645 my $rv = Net::SSLeay::CTX_get_verify_depth($ctx);
2647 # $ctx - value corresponding to openssl's SSL_CTX structure
2648 #
2649 # returns: depth limit currently set in $ctx, -1 if no limit has been explicitly set
2650 Check openssl doc
2652 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
2653 • CTX_get_verify_mode
2655 Returns the verification mode (bitmask) currently set in $ctx.
2657 my $rv = Net::SSLeay::CTX_get_verify_mode($ctx);
2659 # $ctx - value corresponding to openssl's SSL_CTX structure
2660 #
2661 # returns: mode (bitmask)
2662 For bitmask details see "CTX_set_verify".
2664 Check openssl doc
2666 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_verify_mode.html>
2667 • CTX_set_verify
2669 Sets the verification flags for $ctx to be $mode and specifies the
2671 verify_callback function to be used.
2672 Net::SSLeay::CTX_set_verify($ctx, $mode, $callback);
2674 # $ctx - value corresponding to openssl's SSL_CTX structure
2675 # $mode - mode (bitmask), see OpenSSL manual
2676 # $callback - [optional] reference to perl callback function
2677 #
2678 # returns: no return value
2679 Check openssl doc
2681 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html>
2682 • CTX_set_post_handshake_auth
2684 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
2686 requires at least OpenSSL 1.1.1, not in LibreSSL
2687 Enable the Post-Handshake Authentication extension to be added to
2689 the ClientHello such that post-handshake authentication can be
2690 requested by the server.
2691 Net::SSLeay::CTX_set_posthandshake_auth($ctx, $val);
2693 # $ctx - value corresponding to openssl's SSL_CTX structure
2694 # $val - 0 then the extension is not sent, otherwise it is
2695 #
2696 # returns: no return value
2697 Check openssl doc
2699 https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth
2700 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html>
2701 • CTX_load_verify_locations
2703 Specifies the locations for $ctx, at which CA certificates for
2705 verification purposes are located. The certificates available via
2706 $CAfile and $CApath are trusted.
2707 my $rv = Net::SSLeay::CTX_load_verify_locations($ctx, $CAfile, $CApath);
2709 # $ctx - value corresponding to openssl's SSL_CTX structure
2710 # $CAfile - (string) file of CA certificates in PEM format, the file can contain several CA certificates (or '')
2711 # $CApath - (string) directory containing CA certificates in PEM format (or '')
2712 #
2713 # returns: 1 on success, 0 on failure (check the error stack to find out the reason)
2714 Check openssl doc
2716 <http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html>
2717 • CTX_need_tmp_RSA
2719 Return the result of
2721 "SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)"
2722 my $rv = Net::SSLeay::CTX_need_tmp_RSA($ctx);
2724 # $ctx - value corresponding to openssl's SSL_CTX structure
2725 #
2726 # returns: result of SSL_CTRL_NEED_TMP_RSA command
2727 Not available with OpenSSL 1.1 and later.
2729 • CTX_new
2731 The same as "CTX_v23_new"
2733 my $rv = Net::SSLeay::CTX_new();
2735 #
2736 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2737 Check openssl doc
2739 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
2740 Not available with OpenSSL 1.1 and later.
2742 • CTX_v2_new
2744 Creates a new SSL_CTX object - based on SSLv2_method() - as
2746 framework to establish TLS/SSL enabled connections.
2747 my $rv = Net::SSLeay::CTX_v2_new();
2749 #
2750 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2751 • CTX_v23_new
2753 Creates a new SSL_CTX object - based on SSLv23_method() - as
2755 framework to establish TLS/SSL enabled connections.
2756 my $rv = Net::SSLeay::CTX_v23_new();
2758 #
2759 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2760 • CTX_v3_new
2762 Creates a new SSL_CTX object - based on SSLv3_method() - as
2764 framework to establish TLS/SSL enabled connections.
2765 my $rv = Net::SSLeay::CTX_v3_new();
2767 #
2768 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2769 • CTX_tlsv1_new
2771 Creates a new SSL_CTX object - based on TLSv1_method() - as
2773 framework to establish TLS/SSL enabled connections.
2774 my $rv = Net::SSLeay::CTX_tlsv1_new();
2776 #
2777 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2778 • CTX_tlsv1_1_new
2780 Creates a new SSL_CTX object - based on TLSv1_1_method() - as
2782 framework to establish TLS/SSL enabled connections. Only available
2783 where supported by the underlying openssl.
2784 my $rv = Net::SSLeay::CTX_tlsv1_1_new();
2786 #
2787 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2788 • CTX_tlsv1_2_new
2790 Creates a new SSL_CTX object - based on TLSv1_2_method() - as
2792 framework to establish TLS/SSL enabled connections. Only available
2793 where supported by the underlying openssl.
2794 my $rv = Net::SSLeay::CTX_tlsv1_2_new();
2796 #
2797 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2798 • CTX_new_with_method
2800 Creates a new SSL_CTX object based on $meth method
2802 my $rv = Net::SSLeay::CTX_new_with_method($meth);
2804 # $meth - value corresponding to openssl's SSL_METHOD structure
2805 #
2806 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2807 #example
2809 my $ctx = Net::SSLeay::CTX_new_with_method(&Net::SSLeay::TLSv1_method);
2810 Check openssl doc
2812 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
2813 • CTX_set_min_proto_version, CTX_set_max_proto_version,
2815 set_min_proto_version and set_max_proto_version,
2816 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2818 requires at least OpenSSL 1.1.0-pre2 or LibreSSL 2.6.0
2819 Set the minimum and maximum supported protocol for $ctx or $ssl.
2821 my $rv = Net::SSLeay::CTX_set_min_proto_version($ctx, $version)
2823 # $ctx - value corresponding to openssl's SSL_CTX structure
2824 # $version - (integer) constat version value or 0 for automatic lowest or highest value
2825 #
2826 # returns: 1 on success, 0 on failure
2827 #example: allow only TLS 1.2 for a SSL_CTX
2829 my $rv_min = Net::SSLeay::CTX_set_min_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
2830 my $rv_max = Net::SSLeay::CTX_set_max_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
2831 #example: allow only TLS 1.1 for a SSL
2833 my $rv_min = Net::SSLeay::set_min_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
2834 my $rv_max = Net::SSLeay::set_max_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
2835 Check openssl doc
2837 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_min_proto_version.html>
2838 • CTX_get_min_proto_version, CTX_get_max_proto_version,
2840 get_min_proto_version and get_max_proto_version,
2841 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2843 requires at least OpenSSL 1.1.0g
2844 Get the minimum and maximum supported protocol for $ctx or $ssl.
2846 my $version = Net::SSLeay::CTX_get_min_proto_version($ctx)
2848 # $ctx - value corresponding to openssl's SSL_CTX structure
2849 #
2850 # returns: 0 automatic lowest or highest value, configured value otherwise
2851 Check openssl doc
2853 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_min_proto_version.html>
2854 • CTX_remove_session
2856 Removes the session $ses from the context $ctx.
2858 my $rv = Net::SSLeay::CTX_remove_session($ctx, $ses);
2860 # $ctx - value corresponding to openssl's SSL_CTX structure
2861 # $ses - value corresponding to openssl's SSL_SESSION structure
2862 #
2863 # returns: 1 on success, 0 on failure
2864 Check openssl doc
2866 <http://www.openssl.org/docs/ssl/SSL_CTX_add_session.html>
2867 • CTX_sess_accept
2869 my $rv = Net::SSLeay::CTX_sess_accept($ctx);
2871 # $ctx - value corresponding to openssl's SSL_CTX structure
2872 #
2873 # returns: number of started SSL/TLS handshakes in server mode
2874 Check openssl doc
2876 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2877 • CTX_sess_accept_good
2879 my $rv = Net::SSLeay::CTX_sess_accept_good($ctx);
2881 # $ctx - value corresponding to openssl's SSL_CTX structure
2882 #
2883 # returns: number of successfully established SSL/TLS sessions in server mode
2884 Check openssl doc
2886 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2887 • CTX_sess_accept_renegotiate
2889 my $rv = Net::SSLeay::CTX_sess_accept_renegotiate($ctx);
2891 # $ctx - value corresponding to openssl's SSL_CTX structure
2892 #
2893 # returns: number of start renegotiations in server mode
2894 Check openssl doc
2896 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2897 • CTX_sess_cache_full
2899 my $rv = Net::SSLeay::CTX_sess_cache_full($ctx);
2901 # $ctx - value corresponding to openssl's SSL_CTX structure
2902 #
2903 # returns: number of sessions that were removed because the maximum session cache size was exceeded
2904 Check openssl doc
2906 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2907 • CTX_sess_cb_hits
2909 my $rv = Net::SSLeay::CTX_sess_cb_hits($ctx);
2911 # $ctx - value corresponding to openssl's SSL_CTX structure
2912 #
2913 # returns: number of successfully retrieved sessions from the external session cache in server mode
2914 Check openssl doc
2916 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2917 • CTX_sess_connect
2919 my $rv = Net::SSLeay::CTX_sess_connect($ctx);
2921 # $ctx - value corresponding to openssl's SSL_CTX structure
2922 #
2923 # returns: number of started SSL/TLS handshakes in client mode
2924 Check openssl doc
2926 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2927 • CTX_sess_connect_good
2929 my $rv = Net::SSLeay::CTX_sess_connect_good($ctx);
2931 # $ctx - value corresponding to openssl's SSL_CTX structure
2932 #
2933 # returns: number of successfully established SSL/TLS sessions in client mode
2934 Check openssl doc
2936 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2937 • CTX_sess_connect_renegotiate
2939 my $rv = Net::SSLeay::CTX_sess_connect_renegotiate($ctx);
2941 # $ctx - value corresponding to openssl's SSL_CTX structure
2942 #
2943 # returns: number of start renegotiations in client mode
2944 Check openssl doc
2946 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2947 • CTX_sess_get_cache_size
2949 Returns the currently valid session cache size.
2951 my $rv = Net::SSLeay::CTX_sess_get_cache_size($ctx);
2953 # $ctx - value corresponding to openssl's SSL_CTX structure
2954 #
2955 # returns: current size
2956 Check openssl doc
2958 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html>
2959 • CTX_sess_hits
2961 my $rv = Net::SSLeay::CTX_sess_hits($ctx);
2963 # $ctx - value corresponding to openssl's SSL_CTX structure
2964 #
2965 # returns: number of successfully reused sessions
2966 Check openssl doc
2968 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2969 • CTX_sess_misses
2971 my $rv = Net::SSLeay::CTX_sess_misses($ctx);
2973 # $ctx - value corresponding to openssl's SSL_CTX structure
2974 #
2975 # returns: number of sessions proposed by clients that were not found in the internal session cache in server mode
2976 Check openssl doc
2978 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2979 • CTX_sess_number
2981 my $rv = Net::SSLeay::CTX_sess_number($ctx);
2983 # $ctx - value corresponding to openssl's SSL_CTX structure
2984 #
2985 # returns: current number of sessions in the internal session cache
2986 Check openssl doc
2988 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2989 • CTX_sess_set_cache_size
2991 Sets the size of the internal session cache of context $ctx to
2993 $size.
2994 Net::SSLeay::CTX_sess_set_cache_size($ctx, $size);
2996 # $ctx - value corresponding to openssl's SSL_CTX structure
2997 # $size - cache size (0 = unlimited)
2998 #
2999 # returns: previously valid size
3000 Check openssl doc
3002 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html>
3003 • CTX_sess_timeouts
3005 Returns the number of sessions proposed by clients and either found
3007 in the internal or external session cache in server mode, but that
3008 were invalid due to timeout. These sessions are not included in the
3009 SSL_CTX_sess_hits count.
3010 my $rv = Net::SSLeay::CTX_sess_timeouts($ctx);
3012 # $ctx - value corresponding to openssl's SSL_CTX structure
3013 #
3014 # returns: number of sessions
3015 Check openssl doc
3017 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
3018 • CTX_sess_set_new_cb
3020 COMPATIBILITY: not available in Net-SSLeay-1.85 and before
3022 Sets the callback function, which is automatically called whenever
3024 a new session was negotiated.
3025 Net::SSLeay::CTX_sess_set_new_cb($ctx, $func);
3027 # $ctx - value corresponding to openssl's SSL_CTX structure
3028 # $func - perl reference to callback function
3029 #
3030 # returns: no return value
3031 Check openssl doc
3033 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html>
3034 • CTX_sess_set_remove_cb
3036 COMPATIBILITY: not available in Net-SSLeay-1.85 and before
3038 Sets the callback function, which is automatically called whenever
3040 a session is removed by the SSL engine.
3041 Net::SSLeay::CTX_sess_set_remove_cb($ctx, $func);
3043 # $ctx - value corresponding to openssl's SSL_CTX structure
3044 # $func - perl reference to callback function
3045 #
3046 # returns: no return value
3047 Check openssl doc
3049 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_remove_cb.html>
3050 • CTX_sessions
3052 Returns a pointer to the lhash databases containing the internal
3054 session cache for ctx.
3055 my $rv = Net::SSLeay::CTX_sessions($ctx);
3057 # $ctx - value corresponding to openssl's SSL_CTX structure
3058 #
3059 # returns: value corresponding to openssl's LHASH structure (0 on failure)
3060 Check openssl doc
3062 <http://www.openssl.org/docs/ssl/SSL_CTX_sessions.html>
3063 • CTX_set1_param
3065 COMPATIBILITY: requires at least OpenSSL 1.0.0-beta3
3067 Applies X509 verification parameters $vpm on $ctx
3069 my $rv = Net::SSLeay::CTX_set1_param($ctx, $vpm);
3071 # $ctx - value corresponding to openssl's SSL_CTX structure
3072 # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
3073 #
3074 # returns: 1 on success, 0 on failure
3075 Check openssl doc
3077 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
3078 • CTX_set_cert_store
3080 Sets/replaces the certificate verification storage of $ctx to/with
3082 $store.
3083 Net::SSLeay::CTX_set_cert_store($ctx, $store);
3085 # $ctx - value corresponding to openssl's SSL_CTX structure
3086 # $store - value corresponding to openssl's X509_STORE structure
3087 #
3088 # returns: no return value
3089 Check openssl doc
3091 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html>
3092 • CTX_set_cert_verify_callback
3094 Sets the verification callback function for $ctx. SSL objects that
3096 are created from $ctx inherit the setting valid at the time when
3097 "Net::SSLeay::new($ctx)" is called.
3098 Net::SSLeay::CTX_set_cert_verify_callback($ctx, $func, $data);
3100 # $ctx - value corresponding to openssl's SSL_CTX structure
3101 # $func - perl reference to callback function
3102 # $data - [optional] data that will be passed to callback function when invoked
3103 #
3104 # returns: no return value
3105 Check openssl doc
3107 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html>
3108 • CTX_set_cipher_list
3110 Sets the list of available ciphers for $ctx using the control
3112 string $str. The list of ciphers is inherited by all ssl objects
3113 created from $ctx.
3114 my $rv = Net::SSLeay::CTX_set_cipher_list($s, $str);
3116 # $s - value corresponding to openssl's SSL_CTX structure
3117 # $str - (string) cipher list e.g. '3DES:+RSA'
3118 #
3119 # returns: 1 if any cipher could be selected and 0 on complete failure
3120 The format of $str is described in
3122 <http://www.openssl.org/docs/apps/ciphers.html>
3123 Check openssl doc
3125 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
3126 • CTX_set_ciphersuites
3128 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3130 requires at least OpenSSL 1.1.1, not in LibreSSL
3131 Configure the available TLSv1.3 ciphersuites.
3133 my $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $str);
3135 # $ctx - value corresponding to openssl's SSL_CTX structure
3136 # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
3137 #
3138 # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
3139 Check openssl doc
3141 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html>
3142 • CTX_set_client_CA_list
3144 Sets the list of CAs sent to the client when requesting a client
3146 certificate for $ctx.
3147 Net::SSLeay::CTX_set_client_CA_list($ctx, $list);
3149 # $ctx - value corresponding to openssl's SSL_CTX structure
3150 # $list - value corresponding to openssl's X509_NAME_STACK structure
3151 #
3152 # returns: no return value
3153 Check openssl doc
3155 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
3156 • CTX_set_default_passwd_cb
3158 Sets the default password callback called when loading/storing a
3160 PEM certificate with encryption.
3161 Net::SSLeay::CTX_set_default_passwd_cb($ctx, $func);
3163 # $ctx - value corresponding to openssl's SSL_CTX structure
3164 # $func - perl reference to callback function
3165 #
3166 # returns: no return value
3167 Check openssl doc
3169 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
3170 • CTX_set_default_passwd_cb_userdata
3172 Sets a pointer to userdata which will be provided to the password
3174 callback on invocation.
3175 Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx, $userdata);
3177 # $ctx - value corresponding to openssl's SSL_CTX structure
3178 # $userdata - data that will be passed to callback function when invoked
3179 #
3180 # returns: no return value
3181 Check openssl doc
3183 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
3184 • CTX_set_default_verify_paths
3186 ??? (more info needed)
3188 my $rv = Net::SSLeay::CTX_set_default_verify_paths($ctx);
3190 # $ctx - value corresponding to openssl's SSL_CTX structure
3191 #
3192 # returns: 1 on success, 0 on failure
3193 • CTX_set_ex_data
3195 Is used to store application data at $data for $idx into the $ctx
3197 object.
3198 my $rv = Net::SSLeay::CTX_set_ex_data($ssl, $idx, $data);
3200 # $ssl - value corresponding to openssl's SSL_CTX structure
3201 # $idx - (integer) ???
3202 # $data - (pointer) ???
3203 #
3204 # returns: 1 on success, 0 on failure
3205 Check openssl doc
3207 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
3208 • CTX_set_purpose
3210 my $rv = Net::SSLeay::CTX_set_purpose($s, $purpose);
3212 # $s - value corresponding to openssl's SSL_CTX structure
3213 # $purpose - (integer) purpose identifier
3214 #
3215 # returns: 1 on success, 0 on failure
3216 #avainable purpose identifier
3218 1 - X509_PURPOSE_SSL_CLIENT
3219 2 - X509_PURPOSE_SSL_SERVER
3220 3 - X509_PURPOSE_NS_SSL_SERVER
3221 4 - X509_PURPOSE_SMIME_SIGN
3222 5 - X509_PURPOSE_SMIME_ENCRYPT
3223 6 - X509_PURPOSE_CRL_SIGN
3224 7 - X509_PURPOSE_ANY
3225 8 - X509_PURPOSE_OCSP_HELPER
3226 9 - X509_PURPOSE_TIMESTAMP_SIGN
3227 #or use corresponding constants
3229 $purpose = &Net::SSLeay::X509_PURPOSE_SSL_CLIENT;
3230 ...
3231 $purpose = &Net::SSLeay::X509_PURPOSE_TIMESTAMP_SIGN;
3232 • CTX_set_quiet_shutdown
3234 Sets the 'quiet shutdown' flag for $ctx to be mode. SSL objects
3236 created from $ctx inherit the mode valid at the time
3237 "Net::SSLeay::new($ctx)" is called.
3238 Net::SSLeay::CTX_set_quiet_shutdown($ctx, $mode);
3240 # $ctx - value corresponding to openssl's SSL_CTX structure
3241 # $mode - 0 or 1
3242 #
3243 # returns: no return value
3244 Check openssl doc
3246 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
3247 • CTX_set_read_ahead
3249 my $rv = Net::SSLeay::CTX_set_read_ahead($ctx, $val);
3251 # $ctx - value corresponding to openssl's SSL_CTX structure
3252 # $val - read_ahead value to be set
3253 #
3254 # returns: the original read_ahead value
3255 • CTX_set_session_id_context
3257 Sets the context $sid_ctx of length $sid_ctx_len within which a
3259 session can be reused for the $ctx object.
3260 my $rv = Net::SSLeay::CTX_set_session_id_context($ctx, $sid_ctx, $sid_ctx_len);
3262 # $ctx - value corresponding to openssl's SSL_CTX structure
3263 # $sid_ctx - data buffer
3264 # $sid_ctx_len - length of data in $sid_ctx
3265 #
3266 # returns: 1 on success, 0 on failure (the error is logged to the error stack)
3267 Check openssl doc
3269 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html>
3270 • CTX_set_ssl_version
3272 Sets a new default TLS/SSL method for SSL objects newly created
3274 from this $ctx. SSL objects already created with
3275 "Net::SSLeay::new($ctx)" are not affected, except when
3276 "Net::SSLeay:clear($ssl)" is being called.
3277 my $rv = Net::SSLeay::CTX_set_ssl_version($ctx, $meth);
3279 # $ctx - value corresponding to openssl's SSL_CTX structure
3280 # $meth - value corresponding to openssl's SSL_METHOD structure
3281 #
3282 # returns: 1 on success, 0 on failure
3283 Check openssl doc
3285 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
3286 • CTX_set_timeout
3288 Sets the timeout for newly created sessions for $ctx to $t. The
3290 timeout value $t must be given in seconds.
3291 my $rv = Net::SSLeay::CTX_set_timeout($ctx, $t);
3293 # $ctx - value corresponding to openssl's SSL_CTX structure
3294 # $t - timeout in seconds
3295 #
3296 # returns: previously set timeout value
3297 Check openssl doc
3299 <http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html>
3300 • CTX_set_tmp_dh
3302 Sets DH parameters to be used to be $dh. The key is inherited by
3304 all ssl objects created from $ctx.
3305 my $rv = Net::SSLeay::CTX_set_tmp_dh($ctx, $dh);
3307 # $ctx - value corresponding to openssl's SSL_CTX structure
3308 # $dh - value corresponding to openssl's DH structure
3309 #
3310 # returns: 1 on success, 0 on failure
3311 Check openssl doc
3313 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
3314 • CTX_set_tmp_dh_callback
3316 Sets the callback function for $ctx to be used when a DH parameters
3318 are required to $tmp_dh_callback.
3319 Net::SSLeay::CTX_set_tmp_dh_callback($ctx, $tmp_dh_callback);
3321 # $ctx - value corresponding to openssl's SSL_CTX structure
3322 # tmp_dh_callback - (function pointer) ???
3323 #
3324 # returns: no return value
3325 Check openssl doc
3327 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
3328 • CTX_set_tmp_rsa
3330 Sets the temporary/ephemeral RSA key to be used to be $rsa.
3332 my $rv = Net::SSLeay::CTX_set_tmp_rsa($ctx, $rsa);
3334 # $ctx - value corresponding to openssl's SSL_CTX structure
3335 # $rsa - value corresponding to openssl's RSA structure
3336 #
3337 # returns: 1 on success, 0 on failure
3338 Check openssl doc
3340 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
3341 Not available with OpenSSL 1.1 and later.
3343 • CTX_set_tmp_rsa_callback
3345 Sets the callback function for ctx to be used when a
3347 temporary/ephemeral RSA key is required to $tmp_rsa_callback.
3348 ??? (does this function really work?)
3350 Net::SSLeay::CTX_set_tmp_rsa_callback($ctx, $tmp_rsa_callback);
3352 # $ctx - value corresponding to openssl's SSL_CTX structure
3353 # $tmp_rsa_callback - (function pointer) ???
3354 #
3355 # returns: no return value
3356 Check openssl doc
3358 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
3359 Not available with OpenSSL 1.1 and later.
3361 • CTX_set_trust
3363 my $rv = Net::SSLeay::CTX_set_trust($s, $trust);
3365 # $s - value corresponding to openssl's SSL_CTX structure
3366 # $trust - (integer) trust identifier
3367 #
3368 # returns: the original value
3369 #available trust identifiers
3371 1 - X509_TRUST_COMPAT
3372 2 - X509_TRUST_SSL_CLIENT
3373 3 - X509_TRUST_SSL_SERVER
3374 4 - X509_TRUST_EMAIL
3375 5 - X509_TRUST_OBJECT_SIGN
3376 6 - X509_TRUST_OCSP_SIGN
3377 7 - X509_TRUST_OCSP_REQUEST
3378 8 - X509_TRUST_TSA
3379 #or use corresponding constants
3381 $trust = &Net::SSLeay::X509_TRUST_COMPAT;
3382 ...
3383 $trust = &Net::SSLeay::X509_TRUST_TSA;
3384 • CTX_set_verify_depth
3386 Sets the maximum depth for the certificate chain verification that
3388 shall be allowed for ctx.
3389 Net::SSLeay::CTX_set_verify_depth($ctx, $depth);
3391 # $ctx - value corresponding to openssl's SSL_CTX structure
3392 # $depth - max. depth
3393 #
3394 # returns: no return value
3395 Check openssl doc
3397 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
3398 • CTX_use_PKCS12_file
3400 Adds the certificate and private key from PKCS12 file $p12filename
3402 to $ctx.
3403 my $rv = Net::SSLeay::CTX_use_PKCS12_file($ctx, $p12filename, $password);
3405 # $ctx - value corresponding to openssl's SSL_CTX structure
3406 # $p12filename - (string) filename
3407 # $password - (string) password to decrypt private key
3408 #
3409 # returns: 1 on success, 0 on failure
3410 • CTX_use_PrivateKey
3412 Adds the private key $pkey to $ctx.
3414 my $rv = Net::SSLeay::CTX_use_PrivateKey($ctx, $pkey);
3416 # $ctx - value corresponding to openssl's SSL_CTX structure
3417 # $pkey - value corresponding to openssl's EVP_PKEY structure
3418 #
3419 # returns: 1 on success, otherwise check out the error stack to find out the reason
3420 Check openssl doc
3422 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3423 • CTX_use_PrivateKey_file
3425 Adds the first private key found in $file to $ctx.
3427 my $rv = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $file, $type);
3429 # $ctx - value corresponding to openssl's SSL_CTX structure
3430 # $file - (string) file name
3431 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3432 #
3433 # returns: 1 on success, otherwise check out the error stack to find out the reason
3434 Check openssl doc
3436 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3437 • CTX_use_RSAPrivateKey
3439 Adds the RSA private key $rsa to $ctx.
3441 my $rv = Net::SSLeay::CTX_use_RSAPrivateKey($ctx, $rsa);
3443 # $ctx - value corresponding to openssl's SSL_CTX structure
3444 # $rsa - value corresponding to openssl's RSA structure
3445 #
3446 # returns: 1 on success, otherwise check out the error stack to find out the reason
3447 Check openssl doc
3449 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3450 • CTX_use_RSAPrivateKey_file
3452 Adds the first RSA private key found in $file to $ctx.
3454 my $rv = Net::SSLeay::CTX_use_RSAPrivateKey_file($ctx, $file, $type);
3456 # $ctx - value corresponding to openssl's SSL_CTX structure
3457 # $file - (string) file name
3458 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3459 #
3460 # returns: 1 on success, otherwise check out the error stack to find out the reason
3461 • CTX_use_certificate
3463 Loads the certificate $x into $ctx
3465 my $rv = Net::SSLeay::CTX_use_certificate($ctx, $x);
3467 # $ctx - value corresponding to openssl's SSL_CTX structure
3468 # $x - value corresponding to openssl's X509 structure
3469 #
3470 # returns: 1 on success, otherwise check out the error stack to find out the reason
3471 Check openssl doc
3473 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3474 • CTX_use_certificate_chain_file
3476 Loads a certificate chain from $file into $ctx. The certificates
3478 must be in PEM format and must be sorted starting with the
3479 subject's certificate (actual client or server certificate),
3480 followed by intermediate CA certificates if applicable, and ending
3481 at the highest level (root) CA.
3482 my $rv = Net::SSLeay::CTX_use_certificate_chain_file($ctx, $file);
3484 # $ctx - value corresponding to openssl's SSL_CTX structure
3485 # $file - (string) file name
3486 #
3487 # returns: 1 on success, otherwise check out the error stack to find out the reason
3488 Check openssl doc
3490 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3491 • CTX_use_certificate_file
3493 Loads the first certificate stored in $file into $ctx.
3495 my $rv = Net::SSLeay::CTX_use_certificate_file($ctx, $file, $type);
3497 # $ctx - value corresponding to openssl's SSL_CTX structure
3498 # $file - (string) file name
3499 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3500 #
3501 # returns: 1 on success, otherwise check out the error stack to find out the reason
3502 Check openssl doc
3504 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3505 • CTX_get_security_level
3507 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3509 requires at least OpenSSL 1.1.0, not in LibreSSL
3510 Returns the security level associated with $ctx.
3512 my $level = Net::SSLeay::CTX_get_security_level($ctx);
3514 # $ctx - value corresponding to openssl's SSL_CTX structure
3515 #
3516 # returns: (integer) current security level
3517 Check openssl doc
3519 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>
3520 • CTX_set_security_level
3522 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3524 requires at least OpenSSL 1.1.0, not in LibreSSL
3525 Sets the security level associated with $ctx to $level.
3527 Net::SSLeay::CTX_set_security_level($ctx, $level);
3529 # $ssl - value corresponding to openssl's SSL_CTX structure
3530 # $level - new security level
3531 #
3532 # returns: no return value
3533 Check openssl doc
3535 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html>
3536 • CTX_set_num_tickets
3538 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3540 requires at least OpenSSL 1.1.1, not in LibreSSL
3541 Set number of TLSv1.3 session tickets that will be sent to a
3543 client.
3544 my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets);
3546 # $ctx - value corresponding to openssl's SSL_CTX structure
3547 # $number_of_tickets - number of tickets to send
3548 #
3549 # returns: 1 on success, 0 on failure
3550 Set to zero if you do not no want to support a session resumption.
3552 Check openssl doc
3554 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html>
3555 • CTX_get_num_tickets
3557 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3559 requires at least OpenSSL 1.1.1, not in LibreSSL
3560 Get number of TLSv1.3 session tickets that will be sent to a
3562 client.
3563 my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx);
3565 # $ctx - value corresponding to openssl's SSL_CTX structure
3566 #
3567 # returns: (integer) number of tickets to send
3568 Check openssl doc
3570 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_num_tickets.html>
3571 Low level API: SSL_* related functions
3573 NOTE: Please note that the function described in this chapter have
3575 "SSL_" part stripped from their original openssl names.
3576 • new
3578 Creates a new SSL structure which is needed to hold the data for a
3580 TLS/SSL connection. The new structure inherits the settings of the
3581 underlying context $ctx: connection method (SSLv2/v3/TLSv1),
3582 options, verification settings, timeout settings.
3583 my $rv = Net::SSLeay::new($ctx);
3585 # $ctx - value corresponding to openssl's SSL_CTX structure
3586 #
3587 # returns: value corresponding to openssl's SSL structure (0 on failure)
3588 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_new.html>
3590 • accept
3592 Waits for a TLS/SSL client to initiate the TLS/SSL handshake. The
3594 communication channel must already have been set and assigned to
3595 the ssl by setting an underlying BIO.
3596 my $rv = Net::SSLeay::accept($ssl);
3598 # $ssl - value corresponding to openssl's SSL structure
3599 #
3600 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3601 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_accept.html>
3603 • add_client_CA
3605 Adds the CA name extracted from cacert to the list of CAs sent to
3607 the client when requesting a client certificate for the chosen ssl,
3608 overriding the setting valid for ssl's SSL_CTX object.
3609 my $rv = Net::SSLeay::add_client_CA($ssl, $x);
3611 # $ssl - value corresponding to openssl's SSL structure
3612 # $x - value corresponding to openssl's X509 structure
3613 #
3614 # returns: 1 on success, 0 on failure
3615 Check openssl doc
3617 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
3618 • callback_ctrl
3620 ??? (more info needed)
3622 my $rv = Net::SSLeay::callback_ctrl($ssl, $cmd, $fp);
3624 # $ssl - value corresponding to openssl's SSL structure
3625 # $cmd - (integer) command id
3626 # $fp - (function pointer) ???
3627 #
3628 # returns: ???
3629 Check openssl doc
3631 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
3632 • check_private_key
3634 Checks the consistency of a private key with the corresponding
3636 certificate loaded into $ssl
3637 my $rv = Net::SSLeay::check_private_key($ssl);
3639 # $ssl - value corresponding to openssl's SSL structure
3640 #
3641 # returns: 1 on success, otherwise check out the error stack to find out the reason
3642 Check openssl doc
3644 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3645 • clear
3647 Reset SSL object to allow another connection.
3649 Net::SSLeay::clear($ssl);
3651 # $ssl - value corresponding to openssl's SSL structure
3652 #
3653 # returns: no return value
3654 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_clear.html>
3656 • connect
3658 Initiate the TLS/SSL handshake with an TLS/SSL server.
3660 my $rv = Net::SSLeay::connect($ssl);
3662 # $ssl - value corresponding to openssl's SSL structure
3663 #
3664 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3665 Check openssl doc
3667 <http://www.openssl.org/docs/ssl/SSL_connect.html>
3668 • copy_session_id
3670 Copies the session structure fro $from to $to (+ also the private
3672 key and certificate associated with $from).
