1Net::SSLeay(3) User Contributed Perl Documentation Net::SSLeay(3)
2
3
4
6 Net::SSLeay - Perl extension for using OpenSSL
7
9 use Net::SSLeay qw(get_https post_https sslcat make_headers make_form);
10
11 ($page) = get_https('www.bacus.pt', 443, '/'); # Case 1
12
13 ($page, $response, %reply_headers)
14 = get_https('www.bacus.pt', 443, '/', # Case 2
15 make_headers(User-Agent => 'Cryptozilla/5.0b1',
16 Referer => 'https://www.bacus.pt'
17 ));
18
19 ($page, $result, %headers) = # Case 2b
20 = get_https('www.bacus.pt', 443, '/protected.html',
21 make_headers(Authorization =>
22 'Basic ' . MIME::Base64::encode("$user:$pass",''))
23 );
24
25 ($page, $response, %reply_headers)
26 = post_https('www.bacus.pt', 443, '/foo.cgi', '', # Case 3
27 make_form(OK => '1',
28 name => 'Sampo'
29 ));
30
31 $reply = sslcat($host, $port, $request); # Case 4
32
33 ($reply, $err, $server_cert) = sslcat($host, $port, $request); # Case 5
34
35 $Net::SSLeay::trace = 2; # 0=no debugging, 1=ciphers, 2=trace, 3=dump data
36
37 Net::SSLeay::initialize(); # Initialize ssl library once
38
40 This module provides Perl bindings for libssl (an SSL/TLS API) and
41 libcrypto (a cryptography API).
42
44 Net::SSLeay supports the following libssl implementations:
45
46 • Any stable release of OpenSSL <https://www.openssl.org> in the
47 0.9.8 - 1.1.1 branches, except for OpenSSL 0.9.8 - 0.9.8b.
48
49 • Any stable release of LibreSSL <https://www.libressl.org> in the
50 2.0 - 3.1 series.
51
52 Net::SSLeay may not function as expected with newer releases than the
53 ones listed above due to libssl API incompatibilities, or, in the case
54 of LibreSSL, because of deviations from the libssl API.
55
56 Net::SSLeay is only as secure as the underlying libssl implementation
57 you use. Although Net::SSLeay maintains compatibility with old
58 versions of OpenSSL and LibreSSL, it is strongly recommended that you
59 use a version of OpenSSL or LibreSSL that is supported by the
60 OpenSSL/LibreSSL developers and/or your operating system vendor. Many
61 unsupported versions of OpenSSL and LibreSSL are known to contain
62 severe security vulnerabilities. Refer to the OpenSSL Release Strategy
63 <https://www.openssl.org/policies/releasestrat.html> and LibreSSL
64 Support Schedule <https://www.libressl.org/releases.html> for
65 information on which versions are currently supported.
66
67 The libssl API has changed significantly since OpenSSL 0.9.8: hundreds
68 of functions have been added, deprecated or removed in the intervening
69 versions. Although this documentation lists all of the functions and
70 constants that Net::SSLeay may expose, they will not be available for
71 use if they are missing from the underlying libssl implementation.
72 Refer to the compatibility notes in this documentation, as well as the
73 OpenSSL/LibreSSL manual pages, for information on which
74 OpenSSL/LibreSSL versions support each function or constant. At run-
75 time, you can check whether a function or constant is exposed before
76 calling it using the following convention:
77
78 if ( defined &Net::SSLeay::libssl_function ) {
79 # libssl_function() (or SSL_libssl_function()) is available
80 Net::SSLeay::libssl_function(...);
81 }
82
84 Net::SSLeay module basically comprise of:
85
86 • High level functions for accessing web servers (by using
87 HTTP/HTTPS)
88
89 • Low level API (mostly mapped 1:1 to openssl's C functions)
90
91 • Convenience functions (related to low level API but with more perl
92 friendly interface)
93
94 There is also a related module called Net::SSLeay::Handle included in
95 this distribution that you might want to use instead. It has its own
96 pod documentation.
97
98 High level functions for accessing web servers
99 This module offers some high level convenience functions for accessing
100 web pages on SSL servers (for symmetry, the same API is offered for
101 accessing http servers, too), an "sslcat()" function for writing your
102 own clients, and finally access to the SSL api of the SSLeay/OpenSSL
103 package so you can write servers or clients for more complicated
104 applications.
105
106 For high level functions it is most convenient to import them into your
107 main namespace as indicated in the synopsis.
108
109 Basic set of functions
110
111 • get_https
112
113 • post_https
114
115 • put_https
116
117 • head_https
118
119 • do_https
120
121 • sslcat
122
123 • https_cat
124
125 • make_form
126
127 • make_headers
128
129 Case 1 (in SYNOPSIS) demonstrates the typical invocation of get_https()
130 to fetch an HTML page from secure server. The first argument provides
131 the hostname or IP in dotted decimal notation of the remote server to
132 contact. The second argument is the TCP port at the remote end (your
133 own port is picked arbitrarily from high numbered ports as usual for
134 TCP). The third argument is the URL of the page without the host name
135 part. If in doubt consult the HTTP specifications at
136 <http://www.w3c.org>.
137
138 Case 2 (in SYNOPSIS) demonstrates full fledged use of "get_https()". As
139 can be seen, "get_https()" parses the response and response headers and
140 returns them as a list, which can be captured in a hash for later
141 reference. Also a fourth argument to "get_https()" is used to insert
142 some additional headers in the request. "make_headers()" is a function
143 that will convert a list or hash to such headers. By default
144 "get_https()" supplies "Host" (to make virtual hosting easy) and
145 "Accept" (reportedly needed by IIS) headers.
146
147 Case 2b (in SYNOPSIS) demonstrates how to get a password protected
148 page. Refer to the HTTP protocol specifications for further details
149 (e.g. RFC-2617).
150
151 Case 3 (in SYNOPSIS) invokes "post_https()" to submit a HTML/CGI form
152 to a secure server. The first four arguments are equal to "get_https()"
153 (note that the empty string ('') is passed as header argument). The
154 fifth argument is the contents of the form formatted according to CGI
155 specification. Do not post UTF-8 data as content: use utf8::downgrade
156 first. In this case the helper function "make_https()" is used to do
157 the formatting, but you could pass any string. "post_https()"
158 automatically adds "Content-Type" and "Content-Length" headers to the
159 request.
160
161 Case 4 (in SYNOPSIS) shows the fundamental "sslcat()" function
162 (inspired in spirit by the "netcat" utility :-). It's your swiss army
163 knife that allows you to easily contact servers, send some data, and
164 then get the response. You are responsible for formatting the data and
165 parsing the response - "sslcat()" is just a transport.
166
167 Case 5 (in SYNOPSIS) is a full invocation of "sslcat()" which allows
168 the return of errors as well as the server (peer) certificate.
169
170 The $trace global variable can be used to control the verbosity of the
171 high level functions. Level 0 guarantees silence, level 1 (the default)
172 only emits error messages.
173
174 Alternate versions of high-level API
175
176 • get_https3
177
178 • post_https3
179
180 • put_https3
181
182 • get_https4
183
184 • post_https4
185
186 • put_https4
187
188 The above mentioned functions actually return the response headers as a
189 list, which only gets converted to hash upon assignment (this
190 assignment looses information if the same header occurs twice, as may
191 be the case with cookies). There are also other variants of the
192 functions that return unprocessed headers and that return a reference
193 to a hash.
194
195 ($page, $response, @headers) = get_https('www.bacus.pt', 443, '/');
196 for ($i = 0; $i < $#headers; $i+=2) {
197 print "$headers[$i] = " . $headers[$i+1] . "\n";
198 }
199
200 ($page, $response, $headers, $server_cert)
201 = get_https3('www.bacus.pt', 443, '/');
202 print "$headers\n";
203
204 ($page, $response, $headers_ref)
205 = get_https4('www.bacus.pt', 443, '/');
206 for $k (sort keys %{$headers_ref}) {
207 for $v (@{$$headers_ref{$k}}) {
208 print "$k = $v\n";
209 }
210 }
211
212 All of the above code fragments accomplish the same thing: display all
213 values of all headers. The API functions ending in "3" return the
214 headers simply as a scalar string and it is up to the application to
215 split them up. The functions ending in "4" return a reference to a hash
216 of arrays (see perlref and perllol if you are not familiar with complex
217 perl data structures). To access a single value of such a header hash
218 you would do something like
219
220 print $$headers_ref{COOKIE}[0];
221
222 Variants 3 and 4 also allow you to discover the server certificate in
223 case you would like to store or display it, e.g.
224
225 ($p, $resp, $hdrs, $server_cert) = get_https3('www.bacus.pt', 443, '/');
226 if (!defined($server_cert) || ($server_cert == 0)) {
227 warn "Subject Name: undefined, Issuer Name: undefined";
228 } else {
229 warn 'Subject Name: '
230 . Net::SSLeay::X509_NAME_oneline(
231 Net::SSLeay::X509_get_subject_name($server_cert))
232 . 'Issuer Name: '
233 . Net::SSLeay::X509_NAME_oneline(
234 Net::SSLeay::X509_get_issuer_name($server_cert));
235 }
236
237 Beware that this method only allows after the fact verification of the
238 certificate: by the time "get_https3()" has returned the https request
239 has already been sent to the server, whether you decide to trust it or
240 not. To do the verification correctly you must either employ the
241 OpenSSL certificate verification framework or use the lower level API
242 to first connect and verify the certificate and only then send the http
243 data. See the implementation of "ds_https3()" for guidance on how to do
244 this.
245
246 Using client certificates
247
248 Secure web communications are encrypted using symmetric crypto keys
249 exchanged using encryption based on the certificate of the server.
250 Therefore in all SSL connections the server must have a certificate.
251 This serves both to authenticate the server to the clients and to
252 perform the key exchange.
253
254 Sometimes it is necessary to authenticate the client as well. Two
255 options are available: HTTP basic authentication and a client side
256 certificate. The basic authentication over HTTPS is actually quite safe
257 because HTTPS guarantees that the password will not travel in the
258 clear. Never-the-less, problems like easily guessable passwords remain.
259 The client certificate method involves authentication of the client at
260 the SSL level using a certificate. For this to work, both the client
261 and the server have certificates (which typically are different) and
262 private keys.
263
264 The API functions outlined above accept additional arguments that allow
265 one to supply the client side certificate and key files. The format of
266 these files is the same as used for server certificates and the caveat
267 about encrypting private keys applies.
268
269 ($page, $result, %headers) = # 2c
270 = get_https('www.bacus.pt', 443, '/protected.html',
271 make_headers(Authorization =>
272 'Basic ' . MIME::Base64::encode("$user:$pass",'')),
273 '', $mime_type6, $path_to_crt7, $path_to_key8);
274
275 ($page, $response, %reply_headers)
276 = post_https('www.bacus.pt', 443, '/foo.cgi', # 3b
277 make_headers('Authorization' =>
278 'Basic ' . MIME::Base64::encode("$user:$pass",'')),
279 make_form(OK => '1', name => 'Sampo'),
280 $mime_type6, $path_to_crt7, $path_to_key8);
281
282 Case 2c (in SYNOPSIS) demonstrates getting a password protected page
283 that also requires a client certificate, i.e. it is possible to use
284 both authentication methods simultaneously.