3673 Net::SSLeay::copy_session_id($to, $from);
3675 # $to - value corresponding to openssl's SSL structure
3676 # $from - value corresponding to openssl's SSL structure
3677 #
3678 # returns: no return value
3679 • ctrl
3681 Internal handling function for SSL objects.
3683 BEWARE: openssl doc says: This function should never be called
3685 directly!
3686 my $rv = Net::SSLeay::ctrl($ssl, $cmd, $larg, $parg);
3688 # $ssl - value corresponding to openssl's SSL structure
3689 # $cmd - (integer) command id
3690 # $larg - (integer) long ???
3691 # $parg - (string/pointer) ???
3692 #
3693 # returns: (long) result of given command ???
3694 For more details about valid $cmd values check "CTX_ctrl".
3696 Check openssl doc
3698 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
3699 • do_handshake
3701 Will wait for a SSL/TLS handshake to take place. If the connection
3703 is in client mode, the handshake will be started. The handshake
3704 routines may have to be explicitly set in advance using either
3705 SSL_set_connect_state or SSL_set_accept_state(3).
3706 my $rv = Net::SSLeay::do_handshake($ssl);
3708 # $ssl - value corresponding to openssl's SSL structure
3709 #
3710 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3711 Check openssl doc
3713 <http://www.openssl.org/docs/ssl/SSL_do_handshake.html>
3714 • dup
3716 Returns a duplicate of $ssl.
3718 my $rv = Net::SSLeay::dup($ssl);
3720 # $ssl - value corresponding to openssl's SSL structure
3721 #
3722 # returns: value corresponding to openssl's SSL structure (0 on failure)
3723 • free
3725 Free an allocated SSL structure.
3727 Net::SSLeay::free($ssl);
3729 # $ssl - value corresponding to openssl's SSL structure
3730 #
3731 # returns: no return value
3732 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_free.html>
3734 • get0_param
3736 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
3738 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
3739 Returns the current verification parameters.
3741 my $vpm = Net::SSLeay::get0_param($ssl);
3743 # $ssl - value corresponding to openssl's SSL structure
3744 #
3745 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
3746 Check openssl doc
3748 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
3749 • get_SSL_CTX
3751 Returns a pointer to the SSL_CTX object, from which $ssl was
3753 created with Net::SSLeay::new.
3754 my $rv = Net::SSLeay::get_SSL_CTX($ssl);
3756 # $ssl - value corresponding to openssl's SSL structure
3757 #
3758 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
3759 Check openssl doc
3761 <http://www.openssl.org/docs/ssl/SSL_get_SSL_CTX.html>
3762 • set_SSL_CTX
3764 COMPATIBILITY: requires at least OpenSSL 0.9.8f
3766 Sets the SSL_CTX the corresponds to an SSL session.
3768 my $the_ssl_ctx = Net::SSLeay::set_SSL_CTX($ssl, $ssl_ctx);
3770 # $ssl - value corresponding to openssl's SSL structure
3771 # $ssl_ctx - Change the ssl object to the given ssl_ctx
3772 #
3773 # returns - the ssl_ctx
3774 • get_app_data
3776 Can be used to get application defined value/data.
3778 my $rv = Net::SSLeay::get_app_data($ssl);
3780 # $ssl - value corresponding to openssl's SSL structure
3781 #
3782 # returns: string/buffer/pointer ???
3783 • set_app_data
3785 Can be used to set some application defined value/data.
3787 my $rv = Net::SSLeay::set_app_data($ssl, $arg);
3789 # $ssl - value corresponding to openssl's SSL structure
3790 # $arg - (string/buffer/pointer ???) data
3791 #
3792 # returns: ???
3793 • get_certificate
3795 Gets X509 certificate from an established SSL connection.
3797 my $rv = Net::SSLeay::get_certificate($ssl);
3799 # $ssl - value corresponding to openssl's SSL structure
3800 #
3801 # returns: value corresponding to openssl's X509 structure (0 on failure)
3802 • get_cipher
3804 Obtains the name of the currently used cipher.
3806 my $rv = Net::SSLeay::get_cipher($ssl);
3808 # $ssl - value corresponding to openssl's SSL structure
3809 #
3810 # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA' or '', when no session has been established.
3811 Check openssl doc
3813 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html>
3814 • get_cipher_bits
3816 Obtain the number of secret/algorithm bits used.
3818 my $rv = Net::SSLeay::get_cipher_bits($ssl);
3820 # $ssl - value corresponding to openssl's SSL structure
3821 #
3822 # returns: number of secret bits used by current cipher
3823 Check openssl doc
3825 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html> and
3826 <http://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html>
3827 • get_ciphers
3829 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
3831 Returns a list of SSL_CIPHER structures available for $ssl sorted
3833 by preference
3834 my @ciphers = Net::SSLeay::get_ciphers($ssl);
3836 # $ssl - value corresponding to openssl's SSL structure
3837 #
3838 # returns: (list) SSL_CIPHER structures or nothing when $ssl is undefined or no ciphers are available
3839 Example:
3841 my @ciphers = Net::SSLeay::get_ciphers($ssl);
3843 foreach my $c (@ciphers) {
3844 print Net::SSLeay::CIPHER_get_name($c) . "\n";
3845 }
3846 Check openssl doc
3848 <https://www.openssl.org/docs/ssl/SSL_get_ciphers.html>
3849 • get_cipher_list
3851 Returns the name (string) of the SSL_CIPHER listed for $ssl with
3853 priority $n.
3854 my $rv = Net::SSLeay::get_cipher_list($ssl, $n);
3856 # $ssl - value corresponding to openssl's SSL structure
3857 # $n - (integer) priority
3858 #
3859 # returns: (string) cipher name e.g. 'EDH-DSS-DES-CBC3-SHA' or undef in case of error
3860 Call Net::SSLeay::get_cipher_list with priority starting from 0 to
3862 obtain the sorted list of available ciphers, until undef is
3863 returned:
3864 my $priority = 0;
3866 while (my $c = Net::SSLeay::get_cipher_list($ssl, $priority)) {
3867 print "cipher[$priority] = $c\n";
3868 $priority++;
3869 }
3870 Check openssl doc
3872 <https://www.openssl.org/docs/ssl/SSL_get_cipher_list.html>
3873 • get_client_CA_list
3875 Returns the list of client CAs explicitly set for $ssl using
3877 "Net::SSleay::set_client_CA_list" or $ssl's SSL_CTX object with
3878 "Net::SSLeay::CTX_set_client_CA_list", when in server mode.
3879 In client mode, returns the list of client CAs sent from the
3881 server, if any.
3882 my $rv = Net::SSLeay::get_client_CA_list($ssl);
3884 # $ssl - value corresponding to openssl's SSL structure
3885 #
3886 # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
3887 Check openssl doc
3889 <http://www.openssl.org/docs/ssl/SSL_get_client_CA_list.html>
3890 • get_current_cipher
3892 Returns the cipher actually used.
3894 my $rv = Net::SSLeay::get_current_cipher($ssl);
3896 # $ssl - value corresponding to openssl's SSL structure
3897 #
3898 # returns: value corresponding to openssl's SSL_CIPHER structure (0 on failure)
3899 Check openssl doc
3901 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html>
3902 • get_default_timeout
3904 Returns the default timeout value assigned to SSL_SESSION objects
3906 negotiated for the protocol valid for $ssl.
3907 my $rv = Net::SSLeay::get_default_timeout($ssl);
3909 # $ssl - value corresponding to openssl's SSL structure
3910 #
3911 # returns: (long) timeout in seconds
3912 Check openssl doc
3914 <http://www.openssl.org/docs/ssl/SSL_get_default_timeout.html>
3915 • get_error
3917 Returns a result code for a preceding call to "connect", "accept",
3919 "do_handshake", "read", "peek" or "write" on $ssl.
3920 my $rv = Net::SSLeay::get_error($ssl, $ret);
3922 # $ssl - value corresponding to openssl's SSL structure
3923 # $ret - return value of preceding TLS/SSL I/O operation
3924 #
3925 # returns: result code, which is one of the following values:
3926 # 0 - SSL_ERROR_NONE
3927 # 1 - SSL_ERROR_SSL
3928 # 2 - SSL_ERROR_WANT_READ
3929 # 3 - SSL_ERROR_WANT_WRITE
3930 # 4 - SSL_ERROR_WANT_X509_LOOKUP
3931 # 5 - SSL_ERROR_SYSCALL
3932 # 6 - SSL_ERROR_ZERO_RETURN
3933 # 7 - SSL_ERROR_WANT_CONNECT
3934 # 8 - SSL_ERROR_WANT_ACCEPT
3935 Check openssl doc
3937 <http://www.openssl.org/docs/ssl/SSL_get_error.html>
3938 • get_ex_data
3940 Is used to retrieve the information for $idx from $ssl.
3942 my $rv = Net::SSLeay::get_ex_data($ssl, $idx);
3944 # $ssl - value corresponding to openssl's SSL structure
3945 # $idx - (integer) index for application specific data
3946 #
3947 # returns: pointer to ???
3948 Check openssl doc
3950 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3951 • set_ex_data
3953 Is used to store application data at $data for $idx into the $ssl
3955 object.
3956 my $rv = Net::SSLeay::set_ex_data($ssl, $idx, $data);
3958 # $ssl - value corresponding to openssl's SSL structure
3959 # $idx - (integer) ???
3960 # $data - (pointer) ???
3961 #
3962 # returns: 1 on success, 0 on failure
3963 Check openssl doc
3965 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3966 • get_ex_new_index
3968 Is used to register a new index for application specific data.
3970 my $rv = Net::SSLeay::get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
3972 # $argl - (long) ???
3973 # $argp - (pointer) ???
3974 # $new_func - function pointer ??? (CRYPTO_EX_new *)
3975 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
3976 # $free_func - function pointer ??? (CRYPTO_EX_free *)
3977 #
3978 # returns: (integer) ???
3979 Check openssl doc
3981 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3982 • get_fd
3984 Returns the file descriptor which is linked to $ssl.
3986 my $rv = Net::SSLeay::get_fd($ssl);
3988 # $ssl - value corresponding to openssl's SSL structure
3989 #
3990 # returns: file descriptor (>=0) or -1 on failure
3991 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_get_fd.html>
3993 • get_finished
3995 Obtains the latest 'Finished' message sent to the peer. Return
3997 value is zero if there's been no Finished message yet. Default
3998 count is 2*EVP_MAX_MD_SIZE that is long enough for all possible
3999 Finish messages. If you supply a non-default count, the resulting
4000 return value may be longer than returned buf's length.
4001 my $rv = Net::SSLeay::get_finished($ssl, $buf, $count);
4003 # $ssl - value corresponding to openssl's SSL structure
4004 # $buf - buffer where the returned data will be stored
4005 # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
4006 #
4007 # returns: length of latest Finished message
4008 • get_peer_finished
4010 Obtains the latest 'Finished' message expected from the peer.
4012 Parameters and return value are similar to get_finished().
4013 my $rv = Net::SSLeay::get_peer_finished($ssl, $buf, $count);
4015 # $ssl - value corresponding to openssl's SSL structure
4016 # $buf - buffer where the returned data will be stored
4017 # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
4018 #
4019 # returns: length of latest Finished message
4020 • get_keyblock_size
4022 Gets the length of the TLS keyblock.
4024 NOTE: Does not exactly correspond to any low level API function.
4026 my $rv = Net::SSLeay::get_keyblock_size($ssl);
4028 # $ssl - value corresponding to openssl's SSL structure
4029 #
4030 # returns: keyblock size, -1 on error
4031 • get_mode
4033 Returns the mode (bitmask) set for $ssl.
4035 my $rv = Net::SSLeay::get_mode($ssl);
4037 # $ssl - value corresponding to openssl's SSL structure
4038 #
4039 # returns: mode (bitmask)
4040 To decode the return value (bitmask) see documentation for
4042 "CTX_get_mode".
4043 Check openssl doc
4045 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
4046 • set_mode
4048 Adds the mode set via bitmask in $mode to $ssl. Options already set
4050 before are not cleared.
4051 my $rv = Net::SSLeay::set_mode($ssl, $mode);
4053 # $ssl - value corresponding to openssl's SSL structure
4054 # $mode - mode (bitmask)
4055 #
4056 # returns: the new mode bitmask after adding $mode
4057 For $mode bitmask details see "CTX_get_mode".
4059 Check openssl doc
4061 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
4062 • get_options
4064 Returns the options (bitmask) set for $ssl.
4066 my $rv = Net::SSLeay::get_options($ssl);
4068 # $ssl - value corresponding to openssl's SSL structure
4069 #
4070 # returns: options (bitmask)
4071 To decode the return value (bitmask) see documentation for
4073 "CTX_get_options".
4074 Check openssl doc
4076 <http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html>
4077 • set_options
4079 Adds the options set via bitmask in $options to $ssl. Options
4081 already set before are not cleared!
4082 Net::SSLeay::set_options($ssl, $options);
4084 # $ssl - value corresponding to openssl's SSL structure
4085 # $options - options (bitmask)
4086 #
4087 # returns: the new options bitmask after adding $options
4088 For $options bitmask details see "CTX_get_options".
4090 Check openssl doc
4092 <http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html>
4093 • get_peer_certificate
4095 Get the X509 certificate of the peer.
4097 my $rv = Net::SSLeay::get_peer_certificate($ssl);
4099 # $ssl - value corresponding to openssl's SSL structure
4100 #
4101 # returns: value corresponding to openssl's X509 structure (0 on failure)
4102 Check openssl doc
4104 <http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
4105 • get_peer_cert_chain
4107 Get the certificate chain of the peer as an array of X509
4109 structures.
4110 my @rv = Net::SSLeay::get_peer_cert_chain($ssl);
4112 # $ssl - value corresponding to openssl's SSL structure
4113 #
4114 # returns: list of X509 structures
4115 Check openssl doc
4117 <http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
4118 • get_quiet_shutdown
4120 Returns the 'quiet shutdown' setting of ssl.
4122 my $rv = Net::SSLeay::get_quiet_shutdown($ssl);
4124 # $ssl - value corresponding to openssl's SSL structure
4125 #
4126 # returns: (integer) current 'quiet shutdown' value
4127 Check openssl doc
4129 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
4130 • get_rbio
4132 Get 'read' BIO linked to an SSL object $ssl.
4134 my $rv = Net::SSLeay::get_rbio($ssl);
4136 # $ssl - value corresponding to openssl's SSL structure
4137 #
4138 # returns: value corresponding to openssl's BIO structure (0 on failure)
4139 Check openssl doc
4141 <http://www.openssl.org/docs/ssl/SSL_get_rbio.html>
4142 • get_read_ahead
4144 my $rv = Net::SSLeay::get_read_ahead($ssl);
4146 # $ssl - value corresponding to openssl's SSL structure
4147 #
4148 # returns: (integer) read_ahead value
4149 • set_read_ahead
4151 Net::SSLeay::set_read_ahead($ssl, $val);
4153 # $ssl - value corresponding to openssl's SSL structure
4154 # $val - read_ahead value to be set
4155 #
4156 # returns: the original read_ahead value
4157 • get_security_level
4159 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4161 requires at least OpenSSL 1.1.0, not in LibreSSL
4162 Returns the security level associated with $ssl.
4164 my $level = Net::SSLeay::get_security_level($ssl);
4166 # $ssl - value corresponding to openssl's SSL structure
4167 #
4168 # returns: (integer) current security level
4169 Check openssl doc
4171 <https://www.openssl.org/docs/manmaster/man3/SSL_get_security_level.html>
4172 • set_security_level
4174 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4176 requires at least OpenSSL 1.1.0, not in LibreSSL
4177 Sets the security level associated with $ssl to $level.
4179 Net::SSLeay::set_security_level($ssl, $level);
4181 # $ssl - value corresponding to openssl's SSL structure
4182 # $level - new security level
4183 #
4184 # returns: no return value
4185 Check openssl doc
4187 <https://www.openssl.org/docs/manmaster/man3/SSL_set_security_level.html>
4188 • set_num_tickets
4190 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4192 requires at least OpenSSL 1.1.1, not in LibreSSL
4193 Set number of TLSv1.3 session tickets that will be sent to a
4195 client.
4196 my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets);
4198 # $ssl - value corresponding to openssl's SSL structure
4199 # $number_of_tickets - number of tickets to send
4200 #
4201 # returns: 1 on success, 0 on failure
4202 Set to zero if you do not no want to support a session resumption.
4204 Check openssl doc
4206 <https://www.openssl.org/docs/manmaster/man3/SSL_set_num_tickets.html>
4207 • get_num_tickets
4209 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4211 requires at least OpenSSL 1.1.1, not in LibreSSL
4212 Get number of TLSv1.3 session tickets that will be sent to a
4214 client.
4215 my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx);
4217 # $ctx - value corresponding to openssl's SSL structure
4218 #
4219 # returns: number of tickets to send
4220 Check openssl doc
4222 <https://www.openssl.org/docs/manmaster/man3/SSL_get_num_tickets.html>
4223 • get_server_random
4225 Returns internal SSLv3 server_random value.
4227 Net::SSLeay::get_server_random($ssl);
4229 # $ssl - value corresponding to openssl's SSL structure
4230 #
4231 # returns: server_random value (binary data)
4232 • get_client_random
4234 NOTE: Does not exactly correspond to any low level API function
4236 Returns internal SSLv3 client_random value.
4238 Net::SSLeay::get_client_random($ssl);
4240 # $ssl - value corresponding to openssl's SSL structure
4241 #
4242 # returns: client_random value (binary data)
4243 • export_keying_material
4245 Returns keying material based on the string $label and optional
4247 $context. Note that with TLSv1.2 and lower, empty context (empty
4248 string) and undefined context (no value or 'undef') will return
4249 different values.
4250 my $out = Net::SSLeay::export_keying_material($ssl, $olen, $label, $context);
4252 # $ssl - value corresponding to openssl's SSL structure
4253 # $olen - number of bytes to return
4254 # $label - application specific label
4255 # $context - [optional] context - default is undef for no context
4256 #
4257 # returns: keying material (binary data) or undef on error
4258 Check openssl doc
4260 <https://www.openssl.org/docs/manmaster/man3/SSL_export_keying_material.html>
4261 • get_session
4263 Retrieve TLS/SSL session data used in $ssl. The reference count of
4265 the SSL_SESSION is NOT incremented.
4266 my $rv = Net::SSLeay::get_session($ssl);
4268 # $ssl - value corresponding to openssl's SSL structure
4269 #
4270 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
4271 Check openssl doc
4273 <http://www.openssl.org/docs/ssl/SSL_get_session.html>
4274 • SSL_get0_session
4276 The alias for "get_session" (note that the name is
4278 "SSL_get0_session" NOT "get0_session").
4279 my $rv = Net::SSLeay::SSL_get0_session();
4281 • get1_session
4283 Returns a pointer to the SSL_SESSION actually used in $ssl. The
4285 reference count of the SSL_SESSION is incremented by 1.
4286 my $rv = Net::SSLeay::get1_session($ssl);
4288 # $ssl - value corresponding to openssl's SSL structure
4289 #
4290 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
4291 Check openssl doc
4293 <http://www.openssl.org/docs/ssl/SSL_get_session.html>
4294 • get_shared_ciphers
4296 Returns string with a list (colon ':' separated) of ciphers shared
4298 between client and server within SSL session $ssl.
4299 my $rv = Net::SSLeay::get_shared_ciphers()
4301 #
4302 # returns: string like 'ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:...'
4303 • get_shutdown
4305 Returns the shutdown mode of $ssl.
4307 my $rv = Net::SSLeay::get_shutdown($ssl);
4309 # $ssl - value corresponding to openssl's SSL structure
4310 #
4311 # returns: shutdown mode (bitmask) of ssl
4312 #to decode the return value (bitmask) use:
4314 0 - No shutdown setting, yet
4315 1 - SSL_SENT_SHUTDOWN
4316 2 - SSL_RECEIVED_SHUTDOWN
4317 Check openssl doc
4319 <http://www.openssl.org/docs/ssl/SSL_set_shutdown.html>
4320 • get_ssl_method
4322 Returns a function pointer to the TLS/SSL method set in $ssl.
4324 my $rv = Net::SSLeay::get_ssl_method($ssl);
4326 # $ssl - value corresponding to openssl's SSL structure
4327 #
4328 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
4329 Check openssl doc
4331 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
4332 • in_init, in_before, is_init_finished, in_connect_init,
4334 in_accept_init
4335 COMPATIBILITY: not available in Net-SSLeay-1.85 and before.
4337 Retrieve information about the handshake state machine. All
4339 functions take $ssl as the only argument and return 0 or 1. These
4340 functions are recommended over get_state() and state().
4341 my $rv = Net::SSLeay::is_init_finished($ssl);
4343 # $ssl - value corresponding to openssl's SSL structure
4344 #
4345 # returns: All functions return 1 or 0
4346 Check openssl doc https://www.openssl.org/docs/ssl/SSL_in_init.html
4348 <http://www.openssl.org/docs/ssl/SSL_in_init.html>
4349 • get_state
4351 COMPATIBILITY: OpenSSL 1.1.0 and later use different constants
4353 which are not made available. Use is_init_finished() and related
4354 functions instead.
4355 Returns the SSL connection state.
4357 my $rv = Net::SSLeay::get_state($ssl);
4359 # $ssl - value corresponding to openssl's SSL structure
4360 #
4361 # returns: (integer) state value
4362 # to decode the returned state check:
4363 # SSL_ST_* constants in openssl/ssl.h
4364 # SSL2_ST_* constants in openssl/ssl2.h
4365 # SSL23_ST_* constants in openssl/ssl23.h
4366 # SSL3_ST_* + DTLS1_ST_* constants in openssl/ssl3.h
4367 • state
4369 Exactly the same as "get_state".
4371 my $rv = Net::SSLeay::state($ssl);
4373 • set_state
4375 Sets the SSL connection state.
4377 Net::SSLeay::set_state($ssl,Net::SSLeay::SSL_ST_ACCEPT());
4379 Not available with OpenSSL 1.1 and later.
4381 • get_verify_depth
4383 Returns the verification depth limit currently set in $ssl.
4385 my $rv = Net::SSLeay::get_verify_depth($ssl);
4387 # $ssl - value corresponding to openssl's SSL structure
4388 #
4389 # returns: current depth or -1 if no limit has been explicitly set
4390 Check openssl doc
4392 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
4393 • set_verify_depth
4395 Sets the maximum depth for the certificate chain verification that
4397 shall be allowed for $ssl.
4398 Net::SSLeay::set_verify_depth($ssl, $depth);
4400 # $ssl - value corresponding to openssl's SSL structure
4401 # $depth - (integer) depth
4402 #
4403 # returns: no return value
4404 Check openssl doc
4406 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
4407 • get_verify_mode
4409 Returns the verification mode (bitmask) currently set in $ssl.
4411 my $rv = Net::SSLeay::get_verify_mode($ssl);
4413 # $ssl - value corresponding to openssl's SSL structure
4414 #
4415 # returns: mode (bitmask)
4416 To decode the return value (bitmask) see documentation for
4418 "CTX_get_verify_mode".
4419 Check openssl doc
4421 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
4422 • set_verify
4424 Sets the verification flags for $ssl to be $mode and specifies the
4426 $verify_callback function to be used.
4427 Net::SSLeay::set_verify($ssl, $mode, $callback);
4429 # $ssl - value corresponding to openssl's SSL structure
4430 # $mode - mode (bitmask)
4431 # $callback - [optional] reference to perl callback function
4432 #
4433 # returns: no return value
4434 For $mode bitmask details see "CTX_get_verify_mode".
4436 Check openssl doc
4438 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
4439 • set_post_handshake_auth
4441 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4443 requires at least OpenSSL 1.1.1, not in LibreSSL
4444 Enable the Post-Handshake Authentication extension to be added to
4446 the ClientHello such that post-handshake authentication can be
4447 requested by the server.
4448 Net::SSLeay::set_posthandshake_auth($ssl, $val);
4450 # $ssl - value corresponding to openssl's SSL structure
4451 # $val - 0 then the extension is not sent, otherwise it is
4452 #
4453 # returns: no return value
4454 Check openssl doc
4456 https://www.openssl.org/docs/manmaster/man3/SSL_set_post_handshake_auth
4457 <https://www.openssl.org/docs/manmaster/man3/SSL_set_post_handshake_auth.html>
4458 • verify_client_post_handshake
4460 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4462 requires at least OpenSSL 1.1.1, not in LibreSSL
4463 verify_client_post_handshake causes a CertificateRequest message to
4465 be sent by a server on the given ssl connection.
4466 my $rv = Net::SSLeay::verify_client_post_handshake($ssl);
4468 # $ssl - value corresponding to openssl's SSL structure
4469 #
4470 # returns: 1 if the request succeeded, and 0 if the request failed. The error stack can be examined to determine the failure reason.
4471 Check openssl doc
4473 <https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html>
4474 • get_verify_result
4476 Returns the result of the verification of the X509 certificate
4478 presented by the peer, if any.
4479 my $rv = Net::SSLeay::get_verify_result($ssl);
4481 # $ssl - value corresponding to openssl's SSL structure
4482 #
4483 # returns: (integer)
4484 # 0 - X509_V_OK: ok
4485 # 2 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
4486 # 3 - X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
4487 # 4 - X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
4488 # 5 - X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
4489 # 6 - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
4490 # 7 - X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
4491 # 8 - X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
4492 # 9 - X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
4493 # 10 - X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
4494 # 11 - X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
4495 # 12 - X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
4496 # 13 - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
4497 # 14 - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
4498 # 15 - X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
4499 # 16 - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
4500 # 17 - X509_V_ERR_OUT_OF_MEM: out of memory
4501 # 18 - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
4502 # 19 - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
4503 # 20 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
4504 # 21 - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
4505 # 22 - X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
4506 # 23 - X509_V_ERR_CERT_REVOKED: certificate revoked
4507 # 24 - X509_V_ERR_INVALID_CA: invalid CA certificate
4508 # 25 - X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
4509 # 26 - X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
4510 # 27 - X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
4511 # 28 - X509_V_ERR_CERT_REJECTED: certificate rejected
4512 # 29 - X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
4513 # 30 - X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
4514 # 31 - X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
4515 # 32 - X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
4516 # 50 - X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
4517 Check openssl doc
4519 <http://www.openssl.org/docs/ssl/SSL_get_verify_result.html>
4520 • set_verify_result
4522 Override result of peer certificate verification.
4524 Net::SSLeay::set_verify_result($ssl, $v);
4526 # $ssl - value corresponding to openssl's SSL structure
4527 # $v - (integer) result value
4528 #
4529 # returns: no return value
4530 For more info about valid return values see "get_verify_result"
4532 Check openssl doc
4534 <http://www.openssl.org/docs/ssl/SSL_set_verify_result.html>
4535 • get_wbio
4537 Get 'write' BIO linked to an SSL object $ssl.
4539 my $rv = Net::SSLeay::get_wbio($ssl);
4541 # $ssl - value corresponding to openssl's SSL structure
4542 #
4543 # returns: value corresponding to openssl's BIO structure (0 on failure)
4544 Check openssl doc
4546 <http://www.openssl.org/docs/ssl/SSL_get_rbio.html>
4547 • load_client_CA_file
4549 Load X509 certificates from file (PEM formatted).
4551 my $rv = Net::SSLeay::load_client_CA_file($file);
4553 # $file - (string) file name
4554 #
4555 # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
4556 Check openssl doc
4558 <http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html>
4559 • clear_num_renegotiations
4561 Executes SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS command on $ssl.
4563 my $rv = Net::SSLeay::clear_num_renegotiations($ssl);
4565 # $ssl - value corresponding to openssl's SSL structure
4566 #
4567 # returns: command result
4568 • need_tmp_RSA
4570 Executes SSL_CTRL_NEED_TMP_RSA command on $ssl.
4572 my $rv = Net::SSLeay::need_tmp_RSA($ssl);
4574 # $ssl - value corresponding to openssl's SSL structure
4575 #
4576 # returns: command result
4577 Not available with OpenSSL 1.1 and later.
4579 • num_renegotiations
4581 Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl.
4583 my $rv = Net::SSLeay::num_renegotiations($ssl);
4585 # $ssl - value corresponding to openssl's SSL structure
4586 #
4587 # returns: command result
4588 • total_renegotiations
4590 Executes SSL_CTRL_GET_TOTAL_RENEGOTIATIONS command on $ssl.
4592 my $rv = Net::SSLeay::total_renegotiations($ssl);
4594 # $ssl - value corresponding to openssl's SSL structure
4595 #
4596 # returns: command result
4597 • peek
4599 Copies $max bytes from the specified $ssl into the returned value.
4601 In contrast to the "Net::SSLeay::read()" function, the data in the
4602 SSL buffer is unmodified after the SSL_peek() operation.
4603 Net::SSLeay::peek($ssl, $max);
4605 # $ssl - value corresponding to openssl's SSL structure
4606 # $max - [optional] max bytes to peek (integer) - default is 32768
4607 #
4608 # in scalar context: data read from the TLS/SSL connection, undef on error
4609 # in list context: two-item array consisting of data read (undef on error),
4610 # and return code from SSL_peek().
4611 • peek_ex
4613 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4615 requires at least OpenSSL 1.1.1, not in LibreSSL
4616 Copies $max bytes from the specified $ssl into the returned value.
4618 In contrast to the "Net::SSLeay::read_ex()" function, the data in
4619 the SSL buffer is unmodified after the SSL_peek_ex() operation.
4620 my($got, $rv) = Net::SSLeay::peek_ex($ssl, $max);
4622 # $ssl - value corresponding to openssl's SSL structure
4623 # $max - [optional] max bytes to peek (integer) - default is 32768
4624 #
4625 # returns a list: two-item list consisting of data read (undef on error),
4626 # and return code from SSL_peek_ex().
4627 Check openssl doc
4629 <https://www.openssl.org/docs/manmaster/man3/SSL_peek_ex.html>
4630 • pending
4632 Obtain number of readable bytes buffered in $ssl object.
4634 my $rv = Net::SSLeay::pending($ssl);
4636 # $ssl - value corresponding to openssl's SSL structure
4637 #
4638 # returns: the number of bytes pending
4639 Check openssl doc
4641 <http://www.openssl.org/docs/ssl/SSL_pending.html>
4642 • has_pending
4644 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4646 requires at least OpenSSL 1.1.0, not in LibreSSL
4647 Returns 1 if $ssl has buffered data (whether processed or
4649 unprocessed) and 0 otherwise.
4650 my $rv = Net::SSLeay::has_pending($ssl);
4652 # $ssl - value corresponding to openssl's SSL structure
4653 #
4654 # returns: (integer) 1 or 0
4655 Check openssl doc
4657 <https://www.openssl.org/docs/manmaster/man3/SSL_has_pending.html>
4658 • read
4660 Tries to read $max bytes from the specified $ssl.
4662 my $got = Net::SSLeay::read($ssl, $max);
4664 my($got, $rv) = Net::SSLeay::read($ssl, $max);
4665 # $ssl - value corresponding to openssl's SSL structure
4666 # $max - [optional] max bytes to read (integer) - default is 32768
4667 #
4668 # returns:
4669 # in scalar context: data read from the TLS/SSL connection, undef on error
4670 # in list context: two-item array consisting of data read (undef on error),
4671 # and return code from SSL_read().
4672 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_read.html>
4674 • read_ex
4676 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4678 requires at least OpenSSL 1.1.1, not in LibreSSL
4679 Tries to read $max bytes from the specified $ssl.
4681 my($got, $rv) = Net::SSLeay::read_ex($ssl, $max);
4683 # $ssl - value corresponding to openssl's SSL structure
4684 # $max - [optional] max bytes to read (integer) - default is 32768
4685 #
4686 # returns a list: two-item list consisting of data read (undef on error),
4687 # and return code from SSL_read_ex().
4688 Check openssl doc
4690 <https://www.openssl.org/docs/manmaster/man3/SSL_read_ex.html>
4691 • renegotiate
4693 Turn on flags for renegotiation so that renegotiation will happen
4695 my $rv = Net::SSLeay::renegotiate($ssl);
4697 # $ssl - value corresponding to openssl's SSL structure
4698 #
4699 # returns: 1 on success, 0 on failure
4700 • rstate_string
4702 Returns a 2 letter string indicating the current read state of the
4704 SSL object $ssl.
4705 my $rv = Net::SSLeay::rstate_string($ssl);
4707 # $ssl - value corresponding to openssl's SSL structure
4708 #
4709 # returns: 2-letter string
4710 Check openssl doc
4712 <http://www.openssl.org/docs/ssl/SSL_rstate_string.html>
4713 • rstate_string_long
4715 Returns a string indicating the current read state of the SSL
4717 object ssl.
4718 my $rv = Net::SSLeay::rstate_string_long($ssl);
4720 # $ssl - value corresponding to openssl's SSL structure
4721 #
4722 # returns: string with current state
4723 Check openssl doc
4725 <http://www.openssl.org/docs/ssl/SSL_rstate_string.html>
4726 • session_reused
4728 Query whether a reused session was negotiated during handshake.
4730 my $rv = Net::SSLeay::session_reused($ssl);
4732 # $ssl - value corresponding to openssl's SSL structure
4733 #
4734 # returns: 0 - new session was negotiated; 1 - session was reused.
4735 Check openssl doc
4737 <http://www.openssl.org/docs/ssl/SSL_session_reused.html>
4738 • set1_param
4740 COMPATIBILITY: requires at least OpenSSL 1.0.0-beta3
4742 Applies X509 verification parameters $vpm on $ssl
4744 my $rv = Net::SSLeay::set1_param($ssl, $vpm);
4746 # $ssl - value corresponding to openssl's SSL structure
4747 # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
4748 #
4749 # returns: 1 on success, 0 on failure
4750 • set_accept_state
4752 Sets $ssl to work in server mode.
4754 Net::SSLeay::set_accept_state($ssl);
4756 # $ssl - value corresponding to openssl's SSL structure
4757 #
4758 # returns: no return value
4759 Check openssl doc
4761 <http://www.openssl.org/docs/ssl/SSL_set_connect_state.html>
4762 • set_bio
4764 Connects the BIOs $rbio and $wbio for the read and write operations
4766 of the TLS/SSL (encrypted) side of $ssl.
4767 Net::SSLeay::set_bio($ssl, $rbio, $wbio);
4769 # $ssl - value corresponding to openssl's SSL structure
4770 # $rbio - value corresponding to openssl's BIO structure
4771 # $wbio - value corresponding to openssl's BIO structure
4772 #
4773 # returns: no return value
4774 Check openssl doc
4776 <http://www.openssl.org/docs/ssl/SSL_set_bio.html>
4777 • set_cipher_list
4779 Sets the list of ciphers only for ssl.
4781 my $rv = Net::SSLeay::set_cipher_list($ssl, $str);
4783 # $ssl - value corresponding to openssl's SSL structure
4784 # $str - (string) cipher list e.g. '3DES:+RSA'
4785 #
4786 # returns: 1 if any cipher could be selected and 0 on complete failure
4787 Check openssl doc
4789 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
4790 • set_ciphersuites
4792 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4794 requires at least OpenSSL 1.1.1, not in LibreSSL
4795 Configure the available TLSv1.3 ciphersuites.
4797 my $rv = Net::SSLeay::set_ciphersuites($ssl, $str);
4799 # $ssl - value corresponding to openssl's SSL structure
4800 # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
4801 #
4802 # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
4803 Check openssl doc
4805 <https://www.openssl.org/docs/manmaster/man3/SSL_set_ciphersuites.html>
4806 • set_client_CA_list
4808 Sets the list of CAs sent to the client when requesting a client
4810 certificate for the chosen $ssl, overriding the setting valid for
4811 $ssl's SSL_CTX object.
4812 my $rv = Net::SSLeay::set_client_CA_list($ssl, $list);
4814 # $ssl - value corresponding to openssl's SSL structure
4815 # $list - value corresponding to openssl's STACK_OF(X509_NAME) structure
4816 #
4817 # returns: no return value
4818 Check openssl doc
4820 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
4821 • set_connect_state
4823 Sets $ssl to work in client mode.
4825 Net::SSLeay::set_connect_state($ssl);
4827 # $ssl - value corresponding to openssl's SSL structure
4828 #
4829 # returns: no return value
4830 Check openssl doc
4832 <http://www.openssl.org/docs/ssl/SSL_set_connect_state.html>
4833 • set_fd
4835 Sets the file descriptor $fd as the input/output facility for the
4837 TLS/SSL (encrypted) side of $ssl, $fd will typically be the socket
4838 file descriptor of a network connection.
4839 my $rv = Net::SSLeay::set_fd($ssl, $fd);
4841 # $ssl - value corresponding to openssl's SSL structure
4842 # $fd - (integer) file handle (got via perl's fileno)
4843 #
4844 # returns: 1 on success, 0 on failure
4845 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4847 • set_psk_client_callback
4849 Sets the psk client callback.
4851 Net::SSLeay::set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } );
4853 # $ssl - value corresponding to openssl's SSL structure
4854 # $hint - PSK identity hint send by the server
4855 # $identity - PSK identity
4856 # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef'
4857 #
4858 # returns: no return value
4859 Check openssl doc
4861 <http://www.openssl.org/docs/ssl/SSL_set_psk_client_callback.html>
4862 • set_rfd
4864 Sets the file descriptor $fd as the input (read) facility for the
4866 TLS/SSL (encrypted) side of $ssl.
4867 my $rv = Net::SSLeay::set_rfd($ssl, $fd);
4869 # $ssl - value corresponding to openssl's SSL structure
4870 # $fd - (integer) file handle (got via perl's fileno)
4871 #
4872 # returns: 1 on success, 0 on failure
4873 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4875 • set_wfd
4877 my $rv = Net::SSLeay::set_wfd($ssl, $fd);
4879 # $ssl - value corresponding to openssl's SSL structure
4880 # $fd - (integer) file handle (got via perl's fileno)
4881 #
4882 # returns: 1 on success, 0 on failure
4883 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4885 • set_info_callback
4887 Sets the callback function, that can be used to obtain state
4889 information for $ssl during connection setup and use. When
4890 callback is undef, the callback setting currently valid for ctx is
4891 used.
4892 Net::SSLeay::set_info_callback($ssl, $cb, [$data]);
4894 # $ssl - value corresponding to openssl's SSL structure
4895 # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... }
4896 #
4897 # returns: no return value
4898 Check openssl doc
4900 <http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
4901 • CTX_set_info_callback
4903 Sets the callback function on ctx, that can be used to obtain state
4905 information during ssl connection setup and use. When callback is
4906 undef, an existing callback will be disabled.
4907 Net::SSLeay::CTX_set_info_callback($ssl, $cb, [$data]);
4909 # $ssl - value corresponding to openssl's SSL structure
4910 # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... }
4911 #
4912 # returns: no return value
4913 Check openssl doc
4915 <http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
4916 • set_pref_cipher
4918 Sets the list of available ciphers for $ssl using the control
4920 string $str.
4921 my $rv = Net::SSLeay::set_pref_cipher($ssl, $str);
4923 # $ssl - value corresponding to openssl's SSL structure
4924 # $str - (string) cipher list e.g. '3DES:+RSA'
4925 #
4926 # returns: 1 if any cipher could be selected and 0 on complete failure
4927 Check openssl doc
4929 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
4930 • CTX_set_psk_client_callback
4932 Sets the psk client callback.
4934 Net::SSLeay::CTX_set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } );
4936 # $ssl - value corresponding to openssl's SSL structure
4937 # $hint - PSK identity hint send by the server
4938 # $identity - PSK identity
4939 # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef'
4940 #
4941 # returns: no return value
4942 Check openssl doc
4944 <http://www.openssl.org/docs/ssl/SSL_CTX_set_psk_client_callback.html>
4945 • set_purpose
4947 my $rv = Net::SSLeay::set_purpose($ssl, $purpose);
4949 # $ssl - value corresponding to openssl's SSL structure
4950 # $purpose - (integer) purpose identifier
4951 #
4952 # returns: 1 on success, 0 on failure
4953 For more info about available $purpose identifiers see
4955 "CTX_set_purpose".
4956 • set_quiet_shutdown
4958 Sets the 'quiet shutdown' flag for $ssl to be $mode.
4960 Net::SSLeay::set_quiet_shutdown($ssl, $mode);
4962 # $ssl - value corresponding to openssl's SSL structure
4963 # $mode - 0 or 1
4964 #
4965 # returns: no return value
4966 Check openssl doc
4968 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
4969 • set_session
4971 Set a TLS/SSL session to be used during TLS/SSL connect.
4973 my $rv = Net::SSLeay::set_session($to, $ses);
4975 # $to - value corresponding to openssl's SSL structure
4976 # $ses - value corresponding to openssl's SSL_SESSION structure
4977 #
4978 # returns: 1 on success, 0 on failure
4979 Check openssl doc
4981 <http://www.openssl.org/docs/ssl/SSL_set_session.html>
4982 • set_session_id_context
4984 Sets the context $sid_ctx of length $sid_ctx_len within which a
4986 session can be reused for the $ssl object.
4987 my $rv = Net::SSLeay::set_session_id_context($ssl, $sid_ctx, $sid_ctx_len);
4989 # $ssl - value corresponding to openssl's SSL structure
4990 # $sid_ctx - data buffer
4991 # $sid_ctx_len - length of data in $sid_ctx
4992 #
4993 # returns: 1 on success, 0 on failure
4994 Check openssl doc
4996 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html>
4997 • set_session_secret_cb
4999 Setup pre-shared secret session resumption function.
5001 Net::SSLeay::set_session_secret_cb($ssl, $func, $data);
5003 # $ssl - value corresponding to openssl's SSL structure
5004 # $func - perl reference to callback function
5005 # $data - [optional] data that will be passed to callback function when invoked
5006 #
5007 # returns: no return value
5008 The callback function will be called like:
5010 callback_function($secret, $ciphers, $pref_cipher, $data);
5011 # $secret is the current master session key, usually all 0s at the
5013 beginning of a session # $ciphers is ref to an array of peer cipher
5014 names # $pref_cipher is a ref to an index into the list of cipher
5015 names of # the preferred cipher. Set it if you want to specify a
5016 preferred cipher # $data is the data passed to
5017 set_session_secret_cb
5018 The callback function should return 1 if it likes the suggested
5020 cipher (or has selected an alternative by setting pref_cipher),
5021 else it should return 0 (in which case OpenSSL will select its own
5022 preferred cipher).
5023 With OpenSSL 1.1 and later, callback_function can change the master
5025 key for the session by altering $secret and returning 1.
5026 • CTX_set_tlsext_ticket_getkey_cb
5028 Setup encryption for TLS session tickets (stateless session reuse).
5030 Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data);
5032 # $ctx - value corresponding to openssl's SSL_CTX structure
5033 # $func - perl reference to callback function
5034 # $data - [optional] data that will be passed to callback function when invoked
5035 #
5036 # returns: no return value
5037 The callback function will be called like:
5039 getkey($data,[$key_name]) -> ($key,$current_key_name)
5040 # $data is the data passed to set_session_secret_cb # $key_name is
5042 the name of the key OpenSSL has extracted from the session ticket #
5043 $key is the requested key for ticket encryption + HMAC #
5044 $current_key_name is the name for the currently valid key
5045 OpenSSL will call the function without a key name if it generates a
5047 new ticket. It then needs the callback to return the
5048 encryption+HMAC key and an identifier (key name) for this key.
5049 When OpenSSL gets a session ticket from the client it extracts the
5051 key name and calls the callback with this name as argument. It then
5052 expects the callback to return the encryption+HMAC key matching the
5053 requested key name and and also the key name which should be used
5054 at the moment. If the requested key name and the returned key name
5055 differ it means that this session ticket was created with an
5056 expired key and need to be renewed. In this case OpenSSL will call
5057 the callback again with no key name to create a new session ticket
5058 based on the old one.
5059 The key must be at least 32 byte of random data which can be
5061 created with RAND_bytes. Internally the first 16 byte are used as
5062 key in AES-128 encryption while the next 16 byte are used for the
5063 SHA-256 HMAC. The key name are binary data and must be exactly 16
5064 byte long.
5065 Example:
5067 Net::SSLeay::RAND_bytes(my $oldkey,32);
5069 Net::SSLeay::RAND_bytes(my $newkey,32);
5070 my $oldkey_name = pack("a16",'oldsecret');
5071 my $newkey_name = pack("a16",'newsecret');
5072 my @keys = (
5074 [ $newkey_name, $newkey ], # current active key
5075 [ $oldkey_name, $oldkey ], # already expired
5076 );
5077 Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub {
5079 my ($mykeys,$name) = @_;
5080 # return (current_key, current_key_name) if no name given
5082 return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name;
5083 # return (matching_key, current_key_name) if we find a key matching
5085 # the given name
5086 for(my $i = 0; $i<@$mykeys; $i++) {
5087 next if $name ne $mykeys->[$i][0];
5088 return ($mykeys->[$i][1],$mykeys->[0][0]);
5089 }
5090 # no matching key found
5092 return;
5093 },\@keys);
5094 This function is based on the OpenSSL function
5096 SSL_CTX_set_tlsext_ticket_key_cb but provides a simpler to use
5097 interface. For more information see
5098 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html>
5099 • set_session_ticket_ext_cb
5101 Setup callback for TLS session tickets (stateless session reuse).
5103 Net::SSLeay::set_session_ticket_ext_cb($ssl, $func, $data);
5105 # $ssl - value corresponding to openssl's SSL structure
5106 # $func - perl reference to callback function
5107 # $data - [optional] data that will be passed to callback function when invoked
5108 #
5109 # returns: no return value
5110 The callback function will be called like:
5112 getticket($ssl,$ticket,$data) -> $return_value
5113 # $ssl is a value corresponding to openssl's SSL structure #
5115 $ticket is a value of received TLS session ticket (can also be
5116 empty) # $data is the data passed to set_session_ticket_ext_cb #
5117 $return_value is either 0 (failure) or 1 (success)
5118 This function is based on the OpenSSL function
5120 SSL_set_session_ticket_ext_cb.
5121 • set_session_ticket_ext
5123 Set TLS session ticket (stateless session reuse).
5125 Net::SSLeay::set_session_ticket_ext($ssl, $ticket);
5127 # $ssl - value corresponding to openssl's SSL structure
5128 # $ticket - is a value of TLS session ticket which client will send (can also be empty string)
5129 #
5130 # returns: no return value
5131 The callback function will be called like:
5133 getticket($ssl,$ticket,$data) -> $return_value
5134 # $ssl is a value corresponding to openssl's SSL structure #
5136 $ticket is a value of received TLS session ticket (can also be
5137 empty) # $data is the data passed to set_session_ticket_ext_cb #
5138 $return_value is either 0 (failure) or 1 (success)
5139 This function is based on the OpenSSL function
5141 SSL_set_session_ticket_ext_cb.
5142 • set_shutdown
5144 Sets the shutdown state of $ssl to $mode.
5146 Net::SSLeay::set_shutdown($ssl, $mode);
5148 # $ssl - value corresponding to openssl's SSL structure
5149 # $mode - (integer) shutdown mode:
5150 # 0 - No shutdown
5151 # 1 - SSL_SENT_SHUTDOWN
5152 # 2 - SSL_RECEIVED_SHUTDOWN
5153 # 3 - SSL_RECEIVED_SHUTDOWN+SSL_SENT_SHUTDOWN
5154 #
5155 # returns: no return value
5156 Check openssl doc
5158 <http://www.openssl.org/docs/ssl/SSL_set_shutdown.html>
5159 • set_ssl_method
5161 Sets a new TLS/SSL method for a particular $ssl object.
5163 my $rv = Net::SSLeay::set_ssl_method($ssl, $method);
5165 # $ssl - value corresponding to openssl's SSL structure
5166 # $method - value corresponding to openssl's SSL_METHOD structure
5167 #
5168 # returns: 1 on success, 0 on failure
5169 Check openssl doc
5171 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
5172 • set_tmp_dh
5174 Sets DH parameters to be used to be $dh.
5176 my $rv = Net::SSLeay::set_tmp_dh($ssl, $dh);
5178 # $ssl - value corresponding to openssl's SSL structure
5179 # $dh - value corresponding to openssl's DH structure
5180 #
5181 # returns: 1 on success, 0 on failure
5182 Check openssl doc
5184 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
5185 • set_tmp_dh_callback
5187 Sets the callback function for $ssl to be used when a DH parameters
5189 are required to $dh_cb.
5190 ??? (does this function really work?)
5192 Net::SSLeay::set_tmp_dh_callback($ssl, $dh);
5194 # $ssl - value corresponding to openssl's SSL structure
5195 # $dh_cb - pointer to function ???
5196 #
5197 # returns: no return value
5198 Check openssl doc
5200 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
5201 • set_tmp_rsa
5203 Sets the temporary/ephemeral RSA key to be used in $ssl to be $rsa.
5205 my $rv = Net::SSLeay::set_tmp_rsa($ssl, $rsa);
5207 # $ssl - value corresponding to openssl's SSL structure
5208 # $rsa - value corresponding to openssl's RSA structure
5209 #
5210 # returns: 1 on success, 0 on failure
5211 Example:
5213 $rsakey = Net::SSLeay::RSA_generate_key();
5215 Net::SSLeay::set_tmp_rsa($ssl, $rsakey);
5216 Net::SSLeay::RSA_free($rsakey);
5217 Check openssl doc
5219 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
5220 • set_tmp_rsa_callback
5222 Sets the callback function for $ssl to be used when a
5224 temporary/ephemeral RSA key is required to $tmp_rsa_callback.
5225 ??? (does this function really work?)
5227 Net::SSLeay::set_tmp_rsa_callback($ssl, $tmp_rsa_callback);
5229 # $ssl - value corresponding to openssl's SSL structure
5230 # $tmp_rsa_callback - (function pointer) ???
5231 #
5232 # returns: no return value
5233 Check openssl doc
5235 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
5236 • set_trust
5238 my $rv = Net::SSLeay::set_trust($ssl, $trust);
5240 # $ssl - value corresponding to openssl's SSL structure
5241 # $trust - (integer) trust identifier
5242 #
5243 # returns: the original value
5244 For more details about $trust values see "CTX_set_trust".
5246 • shutdown
5248 Shuts down an active TLS/SSL connection. It sends the 'close
5250 notify' shutdown alert to the peer.
5251 my $rv = Net::SSLeay::shutdown($ssl);
5253 # $ssl - value corresponding to openssl's SSL structure
5254 #
5255 # returns: 1 - shutdown was successfully completed
5256 # 0 - shutdown is not yet finished,
5257 # -1 - shutdown was not successful
5258 Check openssl doc
5260 <http://www.openssl.org/docs/ssl/SSL_shutdown.html>
5261 • state_string
5263 Returns a 6 letter string indicating the current state of the SSL
5265 object $ssl.
5266 my $rv = Net::SSLeay::state_string($ssl);
5268 # $ssl - value corresponding to openssl's SSL structure
5269 #
5270 # returns: 6-letter string
5271 Check openssl doc
5273 <http://www.openssl.org/docs/ssl/SSL_state_string.html>
5274 • state_string_long
5276 Returns a string indicating the current state of the SSL object
5278 $ssl.
5279 my $rv = Net::SSLeay::state_string_long($ssl);
5281 # $ssl - value corresponding to openssl's SSL structure
5282 #
5283 # returns: state strings
5284 Check openssl doc
5286 <http://www.openssl.org/docs/ssl/SSL_state_string.html>
5287 • set_default_passwd_cb
5289 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5291 requires at least OpenSSL 1.1.0f. Not needed with LibreSSL.
5292 Sets the default password callback called when loading/storing a
5294 PEM certificate with encryption for $ssl.
5295 Net::SSLeay::set_default_passwd_cb($ssl, $func);
5297 # $ssl - value corresponding to openssl's SSL structure
5298 # $func - perl reference to callback function
5299 #
5300 # returns: no return value
5301 Check openssl doc
5303 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
5304 • set_default_passwd_cb_userdata
5306 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5308 requires at least OpenSSL 1.1.0f. Not needed with LibreSSL.
5309 Sets a pointer to userdata which will be provided to the password
5311 callback of $ssl on invocation.
5312 Net::SSLeay::set_default_passwd_cb_userdata($ssl, $userdata);
5314 # $ssl - value corresponding to openssl's SSL structure
5315 # $userdata - data that will be passed to callback function when invoked
5316 #
5317 # returns: no return value
5318 Check openssl doc
5320 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
5321 • use_PrivateKey
5323 Adds $pkey as private key to $ssl.
5325 my $rv = Net::SSLeay::use_PrivateKey($ssl, $pkey);
5327 # $ssl - value corresponding to openssl's SSL structure
5328 # $pkey - value corresponding to openssl's EVP_PKEY structure
5329 #
5330 # returns: 1 on success, otherwise check out the error stack to find out the reason
5331 Check openssl doc
5333 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5334 • use_PrivateKey_ASN1
5336 Adds the private key of type $pk stored in $data to $ssl.
5338 my $rv = Net::SSLeay::use_PrivateKey_ASN1($pk, $ssl, $d, $len);
5340 # $pk - (integer) key type, NID of corresponding algorithm
5341 # $ssl - value corresponding to openssl's SSL structure
5342 # $data - key data (binary)
5343 # $len - length of $data
5344 #
5345 # returns: 1 on success, otherwise check out the error stack to find out the reason
5346 Check openssl doc
5348 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5349 • use_PrivateKey_file
5351 Adds the first private key found in $file to $ssl.
5353 my $rv = Net::SSLeay::use_PrivateKey_file($ssl, $file, $type);
5355 # $ssl - value corresponding to openssl's SSL structure
5356 # $file - (string) file name
5357 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5358 #
5359 # returns: 1 on success, otherwise check out the error stack to find out the reason
5360 Check openssl doc
5362 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5363 • use_RSAPrivateKey
5365 Adds $rsa as RSA private key to $ssl.
5367 my $rv = Net::SSLeay::use_RSAPrivateKey($ssl, $rsa);
5369 # $ssl - value corresponding to openssl's SSL structure
5370 # $rsa - value corresponding to openssl's RSA structure
5371 #
5372 # returns: 1 on success, otherwise check out the error stack to find out the reason
5373 Check openssl doc
5375 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5376 • use_RSAPrivateKey_ASN1
5378 Adds RSA private key stored in $data to $ssl.
5380 my $rv = Net::SSLeay::use_RSAPrivateKey_ASN1($ssl, $data, $len);
5382 # $ssl - value corresponding to openssl's SSL structure
5383 # $data - key data (binary)
5384 # $len - length of $data
5385 #
5386 # returns: 1 on success, otherwise check out the error stack to find out the reason
5387 Check openssl doc
5389 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5390 • use_RSAPrivateKey_file
5392 Adds the first RSA private key found in $file to $ssl.
5394 my $rv = Net::SSLeay::use_RSAPrivateKey_file($ssl, $file, $type);
5396 # $ssl - value corresponding to openssl's SSL structure
5397 # $file - (string) file name
5398 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5399 #
5400 # returns: 1 on success, otherwise check out the error stack to find out the reason
5401 Check openssl doc
5403 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5404 • use_certificate
5406 Loads the certificate $x into $ssl.
5408 my $rv = Net::SSLeay::use_certificate($ssl, $x);
5410 # $ssl - value corresponding to openssl's SSL structure
5411 # $x - value corresponding to openssl's X509 structure
5412 #
5413 # returns: 1 on success, otherwise check out the error stack to find out the reason
5414 Check openssl doc
5416 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5417 • use_certificate_ASN1
5419 Loads the ASN1 encoded certificate from $data to $ssl.
5421 my $rv = Net::SSLeay::use_certificate_ASN1($ssl, $data, $len);
5423 # $ssl - value corresponding to openssl's SSL structure
5424 # $data - certificate data (binary)
5425 # $len - length of $data
5426 #
5427 # returns: 1 on success, otherwise check out the error stack to find out the reason
5428 Check openssl doc
5430 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5431 • use_certificate_chain_file
5433 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5435 requires at least OpenSSL 1.1.0
5436 Loads a certificate chain from $file into $ssl. The certificates
5438 must be in PEM format and must be sorted starting with the
5439 subject's certificate (actual client or server certificate),
5440 followed by intermediate CA certificates if applicable, and ending
5441 at the highest level (root) CA.
5442 my $rv = Net::SSLeay::use_certificate_chain_file($ssl, $file);
5444 # $ssl - value corresponding to openssl's SSL structure
5445 # $file - (string) file name
5446 #
5447 # returns: 1 on success, otherwise check out the error stack to find out the reason
5448 Check openssl doc
5450 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5451 • use_certificate_file
5453 Loads the first certificate stored in $file into $ssl.
5455 my $rv = Net::SSLeay::use_certificate_file($ssl, $file, $type);
5457 # $ssl - value corresponding to openssl's SSL structure
5458 # $file - (string) file name
5459 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5460 #
5461 # returns: 1 on success, otherwise check out the error stack to find out the reason
5462 Check openssl doc
5464 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5465 • get_version
5467 Returns SSL/TLS protocol name
5469 my $rv = Net::SSLeay::get_version($ssl);
5471 # $ssl - value corresponding to openssl's SSL structure
5472 #
5473 # returns: (string) protocol name, see OpenSSL manual for the full list
5474 # TLSv1
5475 # TLSv1.3
5476 Check openssl doc
5478 <https://www.openssl.org/docs/manmaster/man3/SSL_get_version.html>
5479 • version
5481 Returns SSL/TLS protocol version
5483 my $rv = Net::SSLeay::version($ssl);
5485 # $ssl - value corresponding to openssl's SSL structure
5486 #
5487 # returns: (integer) protocol version, see OpenSSL manual for the full list
5488 # 0x0301 - TLS1_VERSION (TLSv1)
5489 # 0xFEFF - DTLS1_VERSION (DTLSv1)
5490 Check openssl doc
5492 <https://www.openssl.org/docs/manmaster/man3/SSL_version.html>
5493 • client_version
5495 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5497 requires at least OpenSSL 1.1.0, not in LibreSSL
5498 Returns TLS protocol version used by the client when initiating the
5500 connection
5501 my $rv = Net::SSLeay::client_version($ssl);
5503 # $ssl - value corresponding to openssl's SSL structure
5504 #
5505 # returns: (integer) protocol version, see OpenSSL manual for the full list
5506 # 0x0301 - TLS1_VERSION (TLSv1)
5507 # 0xFEFF - DTLS1_VERSION (DTLSv1)
5508 Check openssl doc
5510 <https://www.openssl.org/docs/manmaster/man3/SSL_client_version.html>
5511 • is_dtls
5513 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5515 requires at least OpenSSL 1.1.0, not in LibreSSL
5516 my $rv = Net::SSLeay::is_dtls($ssl);
5518 # $ssl - value corresponding to openssl's SSL structure
5519 #
5520 # returns: (integer) zero or one
5521 # 0 - connection is not using DTLS
5522 # 1 - connection is using DTLS
5523 Check openssl doc
5525 <https://www.openssl.org/docs/manmaster/man3/SSL_is_dtls.html>
5526 • want
5528 Returns state information for the SSL object $ssl.
5530 my $rv = Net::SSLeay::want($ssl);
5532 # $ssl - value corresponding to openssl's SSL structure
5533 #
5534 # returns: state
5535 # 1 - SSL_NOTHING
5536 # 2 - SSL_WRITING
5537 # 3 - SSL_READING
5538 # 4 - SSL_X509_LOOKUP
5539 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_want.html>
5541 • write
5543 Writes data from the buffer $data into the specified $ssl
5545 connection.
5546 my $rv = Net::SSLeay::write($ssl, $data);
5548 # $ssl - value corresponding to openssl's SSL structure
5549 # $data - data to be written
5550 #
5551 # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection
5552 # 0 - write not successful, probably the underlying connection was closed
5553 # <0 - error
5554 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_write.html>
5556 • write_ex
5558 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5560 requires at least OpenSSL 1.1.1, not in LibreSSL
5561 Writes data from the buffer $data into the specified $ssl
5563 connection.
5564 my ($len, $rv) = Net::SSLeay::write_ex($ssl, $data);
5566 # $ssl - value corresponding to openssl's SSL structure
5567 # $data - data to be written
5568 #
5569 # returns a list: two-item list consisting of number of bytes written,
5570 # and return code from SSL_write_ex()
5571 Check openssl doc
5573 <https://www.openssl.org/docs/manmaster/man3/SSL_write_ex.html>
5574 • write_partial
5576 NOTE: Does not exactly correspond to any low level API function
5578 Writes a fragment of data in $data from the buffer $data into the
5580 specified $ssl connection. This is a non-blocking function like
5581 Net::SSLeay::write().
5582 my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data);
5584 # $ssl - value corresponding to openssl's SSL structure
5585 # $from - (integer) offset from the beginning of $data
5586 # $count - (integer) length of data to be written
5587 # $data - data buffer
5588 #
5589 # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection
5590 # 0 - write not successful, probably the underlying connection was closed
5591 # <0 - error
5592 • set_tlsext_host_name
5594 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
5596 requires at least openssl-0.9.8f
5597 Sets TLS servername extension on SLL object $ssl to value $name.
5599 my $rv = set_tlsext_host_name($ssl, $name);
5601 # $ssl - value corresponding to openssl's SSL structure
5602 # $name - (string) name to be set
5603 #
5604 # returns: 1 on success, 0 on failure
5605 Low level API: RAND_* related functions
5607 Check openssl doc related to RAND stuff
5609 <http://www.openssl.org/docs/crypto/rand.html>
5610 • RAND_add
5612 Mixes the $num bytes at $buf into the PRNG state.
5614 Net::SSLeay::RAND_add($buf, $num, $entropy);
5616 # $buf - buffer with data to be mixed into the PRNG state
5617 # $num - number of bytes in $buf
5618 # $entropy - estimate of how much randomness is contained in $buf (in bytes)
5619 #
5620 # returns: no return value
5621 Check openssl doc
5623 <http://www.openssl.org/docs/crypto/RAND_add.html>
5624 • RAND_seed
5626 Equivalent to "RAND_add" when $num == $entropy.
5628 Net::SSLeay::RAND_seed($buf); # Perlishly figures out buf size
5630 # $buf - buffer with data to be mixed into the PRNG state
5631 # $num - number of bytes in $buf
5632 #
5633 # returns: no return value
5634 Check openssl doc
5636 <http://www.openssl.org/docs/crypto/RAND_add.html>
5637 • RAND_status
5639 Gives PRNG status (seeded enough or not).
5641 my $rv = Net::SSLeay::RAND_status();
5643 #returns: 1 if the PRNG has been seeded with enough data, 0 otherwise
5644 Check openssl doc
5646 <http://www.openssl.org/docs/crypto/RAND_add.html>
5647 • RAND_bytes
5649 Puts $num cryptographically strong pseudo-random bytes into $buf.
5651 my $rv = Net::SSLeay::RAND_bytes($buf, $num);
5653 # $buf - buffer where the random data will be stored
5654 # $num - the size (in bytes) of requested random data
5655 #
5656 # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure
5657 Check openssl doc
5659 <http://www.openssl.org/docs/manmaster/man3/RAND_bytes.html>
5660 • RAND_priv_bytes
5662 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5664 requires at least OpenSSL 1.1.1, not in LibreSSL
5665 Puts $num cryptographically strong pseudo-random bytes into $buf.
5667 my $rv = Net::SSLeay::RAND_priv_bytes($buf, $num);
5669 # $buf - buffer where the random data will be stored
5670 # $num - the size (in bytes) of requested random data
5671 #
5672 # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure
5673 RAND_priv_bytes has the same semantics as RAND_bytes, but see see
5675 the documentation for more information.
5676 Check openssl doc
5678 <http://www.openssl.org/docs/manmaster/man3/RAND_priv_bytes.html>
5679 • RAND_pseudo_bytes
5681 Puts $num pseudo-random (not necessarily unpredictable) bytes into
5683 $buf.
5684 my $rv = Net::SSLeay::RAND_pseudo_bytes($buf, $num);
5686 # $buf - buffer where the random data will be stored
5687 # $num - the size (in bytes) of requested random data
5688 #
5689 # returns: 1 if the bytes generated are cryptographically strong, 0 otherwise
5690 Check openssl doc
5692 <http://www.openssl.org/docs/crypto/RAND_bytes.html>
5693 • RAND_cleanup
5695 Erase the PRNG state.
5697 Net::SSLeay::RAND_cleanup();
5699 # no args, no return value
5700 Check openssl doc
5702 <http://www.openssl.org/docs/crypto/RAND_cleanup.html>
5703 • RAND_egd_bytes
5705 Queries the entropy gathering daemon EGD on socket $path for $bytes
5707 bytes.