285
286 Case 3b (in SYNOPSIS) is a full blown POST to a secure server that
287 requires both password authentication and a client certificate, just
288 like in case 2c.
289
290 Note: The client will not send a certificate unless the server requests
291 one. This is typically achieved by setting the verify mode to
292 "VERIFY_PEER" on the server:
293
294 Net::SSLeay::set_verify(ssl, Net::SSLeay::VERIFY_PEER, 0);
295
296 See "perldoc ~openssl/doc/ssl/SSL_CTX_set_verify.pod" for a full
297 description.
298
299 Working through a web proxy
300
301 • set_proxy
302
303 "Net::SSLeay" can use a web proxy to make its connections. You need to
304 first set the proxy host and port using "set_proxy()" and then just use
305 the normal API functions, e.g:
306
307 Net::SSLeay::set_proxy('gateway.myorg.com', 8080);
308 ($page) = get_https('www.bacus.pt', 443, '/');
309
310 If your proxy requires authentication, you can supply a username and
311 password as well
312
313 Net::SSLeay::set_proxy('gateway.myorg.com', 8080, 'joe', 'salainen');
314 ($page, $result, %headers) =
315 = get_https('www.bacus.pt', 443, '/protected.html',
316 make_headers(Authorization =>
317 'Basic ' . MIME::Base64::encode("susie:pass",''))
318 );
319
320 This example demonstrates the case where we authenticate to the proxy
321 as "joe" and to the final web server as "susie". Proxy authentication
322 requires the "MIME::Base64" module to work.
323
324 HTTP (without S) API
325
326 • get_http
327
328 • post_http
329
330 • tcpcat
331
332 • get_httpx
333
334 • post_httpx
335
336 • tcpxcat
337
338 Over the years it has become clear that it would be convenient to use
339 the light-weight flavour API of "Net::SSLeay" for normal HTTP as well
340 (see "LWP" for the heavy-weight object-oriented approach). In fact it
341 would be nice to be able to flip https on and off on the fly. Thus
342 regular HTTP support was evolved.
343
344 use Net::SSLeay qw(get_http post_http tcpcat
345 get_httpx post_httpx tcpxcat
346 make_headers make_form);
347
348 ($page, $result, %headers)
349 = get_http('www.bacus.pt', 443, '/protected.html',
350 make_headers(Authorization =>
351 'Basic ' . MIME::Base64::encode("$user:$pass",''))
352 );
353
354 ($page, $response, %reply_headers)
355 = post_http('www.bacus.pt', 443, '/foo.cgi', '',
356 make_form(OK => '1',
357 name => 'Sampo'
358 ));
359
360 ($reply, $err) = tcpcat($host, $port, $request);
361
362 ($page, $result, %headers)
363 = get_httpx($usessl, 'www.bacus.pt', 443, '/protected.html',
364 make_headers(Authorization =>
365 'Basic ' . MIME::Base64::encode("$user:$pass",''))
366 );
367
368 ($page, $response, %reply_headers)
369 = post_httpx($usessl, 'www.bacus.pt', 443, '/foo.cgi', '',
370 make_form(OK => '1', name => 'Sampo' ));
371
372 ($reply, $err, $server_cert) = tcpxcat($usessl, $host, $port, $request);
373
374 As can be seen, the "x" family of APIs takes as the first argument a
375 flag which indicates whether SSL is used or not.
376
377 Certificate verification and Certificate Revocation Lists (CRLs)
378 OpenSSL supports the ability to verify peer certificates. It can also
379 optionally check the peer certificate against a Certificate Revocation
380 List (CRL) from the certificates issuer. A CRL is a file, created by
381 the certificate issuer that lists all the certificates that it
382 previously signed, but which it now revokes. CRLs are in PEM format.
383
384 You can enable "Net::SSLeay CRL" checking like this:
385
386 &Net::SSLeay::X509_STORE_set_flags
387 (&Net::SSLeay::CTX_get_cert_store($ssl),
388 &Net::SSLeay::X509_V_FLAG_CRL_CHECK);
389
390 After setting this flag, if OpenSSL checks a peer's certificate, then
391 it will attempt to find a CRL for the issuer. It does this by looking
392 for a specially named file in the search directory specified by
393 CTX_load_verify_locations. CRL files are named with the hash of the
394 issuer's subject name, followed by ".r0", ".r1" etc. For example
395 "ab1331b2.r0", "ab1331b2.r1". It will read all the .r files for the
396 issuer, and then check for a revocation of the peer certificate in all
397 of them. (You can also force it to look in a specific named CRL file.,
398 see below). You can find out the hash of the issuer subject name in a
399 CRL with
400
401 openssl crl -in crl.pem -hash -noout
402
403 If the peer certificate does not pass the revocation list, or if no CRL
404 is found, then the handshaking fails with an error.
405
406 You can also force OpenSSL to look for CRLs in one or more arbitrarily
407 named files.
408
409 my $bio = Net::SSLeay::BIO_new_file($crlfilename, 'r');
410 my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
411 if ($crl) {
412 Net::SSLeay::X509_STORE_add_crl(
413 Net::SSLeay::CTX_get_cert_store($ssl, $crl)
414 );
415 } else {
416 error reading CRL....
417 }
418
419 Usually the URLs where you can download the CRLs is contained in the
420 certificate itself and you can extract them with
421
422 my @url = Net::SSLeay::P_X509_get_crl_distribution_points($cert)
423
424 But there is no automatic downloading of the CRLs and often these CRLs
425 are too huge to just download them to verify a single certificate.
426 Also, these CRLs are often in DER format which you need to convert to
427 PEM before you can use it:
428
429 openssl crl -in crl.der -inform der -out crl.pem
430
431 So as an alternative for faster and timely revocation checks you better
432 use the Online Status Revocation Protocol (OCSP).
433
434 Certificate verification and Online Status Revocation Protocol (OCSP)
435 While checking for revoked certificates is possible and fast with
436 Certificate Revocation Lists, you need to download the complete and
437 often huge list before you can verify a single certificate.
438
439 A faster way is to ask the CA to check the revocation of just a single
440 or a few certificates using OCSP. Basically you generate for each
441 certificate an OCSP_CERTID based on the certificate itself and its
442 issuer, put the ids togetether into an OCSP_REQUEST and send the
443 request to the URL given in the certificate.
444
445 As a result you get back an OCSP_RESPONSE and need to check the status
446 of the response, check that it is valid (e.g. signed by the CA) and
447 finally extract the information about each OCSP_CERTID to find out if
448 the certificate is still valid or got revoked.
449
450 With Net::SSLeay this can be done like this:
451
452 # get id(s) for given certs, like from get_peer_certificate
453 # or get_peer_cert_chain. This will croak if
454 # - one tries to make an OCSP_CERTID for a self-signed certificate
455 # - the issuer of the certificate cannot be found in the SSL objects
456 # store, nor in the current certificate chain
457 my $cert = Net::SSLeay::get_peer_certificate($ssl);
458 my $id = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) };
459 die "failed to make OCSP_CERTID: $@" if $@;
460
461 # create OCSP_REQUEST from id(s)
462 # Multiple can be put into the same request, if the same OCSP responder
463 # is responsible for them.
464 my $req = Net::SSLeay::OCSP_ids2req($id);
465
466 # determine URI of OCSP responder
467 my $uri = Net::SSLeay::P_X509_get_ocsp_uri($cert);
468
469 # Send stringified OCSP_REQUEST with POST to $uri.
470 # We can ignore certificate verification for https, because the OCSP
471 # response itself is signed.
472 my $ua = HTTP::Tiny->new(verify_SSL => 0);
473 my $res = $ua->request( 'POST',$uri, {
474 headers => { 'Content-type' => 'application/ocsp-request' },
475 content => Net::SSLeay::i2d_OCSP_REQUEST($req)
476 });
477 my $content = $res && $res->{success} && $res->{content}
478 or die "query failed";
479
480 # Extract OCSP_RESPONSE.
481 # this will croak if the string is not an OCSP_RESPONSE
482 my $resp = eval { Net::SSLeay::d2i_OCSP_RESPONSE($content) };
483
484 # Check status of response.
485 my $status = Net::SSLeay::OCSP_response_status($resp);
486 if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL())
487 die "OCSP response failed: ".
488 Net::SSLeay::OCSP_response_status_str($status);
489 }
490
491 # Verify signature of response and if nonce matches request.
492 # This will croak if there is a nonce in the response, but it does not match
493 # the request. It will return false if the signature could not be verified,
494 # in which case details can be retrieved with Net::SSLeay::ERR_get_error.
495 # It will not complain if the response does not contain a nonce, which is
496 # usually the case with pre-signed responses.
497 if ( ! eval { Net::SSLeay::OCSP_response_verify($ssl,$resp,$req) }) {
498 die "OCSP response verification failed";
499 }
500
501 # Extract information from OCSP_RESPONSE for each of the ids.
502
503 # If called in scalar context it will return the time (as time_t), when the
504 # next update is due (minimum of all successful responses inside $resp). It
505 # will croak on the following problems:
506 # - response is expired or not yet valid
507 # - no response for given OCSP_CERTID
508 # - certificate status is not good (e.g. revoked or unknown)
509 if ( my $nextupd = eval { Net::SSLeay::OCSP_response_results($resp,$id) }) {
510 warn "certificate is valid, next update in ".
511 ($nextupd-time())." seconds\n";
512 } else {
513 die "certificate is not valid: $@";
514 }
515
516 # But in array context it will return detailed information about each given
517 # OCSP_CERTID instead croaking on errors:
518 # if no @ids are given it will return information about all single responses
519 # in the OCSP_RESPONSE
520 my @results = Net::SSLeay::OCSP_response_results($resp,@ids);
521 for my $r (@results) {
522 print Dumper($r);
523 # @results are in the same order as the @ids and contain:
524 # $r->[0] - OCSP_CERTID
525 # $r->[1] - undef if no error (certificate good) OR error message as string
526 # $r->[2] - hash with details:
527 # thisUpdate - time_t of this single response
528 # nextUpdate - time_t when update is expected
529 # statusType - integer:
530 # V_OCSP_CERTSTATUS_GOOD(0)
531 # V_OCSP_CERTSTATUS_REVOKED(1)
532 # V_OCSP_CERTSTATUS_UNKNOWN(2)
533 # revocationTime - time_t (only if revoked)
534 # revocationReason - integer (only if revoked)
535 # revocationReason_str - reason as string (only if revoked)
536 }
537
538 To further speed up certificate revocation checking one can use a TLS
539 extension to instruct the server to staple the OCSP response:
540
541 # set TLS extension before doing SSL_connect
542 Net::SSLeay::set_tlsext_status_type($ssl,
543 Net::SSLeay::TLSEXT_STATUSTYPE_ocsp());
544
545 # setup callback to verify OCSP response
546 my $cert_valid = undef;
547 Net::SSLeay::CTX_set_tlsext_status_cb($context,sub {
548 my ($ssl,$resp) = @_;
549 if (!$resp) {
550 # Lots of servers don't return an OCSP response.