5708 my $rv = Net::SSLeay::RAND_egd_bytes($path, $bytes);
5710 # $path - path to a socket of entropy gathering daemon EGD
5711 # $bytes - number of bytes we want from EGD
5712 #
5713 # returns: the number of bytes read from the daemon on success, and -1 on failure
5714 Check openssl doc
5716 <http://www.openssl.org/docs/crypto/RAND_egd.html>
5717 • RAND_file_name
5719 Generates a default path for the random seed file.
5721 my $file = Net::SSLeay::RAND_file_name($num);
5723 # $num - maximum size of returned file name
5724 #
5725 # returns: string with file name on success, '' (empty string) on failure
5726 Check openssl doc
5728 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5729 • RAND_load_file
5731 COMPATIBILITY: Is no longer functional on LibreSSL
5733 Reads $max_bytes of bytes from $file_name and adds them to the
5735 PRNG.
5736 my $rv = Net::SSLeay::RAND_load_file($file_name, $max_bytes);
5738 # $file_name - the name of file
5739 # $max_bytes - bytes to read from $file_name; -1 => the complete file is read
5740 #
5741 # returns: the number of bytes read
5742 Check openssl doc
5744 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5745 • RAND_write_file
5747 Writes 1024 random bytes to $file_name which can be used to
5749 initialize the PRNG by calling "RAND_load_file" in a later session.
5750 my $rv = Net::SSLeay::RAND_write_file($file_name);
5752 # $file_name - the name of file
5753 #
5754 # returns: the number of bytes written, and -1 if the bytes written were generated without appropriate seed
5755 Check openssl doc
5757 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5758 • RAND_poll
5760 Collects some entropy from operating system and adds it to the
5762 PRNG.
5763 my $rv = Net::SSLeay::RAND_poll();
5765 # returns: 1 on success, 0 on failure (unable to gather reasonable entropy)
5766 Low level API: OBJ_* related functions
5768 • OBJ_cmp
5770 Compares ASN1_OBJECT $a to ASN1_OBJECT $b.
5772 my $rv = Net::SSLeay::OBJ_cmp($a, $b);
5774 # $a - value corresponding to openssl's ASN1_OBJECT structure
5775 # $b - value corresponding to openssl's ASN1_OBJECT structure
5776 #
5777 # returns: if the two are identical 0 is returned
5778 Check openssl doc
5780 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5781 • OBJ_dup
5783 Returns a copy/duplicate of $o.
5785 my $rv = Net::SSLeay::OBJ_dup($o);
5787 # $o - value corresponding to openssl's ASN1_OBJECT structure
5788 #
5789 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5790 Check openssl doc
5792 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5793 • OBJ_nid2ln
5795 Returns long name for given NID $n.
5797 my $rv = Net::SSLeay::OBJ_nid2ln($n);
5799 # $n - (integer) NID
5800 #
5801 # returns: (string) long name e.g. 'commonName'
5802 Check openssl doc
5804 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5805 • OBJ_ln2nid
5807 Returns NID corresponding to given long name $n.
5809 my $rv = Net::SSLeay::OBJ_ln2nid($s);
5811 # $s - (string) long name e.g. 'commonName'
5812 #
5813 # returns: (integer) NID
5814 • OBJ_nid2sn
5816 Returns short name for given NID $n.
5818 my $rv = Net::SSLeay::OBJ_nid2sn($n);
5820 # $n - (integer) NID
5821 #
5822 # returns: (string) short name e.g. 'CN'
5823 Example:
5825 print Net::SSLeay::OBJ_nid2sn(&Net::SSLeay::NID_commonName);
5827 • OBJ_sn2nid
5829 Returns NID corresponding to given short name $s.
5831 my $rv = Net::SSLeay::OBJ_sn2nid($s);
5833 # $s - (string) short name e.g. 'CN'
5834 #
5835 # returns: (integer) NID
5836 Example:
5838 print "NID_commonName constant=", &Net::SSLeay::NID_commonName;
5840 print "OBJ_sn2nid('CN')=", Net::SSLeay::OBJ_sn2nid('CN');
5841 • OBJ_nid2obj
5843 Returns ASN1_OBJECT for given NID $n.
5845 my $rv = Net::SSLeay::OBJ_nid2obj($n);
5847 # $n - (integer) NID
5848 #
5849 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5850 Check openssl doc
5852 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5853 • OBJ_obj2nid
5855 Returns NID corresponding to given ASN1_OBJECT $o.
5857 my $rv = Net::SSLeay::OBJ_obj2nid($o);
5859 # $o - value corresponding to openssl's ASN1_OBJECT structure
5860 #
5861 # returns: (integer) NID
5862 Check openssl doc
5864 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5865 • OBJ_txt2obj
5867 Converts the text string s into an ASN1_OBJECT structure. If
5869 $no_name is 0 then long names (e.g. 'commonName') and short names
5870 (e.g. 'CN') will be interpreted as well as numerical forms (e.g.
5871 '2.5.4.3'). If $no_name is 1 only the numerical form is acceptable.
5872 my $rv = Net::SSLeay::OBJ_txt2obj($s, $no_name);
5874 # $s - text string to be converted
5875 # $no_name - (integer) 0 or 1
5876 #
5877 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5878 Check openssl doc
5880 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5881 • OBJ_obj2txt
5883 Converts the ASN1_OBJECT a into a textual representation.
5885 Net::SSLeay::OBJ_obj2txt($a, $no_name);
5887 # $a - value corresponding to openssl's ASN1_OBJECT structure
5888 # $no_name - (integer) 0 or 1
5889 #
5890 # returns: textual representation e.g. 'commonName' ($no_name=0), '2.5.4.3' ($no_name=1)
5891 Check openssl doc
5893 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5894 • OBJ_txt2nid
5896 Returns NID corresponding to text string $s which can be a long
5898 name, a short name or the numerical representation of an object.
5899 my $rv = Net::SSLeay::OBJ_txt2nid($s);
5901 # $s - (string) e.g. 'commonName' or 'CN' or '2.5.4.3'
5902 #
5903 # returns: (integer) NID
5904 Example:
5906 my $nid = Net::SSLeay::OBJ_txt2nid('2.5.4.3');
5908 Net::SSLeay::OBJ_nid2sn($n);
5909 Check openssl doc
5911 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5912 Low level API: ASN1_INTEGER_* related functions
5914 • ASN1_INTEGER_new
5916 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5918 Creates a new ASN1_INTEGER structure.
5920 my $rv = Net::SSLeay::ASN1_INTEGER_new();
5922 #
5923 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
5924 • ASN1_INTEGER_free
5926 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5928 Free an allocated ASN1_INTEGER structure.
5930 Net::SSLeay::ASN1_INTEGER_free($i);
5932 # $i - value corresponding to openssl's ASN1_INTEGER structure
5933 #
5934 # returns: no return value
5935 • ASN1_INTEGER_get
5937 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5939 Returns integer value of given ASN1_INTEGER object.
5941 BEWARE: If the value stored in ASN1_INTEGER is greater than max.
5943 integer that can be stored in 'long' type (usually 32bit but may
5944 vary according to platform) then this function will return -1. For
5945 getting large ASN1_INTEGER values consider using
5946 "P_ASN1_INTEGER_get_dec" or "P_ASN1_INTEGER_get_hex".
5947 my $rv = Net::SSLeay::ASN1_INTEGER_get($a);
5949 # $a - value corresponding to openssl's ASN1_INTEGER structure
5950 #
5951 # returns: integer value of ASN1_INTEGER object in $a
5952 • ASN1_INTEGER_set
5954 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5956 Sets value of given ASN1_INTEGER object to value $val
5958 BEWARE: $val has max. limit (= max. integer that can be stored in
5960 'long' type). For setting large ASN1_INTEGER values consider using
5961 "P_ASN1_INTEGER_set_dec" or "P_ASN1_INTEGER_set_hex".
5962 my $rv = Net::SSLeay::ASN1_INTEGER_set($i, $val);
5964 # $i - value corresponding to openssl's ASN1_INTEGER structure
5965 # $val - integer value
5966 #
5967 # returns: 1 on success, 0 on failure
5968 • P_ASN1_INTEGER_get_dec
5970 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5972 Returns string with decimal representation of integer value of
5974 given ASN1_INTEGER object.
5975 Net::SSLeay::P_ASN1_INTEGER_get_dec($i);
5977 # $i - value corresponding to openssl's ASN1_INTEGER structure
5978 #
5979 # returns: string with decimal representation
5980 • P_ASN1_INTEGER_get_hex
5982 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5984 Returns string with hexadecimal representation of integer value of
5986 given ASN1_INTEGER object.
5987 Net::SSLeay::P_ASN1_INTEGER_get_hex($i);
5989 # $i - value corresponding to openssl's ASN1_INTEGER structure
5990 #
5991 # returns: string with hexadecimal representation
5992 • P_ASN1_INTEGER_set_dec
5994 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5996 Sets value of given ASN1_INTEGER object to value $val (decimal
5998 string, suitable for large integers)
5999 Net::SSLeay::P_ASN1_INTEGER_set_dec($i, $str);
6001 # $i - value corresponding to openssl's ASN1_INTEGER structure
6002 # $str - string with decimal representation
6003 #
6004 # returns: 1 on success, 0 on failure
6005 • P_ASN1_INTEGER_set_hex
6007 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6009 Sets value of given ASN1_INTEGER object to value $val (hexadecimal
6011 string, suitable for large integers)
6012 Net::SSLeay::P_ASN1_INTEGER_set_hex($i, $str);
6014 # $i - value corresponding to openssl's ASN1_INTEGER structure
6015 # $str - string with hexadecimal representation
6016 #
6017 # returns: 1 on success, 0 on failure
6018 Low level API: ASN1_STRING_* related functions
6020 • P_ASN1_STRING_get
6022 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6024 Returns string value of given ASN1_STRING object.
6026 Net::SSLeay::P_ASN1_STRING_get($s, $utf8_decode);
6028 # $s - value corresponding to openssl's ASN1_STRING structure
6029 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
6030 #
6031 # returns: string
6032 $string = Net::SSLeay::P_ASN1_STRING_get($s);
6034 #is the same as:
6035 $string = Net::SSLeay::P_ASN1_STRING_get($s, 0);
6036 Low level API: ASN1_TIME_* related functions
6038 • ASN1_TIME_new
6040 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6042 my $time = ASN1_TIME_new();
6044 # returns: value corresponding to openssl's ASN1_TIME structure
6045 • ASN1_TIME_free
6047 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6049 ASN1_TIME_free($time);
6051 # $time - value corresponding to openssl's ASN1_TIME structure
6052 • ASN1_TIME_set
6054 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6056 ASN1_TIME_set($time, $t);
6058 # $time - value corresponding to openssl's ASN1_TIME structure
6059 # $t - time value in seconds since 1.1.1970
6060 BEWARE: It is platform dependent how this function will handle
6062 dates after 2038. Although perl's integer is large enough the
6063 internal implementation of this function is dependent on the size
6064 of time_t structure (32bit time_t has problem with 2038).
6065 If you want to safely set date and time after 2038 use function
6067 "P_ASN1_TIME_set_isotime".
6068 • P_ASN1_TIME_get_isotime
6070 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
6072 requires at least openssl-0.9.7e
6073 NOTE: Does not exactly correspond to any low level API function
6075 Gives ISO-8601 string representation of ASN1_TIME structure.
6077 my $datetime_string = P_ASN1_TIME_get_isotime($time);
6079 # $time - value corresponding to openssl's ASN1_TIME structure
6080 #
6081 # returns: datetime string like '2033-05-16T20:39:37Z' or '' on failure
6082 The output format is compatible with module
6084 DateTime::Format::RFC3339
6085 • P_ASN1_TIME_set_isotime
6087 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
6089 requires at least openssl-0.9.7e
6090 NOTE: Does not exactly correspond to any low level API function
6092 Sets time and date value of ANS1_time structure.
6094 my $rv = P_ASN1_TIME_set_isotime($time, $string);
6096 # $time - value corresponding to openssl's ASN1_TIME structure
6097 # $string - ISO-8601 timedate string like '2033-05-16T20:39:37Z'
6098 #
6099 # returns: 1 on success, 0 on failure
6100 The $string parameter has to be in full form like
6102 "2012-03-22T23:55:33" or "2012-03-22T23:55:33Z" or
6103 "2012-03-22T23:55:33CET". Short forms like "2012-03-22T23:55" or
6104 "2012-03-22" are not supported.
6105 • P_ASN1_TIME_put2string
6107 COMPATIBILITY: not available in Net-SSLeay-1.42 and before, has
6109 bugs with openssl-0.9.8i
6110 NOTE: Does not exactly correspond to any low level API function
6112 Gives string representation of ASN1_TIME structure.
6114 my $str = P_ASN1_TIME_put2string($time);
6116 # $time - value corresponding to openssl's ASN1_TIME structure
6117 #
6118 # returns: datetime string like 'May 16 20:39:37 2033 GMT'
6119 • P_ASN1_UTCTIME_put2string
6121 NOTE: deprecated function, only for backward compatibility, just an
6123 alias for "P_ASN1_TIME_put2string"
6124 Low level API: X509_* related functions
6126 • X509_new
6128 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6130 Allocates and initializes a X509 structure.
6132 my $rv = Net::SSLeay::X509_new();
6134 #
6135 # returns: value corresponding to openssl's X509 structure (0 on failure)
6136 Check openssl doc
6138 <http://www.openssl.org/docs/crypto/X509_new.html>
6139 • X509_free
6141 Frees up the X509 structure.
6143 Net::SSLeay::X509_free($a);
6145 # $a - value corresponding to openssl's X509 structure
6146 #
6147 # returns: no return value
6148 Check openssl doc
6150 <http://www.openssl.org/docs/crypto/X509_new.html>
6151 • X509_check_host
6153 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6155 requires at least OpenSSL 1.0.2.
6156 X509_CHECK_FLAG_NEVER_CHECK_SUBJECT requires OpenSSL 1.1.0.
6157 Checks if the certificate Subject Alternative Name (SAN) or Subject
6159 CommonName (CN) matches the specified host name.
6160 my $rv = Net::SSLeay::X509_check_host($cert, $name, $flags, $peername);
6162 # $cert - value corresponding to openssl's X509 structure
6163 # $name - host name to check
6164 # $flags (optional, default: 0) - can be the bitwise OR of:
6165 # &Net::SSLeay::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
6166 # &Net::SSLeay::X509_CHECK_FLAG_NO_WILDCARDS
6167 # &Net::SSLeay::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
6168 # &Net::SSLeay::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
6169 # &Net::SSLeay::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
6170 # &Net::SSLeay::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
6171 # $peername (optional) - If not omitted and $host matches $cert,
6172 # a copy of the matching SAN or CN from
6173 # the peer certificate is stored in $peername.
6174 #
6175 # returns:
6176 # 1 for a successful match
6177 # 0 for a failed match
6178 # -1 for an internal error
6179 # -2 if the input is malformed
6180 Check openssl doc
6182 <https://www.openssl.org/docs/crypto/X509_check_host.html>.
6183 • X509_check_email
6185 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6187 requires at least OpenSSL 1.0.2.
6188 Checks if the certificate matches the specified email address.
6190 my $rv = Net::SSLeay::X509_check_email($cert, $address, $flags);
6192 # $cert - value corresponding to openssl's X509 structure
6193 # $address - email address to check
6194 # $flags (optional, default: 0) - see X509_check_host()
6195 #
6196 # returns: see X509_check_host()
6197 Check openssl doc
6199 <https://www.openssl.org/docs/crypto/X509_check_email.html>.
6200 • X509_check_ip
6202 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6204 requires at least OpenSSL 1.0.2.
6205 Checks if the certificate matches the specified IPv4 or IPv6
6207 address.
6208 my $rv = Net::SSLeay::X509_check_ip($cert, $address, $flags);
6210 # $cert - value corresponding to openssl's X509 structure
6211 # $address - IP address to check in binary format, in network byte order
6212 # $flags (optional, default: 0) - see X509_check_host()
6213 #
6214 # returns: see X509_check_host()
6215 Check openssl doc
6217 <https://www.openssl.org/docs/crypto/X509_check_ip.html>.
6218 • X509_check_ip_asc
6220 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6222 requires at least OpenSSL 1.0.2.
6223 Checks if the certificate matches the specified IPv4 or IPv6
6225 address.
6226 my $rv = Net::SSLeay::X509_check_ip_asc($cert, $address, $flags);
6228 # $cert - value corresponding to openssl's X509 structure
6229 # $address - IP address to check in text representation
6230 # $flags (optional, default: 0) - see X509_check_host()
6231 #
6232 # returns: see X509_check_host()
6233 Check openssl doc
6235 <https://www.openssl.org/docs/crypto/X509_check_ip_asc.html>.
6236 • X509_certificate_type
6238 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6240 Returns bitmask with type of certificate $x.
6242 my $rv = Net::SSLeay::X509_certificate_type($x);
6244 # $x - value corresponding to openssl's X509 structure
6245 #
6246 # returns: (integer) bitmask with certificate type
6247 #to decode bitmask returned by this function use these constants:
6249 &Net::SSLeay::EVP_PKS_DSA
6250 &Net::SSLeay::EVP_PKS_EC
6251 &Net::SSLeay::EVP_PKS_RSA
6252 &Net::SSLeay::EVP_PKT_ENC
6253 &Net::SSLeay::EVP_PKT_EXCH
6254 &Net::SSLeay::EVP_PKT_EXP
6255 &Net::SSLeay::EVP_PKT_SIGN
6256 &Net::SSLeay::EVP_PK_DH
6257 &Net::SSLeay::EVP_PK_DSA
6258 &Net::SSLeay::EVP_PK_EC
6259 &Net::SSLeay::EVP_PK_RSA
6260 • X509_digest
6262 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6264 Computes digest/fingerprint of X509 $data using $type hash
6266 function.
6267 my $digest_value = Net::SSLeay::X509_digest($data, $type);
6269 # $data - value corresponding to openssl's X509 structure
6270 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
6271 #
6272 # returns: hash value (binary)
6273 #to get printable (hex) value of digest use:
6275 print unpack('H*', $digest_value);
6276 • X509_issuer_and_serial_hash
6278 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6280 Sort of a checksum of issuer name and serial number of X509
6282 certificate $x. The result is not a full hash (e.g. sha-1), it is
6283 kind-of-a-hash truncated to the size of 'unsigned long' (32 bits).
6284 The resulting value might differ across different openssl versions
6285 for the same X509 certificate.
6286 my $rv = Net::SSLeay::X509_issuer_and_serial_hash($x);
6288 # $x - value corresponding to openssl's X509 structure
6289 #
6290 # returns: number representing checksum
6291 • X509_issuer_name_hash
6293 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6295 Sort of a checksum of issuer name of X509 certificate $x. The
6297 result is not a full hash (e.g. sha-1), it is kind-of-a-hash
6298 truncated to the size of 'unsigned long' (32 bits). The resulting
6299 value might differ across different openssl versions for the same
6300 X509 certificate.
6301 my $rv = Net::SSLeay::X509_issuer_name_hash($x);
6303 # $x - value corresponding to openssl's X509 structure
6304 #
6305 # returns: number representing checksum
6306 • X509_subject_name_hash
6308 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6310 Sort of a checksum of subject name of X509 certificate $x. The
6312 result is not a full hash (e.g. sha-1), it is kind-of-a-hash
6313 truncated to the size of 'unsigned long' (32 bits). The resulting
6314 value might differ across different openssl versions for the same
6315 X509 certificate.
6316 my $rv = Net::SSLeay::X509_subject_name_hash($x);
6318 # $x - value corresponding to openssl's X509 structure
6319 #
6320 # returns: number representing checksum
6321 • X509_pubkey_digest
6323 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6325 requires at least openssl-0.9.7
6326 Computes digest/fingerprint of public key from X509 certificate
6328 $data using $type hash function.
6329 my $digest_value = Net::SSLeay::X509_pubkey_digest($data, $type);
6331 # $data - value corresponding to openssl's X509 structure
6332 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
6333 #
6334 # returns: hash value (binary)
6335 #to get printable (hex) value of digest use:
6337 print unpack('H*', $digest_value);
6338 • X509_set_issuer_name
6340 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6342 Sets issuer of X509 certificate $x to $name.
6344 my $rv = Net::SSLeay::X509_set_issuer_name($x, $name);
6346 # $x - value corresponding to openssl's X509 structure
6347 # $name - value corresponding to openssl's X509_NAME structure
6348 #
6349 # returns: 1 on success, 0 on failure
6350 • X509_set_pubkey
6352 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6354 Sets public key of X509 certificate $x to $pkey.
6356 my $rv = Net::SSLeay::X509_set_pubkey($x, $pkey);
6358 # $x - value corresponding to openssl's X509 structure
6359 # $pkey - value corresponding to openssl's EVP_PKEY structure
6360 #
6361 # returns: 1 on success, 0 on failure
6362 • X509_set_serialNumber
6364 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6366 Sets serial number of X509 certificate $x to $serial.
6368 my $rv = Net::SSLeay::X509_set_serialNumber($x, $serial);
6370 # $x - value corresponding to openssl's X509 structure
6371 # $serial - value corresponding to openssl's ASN1_INTEGER structure
6372 #
6373 # returns: 1 on success, 0 on failure
6374 #to create $serial value use one of these:
6376 $serial = Net::SSLeay::P_ASN1_INTEGER_set_hex('45ad6f');
6377 $serial = Net::SSLeay::P_ASN1_INTEGER_set_dec('7896541238529631478');
6378 $serial = Net::SSLeay::ASN1_INTEGER_set(45896);
6379 • X509_set_subject_name
6381 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6383 Sets subject of X509 certificate $x to $name.
6385 my $rv = Net::SSLeay::X509_set_subject_name($x, $name);
6387 # $x - value corresponding to openssl's X509 structure
6388 # $name - value corresponding to openssl's X509_NAME structure
6389 #
6390 # returns: 1 on success, 0 on failure
6391 • X509_set_version
6393 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6395 Set 'version' value for X509 certificate $ to $version.
6397 my $rv = Net::SSLeay::X509_set_version($x, $version);
6399 # $x - value corresponding to openssl's X509 structure
6400 # $version - (integer) version number
6401 #
6402 # returns: 1 on success, 0 on failure
6403 • X509_sign
6405 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6407 Sign X509 certificate $x with private key $pkey (using digest
6409 algorithm $md).
6410 my $rv = Net::SSLeay::X509_sign($x, $pkey, $md);
6412 # $x - value corresponding to openssl's X509 structure
6413 # $pkey - value corresponding to openssl's EVP_PKEY structure
6414 # $md - value corresponding to openssl's EVP_MD structure
6415 #
6416 # returns: 1 on success, 0 on failure
6417 • X509_verify
6419 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6421 Verifies X509 object $a using public key $r (pubkey of issuing CA).
6423 my $rv = Net::SSLeay::X509_verify($x, $r);
6425 # $x - value corresponding to openssl's X509 structure
6426 # $r - value corresponding to openssl's EVP_PKEY structure
6427 #
6428 # returns: 0 - verify failure, 1 - verify OK, <0 - error
6429 • X509_get_ext_count
6431 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6433 Returns the total number of extensions in X509 object $x.
6435 my $rv = Net::SSLeay::X509_get_ext_count($x);
6437 # $x - value corresponding to openssl's X509 structure
6438 #
6439 # returns: count of extensions
6440 • X509_get_pubkey
6442 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6444 Returns public key corresponding to given X509 object $x.
6446 my $rv = Net::SSLeay::X509_get_pubkey($x);
6448 # $x - value corresponding to openssl's X509 structure
6449 #
6450 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
6451 NOTE: This method returns only the public key's key bits, without
6453 the algorithm or parameters. Use "X509_get_X509_PUBKEY()" to
6454 return the full public key (SPKI) instead.
6455 • X509_get_X509_PUBKEY
6457 COMPATIBILITY: not available in Net-SSLeay-1.72 and before
6459 Returns the full public key (SPKI) of given X509 certificate $x.
6461 Net::SSLeay::X509_get_X509_PUBKEY($x);
6463 # $x - value corresponding to openssl's X509 structure
6464 #
6465 # returns: public key data in DER format (binary)
6466 • X509_get_serialNumber
6468 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6470 Returns serial number of X509 certificate $x.
6472 my $rv = Net::SSLeay::X509_get_serialNumber($x);
6474 # $x - value corresponding to openssl's X509 structure
6475 #
6476 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
6477 See "P_ASN1_INTEGER_get_dec", "P_ASN1_INTEGER_get_hex" or
6479 "ASN1_INTEGER_get" to decode ASN1_INTEGER object.
6480 • X509_get0_serialNumber
6482 COMPATIBILITY: available in Net-SSLeay-1.86 onwards
6484 X509_get0_serialNumber() is the same as X509_get_serialNumber()
6486 except it accepts a const parameter and returns a const result.
6487 • X509_get_version
6489 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6491 Returns 'version' value of given X509 certificate $x.
6493 my $rv = Net::SSLeay::X509_get_version($x);
6495 # $x - value corresponding to openssl's X509 structure
6496 #
6497 # returns: (integer) version
6498 • X509_get_ext
6500 Returns X509_EXTENSION from $x509 based on given position/index.
6502 my $rv = Net::SSLeay::X509_get_ext($x509, $index);
6504 # $x509 - value corresponding to openssl's X509 structure
6505 # $index - (integer) position/index of extension within $x509
6506 #
6507 # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure)
6508 • X509_get_ext_by_NID
6510 Returns X509_EXTENSION from $x509 based on given NID.
6512 my $rv = Net::SSLeay::X509_get_ext_by_NID($x509, $nid, $loc);
6514 # $x509 - value corresponding to openssl's X509 structure
6515 # $nid - (integer) NID value
6516 # $loc - (integer) position to start lookup at
6517 #
6518 # returns: position/index of extension, negative value on error
6519 # call Net::SSLeay::X509_get_ext($x509, $rv) to get the actual extension
6520 • X509_get_fingerprint
6522 Returns fingerprint of certificate $cert.
6524 NOTE: Does not exactly correspond to any low level API function.
6526 The implementation is basen on openssl's "X509_digest()".
6527 Net::SSLeay::X509_get_fingerprint($x509, $type);
6529 # $x509 - value corresponding to openssl's X509 structure
6530 # $type - (string) digest type, currently supported values:
6531 # "md5"
6532 # "sha1"
6533 # "sha256"
6534 # "ripemd160"
6535 #
6536 # returns: certificate digest - hexadecimal string (NOT binary data!)
6537 • X509_get_issuer_name
6539 Return an X509_NAME object representing the issuer of the
6541 certificate $cert.
6542 my $rv = Net::SSLeay::X509_get_issuer_name($cert);
6544 # $cert - value corresponding to openssl's X509 structure
6545 #
6546 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
6547 • X509_get_notAfter
6549 Return an object giving the time after which the certificate $cert
6551 is not valid.
6552 my $rv = Net::SSLeay::X509_get_notAfter($cert);
6554 # $cert - value corresponding to openssl's X509 structure
6555 #
6556 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6557 To get human readable/printable form the return value you can use:
6559 my $time = Net::SSLeay::X509_get_notAfter($cert);
6561 print "notAfter=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
6562 • X509_get_notBefore
6564 Return an object giving the time before which the certificate $cert
6566 is not valid
6567 my $rv = Net::SSLeay::X509_get_notBefore($cert);
6569 # $cert - value corresponding to openssl's X509 structure
6570 #
6571 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6572 To get human readable/printable form the return value you can use:
6574 my $time = Net::SSLeay::X509_get_notBefore($cert);
6576 print "notBefore=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
6577 • X509_get_subjectAltNames
6579 NOTE: Does not exactly correspond to any low level API function.
6581 Returns the list of alternative subject names from X509 certificate
6583 $cert.
6584 my @rv = Net::SSLeay::X509_get_subjectAltNames($cert);
6586 # $cert - value corresponding to openssl's X509 structure
6587 #
6588 # returns: list containing pairs - name_type (integer), name_value (string)
6589 # where name_type can be:
6590 # 0 - GEN_OTHERNAME
6591 # 1 - GEN_EMAIL
6592 # 2 - GEN_DNS
6593 # 3 - GEN_X400
6594 # 4 - GEN_DIRNAME
6595 # 5 - GEN_EDIPARTY
6596 # 6 - GEN_URI
6597 # 7 - GEN_IPADD
6598 # 8 - GEN_RID
6599 Note: type 7 - GEN_IPADD contains the IP address as a packed binary
6601 address. GEN_RID is available in Net-SSLeay-1.90 and later. Maximum
6602 length for returned RID string is currently 2500. Invalid and
6603 overly long RID values are skipped and not returned. GEN_X400 and
6604 GEN_EDIPARTY are not supported and will not be returned even when
6605 present in the certificate.
6606 • X509_get_subject_name
6608 Returns the subject of the certificate $cert.
6610 my $rv = Net::SSLeay::X509_get_subject_name($cert);
6612 # $cert - value corresponding to openssl's X509 structure
6613 #
6614 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
6615 • X509_gmtime_adj
6617 Adjust th ASN1_TIME object to the timestamp (in GMT).
6619 my $rv = Net::SSLeay::X509_gmtime_adj($s, $adj);
6621 # $s - value corresponding to openssl's ASN1_TIME structure
6622 # $adj - timestamp (seconds since 1.1.1970)
6623 #
6624 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6625 BEWARE: this function may fail for dates after 2038 as it is
6627 dependent on time_t size on your system (32bit time_t does not work
6628 after 2038). Consider using "P_ASN1_TIME_set_isotime" instead).
6629 • X509_load_cert_crl_file
6631 Takes PEM file and loads all X509 certificates and X509 CRLs from
6633 that file into X509_LOOKUP structure.
6634 my $rv = Net::SSLeay::X509_load_cert_crl_file($ctx, $file, $type);
6636 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6637 # $file - (string) file name
6638 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6639 # if not FILETYPE_PEM then behaves as Net::SSLeay::X509_load_cert_file()
6640 #
6641 # returns: 1 on success, 0 on failure
6642 • X509_load_cert_file
6644 Loads/adds X509 certificate from $file to X509_LOOKUP structure
6646 my $rv = Net::SSLeay::X509_load_cert_file($ctx, $file, $type);
6648 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6649 # $file - (string) file name
6650 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6651 #
6652 # returns: 1 on success, 0 on failure
6653 • X509_load_crl_file
6655 Loads/adds X509 CRL from $file to X509_LOOKUP structure
6657 my $rv = Net::SSLeay::X509_load_crl_file($ctx, $file, $type);
6659 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6660 # $file - (string) file name
6661 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6662 #
6663 # returns: 1 on success, 0 on failure
6664 • X509_policy_level_get0_node
6666 ??? (more info needed)
6668 my $rv = Net::SSLeay::X509_policy_level_get0_node($level, $i);
6670 # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
6671 # $i - (integer) index/position
6672 #
6673 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6674 • X509_policy_level_node_count
6676 ??? (more info needed)
6678 my $rv = Net::SSLeay::X509_policy_level_node_count($level);
6680 # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
6681 #
6682 # returns: (integer) node count
6683 • X509_policy_node_get0_parent
6685 ??? (more info needed)
6687 my $rv = Net::SSLeay::X509_policy_node_get0_parent($node);
6689 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6690 #
6691 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6692 • X509_policy_node_get0_policy
6694 ??? (more info needed)
6696 my $rv = Net::SSLeay::X509_policy_node_get0_policy($node);
6698 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6699 #
6700 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6701 • X509_policy_node_get0_qualifiers
6703 ??? (more info needed)
6705 my $rv = Net::SSLeay::X509_policy_node_get0_qualifiers($node);
6707 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6708 #
6709 # returns: value corresponding to openssl's STACK_OF(POLICYQUALINFO) structure (0 on failure)
6710 • X509_policy_tree_free
6712 ??? (more info needed)
6714 Net::SSLeay::X509_policy_tree_free($tree);
6716 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6717 #
6718 # returns: no return value
6719 • X509_policy_tree_get0_level
6721 ??? (more info needed)
6723 my $rv = Net::SSLeay::X509_policy_tree_get0_level($tree, $i);
6725 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6726 # $i - (integer) level index
6727 #
6728 # returns: value corresponding to openssl's X509_POLICY_LEVEL structure (0 on failure)
6729 • X509_policy_tree_get0_policies
6731 ??? (more info needed)
6733 my $rv = Net::SSLeay::X509_policy_tree_get0_policies($tree);
6735 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6736 #
6737 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6738 • X509_policy_tree_get0_user_policies
6740 ??? (more info needed)
6742 my $rv = Net::SSLeay::X509_policy_tree_get0_user_policies($tree);
6744 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6745 #
6746 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6747 • X509_policy_tree_level_count
6749 ??? (more info needed)
6751 my $rv = Net::SSLeay::X509_policy_tree_level_count($tree);
6753 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6754 #
6755 # returns: (integer) count
6756 • X509_verify_cert_error_string
6758 Returns a human readable error string for verification error $n.
6760 my $rv = Net::SSLeay::X509_verify_cert_error_string($n);
6762 # $n - (long) numeric error code
6763 #
6764 # returns: error string
6765 Check openssl doc
6767 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
6768 • P_X509_add_extensions
6770 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6772 Adds one or more X509 extensions to X509 object $x.
6774 my $rv = Net::SSLeay::P_X509_add_extensions($x, $ca_cert, $nid, $value);
6776 # $x - value corresponding to openssl's X509 structure
6777 # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier)
6778 # $nid - NID identifying extension to be set
6779 # $value - extension value
6780 #
6781 # returns: 1 on success, 0 on failure
6782 You can set more extensions at once:
6784 my $rv = Net::SSLeay::P_X509_add_extensions($x509, $ca_cert,
6786 &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
6787 &Net::SSLeay::NID_subject_key_identifier => 'hash',
6788 &Net::SSLeay::NID_authority_key_identifier => 'keyid',
6789 &Net::SSLeay::NID_authority_key_identifier => 'issuer',
6790 &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
6791 &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
6792 &Net::SSLeay::NID_netscape_cert_type => 'server',
6793 &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.dom.com,DNS:s2.dom.com,DNS:s3.dom.com',
6794 );
6795 • P_X509_copy_extensions
6797 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6799 Copies X509 extensions from X509_REQ object to X509 object - handy
6801 when you need to turn X509_REQ into X509 certificate.
6802 Net::SSLeay::P_X509_copy_extensions($x509_req, $x509, $override);
6804 # $x509_req - value corresponding to openssl's X509_REQ structure
6805 # $x509 - value corresponding to openssl's X509 structure
6806 # $override - (integer) flag indication whether to override already existing items in $x509 (default 1)
6807 #
6808 # returns: 1 on success, 0 on failure
6809 • P_X509_get_crl_distribution_points
6811 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6813 requires at least openssl-0.9.7
6814 Get the list of CRL distribution points from X509 certificate.
6816 my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
6818 # $x509 - value corresponding to openssl's X509 structure
6819 #
6820 # returns: list of distribution points (usually URLs)
6821 • P_X509_get_ext_key_usage
6823 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6825 requires at least openssl-0.9.7
6826 Gets the list of extended key usage of given X509 certificate
6828 $cert.
6829 my @ext_usage = Net::SSLeay::P_X509_get_ext_key_usage($cert, $format);
6831 # $cert - value corresponding to openssl's X509 structure
6832 # $format - choose type of return values: 0=OIDs, 1=NIDs, 2=shortnames, 3=longnames
6833 #
6834 # returns: list of values
6835 Examples:
6837 my @extkeyusage_oid = Net::SSLeay::P_X509_get_ext_key_usage($x509,0);
6839 # returns for example: ("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")
6840 my @extkeyusage_nid = Net::SSLeay::P_X509_get_ext_key_usage($x509,1);
6842 # returns for example: (129, 130)
6843 my @extkeyusage_sn = Net::SSLeay::P_X509_get_ext_key_usage($x509,2);
6845 # returns for example: ("serverAuth", "clientAuth")
6846 my @extkeyusage_ln = Net::SSLeay::P_X509_get_ext_key_usage($x509,3);
6848 # returns for example: ("TLS Web Server Authentication", "TLS Web Client Authentication")
6849 • P_X509_get_key_usage
6851 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6853 Gets the list of key usage of given X509 certificate $cert.
6855 my @keyusage = Net::SSLeay::P_X509_get_key_usage($cert);
6857 # $cert - value corresponding to openssl's X509 structure
6858 #
6859 # returns: list of key usage values which can be none, one or more from the following list:
6860 # "digitalSignature"
6861 # "nonRepudiation"
6862 # "keyEncipherment"
6863 # "dataEncipherment"
6864 # "keyAgreement"
6865 # "keyCertSign"
6866 # "cRLSign"
6867 # "encipherOnly"
6868 # "decipherOnly"
6869 • P_X509_get_netscape_cert_type
6871 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6873 Gets the list of Netscape cert types of given X509 certificate
6875 $cert.
6876 Net::SSLeay::P_X509_get_netscape_cert_type($cert);
6878 # $cert - value corresponding to openssl's X509 structure
6879 #
6880 # returns: list of Netscape type values which can be none, one or more from the following list:
6881 # "client"
6882 # "server"
6883 # "email"
6884 # "objsign"
6885 # "reserved"
6886 # "sslCA"
6887 # "emailCA"
6888 # "objCA"
6889 • P_X509_get_pubkey_alg
6891 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6893 Returns ASN1_OBJECT corresponding to X509 certificate public key
6895 algorithm.
6896 my $rv = Net::SSLeay::P_X509_get_pubkey_alg($x);
6898 # $x - value corresponding to openssl's X509 structure
6899 #
6900 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6901 To get textual representation use:
6903 my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_pubkey_alg($x509));
6905 # returns for example: "rsaEncryption"
6906 • P_X509_get_signature_alg
6908 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6910 Returns ASN1_OBJECT corresponding to X509 signarite key algorithm.
6912 my $rv = Net::SSLeay::P_X509_get_signature_alg($x);
6914 # $x - value corresponding to openssl's X509 structure
6915 #
6916 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6917 To get textual representation use:
6919 my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_signature_alg($x509))
6921 # returns for example: "sha1WithRSAEncryption"
6922 • sk_X509_new_null
6924 Returns a new, empty, STACK_OF(X509) structure.
6926 my $rv = Net::SSLeay::sk_X509_new_null();
6928 #
6929 # returns: value corresponding to openssl's STACK_OF(X509) structure
6930 • sk_X509_push
6932 Pushes an X509 structure onto a STACK_OF(X509) structure.
6934 my $rv = Net::SSLeay::sk_X509_push($sk_x509, $x509);
6936 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6937 # $x509 - value corresponding to openssl's X509 structure
6938 #
6939 # returns: total number of elements after the operation, 0 on failure
6940 • sk_X509_pop
6942 Pops an single X509 structure from a STACK_OF(X509) structure.
6944 my $x509 = NetSSLeay::sk_X509_pop($sk_x509)
6946 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6947 #
6948 # returns: a pointer to an X509 structure, undef on failure
6949 Check openssl doc
6951 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_pop.html>
6952 • sk_X509_shift
6954 Shifts an single X509 structure onto a STACK_OF(X509) structure.
6956 my $x509 = NetSSLeay::sk_X509_shift($sk_x509, $x509)
6958 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6959 # $x509 - value corresponding to openssl's X509 structure
6960 #
6961 # returns: a pointer to an X509 structure, undef on failure
6962 Check openssl doc
6964 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_shift.html>
6965 • sk_X509_unshift
6967 Unshifts an single X509 structure from a STACK_OF(X509) structure.
6969 my $rv = NetSSLeay::sk_X509_unshift($sk_x509)
6971 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6972 #
6973 # returns: total number of elements after the operation, 0 on failure
6974 Check openssl doc
6976 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_unshift.html>
6977 • sk_X509_insert
6979 Inserts a single X509 structure into a STACK_OF(X509) at the
6981 specified index.
6982 my $rv = Net::SSLeay::sk_X509_insert($sk_x509, $x509, index);
6984 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6985 # $x509 - value corresponding to openssl's X509 structure
6986 # index - integer - 0 based index
6987 #
6988 # returns: total number of elements after the operation, 0 on failure
6989 Check openssl doc
6991 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_insert.html>
6992 • sk_X509_delete
6994 Delete a single X509 structure from a STACK_OF(X509) at the
6996 specified index.
6997 my $x509 = Net::SSLeay::sk_X509_delete($sk_x509, index);
6999 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7000 # index - integer - 0 based index
7001 #
7002 # returns: a pointer to an X509 structure, undef on failure
7003 Check openssl doc
7005 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_delete.html>
7006 • sk_X509_value
7008 Return a single X509 structure from a STACK_OF(X509) at the
7010 specified index.
7011 my $x509 = Net::SSLeay::sk_X509_value($sk_x509, index)
7013 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7014 # index - integer - 0 based index
7015 #
7016 # returns: a pointer to an X509 structure, undef on failure
7017 Check openssl doc
7019 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_value.html>
7020 • sk_X509_num
7022 Return the number of X509 elements in a STACK_OF(X509).
7024 my $num = Net::SSLeay::sk_X509_num($sk_x509);
7026 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7027 #
7028 # returns: the number of elements in the stack, -1 if the passed stack is NULL
7029 Check openssl doc
7031 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_num.html>
7032 Low level API: X509_REQ_* related functions
7034 • X509_REQ_new
7036 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7038 Creates a new X509_REQ structure.
7040 my $rv = Net::SSLeay::X509_REQ_new();
7042 #
7043 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
7044 • X509_REQ_free
7046 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7048 Free an allocated X509_REQ structure.
7050 Net::SSLeay::X509_REQ_free($x);
7052 # $x - value corresponding to openssl's X509_REQ structure
7053 #
7054 # returns: no return value
7055 • X509_REQ_add1_attr_by_NID
7057 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7059 Adds an attribute whose name is defined by a NID $nid. The field
7061 value to be added is in $bytes.
7062 my $rv = Net::SSLeay::X509_REQ_add1_attr_by_NID($req, $nid, $type, $bytes);
7064 # $req - value corresponding to openssl's X509_REQ structure
7065 # $nid - (integer) NID value
7066 # $type - (integer) type of data in $bytes (see below)
7067 # $bytes - data to be set
7068 #
7069 # returns: 1 on success, 0 on failure
7070 # values for $type - use constants:
7072 &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data
7073 &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data
7074 • X509_REQ_digest
7076 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7078 Computes digest/fingerprint of X509_REQ $data using $type hash
7080 function.
7081 my $digest_value = Net::SSLeay::X509_REQ_digest($data, $type);
7083 # $data - value corresponding to openssl's X509_REQ structure
7084 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7085 #
7086 # returns: hash value (binary)
7087 #to get printable (hex) value of digest use:
7089 print unpack('H*', $digest_value);
7090 • X509_REQ_get_attr_by_NID
7092 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7094 Retrieve the next index matching $nid after $lastpos ($lastpos
7096 should initially be set to -1).
7097 my $rv = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid, $lastpos=-1);
7099 # $req - value corresponding to openssl's X509_REQ structure
7100 # $nid - (integer) NID value
7101 # $lastpos - [optional] (integer) index where to start search (default -1)
7102 #
7103 # returns: index (-1 if there are no more entries)
7104 Note: use "P_X509_REQ_get_attr" to get the actual attribute value -
7106 e.g.
7107 my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid);
7109 my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index);
7110 • X509_REQ_get_attr_by_OBJ
7112 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7114 Retrieve the next index matching $obj after $lastpos ($lastpos
7116 should initially be set to -1).
7117 my $rv = Net::SSLeay::X509_REQ_get_attr_by_OBJ($req, $obj, $lastpos=-1);
7119 # $req - value corresponding to openssl's X509_REQ structure
7120 # $obj - value corresponding to openssl's ASN1_OBJECT structure
7121 # $lastpos - [optional] (integer) index where to start search (default -1)
7122 #
7123 # returns: index (-1 if there are no more entries)
7124 Note: use "P_X509_REQ_get_attr" to get the actual attribute value -
7126 e.g.
7127 my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid);
7129 my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index);
7130 • X509_REQ_get_attr_count
7132 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7134 Returns the total number of attributes in $req.
7136 my $rv = Net::SSLeay::X509_REQ_get_attr_count($req);
7138 # $req - value corresponding to openssl's X509_REQ structure
7139 #
7140 # returns: (integer) items count
7141 • X509_REQ_get_pubkey
7143 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7145 Returns public key corresponding to given X509_REQ object $x.
7147 my $rv = Net::SSLeay::X509_REQ_get_pubkey($x);
7149 # $x - value corresponding to openssl's X509_REQ structure
7150 #
7151 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
7152 • X509_REQ_get_subject_name
7154 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7156 Returns X509_NAME object corresponding to subject name of given
7158 X509_REQ object $x.
7159 my $rv = Net::SSLeay::X509_REQ_get_subject_name($x);
7161 # $x - value corresponding to openssl's X509_REQ structure
7162 #
7163 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7164 • X509_REQ_get_version
7166 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7168 Returns 'version' value for given X509_REQ object $x.
7170 my $rv = Net::SSLeay::X509_REQ_get_version($x);
7172 # $x - value corresponding to openssl's X509_REQ structure
7173 #
7174 # returns: (integer) version e.g. 0 = "version 1"
7175 • X509_REQ_set_pubkey
7177 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7179 Sets public key of given X509_REQ object $x to $pkey.
7181 my $rv = Net::SSLeay::X509_REQ_set_pubkey($x, $pkey);
7183 # $x - value corresponding to openssl's X509_REQ structure
7184 # $pkey - value corresponding to openssl's EVP_PKEY structure
7185 #
7186 # returns: 1 on success, 0 on failure
7187 • X509_REQ_set_subject_name
7189 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7191 Sets subject name of given X509_REQ object $x to X509_NAME object
7193 $name.
7194 my $rv = Net::SSLeay::X509_REQ_set_subject_name($x, $name);
7196 # $x - value corresponding to openssl's X509_REQ structure
7197 # $name - value corresponding to openssl's X509_NAME structure
7198 #
7199 # returns: 1 on success, 0 on failure
7200 • X509_REQ_set_version
7202 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7204 Sets 'version' of given X509_REQ object $x to $version.
7206 my $rv = Net::SSLeay::X509_REQ_set_version($x, $version);
7208 # $x - value corresponding to openssl's X509_REQ structure
7209 # $version - (integer) e.g. 0 = "version 1"
7210 #
7211 # returns: 1 on success, 0 on failure
7212 • X509_REQ_sign
7214 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7216 Sign X509_REQ object $x with private key $pk (using digest
7218 algorithm $md).
7219 my $rv = Net::SSLeay::X509_REQ_sign($x, $pk, $md);
7221 # $x - value corresponding to openssl's X509_REQ structure
7222 # $pk - value corresponding to openssl's EVP_PKEY structure (requestor's private key)
7223 # $md - value corresponding to openssl's EVP_MD structure
7224 #
7225 # returns: 1 on success, 0 on failure
7226 • X509_REQ_verify
7228 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7230 Verifies X509_REQ object $x using public key $r (pubkey of
7232 requesting party).
7233 my $rv = Net::SSLeay::X509_REQ_verify($x, $r);
7235 # $x - value corresponding to openssl's X509_REQ structure
7236 # $r - value corresponding to openssl's EVP_PKEY structure
7237 #
7238 # returns: 0 - verify failure, 1 - verify OK, <0 - error
7239 • P_X509_REQ_add_extensions
7241 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7243 Adds one or more X509 extensions to X509_REQ object $x.
7245 my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x, $nid, $value);
7247 # $x - value corresponding to openssl's X509_REQ structure
7248 # $nid - NID identifying extension to be set
7249 # $value - extension value
7250 #
7251 # returns: 1 on success, 0 on failure
7252 You can set more extensions at once:
7254 my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x509_req,
7256 &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
7257 &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
7258 &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
7259 &Net::SSLeay::NID_netscape_cert_type => 'server',
7260 &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.com,DNS:s2.com',
7261 &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.com/crl1,URI:http://pki.com/crl2',
7262 );
7263 • P_X509_REQ_get_attr
7265 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7267 requires at least openssl-0.9.7
7268 Returns attribute value for X509_REQ's attribute at index $n.
7270 Net::SSLeay::P_X509_REQ_get_attr($req, $n);
7272 # $req - value corresponding to openssl's X509_REQ structure
7273 # $n - (integer) attribute index
7274 #
7275 # returns: value corresponding to openssl's ASN1_STRING structure
7276 Low level API: X509_CRL_* related functions
7278 • X509_CRL_new
7280 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7282 Creates a new X509_CRL structure.
7284 my $rv = Net::SSLeay::X509_CRL_new();
7286 #
7287 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
7288 • X509_CRL_free
7290 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7292 Free an allocated X509_CRL structure.
7294 Net::SSLeay::X509_CRL_free($x);
7296 # $x - value corresponding to openssl's X509_CRL structure
7297 #
7298 # returns: no return value
7299 • X509_CRL_digest
7301 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7303 Computes digest/fingerprint of X509_CRL $data using $type hash
7305 function.
7306 my $digest_value = Net::SSLeay::X509_CRL_digest($data, $type);
7308 # $data - value corresponding to openssl's X509_CRL structure
7309 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7310 #
7311 # returns: hash value (binary)
7312 Example:
7314 my $x509_crl
7316 my $md = Net::SSLeay::EVP_get_digestbyname("sha1");
7317 my $digest_value = Net::SSLeay::X509_CRL_digest($x509_crl, $md);
7318 #to get printable (hex) value of digest use:
7319 print "digest=", unpack('H*', $digest_value), "\n";
7320 • X509_CRL_get_ext
7322 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7324 Returns X509_EXTENSION from $x509 based on given position/index.
7326 my $rv = Net::SSLeay::X509_CRL_get_ext($x509, $index);
7328 # $x509 - value corresponding to openssl's X509_CRL structure
7329 # $index - (integer) position/index of extension within $x509
7330 #
7331 # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure)
7332 • X509_CRL_get_ext_by_NID
7334 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7336 Returns X509_EXTENSION from $x509 based on given NID.
7338 my $rv = Net::SSLeay::X509_CRL_get_ext_by_NID($x509, $nid, $loc);
7340 # $x509 - value corresponding to openssl's X509_CRL structure
7341 # $nid - (integer) NID value
7342 # $loc - (integer) position to start lookup at
7343 #
7344 # returns: position/index of extension, negative value on error
7345 # call Net::SSLeay::X509_CRL_get_ext($x509, $rv) to get the actual extension
7346 • X509_CRL_get_ext_count
7348 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7350 Returns the total number of extensions in X509_CRL object $x.
7352 my $rv = Net::SSLeay::X509_CRL_get_ext_count($x);
7354 # $x - value corresponding to openssl's X509_CRL structure
7355 #
7356 # returns: count of extensions
7357 • X509_CRL_get_issuer
7359 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7361 Returns X509_NAME object corresponding to the issuer of X509_CRL
7363 $x.
7364 my $rv = Net::SSLeay::X509_CRL_get_issuer($x);
7366 # $x - value corresponding to openssl's X509_CRL structure
7367 #
7368 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7369 See other "X509_NAME_*" functions to get more info from X509_NAME
7371 structure.
7372 • X509_CRL_get_lastUpdate
7374 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7376 Returns 'lastUpdate' date-time value of X509_CRL object $x.
7378 my $rv = Net::SSLeay::X509_CRL_get_lastUpdate($x);
7380 # $x - value corresponding to openssl's X509_CRL structure
7381 #
7382 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
7383 • X509_CRL_get_nextUpdate
7385 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7387 Returns 'nextUpdate' date-time value of X509_CRL object $x.
7389 my $rv = Net::SSLeay::X509_CRL_get_nextUpdate($x);
7391 # $x - value corresponding to openssl's X509_CRL structure
7392 #
7393 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
7394 • X509_CRL_get_version
7396 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7398 Returns 'version' value of given X509_CRL structure $x.
7400 my $rv = Net::SSLeay::X509_CRL_get_version($x);
7402 # $x - value corresponding to openssl's X509_CRL structure
7403 #
7404 # returns: (integer) version
7405 • X509_CRL_set_issuer_name
7407 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7409 requires at least openssl-0.9.7
7410 Sets the issuer of X509_CRL object $x to X509_NAME object $name.
7412 my $rv = Net::SSLeay::X509_CRL_set_issuer_name($x, $name);
7414 # $x - value corresponding to openssl's X509_CRL structure
7415 # $name - value corresponding to openssl's X509_NAME structure
7416 #
7417 # returns: 1 on success, 0 on failure
7418 • X509_CRL_set_lastUpdate
7420 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7422 requires at least openssl-0.9.7
7423 Sets 'lastUpdate' value of X509_CRL object $x to $tm.
7425 my $rv = Net::SSLeay::X509_CRL_set_lastUpdate($x, $tm);
7427 # $x - value corresponding to openssl's X509_CRL structure
7428 # $tm - value corresponding to openssl's ASN1_TIME structure
7429 #
7430 # returns: 1 on success, 0 on failure
7431 • X509_CRL_set_nextUpdate
7433 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7435 requires at least openssl-0.9.7
7436 Sets 'nextUpdate' value of X509_CRL object $x to $tm.
7438 my $rv = Net::SSLeay::X509_CRL_set_nextUpdate($x, $tm);
7440 # $x - value corresponding to openssl's X509_CRL structure
7441 # $tm - value corresponding to openssl's ASN1_TIME structure
7442 #
7443 # returns: 1 on success, 0 on failure
7444 • X509_CRL_set_version
7446 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7448 requires at least openssl-0.9.7
7449 Sets 'version' value of given X509_CRL structure $x to $version.
7451 my $rv = Net::SSLeay::X509_CRL_set_version($x, $version);
7453 # $x - value corresponding to openssl's X509_CRL structure
7454 # $version - (integer) version number (1 = version 2 CRL)
7455 #
7456 # returns: 1 on success, 0 on failure
7457 Note that if you want to use any X509_CRL extension you need to set
7459 "version 2 CRL" - "Net::SSLeay::X509_CRL_set_version($x, 1)".
7460 • X509_CRL_sign
7462 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7464 Sign X509_CRL object $x with private key $pkey (using digest
7466 algorithm $md).
7467 my $rv = Net::SSLeay::X509_CRL_sign($x, $pkey, $md);
7469 # $x - value corresponding to openssl's X509_CRL structure
7470 # $pkey - value corresponding to openssl's EVP_PKEY structure
7471 # $md - value corresponding to openssl's EVP_MD structure
7472 #
7473 # returns: 1 on success, 0 on failure
7474 • X509_CRL_sort
7476 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7478 requires at least openssl-0.9.7
7479 Sorts the data of X509_CRL object so it will be written in serial
7481 number order.
7482 my $rv = Net::SSLeay::X509_CRL_sort($x);
7484 # $x - value corresponding to openssl's X509_CRL structure
7485 #
7486 # returns: 1 on success, 0 on failure
7487 • X509_CRL_verify
7489 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7491 Verifies X509_CRL object $a using public key $r (pubkey of issuing
7493 CA).
7494 my $rv = Net::SSLeay::X509_CRL_verify($a, $r);
7496 # $a - value corresponding to openssl's X509_CRL structure
7497 # $r - value corresponding to openssl's EVP_PKEY structure
7498 #
7499 # returns: 0 - verify failure, 1 - verify OK, <0 - error
7500 • P_X509_CRL_add_revoked_serial_hex
7502 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7504 requires at least openssl-0.9.7
7505 Adds given serial number $serial_hex to X509_CRL object $crl.
7507 Net::SSLeay::P_X509_CRL_add_revoked_serial_hex($crl, $serial_hex, $rev_time, $reason_code, $comp_time);
7509 # $crl - value corresponding to openssl's X509_CRL structure
7510 # $serial_hex - string (hexadecimal) representation of serial number
7511 # $rev_time - (revocation time) value corresponding to openssl's ASN1_TIME structure
7512 # $reason_code - [optional] (integer) reason code (see below) - default 0
7513 # $comp_time - [optional] (compromise time) value corresponding to openssl's ASN1_TIME structure
7514 #
7515 # returns: no return value
7516 reason codes:
7518 0 - unspecified
7519 1 - keyCompromise
7520 2 - CACompromise
7521 3 - affiliationChanged
7522 4 - superseded
7523 5 - cessationOfOperation
7524 6 - certificateHold
7525 7 - removeFromCRL
7526 • P_X509_CRL_get_serial
7528 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7530 requires at least openssl-0.9.7
7531 Returns serial number of X509_CRL object.
7533 my $rv = Net::SSLeay::P_X509_CRL_get_serial($crl);
7535 # $crl - value corresponding to openssl's X509_CRL structure
7536 #
7537 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
7538 • P_X509_CRL_set_serial
7540 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7542 requires at least openssl-0.9.7
7543 Sets serial number of X509_CRL object to $crl_number.
7545 my $rv = Net::SSLeay::P_X509_CRL_set_serial($crl, $crl_number);
7547 # $crl - value corresponding to openssl's X509_CRL structure
7548 # $crl_number - value corresponding to openssl's ASN1_INTEGER structure
7549 #
7550 # returns: 1 on success, 0 on failure
7551 • P_X509_CRL_add_extensions
7553 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
7555 Adds one or more X509 extensions to X509 CRL object $x.
7557 my $rv = Net::SSLeay::P_X509_CRL_add_extensions($x, $ca_cert, $nid, $value);
7559 # $x - value corresponding to openssl's X509 CRL structure
7560 # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier)
7561 # $nid - NID identifying extension to be set
7562 # $value - extension value
7563 #
7564 # returns: 1 on success, 0 on failure
7565 For more details see "P_X509_add_extensions".
7567 Low level API: X509_EXTENSION_* related functions
7569 • X509_EXTENSION_get_critical
7571 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7573 Returns 'critical' flag of given X509_EXTENSION object $ex.
7575 my $rv = Net::SSLeay::X509_EXTENSION_get_critical($ex);
7577 # $ex - value corresponding to openssl's X509_EXTENSION structure
7578 #
7579 # returns: (integer) 1 - critical, 0 - noncritical
7580 • X509_EXTENSION_get_data
7582 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7584 Returns value (raw data) of X509_EXTENSION object $ne.
7586 my $rv = Net::SSLeay::X509_EXTENSION_get_data($ne);
7588 # $ne - value corresponding to openssl's X509_EXTENSION structure
7589 #
7590 # returns: value corresponding to openssl's ASN1_OCTET_STRING structure (0 on failure)
7591 Note: you can use "P_ASN1_STRING_get" to convert ASN1_OCTET_STRING
7593 into perl scalar variable.
7594 • X509_EXTENSION_get_object
7596 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7598 Returns OID (ASN1_OBJECT) of X509_EXTENSION object $ne.
7600 my $rv = Net::SSLeay::X509_EXTENSION_get_object($ex);
7602 # $ex - value corresponding to openssl's X509_EXTENSION structure
7603 #
7604 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
7605 • X509V3_EXT_print
7607 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7609 Returns string representation of given X509_EXTENSION object $ext.
7611 Net::SSLeay::X509V3_EXT_print($ext, $flags, $utf8_decode);
7613 # $ext - value corresponding to openssl's X509_EXTENSION structure
7614 # $flags - [optional] (integer) Currently the flag argument is unused and should be set to 0
7615 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
7616 #
7617 # returns: no return value
7618 • X509V3_EXT_d2i
7620 Parses an extension and returns its internal structure.
7622 my $rv = Net::SSLeay::X509V3_EXT_d2i($ext);
7624 # $ext - value corresponding to openssl's X509_EXTENSION structure
7625 #
7626 # returns: pointer ???
7627 Low level API: X509_NAME_* related functions
7629 • X509_NAME_ENTRY_get_data
7631 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7633 Retrieves the field value of $ne in and ASN1_STRING structure.
7635 my $rv = Net::SSLeay::X509_NAME_ENTRY_get_data($ne);
7637 # $ne - value corresponding to openssl's X509_NAME_ENTRY structure
7638 #
7639 # returns: value corresponding to openssl's ASN1_STRING structure (0 on failure)
7640 Check openssl doc
7642 <http://www.openssl.org/docs/crypto/X509_NAME_ENTRY_get_object.html>
7643 • X509_NAME_ENTRY_get_object
7645 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7647 Retrieves the field name of $ne in and ASN1_OBJECT structure.
7649 my $rv = Net::SSLeay::X509_NAME_ENTRY_get_object($ne);
7651 # $ne - value corresponding to openssl's X509_NAME_ENTRY structure
7652 #
7653 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
7654 Check openssl doc
7656 <http://www.openssl.org/docs/crypto/X509_NAME_ENTRY_get_object.html>
7657 • X509_NAME_new
7659 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
7661 requires at least openssl-0.9.5
7662 Creates a new X509_NAME structure. Adds a field whose name is
7664 defined by a string $field. The field value to be added is in
7665 $bytes.
7666 my $rv = Net::SSLeay::X509_NAME_new();
7668 #
7669 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7670 • X509_NAME_hash
7672 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
7674 requires at least openssl-0.9.5
7675 Sort of a checksum of issuer name $name. The result is not a full
7677 hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of
7678 'unsigned long' (32 bits). The resulting value might differ across
7679 different openssl versions for the same X509 certificate.
7680 my $rv = Net::SSLeay::X509_NAME_hash($name);
7682 # $name - value corresponding to openssl's X509_NAME structure
7683 #
7684 # returns: number representing checksum
7685 • X509_NAME_add_entry_by_txt
7687 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7689 requires at least openssl-0.9.5
7690 Adds a field whose name is defined by a string $field. The field
7692 value to be added is in $bytes.
7693 my $rv = Net::SSLeay::X509_NAME_add_entry_by_txt($name, $field, $type, $bytes, $len, $loc, $set);
7695 # $name - value corresponding to openssl's X509_NAME structure
7696 # $field - (string) field definition (name) - e.g. "organizationName"
7697 # $type - (integer) type of data in $bytes (see below)
7698 # $bytes - data to be set
7699 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7700 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7701 #
7702 # returns: 1 on success, 0 on failure
7703 # values for $type - use constants:
7705 &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data
7706 &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data
7707 Unicode note: when passing non-ascii (unicode) string in $bytes do
7709 not forget to set "$flags = &Net::SSLeay::MBSTRING_UTF8" and encode
7710 the perl $string via "$bytes = encode('utf-8', $string)".
7711 Check openssl doc
7713 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7714 • X509_NAME_add_entry_by_NID
7716 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7718 requires at least openssl-0.9.5
7719 Adds a field whose name is defined by a NID $nid. The field value
7721 to be added is in $bytes.
7722 my $rv = Net::SSLeay::X509_NAME_add_entry_by_NID($name, $nid, $type, $bytes, $len, $loc, $set);
7724 # $name - value corresponding to openssl's X509_NAME structure
7725 # $nid - (integer) field definition - NID value
7726 # $type - (integer) type of data in $bytes (see below)
7727 # $bytes - data to be set
7728 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7729 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7730 #
7731 # returns: 1 on success, 0 on failure
7732 Check openssl doc
7734 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7735 • X509_NAME_add_entry_by_OBJ
7737 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7739 requires at least openssl-0.9.5
7740 Adds a field whose name is defined by a object (OID) $obj . The
7742 field value to be added is in $bytes.
7743 my $rv = Net::SSLeay::X509_NAME_add_entry_by_OBJ($name, $obj, $type, $bytes, $len, $loc, $set);
7745 # $name - value corresponding to openssl's X509_NAME structure
7746 # $obj - field definition - value corresponding to openssl's ASN1_OBJECT structure
7747 # $type - (integer) type of data in $bytes (see below)
7748 # $bytes - data to be set
7749 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7750 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7751 #
7752 # returns: 1 on success, 0 on failure
7753 Check openssl doc
7755 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7756 • X509_NAME_cmp
7758 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7760 Compares two X509_NAME obejcts.
7762 my $rv = Net::SSLeay::X509_NAME_cmp($a, $b);
7764 # $a - value corresponding to openssl's X509_NAME structure
7765 # $b - value corresponding to openssl's X509_NAME structure
7766 #
7767 # returns: 0 if $a matches $b; non zero otherwise
7768 • X509_NAME_digest
7770 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7772 Computes digest/fingerprint of X509_NAME $data using $type hash
7774 function.
7775 my $digest_value = Net::SSLeay::X509_NAME_digest($data, $type);
7777 # $data - value corresponding to openssl's X509_NAME structure
7778 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7779 #
7780 # returns: hash value (binary)
7781 #to get printable (hex) value of digest use:
7783 print unpack('H*', $digest_value);
7784 • X509_NAME_entry_count
7786 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7788 Returns the total number of entries in $name.
7790 my $rv = Net::SSLeay::X509_NAME_entry_count($name);
7792 # $name - value corresponding to openssl's X509_NAME structure
7793 #
7794 # returns: (integer) entries count
7795 Check openssl doc
7797 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7798 • X509_NAME_get_entry
7800 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7802 Retrieves the X509_NAME_ENTRY from $name corresponding to index
7804 $loc. Acceptable values for $loc run from 0 to
7805 "Net::SSLeay::X509_NAME_entry_count($name)- 1". The value returned
7806 is an internal pointer which must not be freed.
7807 my $rv = Net::SSLeay::X509_NAME_get_entry($name, $loc);
7809 # $name - value corresponding to openssl's X509_NAME structure
7810 # $loc - (integer) index of wanted entry
7811 #
7812 # returns: value corresponding to openssl's X509_NAME_ENTRY structure (0 on failure)
7813 Check openssl doc
7815 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7816 • X509_NAME_print_ex
7818 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7820 Returns a string with human readable version of $name.