551 # In this case we must check the OCSP status outside the SSL
552 # handshake.
553 warn "server did not return stapled OCSP response\n";
554 return 1;
555 }
556 # verify status
557 my $status = Net::SSLeay::OCSP_response_status($resp);
558 if ($status != Net::SSLeay::OCSP_RESPONSE_STATUS_SUCCESSFUL()) {
559 warn "OCSP response failure: $status\n";
560 return 1;
561 }
562 # verify signature - we have no OCSP_REQUEST here to check nonce
563 if (!eval { Net::SSLeay::OCSP_response_verify($ssl,$resp) }) {
564 warn "OCSP response verify failed\n";
565 return 1;
566 }
567 # check if the certificate is valid
568 # we should check here against the peer_certificate
569 my $cert = Net::SSLeay::get_peer_certificate();
570 my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl,$cert) } or do {
571 warn "cannot get certid from cert: $@";
572 $cert_valid = -1;
573 return 1;
574 };
575
576 if ( $nextupd = eval {
577 Net::SSLeay::OCSP_response_results($resp,$certid) }) {
578 warn "certificate not revoked\n";
579 $cert_valid = 1;
580 } else {
581 warn "certificate not valid: $@";
582 $cert_valid = 0;
583 }
584 });
585
586 # do SSL handshake here
587 ....
588 # check if certificate revocation was checked already
589 if ( ! defined $cert_valid) {
590 # check revocation outside of SSL handshake by asking OCSP responder
591 ...
592 } elsif ( ! $cert_valid ) {
593 die "certificate not valid - closing SSL connection";
594 } elsif ( $cert_valid<0 ) {
595 die "cannot verify certificate revocation - self-signed ?";
596 } else {
597 # everything fine
598 ...
599 }
600
601 Using Net::SSLeay in multi-threaded applications
602 IMPORTANT: versions 1.42 or earlier are not thread-safe!
603
604 Net::SSLeay module implements all necessary stuff to be ready for
605 multi-threaded environment - it requires openssl-0.9.7 or newer. The
606 implementation fully follows thread safety related requirements of
607 openssl library(see <http://www.openssl.org/docs/crypto/threads.html>).
608
609 If you are about to use Net::SSLeay (or any other module based on
610 Net::SSLeay) in multi-threaded perl application it is recommended to
611 follow this best-practice:
612
613 Initialization
614
615 Load and initialize Net::SSLeay module in the main thread:
616
617 use threads;
618 use Net::SSLeay;
619
620 Net::SSLeay::load_error_strings();
621 Net::SSLeay::SSLeay_add_ssl_algorithms();
622 Net::SSLeay::randomize();
623
624 sub do_master_job {
625 #... call whatever from Net::SSLeay
626 }
627
628 sub do_worker_job {
629 #... call whatever from Net::SSLeay
630 }
631
632 #start threads
633 my $master = threads->new(\&do_master_job, 'param1', 'param2');
634 my @workers = threads->new(\&do_worker_job, 'arg1', 'arg2') for (1..10);
635
636 #waiting for all threads to finish
637 $_->join() for (threads->list);
638
639 NOTE: Openssl's "int SSL_library_init(void)" function (which is also
640 aliased as "SSLeay_add_ssl_algorithms", "OpenSSL_add_ssl_algorithms"
641 and "add_ssl_algorithms") is not re-entrant and multiple calls can
642 cause a crash in threaded application. Net::SSLeay implements flags
643 preventing repeated calls to this function, therefore even multiple
644 initialization via Net::SSLeay::SSLeay_add_ssl_algorithms() should work
645 without trouble.
646
647 Using callbacks
648
649 Do not use callbacks across threads (the module blocks cross-thread
650 callback operations and throws a warning). Always do the callback
651 setup, callback use and callback destruction within the same thread.
652
653 Using openssl elements
654
655 All openssl elements (X509, SSL_CTX, ...) can be directly passed
656 between threads.
657
658 use threads;
659 use Net::SSLeay;
660
661 Net::SSLeay::load_error_strings();
662 Net::SSLeay::SSLeay_add_ssl_algorithms();
663 Net::SSLeay::randomize();
664
665 sub do_job {
666 my $context = shift;
667 Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" });
668 #...
669 }
670
671 my $c = Net::SSLeay::CTX_new();
672 threads->create(\&do_job, $c);
673
674 Or:
675
676 use threads;
677 use Net::SSLeay;
678
679 my $context; #does not need to be 'shared'
680
681 Net::SSLeay::load_error_strings();
682 Net::SSLeay::SSLeay_add_ssl_algorithms();
683 Net::SSLeay::randomize();
684
685 sub do_job {
686 Net::SSLeay::CTX_set_default_passwd_cb($context, sub { "secret" });
687 #...
688 }
689
690 $context = Net::SSLeay::CTX_new();
691 threads->create(\&do_job);
692
693 Using other perl modules based on Net::SSLeay
694
695 It should be fine to use any other module based on Net::SSLeay (like
696 IO::Socket::SSL) in multi-threaded applications. It is generally
697 recommended to do any global initialization of such a module in the
698 main thread before calling "threads->new(..)" or "threads->create(..)"
699 but it might differ module by module.
700
701 To be safe you can load and init Net::SSLeay explicitly in the main
702 thread:
703
704 use Net::SSLeay;
705 use Other::SSLeay::Based::Module;
706
707 Net::SSLeay::load_error_strings();
708 Net::SSLeay::SSLeay_add_ssl_algorithms();
709 Net::SSLeay::randomize();
710
711 Or even safer:
712
713 use Net::SSLeay;
714 use Other::SSLeay::Based::Module;
715
716 BEGIN {
717 Net::SSLeay::load_error_strings();
718 Net::SSLeay::SSLeay_add_ssl_algorithms();
719 Net::SSLeay::randomize();
720 }
721
722 Combining Net::SSLeay with other modules linked with openssl
723
724 BEWARE: This might be a big trouble! This is not guaranteed be thread-
725 safe!
726
727 There are many other (XS) modules linked directly to openssl library
728 (like Crypt::SSLeay).
729
730 As it is expected that also "another" module will call
731 "SSLeay_add_ssl_algorithms" at some point we have again a trouble with
732 multiple openssl initialization by Net::SSLeay and "another" module.
733
734 As you can expect Net::SSLeay is not able to avoid multiple
735 initialization of openssl library called by "another" module, thus you
736 have to handle this on your own (in some cases it might not be possible
737 at all to avoid this).
738
739 Threading with get_https and friends
740
741 The convenience functions get_https, post_https etc all initialize the
742 SSL library by calling Net::SSLeay::initialize which does the
743 conventional library initialization:
744
745 Net::SSLeay::load_error_strings();
746 Net::SSLeay::SSLeay_add_ssl_algorithms();
747 Net::SSLeay::randomize();
748
749 Net::SSLeay::initialize initializes the SSL library at most once. You
750 can override the Net::SSLeay::initialize function if you desire some
751 other type of initialization behaviour by get_https and friends. You
752 can call Net::SSLeay::initialize from your own code if you desire this
753 conventional library initialization.
754
755 Convenience routines
756 To be used with Low level API
757
758 Net::SSLeay::randomize($rn_seed_file,$additional_seed);
759 Net::SSLeay::set_cert_and_key($ctx, $cert_path, $key_path);
760 $cert = Net::SSLeay::dump_peer_certificate($ssl);
761 Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure";
762 $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure";
763
764 $got = Net::SSLeay::ssl_read_CRLF($ssl [, $max_length]);
765 $got = Net::SSLeay::ssl_read_until($ssl [, $delimit [, $max_length]]);
766 Net::SSLeay::ssl_write_CRLF($ssl, $message);
767
768 • randomize
769
770 seeds the openssl PRNG with "/dev/urandom" (see the top of
771 "SSLeay.pm" for how to change or configure this) and optionally
772 with user provided data. It is very important to properly seed your
773 random numbers, so do not forget to call this. The high level API
774 functions automatically call "randomize()" so it is not needed with
775 them. See also caveats.
776
777 • set_cert_and_key
778
779 takes two file names as arguments and sets the certificate and
780 private key to those. This can be used to set either server
781 certificates or client certificates.
782
783 • dump_peer_certificate
784
785 allows you to get a plaintext description of the certificate the
786 peer (usually the server) presented to us.
787
788 • ssl_read_all
789
790 see ssl_write_all (below)
791
792 • ssl_write_all
793
794 "ssl_read_all()" and "ssl_write_all()" provide true blocking
795 semantics for these operations (see limitation, below, for
796 explanation). These are much preferred to the low level API
797 equivalents (which implement BSD blocking semantics). The message
798 argument to "ssl_write_all()" can be a reference. This is helpful
799 to avoid unnecessary copying when writing something big, e.g:
800
801 $data = 'A' x 1000000000;
802 Net::SSLeay::ssl_write_all($ssl, \$data) or die "ssl write failed";
803
804 • ssl_read_CRLF
805
806 uses "ssl_read_all()" to read in a line terminated with a carriage
807 return followed by a linefeed (CRLF). The CRLF is included in the
808 returned scalar.
809
810 • ssl_read_until
811
812 uses "ssl_read_all()" to read from the SSL input stream until it
813 encounters a programmer specified delimiter. If the delimiter is
814 undefined, $/ is used. If $/ is undefined, "\n" is used. One can
815 optionally set a maximum length of bytes to read from the SSL input
816 stream.
817
818 • ssl_write_CRLF
819
820 writes $message and appends CRLF to the SSL output stream.
821
822 Initialization
823 In order to use the low level API you should start your programs with
824 the following incantation:
825
826 use Net::SSLeay qw(die_now die_if_ssl_error);
827 Net::SSLeay::load_error_strings();
828 Net::SSLeay::SSLeay_add_ssl_algorithms(); # Important!
829 Net::SSLeay::ENGINE_load_builtin_engines(); # If you want built-in engines
830 Net::SSLeay::ENGINE_register_all_complete(); # If you want built-in engines
831 Net::SSLeay::randomize();
832
833 Error handling functions
834 I can not emphasize the need to check for error enough. Use these
835 functions even in the most simple programs, they will reduce debugging
836 time greatly. Do not ask questions on the mailing list without having
837 first sprinkled these in your code.
838
839 • die_now
840
841 • die_if_ssl_error
842
843 "die_now()" and "die_if_ssl_error()" are used to conveniently print
844 the SSLeay error stack when something goes wrong:
845
846 Net::SSLeay::connect($ssl) or die_now("Failed SSL connect ($!)");
847
848
849 Net::SSLeay::write($ssl, "foo") or die_if_ssl_error("SSL write ($!)");
850
851 • print_errs
852
853 You can also use "Net::SSLeay::print_errs()" to dump the error
854 stack without exiting the program. As can be seen, your code
855 becomes much more readable if you import the error reporting
856 functions into your main name space.
857
858 Sockets
859 Perl uses file handles for all I/O. While SSLeay has a quite flexible
860 BIO mechanism and perl has an evolved PerlIO mechanism, this module
861 still sticks to using file descriptors. Thus to attach SSLeay to a
862 socket you should use "fileno()" to extract the underlying file
863 descriptor:
864
865 Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno
866
867 You should also set $| to 1 to eliminate STDIO buffering so you do not
868 get confused if you use perl I/O functions to manipulate your socket
869 handle.