7822 Net::SSLeay::X509_NAME_print_ex($name, $flags, $utf8_decode);
7824 # $name - value corresponding to openssl's X509_NAME structure
7825 # $flags - [optional] conversion flags (default XN_FLAG_RFC2253) - see below
7826 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
7827 #
7828 # returns: string representation of $name
7829 #available conversion flags - use constants:
7831 &Net::SSLeay::XN_FLAG_COMPAT
7832 &Net::SSLeay::XN_FLAG_DN_REV
7833 &Net::SSLeay::XN_FLAG_DUMP_UNKNOWN_FIELDS
7834 &Net::SSLeay::XN_FLAG_FN_ALIGN
7835 &Net::SSLeay::XN_FLAG_FN_LN
7836 &Net::SSLeay::XN_FLAG_FN_MASK
7837 &Net::SSLeay::XN_FLAG_FN_NONE
7838 &Net::SSLeay::XN_FLAG_FN_OID
7839 &Net::SSLeay::XN_FLAG_FN_SN
7840 &Net::SSLeay::XN_FLAG_MULTILINE
7841 &Net::SSLeay::XN_FLAG_ONELINE
7842 &Net::SSLeay::XN_FLAG_RFC2253
7843 &Net::SSLeay::XN_FLAG_SEP_COMMA_PLUS
7844 &Net::SSLeay::XN_FLAG_SEP_CPLUS_SPC
7845 &Net::SSLeay::XN_FLAG_SEP_MASK
7846 &Net::SSLeay::XN_FLAG_SEP_MULTILINE
7847 &Net::SSLeay::XN_FLAG_SEP_SPLUS_SPC
7848 &Net::SSLeay::XN_FLAG_SPC_EQ
7849 Most likely you will be fine with default:
7851 Net::SSLeay::X509_NAME_print_ex($name, &Net::SSLeay::XN_FLAG_RFC2253);
7853 Or you might want RFC2253-like output without utf8 chars escaping:
7855 use Net::SSLeay qw/XN_FLAG_RFC2253 ASN1_STRFLGS_ESC_MSB/;
7857 my $flag_rfc22536_utf8 = (XN_FLAG_RFC2253) & (~ ASN1_STRFLGS_ESC_MSB);
7858 my $result = Net::SSLeay::X509_NAME_print_ex($name, $flag_rfc22536_utf8, 1);
7859 Check openssl doc
7861 <http://www.openssl.org/docs/crypto/X509_NAME_print_ex.html>
7862 • X509_NAME_get_text_by_NID
7864 Retrieves the text from the first entry in name which matches $nid,
7866 if no such entry exists -1 is returned.
7867 openssl note: this is a legacy function which has various
7869 limitations which makes it of minimal use in practice. It can only
7870 find the first matching entry and will copy the contents of the
7871 field verbatim: this can be highly confusing if the target is a
7872 multicharacter string type like a BMPString or a UTF8String.
7873 Net::SSLeay::X509_NAME_get_text_by_NID($name, $nid);
7875 # $name - value corresponding to openssl's X509_NAME structure
7876 # $nid - NID value (integer)
7877 #
7878 # returns: text value
7879 Check openssl doc
7881 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7882 • X509_NAME_oneline
7884 Return an ASCII version of $name.
7886 Net::SSLeay::X509_NAME_oneline($name);
7888 # $name - value corresponding to openssl's X509_NAME structure
7889 #
7890 # returns: (string) ASCII version of $name
7891 Check openssl doc
7893 <http://www.openssl.org/docs/crypto/X509_NAME_print_ex.html>
7894 • sk_X509_NAME_free
7896 Free an allocated STACK_OF(X509_NAME) structure.
7898 Net::SSLeay::sk_X509_NAME_free($sk);
7900 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7901 #
7902 # returns: no return value
7903 • sk_X509_NAME_num
7905 Return number of items in STACK_OF(X509_NAME)
7907 my $rv = Net::SSLeay::sk_X509_NAME_num($sk);
7909 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7910 #
7911 # returns: number of items
7912 • sk_X509_NAME_value
7914 Returns X509_NAME from position $index in STACK_OF(X509_NAME)
7916 my $rv = Net::SSLeay::sk_X509_NAME_value($sk, $i);
7918 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7919 # $i - (integer) index/position
7920 #
7921 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7922 • add_file_cert_subjects_to_stack
7924 Add a file of certs to a stack. All certs in $file that are not
7926 already in the $stackCAs will be added.
7927 my $rv = Net::SSLeay::add_file_cert_subjects_to_stack($stackCAs, $file);
7929 # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure
7930 # $file - (string) filename
7931 #
7932 # returns: 1 on success, 0 on failure
7933 • add_dir_cert_subjects_to_stack
7935 Add a directory of certs to a stack. All certs in $dir that are not
7937 already in the $stackCAs will be added.
7938 my $rv = Net::SSLeay::add_dir_cert_subjects_to_stack($stackCAs, $dir);
7940 # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure
7941 # $dir - (string) the directory to append from. All files in this directory will be examined as potential certs. Any that are acceptable to SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be included.
7942 #
7943 # returns: 1 on success, 0 on failure
7944 Low level API: X509_STORE_* related functions
7946 • X509_STORE_CTX_new
7948 returns a newly initialised X509_STORE_CTX structure.
7950 • X509_STORE_CTX_init
7952 X509_STORE_CTX_init() sets up an X509_STORE_CTX for a subsequent
7954 verification operation. It must be called before each call to
7955 X509_verify_cert().
7956 Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store,
7958 $x509, $chain);
7959 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7961 structure (required) # $x509_store - value corresponding to
7962 openssl's X509_STORE structure (optional) # $x509 - value
7963 corresponding to openssl's X509 structure (optional) # $chain -
7964 value corresponding to openssl's STACK_OF(X509) structure
7965 (optional)
7966 Check openssl doc
7968 <https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html>
7969 • X509_STORE_CTX_free
7971 Frees an X509_STORE_CTX structure.
7973 Net::SSLeay::X509_STORE_CTX_free($x509_store_ctx);
7975 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7977 structure
7978 • X509_verify_cert
7980 The X509_verify_cert() function attempts to discover and validate a
7982 certificate chain based on parameters in ctx. A complete
7983 description of the process is contained in the verify(1) manual
7984 page.
7985 If this function returns 0, use X509_STORE_CTX_get_error to get
7987 additional error information.
7988 my $rv = Net::SSLeay::X509_verify_cert($x509_store_ctx); #
7990 $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7991 structure # # returns: 1 if a complete chain can be built and
7992 validated, otherwise 0
7993 Check openssl doc
7995 <https://www.openssl.org/docs/manmaster/man3/X509_verify_cert.html>
7996 • X509_STORE_CTX_get_current_cert
7998 Returns the certificate in ctx which caused the error or 0 if no
8000 certificate is relevant.
8001 my $rv = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
8003 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8004 #
8005 # returns: value corresponding to openssl's X509 structure (0 on failure)
8006 Check openssl doc
8008 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8009 • X509_STORE_CTX_get0_cert
8011 COMPATIBILITY: not available in Net-SSLeay-1.88 and before;
8013 requires at least OpenSSL 1.1.0pre6 or LibreSSL 2.7.0
8014 Returns an internal pointer to the certificate being verified by
8016 the ctx.
8017 my $x509 = Net::SSLeay::X509_STORE_CTX_get0_cert($x509_store_ctx);
8019 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8020 #
8021 # returns: value corresponding to openssl's X509 structure
8022 Check openssl doc
8024 <https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get0_cert.html>
8025 • X509_STORE_CTX_get1_chain
8027 Returns a returns a complete validate chain if a previous call to
8029 X509_verify_cert() is successful.
8030 my $rv = Net::SSLeay::X509_STORE_CTX_get1_chain($x509_store_ctx);
8032 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8033 #
8034 # returns: value corresponding to openssl's STACK_OF(X509) structure
8035 Check openssl doc
8037 <https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get1_chain.html>
8038 • X509_STORE_CTX_get_error
8040 Returns the error code of $ctx.
8042 my $rv = Net::SSLeay::X509_STORE_CTX_get_error($x509_store_ctx);
8044 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8045 #
8046 # returns: (integer) error code
8047 For more info about erro code values check function
8049 "get_verify_result".
8050 Check openssl doc
8052 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8053 • X509_STORE_CTX_get_error_depth
8055 Returns the depth of the error. This is a non-negative integer
8057 representing where in the certificate chain the error occurred. If
8058 it is zero it occurred in the end entity certificate, one if it is
8059 the certificate which signed the end entity certificate and so on.
8060 my $rv = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
8062 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8063 #
8064 # returns: (integer) depth
8065 Check openssl doc
8067 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8068 • X509_STORE_CTX_get_ex_data
8070 Is used to retrieve the information for $idx from $x509_store_ctx.
8072 my $rv = Net::SSLeay::X509_STORE_CTX_get_ex_data($x509_store_ctx, $idx);
8074 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8075 # $idx - (integer) index for application specific data
8076 #
8077 # returns: pointer to ???
8078 • X509_STORE_CTX_set_ex_data
8080 Is used to store application data at arg for idx into
8082 $x509_store_ctx.
8083 my $rv = Net::SSLeay::X509_STORE_CTX_set_ex_data($x509_store_ctx, $idx, $data);
8085 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8086 # $idx - (integer) ???
8087 # $data - (pointer) ???
8088 #
8089 # returns: 1 on success, 0 on failure
8090 • X509_STORE_CTX_set_cert
8092 Sets the certificate to be verified in $x509_store_ctx to $x.
8094 Net::SSLeay::X509_STORE_CTX_set_cert($x509_store_ctx, $x);
8096 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8097 # $x - value corresponding to openssl's X509 structure
8098 #
8099 # returns: no return value
8100 Check openssl doc
8102 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_new.html>
8103 • X509_STORE_new
8105 Returns a newly initialized X509_STORE structure.
8107 my $rv = Net::SSLeay::X509_STORE_new(); # # returns: value
8109 corresponding to openssl's X509_STORE structure (0 on failure)
8110 • X509_STORE_free
8112 Frees an X509_STORE structure
8114 Net::SSLeay::X509_STORE_free($x509_store); # $x509_store - value
8116 corresponding to openssl's X509_STORE structure
8117 • X509_STORE_add_lookup
8119 Adds a lookup to an X509_STORE for a given lookup method.
8121 my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; my $rv =
8123 Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); # $method
8124 - value corresponding to openssl's X509_LOOKUP_METHOD structure #
8125 $x509_store - value corresponding to openssl's X509_STORE structure
8126 # # returns: value corresponding to openssl's X509_LOOKUP structure
8127 Check openssl doc
8129 <https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
8130 • X509_STORE_CTX_set_error
8132 Sets the error code of $ctx to $s. For example it might be used in
8134 a verification callback to set an error based on additional checks.
8135 Net::SSLeay::X509_STORE_CTX_set_error($x509_store_ctx, $s);
8137 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8138 # $s - (integer) error id
8139 #
8140 # returns: no return value
8141 Check openssl doc
8143 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8144 • X509_STORE_add_cert
8146 Adds X509 certificate $x into the X509_STORE $store.
8148 my $rv = Net::SSLeay::X509_STORE_add_cert($store, $x);
8150 # $store - value corresponding to openssl's X509_STORE structure
8151 # $x - value corresponding to openssl's X509 structure
8152 #
8153 # returns: 1 on success, 0 on failure
8154 • X509_STORE_add_crl
8156 Adds X509 CRL $x into the X509_STORE $store.
8158 my $rv = Net::SSLeay::X509_STORE_add_crl($store, $x);
8160 # $store - value corresponding to openssl's X509_STORE structure
8161 # $x - value corresponding to openssl's X509_CRL structure
8162 #
8163 # returns: 1 on success, 0 on failure
8164 • X509_STORE_set1_param
8166 ??? (more info needed)
8168 my $rv = Net::SSLeay::X509_STORE_set1_param($store, $pm);
8170 # $store - value corresponding to openssl's X509_STORE structure
8171 # $pm - value corresponding to openssl's X509_VERIFY_PARAM structure
8172 #
8173 # returns: 1 on success, 0 on failure
8174 • X509_LOOKUP_hash_dir
8176 Returns an X509_LOOKUP structure that instructs an X509_STORE to
8178 load files from a directory containing certificates with filenames
8179 in the format hash.N or crls with filenames in the format hash.rN
8180 my $rv = Net::SSLeay::X509_LOOKUP_hash_dir(); # # returns: value
8182 corresponding to openssl's X509_LOOKUP_METHOD structure, with the
8183 hashed directory method
8184 Check openssl doc
8186 <https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
8187 • X509_LOOKUP_add_dir
8189 Add a directory to an X509_LOOKUP structure, usually obtained from
8191 X509_STORE_add_lookup.
8192 my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; my $lookup =
8194 Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); my $type
8195 = &Net::SSLeay::X509_FILETYPE_PEM;
8196 Net::SSLeay::X509_LOOKUP_add_dir($lookup, $dir, $type); # $lookup -
8197 value corresponding to openssl's X509_LOOKUP structure # $dir -
8198 string path to a directory s# $type - constant corresponding to the
8199 type of file in the directory - can be X509_FILETYPE_PEM,
8200 X509_FILETYPE_DEFAULT, or X509_FILETYPE_ASN1
8201 • X509_STORE_set_flags
8203 Net::SSLeay::X509_STORE_set_flags($ctx, $flags);
8205 # $ctx - value corresponding to openssl's X509_STORE structure
8206 # $flags - (unsigned long) flags to be set (bitmask)
8207 #
8208 # returns: no return value
8209 #to create $flags value use corresponding constants like
8211 $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK();
8212 For more details about $flags bitmask see
8214 "X509_VERIFY_PARAM_set_flags".
8215 • X509_STORE_set_purpose
8217 Net::SSLeay::X509_STORE_set_purpose($ctx, $purpose);
8219 # $ctx - value corresponding to openssl's X509_STORE structure
8220 # $purpose - (integer) purpose identifier
8221 #
8222 # returns: no return value
8223 For more details about $purpose identifier check "CTX_set_purpose".
8225 • X509_STORE_set_trust
8227 Net::SSLeay::X509_STORE_set_trust($ctx, $trust);
8229 # $ctx - value corresponding to openssl's X509_STORE structure
8230 # $trust - (integer) trust identifier
8231 #
8232 # returns: no return value
8233 For more details about $trust identifier check "CTX_set_trust".
8235 Low Level API: X509_INFO related functions
8237 • sk_X509_INFO_num
8239 Returns the number of values in a STACK_OF(X509_INFO) structure.
8241 my $rv = Net::SSLeay::sk_X509_INFO_num($sk_x509_info);
8243 # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure
8244 #
8245 # returns: number of values in $sk_X509_info
8246 • sk_X509_INFO_value
8248 Returns the value of a STACK_OF(X509_INFO) structure at a given
8250 index.
8251 my $rv = Net::SSLeay::sk_X509_INFO_value($sk_x509_info, $index);
8253 # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure
8254 # $index - index into the stack
8255 #
8256 # returns: value corresponding to openssl's X509_INFO structure at the given index
8257 • P_X509_INFO_get_x509
8259 Returns the X509 structure stored in an X509_INFO structure.
8261 my $rv = Net::SSLeay::P_X509_INFO_get_x509($x509_info);
8263 # $x509_info - value corresponding to openssl's X509_INFO structure
8264 #
8265 # returns: value corresponding to openssl's X509 structure
8266 Low level API: X509_VERIFY_PARAM_* related functions
8268 • X509_VERIFY_PARAM_add0_policy
8270 Enables policy checking (it is disabled by default) and adds
8272 $policy to the acceptable policy set.
8273 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_policy($param, $policy);
8275 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8276 # $policy - value corresponding to openssl's ASN1_OBJECT structure
8277 #
8278 # returns: 1 on success, 0 on failure
8279 Check openssl doc
8281 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8282 • X509_VERIFY_PARAM_add0_table
8284 ??? (more info needed)
8286 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_table($param);
8288 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8289 #
8290 # returns: 1 on success, 0 on failure
8291 • X509_VERIFY_PARAM_add1_host
8293 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8295 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8296 Adds an additional reference identifier that can match the peer's
8298 certificate.
8299 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add1_host($param, $name);
8301 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8302 # $name - (string) name to be set
8303 #
8304 # returns: 1 on success, 0 on failure
8305 See also OpenSSL docs, "X509_VERIFY_PARAM_set1_host" and
8307 "X509_VERIFY_PARAM_set_hostflags" for more information, including
8308 wildcard matching.
8309 Check openssl doc
8311 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8312 • X509_VERIFY_PARAM_clear_flags
8314 Clears the flags $flags in param.
8316 my $rv = Net::SSLeay::X509_VERIFY_PARAM_clear_flags($param, $flags);
8318 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8319 # $flags - (unsigned long) flags to be set (bitmask)
8320 #
8321 # returns: 1 on success, 0 on failure
8322 For more details about $flags bitmask see
8324 "X509_VERIFY_PARAM_set_flags".
8325 Check openssl doc
8327 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8328 • X509_VERIFY_PARAM_free
8330 Frees up the X509_VERIFY_PARAM structure.
8332 Net::SSLeay::X509_VERIFY_PARAM_free($param);
8334 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8335 #
8336 # returns: no return value
8337 • X509_VERIFY_PARAM_get0_peername
8339 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8341 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8342 Returns the DNS hostname or subject CommonName from the peer
8344 certificate that matched one of the reference identifiers.
8345 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get0_peername($param);
8347 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8348 #
8349 # returns: (string) name e.g. '*.example.com' or undef
8350 Check openssl doc
8352 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8353 • X509_VERIFY_PARAM_get_depth
8355 Returns the current verification depth.
8357 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_depth($param);
8359 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8360 #
8361 # returns: (ineger) depth
8362 Check openssl doc
8364 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8365 • X509_VERIFY_PARAM_get_flags
8367 Returns the current verification flags.
8369 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_flags($param);
8371 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8372 #
8373 # returns: (unsigned long) flags to be set (bitmask)
8374 For more details about returned flags bitmask see
8376 "X509_VERIFY_PARAM_set_flags".
8377 Check openssl doc
8379 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8380 • X509_VERIFY_PARAM_set_flags
8382 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_flags($param, $flags);
8384 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8385 # $flags - (unsigned long) flags to be set (bitmask)
8386 #
8387 # returns: 1 on success, 0 on failure
8388 #to create $flags value use corresponding constants like
8390 $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK();
8391 For more details about $flags bitmask, see the OpenSSL docs below.
8393 Check openssl doc
8395 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8396 • X509_VERIFY_PARAM_inherit
8398 ??? (more info needed)
8400 my $rv = Net::SSLeay::X509_VERIFY_PARAM_inherit($to, $from);
8402 # $to - value corresponding to openssl's X509_VERIFY_PARAM structure
8403 # $from - value corresponding to openssl's X509_VERIFY_PARAM structure
8404 #
8405 # returns: 1 on success, 0 on failure
8406 • X509_VERIFY_PARAM_lookup
8408 Finds X509_VERIFY_PARAM by name.
8410 my $rv = Net::SSLeay::X509_VERIFY_PARAM_lookup($name);
8412 # $name - (string) name we want to find
8413 #
8414 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure)
8415 • X509_VERIFY_PARAM_new
8417 Creates a new X509_VERIFY_PARAM structure.
8419 my $rv = Net::SSLeay::X509_VERIFY_PARAM_new();
8421 #
8422 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure)
8423 • X509_VERIFY_PARAM_set1
8425 Sets the name of X509_VERIFY_PARAM structure $to to the same value
8427 as the name of X509_VERIFY_PARAM structure $from.
8428 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1($to, $from);
8430 # $to - value corresponding to openssl's X509_VERIFY_PARAM structure
8431 # $from - value corresponding to openssl's X509_VERIFY_PARAM structure
8432 #
8433 # returns: 1 on success, 0 on failure
8434 • X509_VERIFY_PARAM_set1_email
8436 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8438 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8439 Sets the expected RFC822 email address to email.
8441 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_email($param, $email);
8443 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8444 # $email - (string) email to be set
8445 #
8446 # returns: 1 on success, 0 on failure
8447 Check openssl doc
8449 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8450 • X509_VERIFY_PARAM_set1_host
8452 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8454 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8455 Sets the expected DNS hostname to name clearing any previously
8457 specified host name or names.
8458 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_host($param, $name);
8460 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8461 # $name - (string) name to be set
8462 #
8463 # returns: 1 on success, 0 on failure
8464 See also OpenSSL docs, "X509_VERIFY_PARAM_add1_host" and
8466 "X509_VERIFY_PARAM_set_hostflags" for more information, including
8467 wildcard matching.
8468 Check openssl doc
8470 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8471 • X509_VERIFY_PARAM_set1_ip
8473 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8475 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8476 Sets the expected IP address to ip.
8478 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_ip($param, $ip);
8480 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8481 # $ip - (binary) 4 octet IPv4 or 16 octet IPv6 address
8482 #
8483 # returns: 1 on success, 0 on failure
8484 Check openssl doc
8486 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8487 • X509_VERIFY_PARAM_set1_ip_asc
8489 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8491 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8492 Sets the expected IP address to ipasc.
8494 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_asc($param, $ipasc);
8496 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8497 # $ip - (string) IPv4 or IPv6 address
8498 #
8499 # returns: 1 on success, 0 on failure
8500 Check openssl doc
8502 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8503 • X509_VERIFY_PARAM_set1_name
8505 Sets the name of X509_VERIFY_PARAM structure $param to $name.
8507 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_name($param, $name);
8509 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8510 # $name - (string) name to be set
8511 #
8512 # returns: 1 on success, 0 on failure
8513 • X509_VERIFY_PARAM_set1_policies
8515 Enables policy checking (it is disabled by default) and sets the
8517 acceptable policy set to policies. Any existing policy set is
8518 cleared. The policies parameter can be 0 to clear an existing
8519 policy set.
8520 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_policies($param, $policies);
8522 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8523 # $policies - value corresponding to openssl's STACK_OF(ASN1_OBJECT) structure
8524 #
8525 # returns: 1 on success, 0 on failure
8526 Check openssl doc
8528 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8529 • X509_VERIFY_PARAM_set_depth
8531 Sets the maximum verification depth to depth. That is the maximum
8533 number of untrusted CA certificates that can appear in a chain.
8534 Net::SSLeay::X509_VERIFY_PARAM_set_depth($param, $depth);
8536 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8537 # $depth - (integer) depth to be set
8538 #
8539 # returns: no return value
8540 Check openssl doc
8542 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8543 • X509_VERIFY_PARAM_set_hostflags
8545 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8547 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8548 Net::SSLeay::X509_VERIFY_PARAM_set_hostflags($param, $flags);
8550 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8551 # $flags - (unsigned int) flags to be set (bitmask)
8552 #
8553 # returns: no return value
8554 See also OpenSSL docs, "X509_VERIFY_PARAM_add1_host" and
8556 "X509_VERIFY_PARAM_set1_host" for more information. The flags for
8557 controlling wildcard checks and other features are defined in
8558 OpenSSL docs.
8559 Check openssl doc
8561 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8562 • X509_VERIFY_PARAM_set_purpose
8564 Sets the verification purpose in $param to $purpose. This
8566 determines the acceptable purpose of the certificate chain, for
8567 example SSL client or SSL server.
8568 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_purpose($param, $purpose);
8570 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8571 # $purpose - (integer) purpose identifier
8572 #
8573 # returns: 1 on success, 0 on failure
8574 For more details about $purpose identifier check "CTX_set_purpose".
8576 Check openssl doc
8578 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8579 • X509_VERIFY_PARAM_set_time
8581 Sets the verification time in $param to $t. Normally the current
8583 time is used.
8584 Net::SSLeay::X509_VERIFY_PARAM_set_time($param, $t);
8586 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8587 # $t - (time_t) time in seconds since 1.1.1970
8588 #
8589 # returns: no return value
8590 Check openssl doc
8592 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8593 • X509_VERIFY_PARAM_set_trust
8595 Sets the trust setting in $param to $trust.
8597 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_trust($param, $trust);
8599 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8600 # $trust - (integer) trust identifier
8601 #
8602 # returns: 1 on success, 0 on failure
8603 For more details about $trust identifier check "CTX_set_trust".
8605 Check openssl doc
8607 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8608 • X509_VERIFY_PARAM_table_cleanup
8610 ??? (more info needed)
8612 Net::SSLeay::X509_VERIFY_PARAM_table_cleanup();
8614 #
8615 # returns: no return value
8616 Low level API: Cipher (EVP_CIPHER_*) related functions
8618 • EVP_get_cipherbyname
8620 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
8622 Returns an EVP_CIPHER structure when passed a cipher name.
8624 my $rv = Net::SSLeay::EVP_get_cipherbyname($name);
8626 # $name - (string) cipher name e.g. 'aes-128-cbc', 'camellia-256-ecb', 'des-ede', ...
8627 #
8628 # returns: value corresponding to openssl's EVP_CIPHER structure
8629 Check openssl doc
8631 <http://www.openssl.org/docs/crypto/EVP_EncryptInit.html>
8632 Low level API: Digest (EVP_MD_*) related functions
8634 • OpenSSL_add_all_digests
8636 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8638 Net::SSLeay::OpenSSL_add_all_digests();
8640 # no args, no return value
8641 http://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html
8643 • P_EVP_MD_list_all
8645 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8647 requires at least openssl-1.0.0
8648 NOTE: Does not exactly correspond to any low level API function
8650 my $rv = Net::SSLeay::P_EVP_MD_list_all();
8652 #
8653 # returns: arrayref - list of available digest names
8654 The returned digest names correspond to values expected by
8656 "EVP_get_digestbyname".
8657 Note that some of the digests are available by default and some
8659 only after calling "OpenSSL_add_all_digests".
8660 • EVP_get_digestbyname
8662 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8664 my $rv = Net::SSLeay::EVP_get_digestbyname($name);
8666 # $name - string with digest name
8667 #
8668 # returns: value corresponding to openssl's EVP_MD structure
8669 The $name param can be:
8671 md2
8673 md4
8674 md5
8675 mdc2
8676 ripemd160
8677 sha
8678 sha1
8679 sha224
8680 sha256
8681 sha512
8682 whirlpool
8683 Or better check the supported digests by calling
8685 "P_EVP_MD_list_all".
8686 • EVP_MD_type
8688 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8690 my $rv = Net::SSLeay::EVP_MD_type($md);
8692 # $md - value corresponding to openssl's EVP_MD structure
8693 #
8694 # returns: the NID (integer) of the OBJECT IDENTIFIER representing the given message digest
8695 • EVP_MD_size
8697 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8699 my $rv = Net::SSLeay::EVP_MD_size($md);
8701 # $md - value corresponding to openssl's EVP_MD structure
8702 #
8703 # returns: the size of the message digest in bytes (e.g. 20 for SHA1)
8704 • EVP_MD_CTX_md
8706 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8708 requires at least openssl-0.9.7
8709 Net::SSLeay::EVP_MD_CTX_md($ctx);
8711 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8712 #
8713 # returns: value corresponding to openssl's EVP_MD structure
8714 • EVP_MD_CTX_create
8716 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8718 requires at least openssl-0.9.7
8719 Allocates, initializes and returns a digest context.
8721 my $rv = Net::SSLeay::EVP_MD_CTX_create();
8723 #
8724 # returns: value corresponding to openssl's EVP_MD_CTX structure
8725 The complete idea behind EVP_MD_CTX looks like this example:
8727 Net::SSLeay::OpenSSL_add_all_digests();
8729 my $md = Net::SSLeay::EVP_get_digestbyname("sha1");
8731 my $ctx = Net::SSLeay::EVP_MD_CTX_create();
8732 Net::SSLeay::EVP_DigestInit($ctx, $md);
8733 while(my $chunk = get_piece_of_data()) {
8735 Net::SSLeay::EVP_DigestUpdate($ctx,$chunk);
8736 }
8737 my $result = Net::SSLeay::EVP_DigestFinal($ctx);
8739 Net::SSLeay::EVP_MD_CTX_destroy($ctx);
8740 print "digest=", unpack('H*', $result), "\n"; #print hex value
8742 • EVP_DigestInit_ex
8744 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8746 requires at least openssl-0.9.7
8747 Sets up digest context $ctx to use a digest $type from ENGINE
8749 $impl, $ctx must be initialized before calling this function, type
8750 will typically be supplied by a function such as
8751 "EVP_get_digestbyname". If $impl is 0 then the default
8752 implementation of digest $type is used.
8753 my $rv = Net::SSLeay::EVP_DigestInit_ex($ctx, $type, $impl);
8755 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8756 # $type - value corresponding to openssl's EVP_MD structure
8757 # $impl - value corresponding to openssl's ENGINE structure
8758 #
8759 # returns: 1 for success and 0 for failure
8760 • EVP_DigestInit
8762 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8764 requires at least openssl-0.9.7
8765 Behaves in the same way as "EVP_DigestInit_ex" except the passed
8767 context $ctx does not have to be initialized, and it always uses
8768 the default digest implementation.
8769 my $rv = Net::SSLeay::EVP_DigestInit($ctx, $type);
8771 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8772 # $type - value corresponding to openssl's EVP_MD structure
8773 #
8774 # returns: 1 for success and 0 for failure
8775 • EVP_MD_CTX_destroy
8777 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8779 requires at least openssl-0.9.7
8780 Cleans up digest context $ctx and frees up the space allocated to
8782 it, it should be called only on a context created using
8783 "EVP_MD_CTX_create".
8784 Net::SSLeay::EVP_MD_CTX_destroy($ctx);
8786 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8787 #
8788 # returns: no return value
8789 • EVP_DigestUpdate
8791 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8793 requires at least openssl-0.9.7
8794 my $rv = Net::SSLeay::EVP_DigestUpdate($ctx, $data);
8796 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8797 # $data - data to be hashed
8798 #
8799 # returns: 1 for success and 0 for failure
8800 • EVP_DigestFinal_ex
8802 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8804 requires at least openssl-0.9.7
8805 Retrieves the digest value from $ctx. After calling
8807 "EVP_DigestFinal_ex" no additional calls to "EVP_DigestUpdate" can
8808 be made, but "EVP_DigestInit_ex" can be called to initialize a new
8809 digest operation.
8810 my $digest_value = Net::SSLeay::EVP_DigestFinal_ex($ctx);
8812 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8813 #
8814 # returns: hash value (binary)
8815 #to get printable (hex) value of digest use:
8817 print unpack('H*', $digest_value);
8818 • EVP_DigestFinal
8820 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8822 requires at least openssl-0.9.7
8823 Similar to "EVP_DigestFinal_ex" except the digest context ctx is
8825 automatically cleaned up.
8826 my $rv = Net::SSLeay::EVP_DigestFinal($ctx);
8828 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8829 #
8830 # returns: hash value (binary)
8831 #to get printable (hex) value of digest use:
8833 print unpack('H*', $digest_value);
8834 • MD2
8836 COMPATIBILITY: no supported by default in openssl-1.0.0
8838 Computes MD2 from given $data (all data needs to be loaded into
8840 memory)
8841 my $digest = Net::SSLeay::MD2($data);
8843 print "digest(hexadecimal)=", unpack('H*', $digest);
8844 • MD4
8846 Computes MD4 from given $data (all data needs to be loaded into
8848 memory)
8849 my $digest = Net::SSLeay::MD4($data);
8851 print "digest(hexadecimal)=", unpack('H*', $digest);
8852 • MD5
8854 Computes MD5 from given $data (all data needs to be loaded into
8856 memory)
8857 my $digest = Net::SSLeay::MD5($data);
8859 print "digest(hexadecimal)=", unpack('H*', $digest);
8860 • RIPEMD160
8862 Computes RIPEMD160 from given $data (all data needs to be loaded
8864 into memory)
8865 my $digest = Net::SSLeay::RIPEMD160($data);
8867 print "digest(hexadecimal)=", unpack('H*', $digest);
8868 • SHA1
8870 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8872 Computes SHA1 from given $data (all data needs to be loaded into
8874 memory)
8875 my $digest = Net::SSLeay::SHA1($data);
8877 print "digest(hexadecimal)=", unpack('H*', $digest);
8878 • SHA256
8880 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8882 requires at least openssl-0.9.8
8883 Computes SHA256 from given $data (all data needs to be loaded into
8885 memory)
8886 my $digest = Net::SSLeay::SHA256($data);
8888 print "digest(hexadecimal)=", unpack('H*', $digest);
8889 • SHA512
8891 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8893 requires at least openssl-0.9.8
8894 Computes SHA512 from given $data (all data needs to be loaded into
8896 memory)
8897 my $digest = Net::SSLeay::SHA512($data);
8899 print "digest(hexadecimal)=", unpack('H*', $digest);
8900 • EVP_Digest
8902 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8904 requires at least openssl-0.9.7
8905 Computes "any" digest from given $data (all data needs to be loaded
8907 into memory)
8908 my $md = Net::SSLeay::EVP_get_digestbyname("sha1"); #or any other algorithm
8910 my $digest = Net::SSLeay::EVP_Digest($data, $md);
8911 print "digest(hexadecimal)=", unpack('H*', $digest);
8912 • EVP_sha1
8914 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8916 my $md = Net::SSLeay::EVP_sha1();
8918 #
8919 # returns: value corresponding to openssl's EVP_MD structure
8920 • EVP_sha256
8922 COMPATIBILITY: requires at least openssl-0.9.8
8924 my $md = Net::SSLeay::EVP_sha256();
8926 #
8927 # returns: value corresponding to openssl's EVP_MD structure
8928 • EVP_sha512
8930 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8932 requires at least openssl-0.9.8
8933 my $md = Net::SSLeay::EVP_sha512();
8935 #
8936 # returns: value corresponding to openssl's EVP_MD structure
8937 • EVP_add_digest
8939 my $rv = Net::SSLeay::EVP_add_digest($digest);
8941 # $digest - value corresponding to openssl's EVP_MD structure
8942 #
8943 # returns: 1 on success, 0 otherwise
8944 Low level API: CIPHER_* related functions
8946 • CIPHER_get_name
8948 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8950 Returns name of the cipher used.