870
871 If you need to select(2) on the socket, go right ahead, but be warned
872 that OpenSSL does some internal buffering so SSL_read does not always
873 return data even if the socket selected for reading (just keep on
874 selecting and trying to read). "Net::SSLeay" is no different from the C
875 language OpenSSL in this respect.
876
877 Callbacks
878 You can establish a per-context verify callback function something like
879 this:
880
881 sub verify {
882 my ($ok, $x509_store_ctx) = @_;
883 print "Verifying certificate...\n";
884 ...
885 return $ok;
886 }
887
888 It is used like this:
889
890 Net::SSLeay::set_verify ($ssl, Net::SSLeay::VERIFY_PEER, \&verify);
891
892 Per-context callbacks for decrypting private keys are implemented.
893
894 Net::SSLeay::CTX_set_default_passwd_cb($ctx, sub { "top-secret" });
895 Net::SSLeay::CTX_use_PrivateKey_file($ctx, "key.pem",
896 Net::SSLeay::FILETYPE_PEM)
897 or die "Error reading private key";
898 Net::SSLeay::CTX_set_default_passwd_cb($ctx, undef);
899
900 If Hello Extensions are supported by your OpenSSL, a session secret
901 callback can be set up to be called when a session secret is set by
902 openssl.
903
904 Establish it like this:
905 Net::SSLeay::set_session_secret_cb($ssl, \&session_secret_cb,
906 $somedata);
907
908 It will be called like this:
909
910 sub session_secret_cb
911 {
912 my ($secret, \@cipherlist, \$preferredcipher, $somedata) = @_;
913 }
914
915 No other callbacks are implemented. You do not need to use any callback
916 for simple (i.e. normal) cases where the SSLeay built-in verify
917 mechanism satisfies your needs.
918
919 It is required to reset these callbacks to undef immediately after use
920 to prevent memory leaks, thread safety problems and crashes on exit
921 that can occur if different threads set different callbacks.
922
923 If you want to use callback stuff, see examples/callback.pl! It's the
924 only one I am able to make work reliably.
925
926 Low level API
927 In addition to the high level functions outlined above, this module
928 contains straight-forward access to CRYPTO and SSL parts of OpenSSL C
929 API.
930
931 See the "*.h" headers from OpenSSL C distribution for a list of low
932 level SSLeay functions to call (check SSLeay.xs to see if some function
933 has been implemented). The module strips the initial "SSL_" off of the
934 SSLeay names. Generally you should use "Net::SSLeay::" in its place.
935
936 Note that some functions are prefixed with "P_" - these are very close
937 to the original API however contain some kind of a wrapper making its
938 interface more perl friendly.
939
940 For example:
941
942 In C:
943
944 #include <ssl.h>
945
946 err = SSL_set_verify (ssl, SSL_VERIFY_CLIENT_ONCE,
947 &your_call_back_here);
948
949 In Perl:
950
951 use Net::SSLeay;
952
953 $err = Net::SSLeay::set_verify ($ssl,
954 Net::SSLeay::VERIFY_CLIENT_ONCE,
955 \&your_call_back_here);
956
957 If the function does not start with "SSL_" you should use the full
958 function name, e.g.:
959
960 $err = Net::SSLeay::ERR_get_error;
961
962 The following new functions behave in perlish way:
963
964 $got = Net::SSLeay::read($ssl);
965 # Performs SSL_read, but returns $got
966 # resized according to data received.
967 # Returns undef on failure.
968
969 Net::SSLeay::write($ssl, $foo) || die;
970 # Performs SSL_write, but automatically
971 # figures out the size of $foo
972
973 Low level API: Version related functions
974
975 • SSLeay
976
977 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
978
979 Gives version number (numeric) of underlaying openssl library.
980
981 my $ver_number = Net::SSLeay::SSLeay();
982 # returns: the number identifying the openssl release
983 #
984 # 0x00903100 => openssl-0.9.3
985 # 0x00904100 => openssl-0.9.4
986 # 0x00905100 => openssl-0.9.5
987 # 0x0090600f => openssl-0.9.6
988 # 0x0090601f => openssl-0.9.6a
989 # 0x0090602f => openssl-0.9.6b
990 # ...
991 # 0x009060df => openssl-0.9.6m
992 # 0x0090700f => openssl-0.9.7
993 # 0x0090701f => openssl-0.9.7a
994 # 0x0090702f => openssl-0.9.7b
995 # ...
996 # 0x009070df => openssl-0.9.7m
997 # 0x0090800f => openssl-0.9.8
998 # 0x0090801f => openssl-0.9.8a
999 # 0x0090802f => openssl-0.9.8b
1000 # ...
1001 # 0x0090814f => openssl-0.9.8t
1002 # 0x1000000f => openssl-1.0.0
1003 # 0x1000004f => openssl-1.0.0d
1004 # 0x1000007f => openssl-1.0.0g
1005
1006 You can use it like this:
1007
1008 if (Net::SSLeay::SSLeay() < 0x0090800f) {
1009 die "you need openssl-0.9.8 or higher";
1010 }
1011
1012 • SSLeay_version
1013
1014 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
1015
1016 Gives version number (string) of underlaying openssl library.
1017
1018 my $ver_string = Net::SSLeay::SSLeay_version($type);
1019 # $type
1020 # SSLEAY_VERSION - e.g. 'OpenSSL 1.0.0d 8 Feb 2011'
1021 # SSLEAY_CFLAGS - e.g. 'compiler: gcc -D_WINDLL -DOPENSSL_USE_APPLINK .....'
1022 # SSLEAY_BUILT_ON - e.g. 'built on: Fri May 6 00:00:46 GMT 2011'
1023 # SSLEAY_PLATFORM - e.g. 'platform: mingw'
1024 # SSLEAY_DIR - e.g. 'OPENSSLDIR: "z:/...."'
1025 #
1026 # returns: string
1027
1028 Net::SSLeay::SSLeay_version();
1029 #is equivalent to
1030 Net::SSLeay::SSLeay_version(SSLEAY_VERSION);
1031
1032 Check openssl doc
1033 <https://www.openssl.org/docs/man1.0.2/crypto/SSLeay_version.html>
1034
1035 • OpenSSL_version_num
1036
1037 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
1038 requires at least OpenSSL 1.1.0
1039
1040 Gives version number (numeric) of underlaying openssl library. See
1041 "SSLeay" for interpreting the result.
1042
1043 my $ver_number = Net::SSLeay::OpenSSL_version_num();
1044 # returns: the number identifying the openssl release
1045
1046 • OpenSSL_version
1047
1048 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
1049 requires at least OpenSSL 1.1.0
1050
1051 Gives version number (string) of underlaying openssl library.
1052
1053 my $ver_string = Net::SSLeay::OpenSSL_version($t);
1054 # $t
1055 # OPENSSL_VERSION - e.g. 'OpenSSL 1.1.0g 2 Nov 2017'
1056 # OPENSSL_CFLAGS - e.g. 'compiler: cc -DDSO_DLFCN -DHAVE_DLFCN_H .....'
1057 # OPENSSL_BUILT_ON - e.g. 'built on: reproducible build, date unspecified'
1058 # OPENSSL_PLATFORM - e.g. 'platform: darwin64-x86_64-cc'
1059 # OPENSSL_DIR - e.g. 'OPENSSLDIR: "/opt/openssl-1.1.0g"'
1060 # OPENSSL_ENGINES_DIR - e.g. 'ENGINESDIR: "/opt/openssl-1.1.0g/lib/engines-1.1"'
1061 #
1062 # returns: string
1063
1064 Net::SSLeay::OpenSSL_version();
1065 #is equivalent to
1066 Net::SSLeay::OpenSSL_version(OPENSSL_VERSION);
1067
1068 Check openssl doc
1069 <https://www.openssl.org/docs/crypto/OpenSSL_version.html>
1070
1071 Low level API: Initialization related functions
1072
1073 • library_init
1074
1075 Initialize SSL library by registering algorithms.
1076
1077 my $rv = Net::SSLeay::library_init();
1078
1079 Check openssl doc
1080 <http://www.openssl.org/docs/ssl/SSL_library_init.html>
1081
1082 While the original function from OpenSSL always returns 1,
1083 Net::SSLeay adds a wrapper around it to make sure that the OpenSSL
1084 function is only called once. Thus the function will return 1 if
1085 initialization was done and 0 if not, i.e. if initialization was
1086 done already before.
1087
1088 • add_ssl_algorithms
1089
1090 The alias for "library_init"
1091
1092 Net::SSLeay::add_ssl_algorithms();
1093
1094 • OpenSSL_add_ssl_algorithms
1095
1096 The alias for "library_init"
1097
1098 Net::SSLeay::OpenSSL_add_ssl_algorithms();
1099
1100 • SSLeay_add_ssl_algorithms
1101
1102 The alias for "library_init"
1103
1104 Net::SSLeay::SSLeay_add_ssl_algorithms();
1105
1106 • load_error_strings
1107
1108 Registers the error strings for all libcrypto + libssl related
1109 functions.
1110
1111 Net::SSLeay::load_error_strings();
1112 #
1113 # returns: no return value
1114
1115 Check openssl doc
1116 <http://www.openssl.org/docs/crypto/ERR_load_crypto_strings.html>
1117
1118 • ERR_load_crypto_strings
1119
1120 Registers the error strings for all libcrypto functions. No need to
1121 call this function if you have already called "load_error_strings".
1122
1123 Net::SSLeay::ERR_load_crypto_strings();
1124 #
1125 # returns: no return value
1126
1127 Check openssl doc
1128 <http://www.openssl.org/docs/crypto/ERR_load_crypto_strings.html>
1129
1130 • ERR_load_RAND_strings
1131
1132 Registers the error strings for RAND related functions. No need to
1133 call this function if you have already called "load_error_strings".
1134
1135 Net::SSLeay::ERR_load_RAND_strings();
1136 #
1137 # returns: no return value
1138
1139 • ERR_load_SSL_strings
1140
1141 Registers the error strings for SSL related functions. No need to
1142 call this function if you have already called "load_error_strings".
1143
1144 Net::SSLeay::ERR_load_SSL_strings();
1145 #
1146 # returns: no return value
1147
1148 • OpenSSL_add_all_algorithms
1149
1150 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1151
1152 Add algorithms to internal table.
1153
1154 Net::SSLeay::OpenSSL_add_all_algorithms();
1155 #
1156 # returns: no return value
1157
1158 Check openssl doc
1159 <http://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html>
1160
1161 • OPENSSL_add_all_algorithms_conf
1162
1163 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1164
1165 Similar to "OpenSSL_add_all_algorithms" - will ALWAYS load the
1166 config file
1167
1168 Net::SSLeay::OPENSSL_add_all_algorithms_conf();
1169 #
1170 # returns: no return value
1171
1172 • OPENSSL_add_all_algorithms_noconf
1173
1174 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1175
1176 Similar to "OpenSSL_add_all_algorithms" - will NEVER load the
1177 config file
1178
1179 Net::SSLeay::OPENSSL_add_all_algorithms_noconf();
1180 #
1181 # returns: no return value
1182
1183 Low level API: ERR_* and SSL_alert_* related functions
1184
1185 NOTE: Please note that SSL_alert_* function have "SSL_" part stripped
1186 from their names.
1187
1188 • ERR_clear_error
1189
1190 Clear the error queue.
1191
1192 Net::SSLeay::ERR_clear_error();
1193 #
1194 # returns: no return value
1195
1196 Check openssl doc
1197 <http://www.openssl.org/docs/crypto/ERR_clear_error.html>
1198
1199 • ERR_error_string
1200
1201 Generates a human-readable string representing the error code
1202 $error.
1203
1204 my $rv = Net::SSLeay::ERR_error_string($error);
1205 # $error - (unsigned integer) error code
1206 #
1207 # returns: string
1208
1209 Check openssl doc
1210 <http://www.openssl.org/docs/crypto/ERR_error_string.html>
1211
1212 • ERR_get_error
1213
1214 Returns the earliest error code from the thread's error queue and
1215 removes the entry. This function can be called repeatedly until
1216 there are no more error codes to return.
1217
1218 my $rv = Net::SSLeay::ERR_get_error();
1219 #
1220 # returns: (unsigned integer) error code
1221
1222 Check openssl doc
1223 <http://www.openssl.org/docs/crypto/ERR_get_error.html>
1224
1225 • ERR_peek_error
1226
1227 Returns the earliest error code from the thread's error queue
1228 without modifying it.
1229
1230 my $rv = Net::SSLeay::ERR_peek_error();
1231 #
1232 # returns: (unsigned integer) error code
1233
1234 Check openssl doc
1235 <http://www.openssl.org/docs/crypto/ERR_get_error.html>
1236
1237 • ERR_put_error
1238
1239 Adds an error code to the thread's error queue. It signals that the
1240 error of $reason code reason occurred in function $func of library
1241 $lib, in line number $line of $file.
1242
1243 Net::SSLeay::ERR_put_error($lib, $func, $reason, $file, $line);
1244 # $lib - (integer) library id (check openssl/err.h for constants e.g. ERR_LIB_SSL)
1245 # $func - (integer) function id (check openssl/ssl.h for constants e.g. SSL_F_SSL23_READ)
1246 # $reason - (integer) reason id (check openssl/ssl.h for constants e.g. SSL_R_SSL_HANDSHAKE_FAILURE)
1247 # $file - (string) file name
1248 # $line - (integer) line number in $file
1249 #
1250 # returns: no return value
1251
1252 Check openssl doc
1253 <http://www.openssl.org/docs/crypto/ERR_put_error.html> and
1254 <http://www.openssl.org/docs/crypto/err.html>
1255
1256 • alert_desc_string
1257
1258 Returns a two letter string as a short form describing the reason
1259 of the alert specified by value.
1260
1261 my $rv = Net::SSLeay::alert_desc_string($value);
1262 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1263 #
1264 # returns: description string (2 letters)
1265
1266 Check openssl doc
1267 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1268
1269 • alert_desc_string_long
1270
1271 Returns a string describing the reason of the alert specified by
1272 value.
1273
1274 my $rv = Net::SSLeay::alert_desc_string_long($value);
1275 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1276 #
1277 # returns: description string
1278
1279 Check openssl doc
1280 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1281
1282 • alert_type_string
1283
1284 Returns a one letter string indicating the type of the alert
1285 specified by value.
1286
1287 my $rv = Net::SSLeay::alert_type_string($value);
1288 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1289 #
1290 # returns: string (1 letter)
1291
1292 Check openssl doc
1293 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1294
1295 • alert_type_string_long
1296
1297 Returns a string indicating the type of the alert specified by
1298 value.
1299
1300 my $rv = Net::SSLeay::alert_type_string_long($value);
1301 # $value - (integer) allert id (check openssl/ssl.h for SSL3_AD_* and TLS1_AD_* constants)
1302 #
1303 # returns: string
1304
1305 Check openssl doc
1306 <http://www.openssl.org/docs/ssl/SSL_alert_type_string.html>
1307
1308 Low level API: SSL_METHOD_* related functions
1309
1310 • SSLv23_method, SSLv23_server_method and SSLv23_client_method
1311
1312 COMPATIBILITY: not available in Net-SSLeay-1.82 and before.
1313
1314 Returns SSL_METHOD structure corresponding to general-purpose
1315 version-flexible TLS method, the return value can be later used as
1316 a param of "CTX_new_with_method".
1317
1318 NOTE: Consider using TLS_method, TLS_server_method or
1319 TLS_client_method with new code.
1320
1321 my $rv = Net::SSLeay::SSLv2_method();
1322 #
1323 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1324
1325 • SSLv2_method
1326
1327 Returns SSL_METHOD structure corresponding to SSLv2 method, the
1328 return value can be later used as a param of "CTX_new_with_method".
1329 Only available where supported by the underlying openssl.
1330
1331 my $rv = Net::SSLeay::SSLv2_method();
1332 #
1333 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1334
1335 • SSLv3_method
1336
1337 Returns SSL_METHOD structure corresponding to SSLv3 method, the
1338 return value can be later used as a param of "CTX_new_with_method".
1339
1340 my $rv = Net::SSLeay::SSLv3_method();
1341 #
1342 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1343
1344 Check openssl doc
1345 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1346
1347 • TLSv1_method, TLSv1_server_method and TLSv1_client_method
1348
1349 COMPATIBILITY: Server and client methods not available in
1350 Net-SSLeay-1.82 and before.
1351
1352 Returns SSL_METHOD structure corresponding to TLSv1 method, the
1353 return value can be later used as a param of "CTX_new_with_method".
1354
1355 my $rv = Net::SSLeay::TLSv1_method();
1356 #
1357 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1358
1359 Check openssl doc
1360 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1361
1362 • TLSv1_1_method, TLSv1_1_server_method and TLSv1_1_client_method
1363
1364 COMPATIBILITY: Server and client methods not available in
1365 Net-SSLeay-1.82 and before.
1366
1367 Returns SSL_METHOD structure corresponding to TLSv1_1 method, the
1368 return value can be later used as a param of "CTX_new_with_method".
1369 Only available where supported by the underlying openssl.
1370
1371 my $rv = Net::SSLeay::TLSv1_1_method();
1372 #
1373 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1374
1375 Check openssl doc
1376 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1377
1378 • TLSv1_2_method, TLSv1_2_server_method and TLSv1_2_client_method
1379
1380 COMPATIBILITY: Server and client methods not available in
1381 Net-SSLeay-1.82 and before.
1382
1383 Returns SSL_METHOD structure corresponding to TLSv1_2 method, the
1384 return value can be later used as a param of "CTX_new_with_method".
1385 Only available where supported by the underlying openssl.
1386
1387 my $rv = Net::SSLeay::TLSv1_2_method();
1388 #
1389 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1390
1391 Check openssl doc
1392 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1393
1394 • TLS_method, TLS_server_method and TLS_client_method
1395
1396 COMPATIBILITY: Not available in Net-SSLeay-1.82 and before.
1397
1398 Returns SSL_METHOD structure corresponding to general-purpose
1399 version-flexible TLS method, the return value can be later used as
1400 a param of "CTX_new_with_method". Only available where supported by
1401 the underlying openssl.
1402
1403 my $rv = Net::SSLeay::TLS_method();
1404 #
1405 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
1406
1407 Check openssl doc
1408 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
1409
1410 Low level API: ENGINE_* related functions
1411
1412 • ENGINE_load_builtin_engines
1413
1414 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1415 loading support.
1416
1417 Load all bundled ENGINEs into memory and make them visible.
1418
1419 Net::SSLeay::ENGINE_load_builtin_engines();
1420 #
1421 # returns: no return value
1422
1423 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1424
1425 • ENGINE_register_all_complete
1426
1427 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1428 loading support.
1429
1430 Register all loaded ENGINEs for every algorithm they collectively
1431 implement.
1432
1433 Net::SSLeay::ENGINE_register_all_complete();
1434 #
1435 # returns: no return value
1436
1437 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1438
1439 • ENGINE_set_default
1440
1441 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1442 loading support.
1443
1444 Set default engine to $e + set its flags to $flags.
1445
1446 my $rv = Net::SSLeay::ENGINE_set_default($e, $flags);
1447 # $e - value corresponding to openssl's ENGINE structure
1448 # $flags - (integer) engine flags
1449 # flags value can be made by bitwise "OR"ing:
1450 # 0x0001 - ENGINE_METHOD_RSA
1451 # 0x0002 - ENGINE_METHOD_DSA
1452 # 0x0004 - ENGINE_METHOD_DH
1453 # 0x0008 - ENGINE_METHOD_RAND
1454 # 0x0010 - ENGINE_METHOD_ECDH
1455 # 0x0020 - ENGINE_METHOD_ECDSA
1456 # 0x0040 - ENGINE_METHOD_CIPHERS
1457 # 0x0080 - ENGINE_METHOD_DIGESTS
1458 # 0x0100 - ENGINE_METHOD_STORE
1459 # 0x0200 - ENGINE_METHOD_PKEY_METHS
1460 # 0x0400 - ENGINE_METHOD_PKEY_ASN1_METHS
1461 # Obvious all-or-nothing cases:
1462 # 0xFFFF - ENGINE_METHOD_ALL
1463 # 0x0000 - ENGINE_METHOD_NONE
1464 #
1465 # returns: 1 on success, 0 on failure
1466
1467 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1468
1469 • ENGINE_by_id
1470
1471 Get ENGINE by its identification $id.
1472
1473 COMPATIBILITY: Requires an OpenSSL build with dynamic engine
1474 loading support.
1475
1476 my $rv = Net::SSLeay::ENGINE_by_id($id);
1477 # $id - (string) engine identification e.g. "dynamic"
1478 #
1479 # returns: value corresponding to openssl's ENGINE structure (0 on failure)
1480
1481 Check openssl doc <http://www.openssl.org/docs/crypto/engine.html>
1482
1483 Low level API: EVP_PKEY_* related functions
1484
1485 • EVP_PKEY_copy_parameters
1486
1487 Copies the parameters from key $from to key $to.
1488
1489 my $rv = Net::SSLeay::EVP_PKEY_copy_parameters($to, $from);
1490 # $to - value corresponding to openssl's EVP_PKEY structure
1491 # $from - value corresponding to openssl's EVP_PKEY structure
1492 #
1493 # returns: 1 on success, 0 on failure
1494
1495 Check openssl doc
1496 <http://www.openssl.org/docs/crypto/EVP_PKEY_cmp.html>
1497
1498 • EVP_PKEY_new
1499
1500 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1501
1502 Creates a new EVP_PKEY structure.
1503
1504 my $rv = Net::SSLeay::EVP_PKEY_new();
1505 #
1506 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
1507
1508 Check openssl doc
1509 <http://www.openssl.org/docs/crypto/EVP_PKEY_new.html>
1510
1511 • EVP_PKEY_free
1512
1513 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1514
1515 Free an allocated EVP_PKEY structure.
1516
1517 Net::SSLeay::EVP_PKEY_free($pkey);
1518 # $pkey - value corresponding to openssl's EVP_PKEY structure
1519 #
1520 # returns: no return value
1521
1522 Check openssl doc
1523 <http://www.openssl.org/docs/crypto/EVP_PKEY_new.html>
1524
1525 • EVP_PKEY_assign_RSA
1526
1527 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1528
1529 Set the key referenced by $pkey to $key
1530
1531 NOTE: No reference counter will be increased, i.e. $key will be
1532 freed if $pkey is freed.