8952 my $rv = Net::SSLeay::CIPHER_get_name($cipher);
8954 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8955 #
8956 # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA', '(NONE)' if $cipher is undefined.
8957 Check openssl doc
8959 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html>
8960 Example:
8962 my $ssl_cipher = Net::SSLeay::get_current_cipher($ssl);
8964 my $cipher_name = Net::SSLeay::CIPHER_get_name($ssl_cipher);
8965 • CIPHER_description
8967 COMPATIBILITY: doesn't work correctly in Net-SSLeay-1.88 and before
8969 Returns a textual description of the cipher used.
8971 my $rv = Net::SSLeay::CIPHER_description($cipher);
8973 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8974 #
8975 # returns: (string) cipher description e.g. 'DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'
8976 Check openssl doc
8978 <https://www.openssl.org/docs/ssl/SSL_CIPHER_description.html>
8979 • CIPHER_get_bits
8981 COMPATIBILITY: $alg_bits doesn't work correctly in Net-SSLeay-1.88
8983 and before
8984 Returns the number of secret bits used for cipher.
8986 my $rv = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
8988 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8989 # $alg_bits - [optional] empty scalar for storing additional return value
8990 #
8991 # returns: (integer) number of secret bits, 0 on error
8992 # (integer) in $alg_bits for bits processed by the chosen algorithm
8993 Check openssl doc
8995 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_bits.html>
8996 Example:
8998 # bits and alg_bits are not equal for e.g., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
9000 # RFC 8422 name TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
9001 my $alg_bits;
9002 my $bits = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
9003 #my $bits = Net::SSLeay::CIPHER_get_bits($cipher);
9004 print "bits: $bits, alg_bits: $alg_bits\n";
9005 • CIPHER_get_version
9007 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
9009 Returns version of SSL/TLS protocol that first defined the cipher
9011 my $rv = Net::SSLeay::CIPHER_get_version($cipher);
9013 # $cipher - value corresponding to openssl's SSL_CIPHER structure
9014 #
9015 # returns: (string) cipher name e.g. 'TLSv1/SSLv3' with some libraries, 'TLSv1.0' or 'TLSv1.3', '(NONE)' if $cipher is undefined.
9016 Check openssl doc
9018 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_version.html>
9019 Low level API: RSA_* related functions
9021 • RSA_generate_key
9023 Generates a key pair and returns it in a newly allocated RSA
9025 structure. The pseudo-random number generator must be seeded prior
9026 to calling RSA_generate_key.
9027 my $rv = Net::SSLeay::RSA_generate_key($bits, $e, $perl_cb, $perl_cb_arg);
9029 # $bits - (integer) modulus size in bits e.g. 512, 1024, 2048
9030 # $e - (integer) public exponent, an odd number, typically 3, 17 or 65537
9031 # $perl_cb - [optional] reference to perl callback function
9032 # $perl_cb_arg - [optional] data that will be passed to callback function when invoked
9033 #
9034 # returns: value corresponding to openssl's RSA structure (0 on failure)
9035 Check openssl doc
9037 <http://www.openssl.org/docs/crypto/RSA_generate_key.html>
9038 • RSA_free
9040 Frees the RSA structure and its components. The key is erased
9042 before the memory is returned to the system.
9043 Net::SSLeay::RSA_free($r);
9045 # $r - value corresponding to openssl's RSA structure
9046 #
9047 # returns: no return value
9048 Check openssl doc <http://www.openssl.org/docs/crypto/RSA_new.html>
9050 • RSA_get_key_parameters
9052 Returns a list of pointers to BIGNUMs representing the parameters
9054 of the key in this order: (n, e, d, p, q, dmp1, dmq1, iqmp)
9055 Caution: returned list consists of SV pointers to BIGNUMs, which
9056 would need to be blessed as Crypt::OpenSSL::Bignum for further use
9057 my (@params) = RSA_get_key_parameters($r);
9059 Low level API: BIO_* related functions
9061 • BIO_eof
9063 Returns 1 if the BIO has read EOF, the precise meaning of 'EOF'
9065 varies according to the BIO type.
9066 my $rv = Net::SSLeay::BIO_eof($s);
9068 # $s - value corresponding to openssl's BIO structure
9069 #
9070 # returns: 1 if EOF has been reached 0 otherwise
9071 Check openssl doc
9073 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9074 • BIO_f_ssl
9076 Returns the SSL BIO method. This is a filter BIO which is a wrapper
9078 round the OpenSSL SSL routines adding a BIO 'flavour' to SSL I/O.
9079 my $rv = Net::SSLeay::BIO_f_ssl();
9081 #
9082 # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
9083 Check openssl doc
9085 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9086 • BIO_free
9088 Frees up a single BIO.
9090 my $rv = Net::SSLeay::BIO_free($bio;);
9092 # $bio; - value corresponding to openssl's BIO structure
9093 #
9094 # returns: 1 on success, 0 on failure
9095 Check openssl doc <http://www.openssl.org/docs/crypto/BIO_new.html>
9097 • BIO_new
9099 Returns a new BIO using method $type
9101 my $rv = Net::SSLeay::BIO_new($type);
9103 # $type - value corresponding to openssl's BIO_METHOD structure
9104 #
9105 # returns: value corresponding to openssl's BIO structure (0 on failure)
9106 Check openssl doc <http://www.openssl.org/docs/crypto/BIO_new.html>
9108 • BIO_new_buffer_ssl_connect
9110 Creates a new BIO chain consisting of a buffering BIO, an SSL BIO
9112 (using ctx) and a connect BIO.
9113 my $rv = Net::SSLeay::BIO_new_buffer_ssl_connect($ctx);
9115 # $ctx - value corresponding to openssl's SSL_CTX structure
9116 #
9117 # returns: value corresponding to openssl's BIO structure (0 on failure)
9118 Check openssl doc
9120 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9121 • BIO_new_file
9123 Creates a new file BIO with mode $mode the meaning of mode is the
9125 same as the stdio function fopen(). The BIO_CLOSE flag is set on
9126 the returned BIO.
9127 my $rv = Net::SSLeay::BIO_new_file($filename, $mode);
9129 # $filename - (string) filename
9130 # $mode - (string) opening mode (as mode by stdio function fopen)
9131 #
9132 # returns: value corresponding to openssl's BIO structure (0 on failure)
9133 Check openssl doc
9135 <http://www.openssl.org/docs/crypto/BIO_s_file.html>
9136 • BIO_new_ssl
9138 Allocates an SSL BIO using SSL_CTX ctx and using client mode if
9140 client is non zero.
9141 my $rv = Net::SSLeay::BIO_new_ssl($ctx, $client);
9143 # $ctx - value corresponding to openssl's SSL_CTX structure
9144 # $client - (integer) 0 or 1 - indicates ssl client mode
9145 #
9146 # returns: value corresponding to openssl's BIO structure (0 on failure)
9147 Check openssl doc
9149 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9150 • BIO_new_ssl_connect
9152 Creates a new BIO chain consisting of an SSL BIO (using ctx)
9154 followed by a connect BIO.
9155 my $rv = Net::SSLeay::BIO_new_ssl_connect($ctx);
9157 # $ctx - value corresponding to openssl's SSL_CTX structure
9158 #
9159 # returns: value corresponding to openssl's BIO structure (0 on failure)
9160 Check openssl doc
9162 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9163 • BIO_pending
9165 Return the number of pending characters in the BIOs read buffers.
9167 my $rv = Net::SSLeay::BIO_pending($s);
9169 # $s - value corresponding to openssl's BIO structure
9170 #
9171 # returns: the amount of pending data
9172 Check openssl doc
9174 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9175 • BIO_wpending
9177 Return the number of pending characters in the BIOs write buffers.
9179 my $rv = Net::SSLeay::BIO_wpending($s);
9181 # $s - value corresponding to openssl's BIO structure
9182 #
9183 # returns: the amount of pending data
9184 Check openssl doc
9186 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9187 • BIO_read
9189 Read the underlying descriptor.
9191 Net::SSLeay::BIO_read($s, $max);
9193 # $s - value corresponding to openssl's BIO structure
9194 # $max - [optional] max. bytes to read (if not specified, the value 32768 is used)
9195 #
9196 # returns: data
9197 Check openssl doc
9199 <http://www.openssl.org/docs/crypto/BIO_read.html>
9200 • BIO_write
9202 Attempts to write data from $buffer to BIO $b.
9204 my $rv = Net::SSLeay::BIO_write($b, $buffer);
9206 # $b - value corresponding to openssl's BIO structure
9207 # $buffer - data
9208 #
9209 # returns: amount of data successfully written
9210 # or that no data was successfully read or written if the result is 0 or -1
9211 # or -2 when the operation is not implemented in the specific BIO type
9212 Check openssl doc
9214 <http://www.openssl.org/docs/crypto/BIO_read.html>
9215 • BIO_s_mem
9217 Return the memory BIO method function.
9219 my $rv = Net::SSLeay::BIO_s_mem();
9221 #
9222 # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
9223 Check openssl doc
9225 <http://www.openssl.org/docs/crypto/BIO_s_mem.html>
9226 • BIO_ssl_copy_session_id
9228 Copies an SSL session id between BIO chains from and to. It does
9230 this by locating the SSL BIOs in each chain and calling
9231 SSL_copy_session_id() on the internal SSL pointer.
9232 my $rv = Net::SSLeay::BIO_ssl_copy_session_id($to, $from);
9234 # $to - value corresponding to openssl's BIO structure
9235 # $from - value corresponding to openssl's BIO structure
9236 #
9237 # returns: 1 on success, 0 on failure
9238 Check openssl doc
9240 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9241 • BIO_ssl_shutdown
9243 Closes down an SSL connection on BIO chain bio. It does this by
9245 locating the SSL BIO in the chain and calling SSL_shutdown() on its
9246 internal SSL pointer.
9247 Net::SSLeay::BIO_ssl_shutdown($ssl_bio);
9249 # $ssl_bio - value corresponding to openssl's BIO structure
9250 #
9251 # returns: no return value
9252 Check openssl doc
9254 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9255 Low level API: Server side Server Name Indication (SNI) support
9257 • set_tlsext_host_name
9259 TBA
9261 • get_servername
9263 TBA
9265 • get_servername_type
9267 TBA
9269 • CTX_set_tlsext_servername_callback
9271 COMPATIBILITY: requires at least OpenSSL 0.9.8f
9273 This function is used in a server to support Server side Server
9275 Name Indication (SNI).
9276 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, $code)
9278 # $ctx - SSL context
9279 # $code - reference to a subroutine that will be called when a new connection is being initiated
9280 #
9281 # returns: no return value
9282 On the client side: use set_tlsext_host_name($ssl, $servername)
9284 before initiating the SSL connection.
9285 On the server side: Set up an additional SSL_CTX() for each
9287 different certificate;
9288 Add a servername callback to each SSL_CTX() using
9290 CTX_set_tlsext_servername_callback();
9291 The callback function is required to retrieve the client-supplied
9293 servername with get_servername(ssl). Figure out the right SSL_CTX
9294 to go with that host name, then switch the SSL object to that
9295 SSL_CTX with set_SSL_CTX().
9296 Example:
9298 # set callback
9300 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx,
9301 sub {
9302 my $ssl = shift;
9303 my $h = Net::SSLeay::get_servername($ssl);
9304 Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
9305 } );
9306 More complete example:
9308 # ... initialize Net::SSLeay
9310 my %hostnames = (
9312 'sni1' => { cert=>'sni1.pem', key=>'sni1.key' },
9313 'sni2' => { cert=>'sni2.pem', key=>'sni2.key' },
9314 );
9315 # create a new context for each certificate/key pair
9317 for my $name (keys %hostnames) {
9318 $hostnames{$name}->{ctx} = Net::SSLeay::CTX_new or die;
9319 Net::SSLeay::CTX_set_cipher_list($hostnames{$name}->{ctx}, 'ALL');
9320 Net::SSLeay::set_cert_and_key($hostnames{$name}->{ctx},
9321 $hostnames{$name}->{cert}, $hostnames{$name}->{key}) or die;
9322 }
9323 # create default context
9325 my $ctx = Net::SSLeay::CTX_new or die;
9326 Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL');
9327 Net::SSLeay::set_cert_and_key($ctx, 'cert.pem','key.pem') or die;
9328 # set callback
9330 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub {
9331 my $ssl = shift;
9332 my $h = Net::SSLeay::get_servername($ssl);
9333 Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
9334 } );
9335 # ... later
9337 $s = Net::SSLeay::new($ctx);
9339 Net::SSLeay::set_fd($s, fileno($accepted_socket));
9340 Net::SSLeay::accept($s);
9341 Low level API: NPN (next protocol negotiation) related functions
9343 NPN is being replaced with ALPN, a more recent TLS extension for
9345 application protocol negotiation that's in process of being adopted by
9346 IETF. Please look below for APLN API description.
9347 Simple approach for using NPN support looks like this:
9349 ### client side
9351 use Net::SSLeay;
9352 use IO::Socket::INET;
9353 Net::SSLeay::initialize();
9355 my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
9356 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9357 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9358 Net::SSLeay::CTX_set_next_proto_select_cb($ctx, ['http1.1','spdy/2']);
9359 my $ssl = Net::SSLeay::new($ctx) or die;
9360 Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
9361 Net::SSLeay::connect($ssl);
9362 warn "client:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl), "\n";
9364 warn "client:last_status=", Net::SSLeay::P_next_proto_last_status($ssl), "\n";
9365 ### server side
9367 use Net::SSLeay;
9368 use IO::Socket::INET;
9369 Net::SSLeay::initialize();
9371 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9372 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9373 Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
9374 Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, ['spdy/2','http1.1']);
9375 my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
9376 while (1) {
9378 my $ssl = Net::SSLeay::new($ctx);
9379 warn("server:waiting for incoming connection...\n");
9380 my $fd = $sock->accept();
9381 Net::SSLeay::set_fd($ssl, $fd->fileno);
9382 Net::SSLeay::accept($ssl);
9383 warn "server:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl),"\n";
9384 my $got = Net::SSLeay::read($ssl);
9385 Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
9386 Net::SSLeay::free($ssl);
9387 $fd->close();
9388 }
9389 # check with: openssl s_client -connect localhost:5443 -nextprotoneg http/1.1,spdy/2
9390 Please note that the selection (negotiation) is performed by client
9392 side, the server side simply advertise the list of supported protocols.
9393 Advanced approach allows you to implement your own negotiation
9395 algorithm.
9396 #see below documentation for:
9398 Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
9399 Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
9400 Detection of NPN support (works even in older Net::SSLeay versions):
9402 use Net::SSLeay;
9404 if (exists &Net::SSLeay::P_next_proto_negotiated) {
9406 # do NPN stuff
9407 }
9408 • CTX_set_next_proto_select_cb
9410 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9412 requires at least openssl-1.0.1
9413 NOTE: You need CTX_set_next_proto_select_cb on client side of SSL
9415 connection.
9416 Simple usage - in this case a "common" negotiation algorithm (as
9418 implemented by openssl's function SSL_select_next_proto) is used.
9419 $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $arrayref);
9421 # $ctx - value corresponding to openssl's SSL_CTX structure
9422 # $arrayref - list of accepted protocols - e.g. ['http1.0', 'http1.1']
9423 #
9424 # returns: 0 on success, 1 on failure
9425 Advanced usage (you probably do not need this):
9427 $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
9429 # $ctx - value corresponding to openssl's SSL_CTX structure
9430 # $perl_callback_function - reference to perl function
9431 # $callback_data - [optional] data to passed to callback function when invoked
9432 #
9433 # returns: 0 on success, 1 on failure
9434 # where callback function looks like
9436 sub npn_advertised_cb_invoke {
9437 my ($ssl, $arrayref_proto_list_advertised_by_server, $callback_data) = @_;
9438 my $status;
9439 # ...
9440 $status = 1; #status can be:
9441 # 0 - OPENSSL_NPN_UNSUPPORTED
9442 # 1 - OPENSSL_NPN_NEGOTIATED
9443 # 2 - OPENSSL_NPN_NO_OVERLAP
9444 return $status, ['http1.1','spdy/2']; # the callback has to return 2 values
9445 }
9446 To undefine/clear this callback use:
9448 Net::SSleay::CTX_set_next_proto_select_cb($ctx, undef);
9450 • CTX_set_next_protos_advertised_cb
9452 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9454 requires at least openssl-1.0.1
9455 NOTE: You need CTX_set_next_proto_select_cb on server side of SSL
9457 connection.
9458 Simple usage:
9460 $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $arrayref);
9462 # $ctx - value corresponding to openssl's SSL_CTX structure
9463 # $arrayref - list of advertised protocols - e.g. ['http1.0', 'http1.1']
9464 #
9465 # returns: 0 on success, 1 on failure
9466 Advanced usage (you probably do not need this):
9468 $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
9470 # $ctx - value corresponding to openssl's SSL_CTX structure
9471 # $perl_callback_function - reference to perl function
9472 # $callback_data - [optional] data to passed to callback function when invoked
9473 #
9474 # returns: 0 on success, 1 on failure
9475 # where callback function looks like
9477 sub npn_advertised_cb_invoke {
9478 my ($ssl, $callback_data) = @_;
9479 # ...
9480 return ['http1.1','spdy/2']; # the callback has to return arrayref
9481 }
9482 To undefine/clear this callback use:
9484 Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, undef);
9486 • P_next_proto_negotiated
9488 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9490 requires at least openssl-1.0.1
9491 Returns the name of negotiated protocol for given SSL connection
9493 $ssl.
9494 $rv = Net::SSLeay::P_next_proto_negotiated($ssl)
9496 # $ssl - value corresponding to openssl's SSL structure
9497 #
9498 # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
9499 • P_next_proto_last_status
9501 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9503 requires at least openssl-1.0.1
9504 Returns the result of the last negotiation for given SSL connection
9506 $ssl.
9507 $rv = Net::SSLeay::P_next_proto_last_status($ssl)
9509 # $ssl - value corresponding to openssl's SSL structure
9510 #
9511 # returns: (integer) negotiation status
9512 # 0 - OPENSSL_NPN_UNSUPPORTED
9513 # 1 - OPENSSL_NPN_NEGOTIATED
9514 # 2 - OPENSSL_NPN_NO_OVERLAP
9515 Low level API: ALPN (application layer protocol negotiation) related
9517 functions
9518 Application protocol can be negotiated via two different mechanisms
9520 employing two different TLS extensions: NPN (obsolete) and ALPN
9521 (recommended).
9522 The API is rather similar, with slight differences reflecting protocol
9524 specifics. In particular, with ALPN the protocol negotiation takes
9525 place on server, while with NPN the client implements the protocol
9526 negotiation logic.
9527 With ALPN, the most basic implementation looks like this:
9529 ### client side
9531 use Net::SSLeay;
9532 use IO::Socket::INET;
9533 Net::SSLeay::initialize();
9535 my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
9536 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9537 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9538 Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9539 my $ssl = Net::SSLeay::new($ctx) or die;
9540 Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
9541 Net::SSLeay::connect($ssl);
9542 warn "client:selected=",Net::SSLeay::P_alpn_selected($ssl), "\n";
9544 ### server side
9546 use Net::SSLeay;
9547 use IO::Socket::INET;
9548 Net::SSLeay::initialize();
9550 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9551 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9552 Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
9553 Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9554 my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
9555 while (1) {
9557 my $ssl = Net::SSLeay::new($ctx);
9558 warn("server:waiting for incoming connection...\n");
9559 my $fd = $sock->accept();
9560 Net::SSLeay::set_fd($ssl, $fd->fileno);
9561 Net::SSLeay::accept($ssl);
9562 warn "server:selected=",Net::SSLeay::P_alpn_selected($ssl),"\n";
9563 my $got = Net::SSLeay::read($ssl);
9564 Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
9565 Net::SSLeay::free($ssl);
9566 $fd->close();
9567 }
9568 # check with: openssl s_client -connect localhost:5443 -alpn spdy/3,http/1.1
9569 Advanced approach allows you to implement your own negotiation
9571 algorithm.
9572 #see below documentation for:
9574 Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
9575 Detection of ALPN support (works even in older Net::SSLeay versions):
9577 use Net::SSLeay;
9579 if (exists &Net::SSLeay::P_alpn_selected) {
9581 # do ALPN stuff
9582 }
9583 • CTX_set_alpn_select_cb
9585 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9587 requires at least openssl-1.0.2
9588 NOTE: You need CTX_set_alpn_select_cb on server side of TLS
9590 connection.
9591 Simple usage - in this case a "common" negotiation algorithm (as
9593 implemented by openssl's function SSL_select_next_proto) is used.
9594 $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $arrayref);
9596 # $ctx - value corresponding to openssl's SSL_CTX structure
9597 # $arrayref - list of accepted protocols - e.g. ['http/2.0', 'http/1.1', 'spdy/3']
9598 #
9599 # returns: 0 on success, 1 on failure
9600 Advanced usage (you probably do not need this):
9602 $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
9604 # $ctx - value corresponding to openssl's SSL_CTX structure
9605 # $perl_callback_function - reference to perl function
9606 # $callback_data - [optional] data to passed to callback function when invoked
9607 #
9608 # returns: 0 on success, 1 on failure
9609 # where callback function looks like
9611 sub alpn_select_cb_invoke {
9612 my ($ssl, $arrayref_proto_list_advertised_by_client, $callback_data) = @_;
9613 # ...
9614 if ($negotiated) {
9615 return 'http/2.0';
9616 } else {
9617 return undef;
9618 }
9619 }
9620 To undefine/clear this callback use:
9622 Net::SSleay::CTX_set_alpn_select_cb($ctx, undef);
9624 • set_alpn_protos
9626 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9628 requires at least openssl-1.0.2
9629 NOTE: You need set_alpn_protos on client side of TLS connection.
9631 This adds list of supported application layer protocols to
9633 ClientHello message sent by a client. It advertises the
9634 enumeration of supported protocols:
9635 Net::SSLeay::set_alpn_protos($ssl, ['http/1.1', 'http/2.0', 'spdy/3]);
9637 # returns 0 on success
9638 • CTX_set_alpn_protos
9640 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9642 requires at least openssl-1.0.2
9643 NOTE: You need CTX_set_alpn_protos on client side of TLS
9645 connection.
9646 This adds list of supported application layer protocols to
9648 ClientHello message sent by a client. It advertises the
9649 enumeration of supported protocols:
9650 Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9652 # returns 0 on success
9653 • P_alpn_selected
9655 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9657 requires at least openssl-1.0.2
9658 Returns the name of negotiated protocol for given TLS connection
9660 $ssl.
9661 $rv = Net::SSLeay::P_alpn_selected($ssl)
9663 # $ssl - value corresponding to openssl's SSL structure
9664 #
9665 # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
9666 Low level API: DANE Support
9668 OpenSSL version 1.0.2 adds preliminary support RFC6698 Domain
9670 Authentication of Named Entities (DANE) Transport Layer Association
9671 within OpenSSL
9672 • SSL_get_tlsa_record_byname
9674 COMPATIBILITY: DELETED from net-ssleay, since it is not supported
9676 by OpenSSL
9677 In order to facilitate DANE there is additional interface,
9679 SSL_get_tlsa_record_byname, accepting hostname, port and socket
9680 type that returns packed TLSA record. In order to make it even
9681 easier there is additional SSL_ctrl function that calls
9682 SSL_get_tlsa_record_byname for you. Latter is recommended for
9683 programmers that wish to maintain broader binary compatibility,
9684 e.g. make application work with both 1.0.2 and prior version (in
9685 which case call to SSL_ctrl with new code returning error would
9686 have to be ignored when running with prior version).
9687 Net::SSLeay::get_tlsa_record_byname($name, $port, $type);
9689 Low level API: Other functions
9691 • COMP_add_compression_method
9693 Adds the compression method cm with the identifier id to the list
9695 of available compression methods. This list is globally maintained
9696 for all SSL operations within this application. It cannot be set
9697 for specific SSL_CTX or SSL objects.
9698 my $rv = Net::SSLeay::COMP_add_compression_method($id, $cm);
9700 # $id - (integer) compression method id
9701 # 0 to 63: methods defined by the IETF
9702 # 64 to 192: external party methods assigned by IANA
9703 # 193 to 255: reserved for private use
9704 #
9705 # $cm - value corresponding to openssl's COMP_METHOD structure
9706 #
9707 # returns: 0 on success, 1 on failure (check the error queue to find out the reason)
9708 Check openssl doc
9710 <http://www.openssl.org/docs/ssl/SSL_COMP_add_compression_method.html>
9711 • DH_free
9713 Frees the DH structure and its components. The values are erased
9715 before the memory is returned to the system.
9716 Net::SSLeay::DH_free($dh);
9718 # $dh - value corresponding to openssl's DH structure
9719 #
9720 # returns: no return value
9721 Check openssl doc <http://www.openssl.org/docs/crypto/DH_new.html>
9723 • FIPS_mode_set
9725 Enable or disable FIPS mode in a FIPS capable OpenSSL.
9727 Net::SSLeay:: FIPS_mode_set($enable);
9729 # $enable - (integer) 1 to enable, 0 to disable
9730 Low level API: EC related functions
9732 • CTX_set_tmp_ecdh
9734 TBA
9736 • EC_KEY_free
9738 TBA
9740 • EC_KEY_new_by_curve_name
9742 TBA
9744 • EC_KEY_generate_key
9746 Generates a EC key and returns it in a newly allocated EC_KEY
9748 structure. The EC key then can be used to create a PKEY which can
9749 be used in calls like X509_set_pubkey.
9750 my $key = Net::SSLeay::EVP_PKEY_new();
9752 my $ec = Net::SSLeay::EC_KEY_generate_key($curve);
9753 Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
9754 # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve
9756 #
9757 # returns: value corresponding to openssl's EC_KEY structure (0 on failure)
9758 This function has no equivalent in OpenSSL but combines multiple
9760 OpenSSL functions for an easier interface.
9761 • CTX_set_ecdh_auto, set_ecdh_auto
9763 These functions enable or disable the automatic curve selection on
9765 the server side by calling SSL_CTX_set_ecdh_auto or
9766 SSL_set_ecdh_auto respectively. If enabled the highest preference
9767 curve is automatically used for ECDH temporary keys used during key
9768 exchange. This function is no longer available for OpenSSL 1.1.0
9769 or higher.
9770 Net::SSLeay::CTX_set_ecdh_auto($ctx,1);
9772 Net::SSLeay::set_ecdh_auto($ssl,1);
9773 • CTX_set1_curves_list, set1_curves_list
9775 These functions set the supported curves (in order of preference)
9777 by calling SSL_CTX_set1_curves_list or SSL_set1_curves_list
9778 respectively. For a TLS client these curves are offered to the
9779 server in the supported curves extension while on the server side
9780 these are used to determine the shared curve. These functions are
9781 only available since OpenSSL 1.1.0.