1533
1534 my $rv = Net::SSLeay::EVP_PKEY_assign_RSA($pkey, $key);
1535 # $pkey - value corresponding to openssl's EVP_PKEY structure
1536 # $key - value corresponding to openssl's RSA structure
1537 #
1538 # returns: 1 on success, 0 on failure
1539
1540 Check openssl doc
1541 <http://www.openssl.org/docs/crypto/EVP_PKEY_assign_RSA.html>
1542
1543 • EVP_PKEY_assign_EC_KEY
1544
1545 COMPATIBILITY: not available in Net-SSLeay-1.74 and before
1546
1547 Set the key referenced by $pkey to $key
1548
1549 NOTE: No reference counter will be increased, i.e. $key will be
1550 freed if $pkey is freed.
1551
1552 my $rv = Net::SSLeay::EVP_PKEY_assign_EC_KEY($pkey, $key);
1553 # $pkey - value corresponding to openssl's EVP_PKEY structure
1554 # $key - value corresponding to openssl's EC_KEY structure
1555 #
1556 # returns: 1 on success, 0 on failure
1557
1558 Check openssl doc
1559 <http://www.openssl.org/docs/crypto/EVP_PKEY_assign_EC_KEY.html>
1560
1561 • EVP_PKEY_bits
1562
1563 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1564
1565 Returns the size of the key $pkey in bits.
1566
1567 my $rv = Net::SSLeay::EVP_PKEY_bits($pkey);
1568 # $pkey - value corresponding to openssl's EVP_PKEY structure
1569 #
1570 # returns: size in bits
1571
1572 • EVP_PKEY_size
1573
1574 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1575
1576 Returns the maximum size of a signature in bytes. The actual
1577 signature may be smaller.
1578
1579 my $rv = Net::SSLeay::EVP_PKEY_size($pkey);
1580 # $pkey - value corresponding to openssl's EVP_PKEY structure
1581 #
1582 # returns: the maximum size in bytes
1583
1584 Check openssl doc
1585 <http://www.openssl.org/docs/crypto/EVP_SignInit.html>
1586
1587 • EVP_PKEY_id
1588
1589 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
1590 requires at least openssl-1.0.0
1591
1592 Returns $pkey type (integer value of corresponding NID).
1593
1594 my $rv = Net::SSLeay::EVP_PKEY_id($pkey);
1595 # $pkey - value corresponding to openssl's EVP_PKEY structure
1596 #
1597 # returns: (integer) key type
1598
1599 Example:
1600
1601 my $pubkey = Net::SSLeay::X509_get_pubkey($x509);
1602 my $type = Net::SSLeay::EVP_PKEY_id($pubkey);
1603 print Net::SSLeay::OBJ_nid2sn($type); #prints e.g. 'rsaEncryption'
1604
1605 Low level API: PEM_* related functions
1606
1607 Check openssl doc <http://www.openssl.org/docs/crypto/pem.html>
1608
1609 • PEM_read_bio_X509
1610
1611 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1612
1613 Loads PEM formatted X509 certificate via given BIO structure.
1614
1615 my $rv = Net::SSLeay::PEM_read_bio_X509($bio);
1616 # $bio - value corresponding to openssl's BIO structure
1617 #
1618 # returns: value corresponding to openssl's X509 structure (0 on failure)
1619
1620 Example:
1621
1622 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1623 my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
1624 Net::SSLeay::BIO_free($bio);
1625
1626 • PEM_read_bio_X509_REQ
1627
1628 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1629
1630 Loads PEM formatted X509_REQ object via given BIO structure.
1631
1632 my $rv = Net::SSLeay::PEM_read_bio_X509_REQ($bio, $x=NULL, $cb=NULL, $u=NULL);
1633 # $bio - value corresponding to openssl's BIO structure
1634 #
1635 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
1636
1637 Example:
1638
1639 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1640 my $x509_req = Net::SSLeay::PEM_read_bio_X509_REQ($bio);
1641 Net::SSLeay::BIO_free($bio);
1642
1643 • PEM_read_bio_DHparams
1644
1645 Reads DH structure from BIO.
1646
1647 my $rv = Net::SSLeay::PEM_read_bio_DHparams($bio);
1648 # $bio - value corresponding to openssl's BIO structure
1649 #
1650 # returns: value corresponding to openssl's DH structure (0 on failure)
1651
1652 • PEM_read_bio_X509_CRL
1653
1654 Reads X509_CRL structure from BIO.
1655
1656 my $rv = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
1657 # $bio - value corresponding to openssl's BIO structure
1658 #
1659 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
1660
1661 • PEM_read_bio_PrivateKey
1662
1663 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1664
1665 Loads PEM formatted private key via given BIO structure.
1666
1667 my $rv = Net::SSLeay::PEM_read_bio_PrivateKey($bio, $cb, $data);
1668 # $bio - value corresponding to openssl's BIO structure
1669 # $cb - reference to perl callback function
1670 # $data - data that will be passed to callback function (see examples below)
1671 #
1672 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
1673
1674 Example:
1675
1676 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1677 my $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio); #ask for password if needed
1678 Net::SSLeay::BIO_free($bio);
1679
1680 To use password you have the following options:
1681
1682 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func); # use callback func for getting password
1683 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, \&callback_func, $data); # use callback_func + pass $data to callback_func
1684 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, "secret"); # use password "secret"
1685 $privkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio, undef, ""); # use empty password
1686
1687 Callback function signature:
1688
1689 sub callback_func {
1690 my ($max_passwd_size, $rwflag, $data) = @_;
1691 # $max_passwd_size - maximum size of returned password (longer values will be discarded)
1692 # $rwflag - indicates whether we are loading (0) or storing (1) - for PEM_read_bio_PrivateKey always 0
1693 # $data - the data passed to PEM_read_bio_PrivateKey as 3rd parameter
1694
1695 return "secret";
1696 }
1697
1698 • PEM_X509_INFO_read_bio
1699
1700 Reads a BIO containing a PEM formatted file into a
1701 STACK_OF(X509_INFO) structure.
1702
1703 my $rv = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
1704 # $bio - value corresponding to openssl's BIO structure
1705 #
1706 # returns: value corresponding to openssl's STACK_OF(X509_INFO) structure.
1707
1708 Example:
1709
1710 my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
1711 my $sk_x509_info = Net::SSLeay::PEM_X509_INFO_read_bio($bio);
1712 Net::SSLeay::BIO_free($bio);
1713
1714 • PEM_get_string_X509
1715
1716 NOTE: Does not exactly correspond to any low level API function
1717
1718 Converts/exports X509 certificate to string (PEM format).
1719
1720 Net::SSLeay::PEM_get_string_X509($x509);
1721 # $x509 - value corresponding to openssl's X509 structure
1722 #
1723 # returns: string with $x509 in PEM format
1724
1725 • PEM_get_string_PrivateKey
1726
1727 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1728
1729 Converts public key $pk into PEM formatted string (optionally
1730 protected with password).
1731
1732 my $rv = Net::SSLeay::PEM_get_string_PrivateKey($pk, $passwd, $enc_alg);
1733 # $pk - value corresponding to openssl's EVP_PKEY structure
1734 # $passwd - [optional] (string) password to use for key encryption
1735 # $enc_alg - [optional] algorithm to use for key encryption (default: DES_CBC) - value corresponding to openssl's EVP_CIPHER structure
1736 #
1737 # returns: PEM formatted string
1738
1739 Examples:
1740
1741 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk);
1742 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret");
1743 $pem_privkey = Net::SSLeay::PEM_get_string_PrivateKey($pk, "secret", Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC"));
1744
1745 • PEM_get_string_X509_CRL
1746
1747 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1748
1749 Converts X509_CRL object $x509_crl into PEM formatted string.
1750
1751 Net::SSLeay::PEM_get_string_X509_CRL($x509_crl);
1752 # $x509_crl - value corresponding to openssl's X509_CRL structure
1753 #
1754 # returns: no return value
1755
1756 • PEM_get_string_X509_REQ
1757
1758 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1759
1760 Converts X509_REQ object $x509_crl into PEM formatted string.
1761
1762 Net::SSLeay::PEM_get_string_X509_REQ($x509_req);
1763 # $x509_req - value corresponding to openssl's X509_REQ structure
1764 #
1765 # returns: no return value
1766
1767 Low level API: d2i_* (DER format) related functions
1768
1769 • d2i_X509_bio
1770
1771 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1772
1773 Loads DER formatted X509 certificate via given BIO structure.
1774
1775 my $rv = Net::SSLeay::d2i_X509_bio($bp);
1776 # $bp - value corresponding to openssl's BIO structure
1777 #
1778 # returns: value corresponding to openssl's X509 structure (0 on failure)
1779
1780 Example:
1781
1782 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1783 my $x509 = Net::SSLeay::d2i_X509_bio($bio);
1784 Net::SSLeay::BIO_free($bio);
1785
1786 Check openssl doc
1787 <http://www.openssl.org/docs/crypto/d2i_X509.html>
1788
1789 • d2i_X509_CRL_bio
1790
1791 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1792
1793 Loads DER formatted X509_CRL object via given BIO structure.
1794
1795 my $rv = Net::SSLeay::d2i_X509_CRL_bio($bp);
1796 # $bp - value corresponding to openssl's BIO structure
1797 #
1798 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
1799
1800 Example:
1801
1802 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1803 my $x509_crl = Net::SSLeay::d2i_X509_CRL_bio($bio);
1804 Net::SSLeay::BIO_free($bio);
1805
1806 • d2i_X509_REQ_bio
1807
1808 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1809
1810 Loads DER formatted X509_REQ object via given BIO structure.
1811
1812 my $rv = Net::SSLeay::d2i_X509_REQ_bio($bp);
1813 # $bp - value corresponding to openssl's BIO structure
1814 #
1815 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
1816
1817 Example:
1818
1819 my $bio = Net::SSLeay::BIO_new_file($filename, 'rb');
1820 my $x509_req = Net::SSLeay::d2i_X509_REQ_bio($bio);
1821 Net::SSLeay::BIO_free($bio);
1822
1823 Low level API: PKCS12 related functions
1824
1825 • P_PKCS12_load_file
1826
1827 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
1828
1829 Loads X509 certificate + private key + certificates of CA chain (if
1830 present in PKCS12 file).
1831
1832 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, $load_chain, $password);
1833 # $filename - name of PKCS12 file
1834 # $load_chain - [optional] whether load (1) or not(0) CA chain (default: 0)
1835 # $password - [optional] password for private key
1836 #
1837 # returns: triplet ($privkey, $cert, @cachain)
1838 # $privkey - value corresponding to openssl's EVP_PKEY structure
1839 # $cert - value corresponding to openssl's X509 structure
1840 # @cachain - array of values corresponding to openssl's X509 structure (empty if no CA chain in PKCS12)
1841
1842 IMPORTANT NOTE: after you do the job you need to call X509_free()
1843 on $privkey + all members of @cachain and EVP_PKEY_free() on
1844 $privkey.