9782 Net::SSLeay::CTX_set1_curves_list($ctx,"P-521:P-384:P-256");
9784 Net::SSLeay::set1_curves_list($ssl,"P-521:P-384:P-256");
9785 • CTX_set1_groups_list, set1_groups_list
9787 These functions set the supported groups (in order of preference)
9789 by calling SSL_CTX_set1_groups_list or SSL_set1_groups_list
9790 respectively. This is practically the same as CTX_set1_curves_list
9791 and set1_curves_list except that all DH groups can be given as
9792 supported by TLS 1.3. These functions are only available since
9793 OpenSSL 1.1.1.
9794 Net::SSLeay::CTX_set1_groups_list($ctx,"P-521:P-384:P-256");
9796 Net::SSLeay::set1_groups_list($ssl,"P-521:P-384:P-256");
9797 Constants
9799 There are many openssl constants available in Net::SSLeay. You can use
9800 them like this:
9801 use Net::SSLeay;
9803 print &Net::SSLeay::NID_commonName;
9804 #or
9805 print Net::SSLeay::NID_commonName();
9806 Or you can import them and use:
9808 use Net::SSLeay qw/NID_commonName/;
9810 print &NID_commonName;
9811 #or
9812 print NID_commonName();
9813 #or
9814 print NID_commonName;
9815 The constants names are derived from openssl constants, however
9817 constants starting with "SSL_" prefix have name with "SSL_" part
9818 stripped - e.g. openssl's constant "SSL_OP_ALL" is available as
9819 "Net::SSleay::OP_ALL"
9820 The list of all available constant names:
9822 ASN1_STRFLGS_ESC_CTRL NID_netscape R_UNKNOWN_REMOTE_ERROR_TYPE
9824 ASN1_STRFLGS_ESC_MSB NID_netscape_base_url R_UNKNOWN_STATE
9825 ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_policy_url R_X509_LIB
9826 ASN1_STRFLGS_RFC2253 NID_netscape_ca_revocation_url SENT_SHUTDOWN
9827 CB_ACCEPT_EXIT NID_netscape_cert_extension SESSION_ASN1_VERSION
9828 CB_ACCEPT_LOOP NID_netscape_cert_sequence SESS_CACHE_BOTH
9829 CB_ALERT NID_netscape_cert_type SESS_CACHE_CLIENT
9830 CB_CONNECT_EXIT NID_netscape_comment SESS_CACHE_NO_AUTO_CLEAR
9831 CB_CONNECT_LOOP NID_netscape_data_type SESS_CACHE_NO_INTERNAL
9832 CB_EXIT NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_LOOKUP
9833 CB_HANDSHAKE_DONE NID_netscape_revocation_url SESS_CACHE_NO_INTERNAL_STORE
9834 CB_HANDSHAKE_START NID_netscape_ssl_server_name SESS_CACHE_OFF
9835 CB_LOOP NID_ns_sgc SESS_CACHE_SERVER
9836 CB_READ NID_organizationName SSL3_VERSION
9837 CB_READ_ALERT NID_organizationalUnitName SSLEAY_BUILT_ON
9838 CB_WRITE NID_pbeWithMD2AndDES_CBC SSLEAY_CFLAGS
9839 CB_WRITE_ALERT NID_pbeWithMD2AndRC2_CBC SSLEAY_DIR
9840 ERROR_NONE NID_pbeWithMD5AndCast5_CBC SSLEAY_PLATFORM
9841 ERROR_SSL NID_pbeWithMD5AndDES_CBC SSLEAY_VERSION
9842 ERROR_SYSCALL NID_pbeWithMD5AndRC2_CBC ST_ACCEPT
9843 ERROR_WANT_ACCEPT NID_pbeWithSHA1AndDES_CBC ST_BEFORE
9844 ERROR_WANT_CONNECT NID_pbeWithSHA1AndRC2_CBC ST_CONNECT
9845 ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC2_CBC ST_INIT
9846 ERROR_WANT_WRITE NID_pbe_WithSHA1And128BitRC4 ST_OK
9847 ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_BODY
9848 ERROR_ZERO_RETURN NID_pbe_WithSHA1And3_Key_TripleDES_CBC ST_READ_HEADER
9849 EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC2_CBC TLS1_1_VERSION
9850 EVP_PKS_EC NID_pbe_WithSHA1And40BitRC4 TLS1_2_VERSION
9851 EVP_PKS_RSA NID_pbes2 TLS1_3_VERSION
9852 EVP_PKT_ENC NID_pbmac1 TLS1_VERSION
9853 EVP_PKT_EXCH NID_pkcs TLSEXT_STATUSTYPE_ocsp
9854 EVP_PKT_EXP NID_pkcs3 VERIFY_CLIENT_ONCE
9855 EVP_PKT_SIGN NID_pkcs7 VERIFY_FAIL_IF_NO_PEER_CERT
9856 EVP_PK_DH NID_pkcs7_data VERIFY_NONE
9857 EVP_PK_DSA NID_pkcs7_digest VERIFY_PEER
9858 EVP_PK_EC NID_pkcs7_encrypted VERIFY_POST_HANDSHAKE
9859 EVP_PK_RSA NID_pkcs7_enveloped V_OCSP_CERTSTATUS_GOOD
9860 FILETYPE_ASN1 NID_pkcs7_signed V_OCSP_CERTSTATUS_REVOKED
9861 FILETYPE_PEM NID_pkcs7_signedAndEnveloped V_OCSP_CERTSTATUS_UNKNOWN
9862 F_CLIENT_CERTIFICATE NID_pkcs8ShroudedKeyBag WRITING
9863 F_CLIENT_HELLO NID_pkcs9 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
9864 F_CLIENT_MASTER_KEY NID_pkcs9_challengePassword X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
9865 F_D2I_SSL_SESSION NID_pkcs9_contentType X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
9866 F_GET_CLIENT_FINISHED NID_pkcs9_countersignature X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
9867 F_GET_CLIENT_HELLO NID_pkcs9_emailAddress X509_CHECK_FLAG_NO_WILDCARDS
9868 F_GET_CLIENT_MASTER_KEY NID_pkcs9_extCertAttributes X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
9869 F_GET_SERVER_FINISHED NID_pkcs9_messageDigest X509_FILETYPE_ASN1
9870 F_GET_SERVER_HELLO NID_pkcs9_signingTime X509_FILETYPE_DEFAULT
9871 F_GET_SERVER_VERIFY NID_pkcs9_unstructuredAddress X509_FILETYPE_PEM
9872 F_I2D_SSL_SESSION NID_pkcs9_unstructuredName X509_LOOKUP
9873 F_READ_N NID_private_key_usage_period X509_PURPOSE_ANY
9874 F_REQUEST_CERTIFICATE NID_rc2_40_cbc X509_PURPOSE_CRL_SIGN
9875 F_SERVER_HELLO NID_rc2_64_cbc X509_PURPOSE_NS_SSL_SERVER
9876 F_SSL_CERT_NEW NID_rc2_cbc X509_PURPOSE_OCSP_HELPER
9877 F_SSL_GET_NEW_SESSION NID_rc2_cfb64 X509_PURPOSE_SMIME_ENCRYPT
9878 F_SSL_NEW NID_rc2_ecb X509_PURPOSE_SMIME_SIGN
9879 F_SSL_READ NID_rc2_ofb64 X509_PURPOSE_SSL_CLIENT
9880 F_SSL_RSA_PRIVATE_DECRYPT NID_rc4 X509_PURPOSE_SSL_SERVER
9881 F_SSL_RSA_PUBLIC_ENCRYPT NID_rc4_40 X509_PURPOSE_TIMESTAMP_SIGN
9882 F_SSL_SESSION_NEW NID_rc5_cbc X509_TRUST_COMPAT
9883 F_SSL_SESSION_PRINT_FP NID_rc5_cfb64 X509_TRUST_EMAIL
9884 F_SSL_SET_FD NID_rc5_ecb X509_TRUST_OBJECT_SIGN
9885 F_SSL_SET_RFD NID_rc5_ofb64 X509_TRUST_OCSP_REQUEST
9886 F_SSL_SET_WFD NID_ripemd160 X509_TRUST_OCSP_SIGN
9887 F_SSL_USE_CERTIFICATE NID_ripemd160WithRSA X509_TRUST_SSL_CLIENT
9888 F_SSL_USE_CERTIFICATE_ASN1 NID_rle_compression X509_TRUST_SSL_SERVER
9889 F_SSL_USE_CERTIFICATE_FILE NID_rsa X509_TRUST_TSA
9890 F_SSL_USE_PRIVATEKEY NID_rsaEncryption X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
9891 F_SSL_USE_PRIVATEKEY_ASN1 NID_rsadsi X509_V_ERR_AKID_SKID_MISMATCH
9892 F_SSL_USE_PRIVATEKEY_FILE NID_safeContentsBag X509_V_ERR_APPLICATION_VERIFICATION
9893 F_SSL_USE_RSAPRIVATEKEY NID_sdsiCertificate X509_V_ERR_CA_KEY_TOO_SMALL
9894 F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_secretBag X509_V_ERR_CA_MD_TOO_WEAK
9895 F_SSL_USE_RSAPRIVATEKEY_FILE NID_serialNumber X509_V_ERR_CERT_CHAIN_TOO_LONG
9896 F_WRITE_PENDING NID_server_auth X509_V_ERR_CERT_HAS_EXPIRED
9897 GEN_DIRNAME NID_sha X509_V_ERR_CERT_NOT_YET_VALID
9898 GEN_DNS NID_sha1 X509_V_ERR_CERT_REJECTED
9899 GEN_EDIPARTY NID_sha1WithRSA X509_V_ERR_CERT_REVOKED
9900 GEN_EMAIL NID_sha1WithRSAEncryption X509_V_ERR_CERT_SIGNATURE_FAILURE
9901 GEN_IPADD NID_shaWithRSAEncryption X509_V_ERR_CERT_UNTRUSTED
9902 GEN_OTHERNAME NID_stateOrProvinceName X509_V_ERR_CRL_HAS_EXPIRED
9903 GEN_RID NID_subject_alt_name X509_V_ERR_CRL_NOT_YET_VALID
9904 GEN_URI NID_subject_key_identifier X509_V_ERR_CRL_PATH_VALIDATION_ERROR
9905 GEN_X400 NID_surname X509_V_ERR_CRL_SIGNATURE_FAILURE
9906 LIBRESSL_VERSION_NUMBER NID_sxnet X509_V_ERR_DANE_NO_MATCH
9907 MBSTRING_ASC NID_time_stamp X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
9908 MBSTRING_BMP NID_title X509_V_ERR_DIFFERENT_CRL_SCOPE
9909 MBSTRING_FLAG NID_undef X509_V_ERR_EE_KEY_TOO_SMALL
9910 MBSTRING_UNIV NID_uniqueIdentifier X509_V_ERR_EMAIL_MISMATCH
9911 MBSTRING_UTF8 NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
9912 MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
9913 MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
9914 MODE_AUTO_RETRY NOTHING X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
9915 MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_EXCLUDED_VIOLATION
9916 MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_HOSTNAME_MISMATCH
9917 NID_OCSP_sign OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CA
9918 NID_SMIMECapabilities OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_CALL
9919 NID_X500 OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_EXTENSION
9920 NID_X509 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_NON_CA
9921 NID_ad_OCSP OPENSSL_BUILT_ON X509_V_ERR_INVALID_POLICY_EXTENSION
9922 NID_ad_ca_issuers OPENSSL_CFLAGS X509_V_ERR_INVALID_PURPOSE
9923 NID_algorithm OPENSSL_DIR X509_V_ERR_IP_ADDRESS_MISMATCH
9924 NID_authority_key_identifier OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN
9925 NID_basic_constraints OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
9926 NID_bf_cbc OPENSSL_VERSION X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
9927 NID_bf_cfb64 OPENSSL_VERSION_NUMBER X509_V_ERR_NO_EXPLICIT_POLICY
9928 NID_bf_ecb OP_ALL X509_V_ERR_NO_VALID_SCTS
9929 NID_bf_ofb64 OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_CERT_UNKNOWN
9930 NID_cast5_cbc OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_FAILED
9931 NID_cast5_cfb64 OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OCSP_VERIFY_NEEDED
9932 NID_cast5_ecb OP_CISCO_ANYCONNECT X509_V_ERR_OUT_OF_MEM
9933 NID_cast5_ofb64 OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LENGTH_EXCEEDED
9934 NID_certBag OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PATH_LOOP
9935 NID_certificate_policies OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PERMITTED_VIOLATION
9936 NID_client_auth OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
9937 NID_code_sign OP_EPHEMERAL_RSA X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
9938 NID_commonName OP_LEGACY_SERVER_CONNECT X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
9939 NID_countryName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
9940 NID_crlBag OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_STORE_LOOKUP
9941 NID_crl_distribution_points OP_MSIE_SSLV2_RSA_PADDING X509_V_ERR_SUBJECT_ISSUER_MISMATCH
9942 NID_crl_number OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUBTREE_MINMAX
9943 NID_crl_reason OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
9944 NID_delta_crl OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM
9945 NID_des_cbc OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE
9946 NID_des_cfb64 OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
9947 NID_des_ecb OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_INVALID_VERSION
9948 NID_des_ede OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
9949 NID_des_ede3 OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
9950 NID_des_ede3_cbc OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
9951 NID_des_ede3_cfb64 OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
9952 NID_des_ede3_ofb64 OP_NO_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL
9953 NID_des_ede_cbc OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
9954 NID_des_ede_cfb64 OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
9955 NID_des_ede_ofb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
9956 NID_des_ofb64 OP_NO_SSLv3 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
9957 NID_description OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
9958 NID_desx_cbc OP_NO_TLSv1 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
9959 NID_dhKeyAgreement OP_NO_TLSv1_1 X509_V_ERR_UNNESTED_RESOURCE
9960 NID_dnQualifier OP_NO_TLSv1_2 X509_V_ERR_UNSPECIFIED
9961 NID_dsa OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
9962 NID_dsaWithSHA OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
9963 NID_dsaWithSHA1 OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
9964 NID_dsaWithSHA1_2 OP_PRIORITIZE_CHACHA X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
9965 NID_dsa_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_ALLOW_PROXY_CERTS
9966 NID_email_protect OP_SINGLE_DH_USE X509_V_FLAG_CB_ISSUER_CHECK
9967 NID_ext_key_usage OP_SINGLE_ECDH_USE X509_V_FLAG_CHECK_SS_SIGNATURE
9968 NID_ext_req OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK
9969 NID_friendlyName OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_CRL_CHECK_ALL
9970 NID_givenName OP_TLSEXT_PADDING X509_V_FLAG_EXPLICIT_POLICY
9971 NID_hmacWithSHA1 OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_EXTENDED_CRL_SUPPORT
9972 NID_id_ad OP_TLS_D5_BUG X509_V_FLAG_IGNORE_CRITICAL
9973 NID_id_ce OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_ANY
9974 NID_id_kp READING X509_V_FLAG_INHIBIT_MAP
9975 NID_id_pbkdf2 RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY
9976 NID_id_pe RSA_3 X509_V_FLAG_NO_ALT_CHAINS
9977 NID_id_pkix RSA_F4 X509_V_FLAG_NO_CHECK_TIME
9978 NID_id_qt_cps R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN
9979 NID_id_qt_unotice R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK
9980 NID_idea_cbc R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK
9981 NID_idea_cfb64 R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS
9982 NID_idea_ecb R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY
9983 NID_idea_ofb64 R_BAD_SSL_SESSION_ID_LENGTH X509_V_FLAG_SUITEB_192_LOS
9984 NID_info_access R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST
9985 NID_initials R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME
9986 NID_invalidity_date R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS
9987 NID_issuer_alt_name R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT
9988 NID_keyBag R_INVALID_CHALLENGE_LENGTH X509_V_OK
9989 NID_key_usage R_NO_CERTIFICATE_SET XN_FLAG_COMPAT
9990 NID_localKeyID R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV
9991 NID_localityName R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS
9992 NID_md2 R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN
9993 NID_md2WithRSAEncryption R_NO_PRIVATEKEY XN_FLAG_FN_LN
9994 NID_md5 R_NO_PUBLICKEY XN_FLAG_FN_MASK
9995 NID_md5WithRSA R_NULL_SSL_CTX XN_FLAG_FN_NONE
9996 NID_md5WithRSAEncryption R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID
9997 NID_md5_sha1 R_PEER_ERROR XN_FLAG_FN_SN
9998 NID_mdc2 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE
9999 NID_mdc2WithRSA R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE
10000 NID_ms_code_com R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
10001 NID_ms_code_ind R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS
10002 NID_ms_ctl_sign R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC
10003 NID_ms_efs R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK
10004 NID_ms_ext_req R_SHORT_READ XN_FLAG_SEP_MULTILINE
10005 NID_ms_sgc R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC
10006 NID_name R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ
10007 INTERNAL ONLY functions (do not use these)
10009 The following functions are not intended for use from outside of
10010 Net::SSLeay module. They might be removed, renamed or changed without
10011 prior notice in future version.
10012 Simply DO NOT USE THEM!
10014 • hello
10016 • blength
10018 • constant
10020
10022 One very good example to look at is the implementation of "sslcat()" in
10023 the "SSLeay.pm" file.
10024 The following is a simple SSLeay client (with too little error checking
10026 :-(
10027 #!/usr/bin/perl
10029 use Socket;
10030 use Net::SSLeay qw(die_now die_if_ssl_error) ;
10031 Net::SSLeay::load_error_strings();
10032 Net::SSLeay::SSLeay_add_ssl_algorithms();
10033 Net::SSLeay::randomize();
10034 ($dest_serv, $port, $msg) = @ARGV; # Read command line
10036 $port = getservbyname ($port, 'tcp') unless $port =~ /^\d+$/;
10037 $dest_ip = gethostbyname ($dest_serv);
10038 $dest_serv_params = sockaddr_in($port, $dest_ip);
10039 socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!";
10041 connect (S, $dest_serv_params) or die "connect: $!";
10042 select (S); $| = 1; select (STDOUT); # Eliminate STDIO buffering
10043 # The network connection is now open, lets fire up SSL
10045 $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
10047 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10048 or die_if_ssl_error("ssl ctx set options");
10049 $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
10050 Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno
10051 $res = Net::SSLeay::connect($ssl) and die_if_ssl_error("ssl connect");
10052 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10053 # Exchange data
10055 $res = Net::SSLeay::write($ssl, $msg); # Perl knows how long $msg is
10057 die_if_ssl_error("ssl write");
10058 CORE::shutdown S, 1; # Half close --> No more output, sends EOF to server
10059 $got = Net::SSLeay::read($ssl); # Perl returns undef on failure
10060 die_if_ssl_error("ssl read");
10061 print $got;
10062 Net::SSLeay::free ($ssl); # Tear down connection
10064 Net::SSLeay::CTX_free ($ctx);
10065 close S;
10066 The following is a simple SSLeay echo server (non forking):
10068 #!/usr/bin/perl -w
10070 use Socket;
10071 use Net::SSLeay qw(die_now die_if_ssl_error);
10072 Net::SSLeay::load_error_strings();
10073 Net::SSLeay::SSLeay_add_ssl_algorithms();
10074 Net::SSLeay::randomize();
10075 $our_ip = "\0\0\0\0"; # Bind to all interfaces
10077 $port = 1235;
10078 $sockaddr_template = 'S n a4 x8';
10079 $our_serv_params = pack ($sockaddr_template, &AF_INET, $port, $our_ip);
10080 socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!";
10082 bind (S, $our_serv_params) or die "bind: $!";
10083 listen (S, 5) or die "listen: $!";
10084 $ctx = Net::SSLeay::CTX_new () or die_now("CTX_new ($ctx): $!");
10085 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10086 or die_if_ssl_error("ssl ctx set options");
10087 # Following will ask password unless private key is not encrypted
10089 Net::SSLeay::CTX_use_RSAPrivateKey_file ($ctx, 'plain-rsa.pem',
10090 &Net::SSLeay::FILETYPE_PEM);
10091 die_if_ssl_error("private key");
10092 Net::SSLeay::CTX_use_certificate_file ($ctx, 'plain-cert.pem',
10093 &Net::SSLeay::FILETYPE_PEM);
10094 die_if_ssl_error("certificate");
10095 while (1) {
10097 print "Accepting connections...\n";
10098 ($addr = accept (NS, S)) or die "accept: $!";
10099 select (NS); $| = 1; select (STDOUT); # Piping hot!
10100 ($af,$client_port,$client_ip) = unpack($sockaddr_template,$addr);
10102 @inetaddr = unpack('C4',$client_ip);
10103 print "$af connection from " .
10104 join ('.', @inetaddr) . ":$client_port\n";
10105 # We now have a network connection, lets fire up SSLeay...
10107 $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new ($ssl): $!");
10109 Net::SSLeay::set_fd($ssl, fileno(NS));
10110 $err = Net::SSLeay::accept($ssl) and die_if_ssl_error('ssl accept');
10112 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10113 # Connected. Exchange some data.
10115 $got = Net::SSLeay::read($ssl); # Returns undef on fail
10117 die_if_ssl_error("ssl read");
10118 print "Got `$got' (" . length ($got) . " chars)\n";
10119 Net::SSLeay::write ($ssl, uc ($got)) or die "write: $!";
10121 die_if_ssl_error("ssl write");
10122 Net::SSLeay::free ($ssl); # Tear down connection
10124 close NS;
10125 }
10126 Yet another echo server. This one runs from "/etc/inetd.conf" so it
10128 avoids all the socket code overhead. Only caveat is opening an rsa key
10129 file - it had better be without any encryption or else it will not know
10130 where to ask for the password. Note how "STDIN" and "STDOUT" are wired
10131 to SSL.
10132 #!/usr/bin/perl
10134 # /etc/inetd.conf
10135 # ssltst stream tcp nowait root /path/to/server.pl server.pl
10136 # /etc/services
10137 # ssltst 1234/tcp
10138 use Net::SSLeay qw(die_now die_if_ssl_error);
10140 Net::SSLeay::load_error_strings();
10141 Net::SSLeay::SSLeay_add_ssl_algorithms();
10142 Net::SSLeay::randomize();
10143 chdir '/key/dir' or die "chdir: $!";
10145 $| = 1; # Piping hot!
10146 open LOG, ">>/dev/console" or die "Can't open log file $!";
10147 select LOG; print "server.pl started\n";
10148 $ctx = Net::SSLeay::CTX_new() or die_now "CTX_new ($ctx) ($!)";
10150 $ssl = Net::SSLeay::new($ctx) or die_now "new ($ssl) ($!)";
10151 Net::SSLeay::set_options($ssl, &Net::SSLeay::OP_ALL)
10152 and die_if_ssl_error("ssl set options");
10153 # We get already open network connection from inetd, now we just
10155 # need to attach SSLeay to STDIN and STDOUT
10156 Net::SSLeay::set_rfd($ssl, fileno(STDIN));
10157 Net::SSLeay::set_wfd($ssl, fileno(STDOUT));
10158 Net::SSLeay::use_RSAPrivateKey_file ($ssl, 'plain-rsa.pem',
10160 Net::SSLeay::FILETYPE_PEM);
10161 die_if_ssl_error("private key");
10162 Net::SSLeay::use_certificate_file ($ssl, 'plain-cert.pem',
10163 Net::SSLeay::FILETYPE_PEM);
10164 die_if_ssl_error("certificate");
10165 Net::SSLeay::accept($ssl) and die_if_ssl_err("ssl accept: $!");
10167 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10168 $got = Net::SSLeay::read($ssl);
10170 die_if_ssl_error("ssl read");
10171 print "Got `$got' (" . length ($got) . " chars)\n";
10172 Net::SSLeay::write ($ssl, uc($got)) or die "write: $!";
10174 die_if_ssl_error("ssl write");
10175 Net::SSLeay::free ($ssl); # Tear down the connection
10177 Net::SSLeay::CTX_free ($ctx);
10178 close LOG;
10179 There are also a number of example/test programs in the examples
10181 directory:
10182 sslecho.pl - A simple server, not unlike the one above
10184 minicli.pl - Implements a client using low level SSLeay routines
10185 sslcat.pl - Demonstrates using high level sslcat utility function
10186 get_page.pl - Is a utility for getting html pages from secure servers
10187 callback.pl - Demonstrates certificate verification and callback usage
10188 stdio_bulk.pl - Does SSL over Unix pipes
10189 ssl-inetd-serv.pl - SSL server that can be invoked from inetd.conf
10190 httpd-proxy-snif.pl - Utility that allows you to see how a browser
10191 sends https request to given server and what reply
10192 it gets back (very educative :-)
10193 makecert.pl - Creates a self signed cert (does not use this module)
10194
10196 See README and README.* in the distribution directory for installation
10197 guidance on a variety of platforms.
10198
10200 "Net::SSLeay::read()" uses an internal buffer of 32KB, thus no single
10201 read will return more. In practice one read returns much less, usually
10202 as much as fits in one network packet. To work around this, you should
10203 use a loop like this:
10204 $reply = '';
10206 while ($got = Net::SSLeay::read($ssl)) {
10207 last if print_errs('SSL_read');
10208 $reply .= $got;
10209 }
10210 Although there is no built-in limit in "Net::SSLeay::write()", the
10212 network packet size limitation applies here as well, thus use:
10213 $written = 0;
10215 while ($written < length($message)) {
10217 $written += Net::SSLeay::write($ssl, substr($message, $written));
10218 last if print_errs('SSL_write');
10219 }
10220 Or alternatively you can just use the following convenience functions:
10222 Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure";
10224 $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure";
10225
10227 An OpenSSL bug CVE-2015-0290 "OpenSSL Multiblock Corrupted Pointer
10228 Issue" can cause POST requests of over 90kB to fail or crash. This bug
10229 is reported to be fixed in OpenSSL 1.0.2a.
10230 Autoloader emits a
10232 Argument "xxx" isn't numeric in entersub at blib/lib/Net/SSLeay.pm'
10234 warning if die_if_ssl_error is made autoloadable. If you figure out
10236 why, drop me a line.
10237 Callback set using "SSL_set_verify()" does not appear to work. This may
10239 well be an openssl problem (e.g. see "ssl/ssl_lib.c" line 1029). Try
10240 using "SSL_CTX_set_verify()" instead and do not be surprised if even
10241 this stops working in future versions.
10242 Callback and certificate verification stuff is generally too little
10244 tested.
10245 Random numbers are not initialized randomly enough, especially if you
10247 do not have "/dev/random" and/or "/dev/urandom" (such as in Solaris
10248 platforms - but it's been suggested that cryptorand daemon from the
10249 SUNski package solves this). In this case you should investigate third
10250 party software that can emulate these devices, e.g. by way of a named
10251 pipe to some program.
10252 Another gotcha with random number initialization is randomness
10254 depletion. This phenomenon, which has been extensively discussed in
10255 OpenSSL, Apache-SSL, and Apache-mod_ssl forums, can cause your script
10256 to block if you use "/dev/random" or to operate insecurely if you use
10257 "/dev/urandom". What happens is that when too much randomness is drawn
10258 from the operating system's randomness pool then randomness can
10259 temporarily be unavailable. "/dev/random" solves this problem by
10260 waiting until enough randomness can be gathered - and this can take a
10261 long time since blocking reduces activity in the machine and less
10262 activity provides less random events: a vicious circle. "/dev/urandom"
10263 solves this dilemma more pragmatically by simply returning predictable
10264 "random" numbers. Some" /dev/urandom" emulation software however
10265 actually seems to implement "/dev/random" semantics. Caveat emptor.
10266 I've been pointed to two such daemons by Mik Firestone
10268 <mik@@speed.stdio._com> who has used them on Solaris 8:
10269 1. Entropy Gathering Daemon (EGD) at
10271 <http://www.lothar.com/tech/crypto/>
10272 2. Pseudo-random number generating daemon (PRNGD) at
10274 <http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html>
10275 If you are using the low level API functions to communicate with other
10277 SSL implementations, you would do well to call
10278 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10280 or die_if_ssl_error("ssl ctx set options");
10281 to cope with some well know bugs in some other SSL implementations. The
10283 high level API functions always set all known compatibility options.
10284 Sometimes "sslcat()" (and the high level HTTPS functions that build on
10286 it) is too fast in signaling the EOF to legacy HTTPS servers. This
10287 causes the server to return empty page. To work around this problem you
10288 can set the global variable
10289 $Net::SSLeay::slowly = 1; # Add sleep so broken servers can keep up
10291 HTTP/1.1 is not supported. Specifically this module does not know to
10293 issue or serve multiple http requests per connection. This is a serious
10294 shortcoming, but using the SSL session cache on your server helps to
10295 alleviate the CPU load somewhat.
10296 As of version 1.09 many newer OpenSSL auxiliary functions were added
10298 (from "REM_AUTOMATICALLY_GENERATED_1_09" onwards in "SSLeay.xs").
10299 Unfortunately I have not had any opportunity to test these. Some of
10300 them are trivial enough that I believe they "just work", but others
10301 have rather complex interfaces with function pointers and all. In these
10302 cases you should proceed wit great caution.
10303 This module defaults to using OpenSSL automatic protocol negotiation
10305 code for automatically detecting the version of the SSL/TLS protocol
10306 that the other end talks. With most web servers this works just fine,
10307 but once in a while I get complaints from people that the module does
10308 not work with some web servers. Usually this can be solved by
10309 explicitly setting the protocol version, e.g.
10310 $Net::SSLeay::ssl_version = 2; # Insist on SSLv2
10312 $Net::SSLeay::ssl_version = 3; # Insist on SSLv3
10313 $Net::SSLeay::ssl_version = 10; # Insist on TLSv1
10314 $Net::SSLeay::ssl_version = 11; # Insist on TLSv1.1
10315 $Net::SSLeay::ssl_version = 12; # Insist on TLSv1.2
10316 $Net::SSLeay::ssl_version = 13; # Insist on TLSv1.3
10317 Although the autonegotiation is nice to have, the SSL standards do not
10319 formally specify any such mechanism. Most of the world has accepted the
10320 SSLeay/OpenSSL way of doing it as the de facto standard. But for the
10321 few that think differently, you have to explicitly speak the correct
10322 version. This is not really a bug, but rather a deficiency in the
10323 standards. If a site refuses to respond or sends back some nonsensical
10324 error codes (at the SSL handshake level), try this option before
10325 mailing me.
10326 On some systems, OpenSSL may be compiled without support for SSLv2. If
10328 this is the case, Net::SSLeay will warn if ssl_version has been set to
10329 2.
10330 The high level API returns the certificate of the peer, thus allowing
10332 one to check what certificate was supplied. However, you will only be
10333 able to check the certificate after the fact, i.e. you already sent
10334 your form data by the time you find out that you did not trust them,
10335 oops.
10336 So, while being able to know the certificate after the fact is surely
10338 useful, the security minded would still choose to do the connection and
10339 certificate verification first and only then exchange data with the
10340 site. Currently none of the high level API functions do this, thus you
10341 would have to program it using the low level API. A good place to start
10342 is to see how the "Net::SSLeay::http_cat()" function is implemented.
10343 The high level API functions use a global file handle "SSLCAT_S"
10345 internally. This really should not be a problem because there is no way
10346 to interleave the high level API functions, unless you use threads (but
10347 threads are not very well supported in perl anyway). However, you may
10348 run into problems if you call undocumented internal functions in an
10349 interleaved fashion. The best solution is to "require Net::SSLeay" in
10350 one thread after all the threads have been created.
10351
10353 Random number generator not seeded!!!
10354 (W) This warning indicates that "randomize()" was not able to read
10355 "/dev/random" or "/dev/urandom", possibly because your system does
10356 not have them or they are differently named. You can still use SSL,
10357 but the encryption will not be as strong.
10358 open_tcp_connection: destination host not found:`server' (port 123)
10360 ($!)
10361 Name lookup for host named "server" failed.
10362 open_tcp_connection: failed `server', 123 ($!)
10364 The name was resolved, but establishing the TCP connection failed.
10365 msg 123: 1 - error:140770F8:SSL routines:SSL23_GET_SERVER_HELLO:unknown
10367 proto
10368 SSLeay error string. The first number (123) is the PID, the second
10369 number (1) indicates the position of the error message in SSLeay
10370 error stack. You often see a pile of these messages as errors
10371 cascade.
10372 msg 123: 1 - error:02001002::lib(2) :func(1) :reason(2)
10374 The same as above, but you didn't call load_error_strings() so
10375 SSLeay couldn't verbosely explain the error. You can still find out
10376 what it means with this command:
10377 /usr/local/ssl/bin/ssleay errstr 02001002
10379 Password is being asked for private key
10381 This is normal behaviour if your private key is encrypted. Either
10382 you have to supply the password or you have to use an unencrypted
10383 private key. Scan OpenSSL.org for the FAQ that explains how to do
10384 this (or just study examples/makecert.pl which is used during "make
10385 test" to do just that).
10386
10388 You can mitigate some of the security vulnerabilities that might be
10389 present in your SSL/TLS application:
10390 BEAST Attack
10392 http://blogs.cisco.com/security/beat-the-beast-with-tls/
10393 https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
10394 http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html
10395 The BEAST attack relies on a weakness in the way CBC mode is used in
10397 SSL/TLS. In OpenSSL versions 0.9.6d and later, the protocol-level
10398 mitigation is enabled by default, thus making it not vulnerable to the
10399 BEAST attack.
10400 Solutions:
10402 • Compile with OpenSSL versions 0.9.6d or later, which enables
10404 SSL_OP_ALL by default
10405 • Ensure SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not enabled (its not
10407 enabled by default)
10408 • Don't support SSLv2, SSLv3
10410 • Actively control the ciphers your server supports with
10412 set_cipher_list:
10413 Net::SSLeay::set_cipher_list($ssl, 'RC4-SHA:HIGH:!ADH');
10415 Session Resumption
10417 http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
10418 The SSL Labs vulnerability test on your SSL server might report in red:
10420 Session resumption No (IDs assigned but not accepted)
10422 This report is not really bug or a vulnerability, since the server will
10424 not accept session resumption requests. However, you can prevent this
10425 noise in the report by disabling the session cache altogether:
10426 Net::SSLeay::CTX_set_session_cache_mode($ssl_ctx,
10427 Net::SSLeay::SESS_CACHE_OFF()); Use 0 if you don't have SESS_CACHE_OFF
10428 constant.
10429 Secure Renegotiation and DoS Attack
10431 https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
10432 This is not a "security flaw," it is more of a DoS vulnerability.
10434 Solutions:
10436 • Do not support SSLv2
10438 • Do not set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option
10440 • Compile with OpenSSL 0.9.8m or later
10442
10444 If you encounter a problem with this module that you believe is a bug,
10445 please create a new issue <https://github.com/radiator-software/p5-net-
10446 ssleay/issues/new> in the Net-SSLeay GitHub repository. Please make
10447 sure your bug report includes the following information:
10448 • the code you are trying to run;
10450 • your operating system name and version;
10452 • the output of "perl -V";
10454 • the version of OpenSSL or LibreSSL you are using.
10456
10458 Originally written by Sampo Kellomäki.
10459 Maintained by Florian Ragwitz between November 2005 and January 2010.
10461 Maintained by Mike McCauley between November 2005 and June 2018.
10463 Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen
10465 since June 2018.
10466
10468 Copyright (c) 1996-2003 Sampo Kellomäki <sampo@iki.fi>
10469 Copyright (c) 2005-2010 Florian Ragwitz <rafl@debian.org>
10471 Copyright (c) 2005-2018 Mike McCauley <mikem@airspayce.com>
10473 Copyright (c) 2018- Chris Novakovic <chris@chrisn.me.uk>
10475 Copyright (c) 2018- Tuure Vartiainen <vartiait@radiatorsoftware.com>
10477 Copyright (c) 2018- Heikki Vatiainen <hvn@radiatorsoftware.com>
10479 All rights reserved.
10481
10483 This module is released under the terms of the Artistic License 2.0.
10484 For details, see the "LICENSE" file distributed with Net-SSLeay's
10485 source code.
10486
10488 Net::SSLeay::Handle - File handle interface
10489 ./examples - Example servers and a clients
10490 <http://www.openssl.org/> - OpenSSL source, documentation, etc
10491 openssl-users-request@openssl.org - General OpenSSL mailing list
10492 <http://www.ietf.org/rfc/rfc2246.txt> - TLS 1.0 specification
10493 <http://www.w3c.org> - HTTP specifications
10494 <http://www.ietf.org/rfc/rfc2617.txt> - How to send password
10495 <http://www.lothar.com/tech/crypto/> - Entropy Gathering Daemon (EGD)
10496 <http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html>
10497 - pseudo-random number generating daemon (PRNGD)
10498 perl(1)
10499 perlref(1)
10500 perllol(1)
10501 perldoc ~openssl/doc/ssl/SSL_CTX_set_verify.pod
10502perl v5.32.1 2021-01-27 Net::SSLeay(3)