1845
1846 Examples:
1847
1848 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename);
1849 #or
1850 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 0, $password);
1851 #or
1852 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1);
1853 #or
1854 my ($privkey, $cert, @cachain) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
1855
1856 #BEWARE: THIS IS WRONG - MEMORY LEAKS! (you cannot free @cachain items)
1857 my ($privkey, $cert) = Net::SSLeay::P_PKCS12_load_file($filename, 1, $password);
1858
1859 NOTE With some combinations of Windows, perl, compiler and compiler
1860 options, you may see a runtime error "no OPENSSL_Applink", when
1861 calling Net::SSLeay::P_PKCS12_load_file. See README.Win32 for more
1862 details.
1863
1864 Low level API: SESSION_* related functions
1865
1866 • d2i_SSL_SESSION
1867
1868 COMPATIBILITY: does not work in Net-SSLeay-1.85 and before
1869
1870 Transforms the binary ASN1 representation string of an SSL/TLS
1871 session into an SSL_SESSION object.
1872
1873 my $ses = Net::SSLeay::d2i_SSL_SESSION($data);
1874 # $data - the session as ASN1 representation string
1875 #
1876 # returns: $ses - the new SSL_SESSION
1877
1878 Check openssl doc
1879 <https://www.openssl.org/docs/ssl/i2d_SSL_SESSION.html>
1880
1881 • i2d_SSL_SESSION
1882
1883 COMPATIBILITY: does not work in Net-SSLeay-1.85 and before
1884
1885 Transforms the SSL_SESSION object in into the ASN1 representation
1886 and returns it as string.
1887
1888 my $data = Net::SSLeay::i2d_SSL_SESSION($ses);
1889 # $ses - value corresponding to openssl's SSL_SESSION structure
1890 #
1891 # returns: $data - session as string
1892
1893 Check openssl doc
1894 <https://www.openssl.org/docs/ssl/d2i_SSL_SESSION.html>
1895
1896 • SESSION_new
1897
1898 Creates a new SSL_SESSION structure.
1899
1900 my $rv = Net::SSLeay::SESSION_new();
1901 #
1902 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
1903
1904 • SESSION_free
1905
1906 Free an allocated SSL_SESSION structure.
1907
1908 Net::SSLeay::SESSION_free($ses);
1909 # $ses - value corresponding to openssl's SSL_SESSION structure
1910 #
1911 # returns: no return value
1912
1913 Check openssl doc
1914 <http://www.openssl.org/docs/ssl/SSL_SESSION_free.html>
1915
1916 • SESSION_up_ref
1917
1918 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1919 requires at least OpenSSL 1.1.0-pre4 or LibreSSL 2.7.0
1920
1921 Increases the reference counter on a SSL_SESSION structure.
1922
1923 Net::SSLeay::SESSION_up_ref($ses);
1924 # $ses - value corresponding to openssl's SSL_SESSION structure
1925 #
1926 # returns: 1 on success else 0
1927
1928 Check openssl doc
1929 <https://www.openssl.org/docs/ssl/SSL_SESSION_up_ref.html>
1930
1931 • SESSION_dup
1932
1933 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1934 requires at least OpenSSL 1.1.1, not in LibreSSL
1935
1936 Duplicates a SSL_SESSION structure.
1937
1938 Net::SSLeay::SESSION_dup($ses);
1939 # $ses - value corresponding to openssl's SSL_SESSION structure
1940 #
1941 # returns: the duplicated session
1942
1943 Check openssl doc
1944 <https://www.openssl.org/docs/ssl/SSL_SESSION_dup.html>
1945
1946 • SESSION_is_resumable
1947
1948 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
1949 requires at least OpenSSL 1.1.1, not in LibreSSL
1950
1951 Determine whether an SSL_SESSION object can be used for resumption.
1952
1953 Net::SSLeay::SESSION_is_resumable($ses);
1954 # $ses - value corresponding to openssl's SSL_SESSION structure
1955 #
1956 # returns: (integer) 1 if it can or 0 if not
1957
1958 Check openssl doc
1959 <https://www.openssl.org/docs/manmaster/man3/SSL_SESSION_is_resumable.html>
1960
1961 • SESSION_cmp
1962
1963 Compare two SSL_SESSION structures.
1964
1965 my $rv = Net::SSLeay::SESSION_cmp($sesa, $sesb);
1966 # $sesa - value corresponding to openssl's SSL_SESSION structure
1967 # $sesb - value corresponding to openssl's SSL_SESSION structure
1968 #
1969 # returns: 0 if the two structures are the same
1970
1971 NOTE: Not available in openssl 1.0 or later
1972
1973 • SESSION_get_app_data
1974
1975 Can be used to get application defined value/data.
1976
1977 my $rv = Net::SSLeay::SESSION_get_app_data($ses);
1978 # $ses - value corresponding to openssl's SSL_SESSION structure
1979 #
1980 # returns: string/buffer/pointer ???
1981
1982 • SESSION_set_app_data
1983
1984 Can be used to set some application defined value/data.
1985
1986 my $rv = Net::SSLeay::SESSION_set_app_data($s, $a);
1987 # $s - value corresponding to openssl's SSL_SESSION structure
1988 # $a - (string/buffer/pointer ???) data
1989 #
1990 # returns: ???
1991
1992 • SESSION_get_ex_data
1993
1994 Is used to retrieve the information for $idx from session $ses.
1995
1996 my $rv = Net::SSLeay::SESSION_get_ex_data($ses, $idx);
1997 # $ses - value corresponding to openssl's SSL_SESSION structure
1998 # $idx - (integer) index for application specific data
1999 #
2000 # returns: pointer to ???
2001
2002 Check openssl doc
2003 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2004
2005 • SESSION_set_ex_data
2006
2007 Is used to store application data at arg for idx into the session
2008 object.
2009
2010 my $rv = Net::SSLeay::SESSION_set_ex_data($ss, $idx, $data);
2011 # $ss - value corresponding to openssl's SSL_SESSION structure
2012 # $idx - (integer) ???
2013 # $data - (pointer) ???
2014 #
2015 # returns: 1 on success, 0 on failure
2016
2017 Check openssl doc
2018 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2019
2020 • SESSION_get_ex_new_index
2021
2022 Is used to register a new index for application specific data.
2023
2024 my $rv = Net::SSLeay::SESSION_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
2025 # $argl - (long) ???
2026 # $argp - (pointer) ???
2027 # $new_func - function pointer ??? (CRYPTO_EX_new *)
2028 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
2029 # $free_func - function pointer ??? (CRYPTO_EX_free *)
2030 #
2031 # returns: (integer) ???
2032
2033 Check openssl doc
2034 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_ex_new_index.html>
2035
2036 • SESSION_get_master_key
2037
2038 NOTE: Does not exactly correspond to any low level API function
2039
2040 Returns 'master_key' value from SSL_SESSION structure $s
2041
2042 Net::SSLeay::SESSION_get_master_key($s);
2043 # $s - value corresponding to openssl's SSL_SESSION structure
2044 #
2045 # returns: master key (binary data)
2046
2047 • SESSION_set_master_key
2048
2049 Sets 'master_key' value for SSL_SESSION structure $s
2050
2051 Net::SSLeay::SESSION_set_master_key($s, $key);
2052 # $s - value corresponding to openssl's SSL_SESSION structure
2053 # $key - master key (binary data)
2054 #
2055 # returns: no return value
2056
2057 Not available with OpenSSL 1.1 and later. Code that previously
2058 used
2059 SESSION_set_master_key must now set $secret in the
2060 session_secret
2061 callback set with SSL_set_session_secret_cb.
2062
2063 • SESSION_get_time
2064
2065 Returns the time at which the session s was established. The time
2066 is given in seconds since 1.1.1970.
2067
2068 my $rv = Net::SSLeay::SESSION_get_time($s);
2069 # $s - value corresponding to openssl's SSL_SESSION structure
2070 #
2071 # returns: timestamp (seconds since 1.1.1970)
2072
2073 Check openssl doc
2074 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2075
2076 • get_time
2077
2078 Technically the same functionality as "SESSION_get_time".
2079
2080 my $rv = Net::SSLeay::get_time($s);
2081
2082 • SESSION_get_timeout
2083
2084 Returns the timeout value set for session $s in seconds.
2085
2086 my $rv = Net::SSLeay::SESSION_get_timeout($s);
2087 # $s - value corresponding to openssl's SSL_SESSION structure
2088 #
2089 # returns: timeout (in seconds)
2090
2091 Check openssl doc
2092 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2093
2094 • get_timeout
2095
2096 Technically the same functionality as "SESSION_get_timeout".
2097
2098 my $rv = Net::SSLeay::get_timeout($s);
2099
2100 • SESSION_print
2101
2102 NOTE: Does not exactly correspond to any low level API function
2103
2104 Prints session details (e.g. protocol version, cipher, session-id
2105 ...) to BIO.
2106
2107 my $rv = Net::SSLeay::SESSION_print($fp, $ses);
2108 # $fp - value corresponding to openssl's BIO structure
2109 # $ses - value corresponding to openssl's SSL_SESSION structure
2110 #
2111 # returns: 1 on success, 0 on failure
2112
2113 You have to use necessary BIO functions like this:
2114
2115 # let us have $ssl corresponding to openssl's SSL structure
2116 my $ses = Net::SSLeay::get_session($ssl);
2117 my $bio = Net::SSLeay::BIO_new(&Net::SSLeay::BIO_s_mem);
2118 Net::SSLeay::SESSION_print($bio, $ses);
2119 print Net::SSLeay::BIO_read($bio);
2120
2121 • SESSION_print_fp
2122
2123 Prints session details (e.g. protocol version, cipher, session-id
2124 ...) to file handle.
2125
2126 my $rv = Net::SSLeay::SESSION_print_fp($fp, $ses);
2127 # $fp - perl file handle
2128 # $ses - value corresponding to openssl's SSL_SESSION structure
2129 #
2130 # returns: 1 on success, 0 on failure
2131
2132 Example:
2133
2134 # let us have $ssl corresponding to openssl's SSL structure
2135 my $ses = Net::SSLeay::get_session($ssl);
2136 open my $fh, ">", "output.txt";
2137 Net::SSLeay::SESSION_print_fp($fh,$ses);
2138
2139 • SESSION_set_time
2140
2141 Replaces the creation time of the session s with the chosen value
2142 $t (seconds since 1.1.1970).
2143
2144 my $rv = Net::SSLeay::SESSION_set_time($ses, $t);
2145 # $ses - value corresponding to openssl's SSL_SESSION structure
2146 # $t - time value
2147 #
2148 # returns: 1 on success
2149
2150 Check openssl doc
2151 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2152
2153 • set_time
2154
2155 Technically the same functionality as "SESSION_set_time".
2156
2157 my $rv = Net::SSLeay::set_time($ses, $t);
2158
2159 • SESSION_set_timeout
2160
2161 Sets the timeout value for session s in seconds to $t.
2162
2163 my $rv = Net::SSLeay::SESSION_set_timeout($s, $t);
2164 # $s - value corresponding to openssl's SSL_SESSION structure
2165 # $t - timeout (in seconds)
2166 #
2167 # returns: 1 on success
2168
2169 Check openssl doc
2170 <http://www.openssl.org/docs/ssl/SSL_SESSION_get_time.html>
2171
2172 • set_timeout
2173
2174 Technically the same functionality as "SESSION_set_timeout".
2175
2176 my $rv = Net::SSLeay::set_timeout($ses, $t);
2177
2178 Low level API: SSL_CTX_* related functions
2179
2180 NOTE: Please note that the function described in this chapter have
2181 "SSL_" part stripped from their original openssl names.
2182
2183 • CTX_add_client_CA
2184
2185 Adds the CA name extracted from $cacert to the list of CAs sent to
2186 the client when requesting a client certificate for $ctx.
2187
2188 my $rv = Net::SSLeay::CTX_add_client_CA($ctx, $cacert);
2189 # $ctx - value corresponding to openssl's SSL_CTX structure
2190 # $cacert - value corresponding to openssl's X509 structure
2191 #
2192 # returns: 1 on success, 0 on failure
2193
2194 Check openssl doc
2195 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
2196
2197 • CTX_add_extra_chain_cert
2198
2199 Adds the certificate $x509 to the certificate chain presented
2200 together with the certificate. Several certificates can be added
2201 one after the other.
2202
2203 my $rv = Net::SSLeay::CTX_add_extra_chain_cert($ctx, $x509);
2204 # $ctx - value corresponding to openssl's SSL_CTX structure
2205 # $x509 - value corresponding to openssl's X509 structure
2206 #
2207 # returns: 1 on success, check out the error stack to find out the reason for failure otherwise
2208
2209 Check openssl doc
2210 <http://www.openssl.org/docs/ssl/SSL_CTX_add_extra_chain_cert.html>
2211
2212 • CTX_add_session
2213
2214 Adds the session $ses to the context $ctx.
2215
2216 my $rv = Net::SSLeay::CTX_add_session($ctx, $ses);
2217 # $ctx - value corresponding to openssl's SSL_CTX structure
2218 # $ses - value corresponding to openssl's SSL_SESSION structure
2219 #
2220 # returns: 1 on success, 0 on failure
2221
2222 Check openssl doc
2223 <http://www.openssl.org/docs/ssl/SSL_CTX_add_session.html>
2224
2225 • CTX_callback_ctrl
2226
2227 ??? (more info needed)
2228
2229 my $rv = Net::SSLeay::CTX_callback_ctrl($ctx, $cmd, $fp);
2230 # $ctx - value corresponding to openssl's SSL_CTX structure
2231 # $cmd - (integer) command id
2232 # $fp - (function pointer) ???
2233 #
2234 # returns: ???
2235
2236 Check openssl doc
2237 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
2238
2239 • CTX_check_private_key
2240
2241 Checks the consistency of a private key with the corresponding
2242 certificate loaded into $ctx.
2243
2244 my $rv = Net::SSLeay::CTX_check_private_key($ctx);
2245 # $ctx - value corresponding to openssl's SSL_CTX structure
2246 #
2247 # returns: 1 on success, otherwise check out the error stack to find out the reason
2248
2249 Check openssl doc
2250 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
2251
2252 • CTX_ctrl
2253
2254 Internal handling function for SSL_CTX objects.
2255
2256 BEWARE: openssl doc says: This function should never be called
2257 directly!
2258
2259 my $rv = Net::SSLeay::CTX_ctrl($ctx, $cmd, $larg, $parg);
2260 # $ctx - value corresponding to openssl's SSL_CTX structure
2261 # $cmd - (integer) command id
2262 # $larg - (integer) long ???
2263 # $parg - (string/pointer) ???
2264 #
2265 # returns: (long) result of given command ???
2266
2267 #valid $cmd values
2268 1 - SSL_CTRL_NEED_TMP_RSA
2269 2 - SSL_CTRL_SET_TMP_RSA
2270 3 - SSL_CTRL_SET_TMP_DH
2271 4 - SSL_CTRL_SET_TMP_ECDH
2272 5 - SSL_CTRL_SET_TMP_RSA_CB
2273 6 - SSL_CTRL_SET_TMP_DH_CB
2274 7 - SSL_CTRL_SET_TMP_ECDH_CB
2275 8 - SSL_CTRL_GET_SESSION_REUSED
2276 9 - SSL_CTRL_GET_CLIENT_CERT_REQUEST
2277 10 - SSL_CTRL_GET_NUM_RENEGOTIATIONS
2278 11 - SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS
2279 12 - SSL_CTRL_GET_TOTAL_RENEGOTIATIONS
2280 13 - SSL_CTRL_GET_FLAGS
2281 14 - SSL_CTRL_EXTRA_CHAIN_CERT
2282 15 - SSL_CTRL_SET_MSG_CALLBACK
2283 16 - SSL_CTRL_SET_MSG_CALLBACK_ARG
2284 17 - SSL_CTRL_SET_MTU
2285 20 - SSL_CTRL_SESS_NUMBER
2286 21 - SSL_CTRL_SESS_CONNECT
2287 22 - SSL_CTRL_SESS_CONNECT_GOOD
2288 23 - SSL_CTRL_SESS_CONNECT_RENEGOTIATE
2289 24 - SSL_CTRL_SESS_ACCEPT
2290 25 - SSL_CTRL_SESS_ACCEPT_GOOD
2291 26 - SSL_CTRL_SESS_ACCEPT_RENEGOTIATE
2292 27 - SSL_CTRL_SESS_HIT
2293 28 - SSL_CTRL_SESS_CB_HIT
2294 29 - SSL_CTRL_SESS_MISSES
2295 30 - SSL_CTRL_SESS_TIMEOUTS
2296 31 - SSL_CTRL_SESS_CACHE_FULL
2297 32 - SSL_CTRL_OPTIONS
2298 33 - SSL_CTRL_MODE
2299 40 - SSL_CTRL_GET_READ_AHEAD
2300 41 - SSL_CTRL_SET_READ_AHEAD
2301 42 - SSL_CTRL_SET_SESS_CACHE_SIZE
2302 43 - SSL_CTRL_GET_SESS_CACHE_SIZE
2303 44 - SSL_CTRL_SET_SESS_CACHE_MODE
2304 45 - SSL_CTRL_GET_SESS_CACHE_MODE
2305 50 - SSL_CTRL_GET_MAX_CERT_LIST
2306 51 - SSL_CTRL_SET_MAX_CERT_LIST
2307 52 - SSL_CTRL_SET_MAX_SEND_FRAGMENT
2308 53 - SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
2309 54 - SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
2310 55 - SSL_CTRL_SET_TLSEXT_HOSTNAME
2311 56 - SSL_CTRL_SET_TLSEXT_DEBUG_CB
2312 57 - SSL_CTRL_SET_TLSEXT_DEBUG_ARG
2313 58 - SSL_CTRL_GET_TLSEXT_TICKET_KEYS
2314 59 - SSL_CTRL_SET_TLSEXT_TICKET_KEYS
2315 60 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT
2316 61 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB
2317 62 - SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG
2318 63 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
2319 64 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG
2320 65 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
2321 66 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS
2322 67 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS
2323 68 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS
2324 69 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS
2325 70 - SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP
2326 71 - SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP
2327 72 - SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
2328 73 - DTLS_CTRL_GET_TIMEOUT
2329 74 - DTLS_CTRL_HANDLE_TIMEOUT
2330 75 - DTLS_CTRL_LISTEN
2331 76 - SSL_CTRL_GET_RI_SUPPORT
2332 77 - SSL_CTRL_CLEAR_OPTIONS
2333 78 - SSL_CTRL_CLEAR_MODE
2334
2335 82 - SSL_CTRL_GET_EXTRA_CHAIN_CERTS
2336 83 - SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
2337
2338 88 - SSL_CTRL_CHAIN
2339 89 - SSL_CTRL_CHAIN_CERT
2340
2341 90 - SSL_CTRL_GET_CURVES
2342 91 - SSL_CTRL_SET_CURVES
2343 92 - SSL_CTRL_SET_CURVES_LIST
2344 93 - SSL_CTRL_GET_SHARED_CURVE
2345 94 - SSL_CTRL_SET_ECDH_AUTO
2346 97 - SSL_CTRL_SET_SIGALGS
2347 98 - SSL_CTRL_SET_SIGALGS_LIST
2348 99 - SSL_CTRL_CERT_FLAGS
2349 100 - SSL_CTRL_CLEAR_CERT_FLAGS
2350 101 - SSL_CTRL_SET_CLIENT_SIGALGS
2351 102 - SSL_CTRL_SET_CLIENT_SIGALGS_LIST
2352 103 - SSL_CTRL_GET_CLIENT_CERT_TYPES
2353 104 - SSL_CTRL_SET_CLIENT_CERT_TYPES
2354 105 - SSL_CTRL_BUILD_CERT_CHAIN
2355 106 - SSL_CTRL_SET_VERIFY_CERT_STORE
2356 107 - SSL_CTRL_SET_CHAIN_CERT_STORE
2357 108 - SSL_CTRL_GET_PEER_SIGNATURE_NID
2358 109 - SSL_CTRL_GET_SERVER_TMP_KEY
2359 110 - SSL_CTRL_GET_RAW_CIPHERLIST
2360 111 - SSL_CTRL_GET_EC_POINT_FORMATS
2361 112 - SSL_CTRL_GET_TLSA_RECORD
2362 113 - SSL_CTRL_SET_TLSA_RECORD
2363 114 - SSL_CTRL_PULL_TLSA_RECORD
2364
2365 Check openssl doc
2366 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
2367
2368 • CTX_flush_sessions
2369
2370 Causes a run through the session cache of $ctx to remove sessions
2371 expired at time $tm.
2372
2373 Net::SSLeay::CTX_flush_sessions($ctx, $tm);
2374 # $ctx - value corresponding to openssl's SSL_CTX structure
2375 # $tm - specifies the time which should be used for the expiration test (seconds since 1.1.1970)
2376 #
2377 # returns: no return value
2378
2379 Check openssl doc
2380 <http://www.openssl.org/docs/ssl/SSL_CTX_flush_sessions.html>
2381
2382 • CTX_free
2383
2384 Free an allocated SSL_CTX object.
2385
2386 Net::SSLeay::CTX_free($ctx);
2387 # $ctx - value corresponding to openssl's SSL_CTX structure
2388 #
2389 # returns: no return value
2390
2391 Check openssl doc
2392 <http://www.openssl.org/docs/ssl/SSL_CTX_free.html>
2393
2394 • CTX_get_app_data
2395
2396 Can be used to get application defined value/data.
2397
2398 my $rv = Net::SSLeay::CTX_get_app_data($ctx);
2399 # $ctx - value corresponding to openssl's SSL_CTX structure
2400 #
2401 # returns: string/buffer/pointer ???
2402
2403 • CTX_set_app_data
2404
2405 Can be used to set some application defined value/data.
2406
2407 my $rv = Net::SSLeay::CTX_set_app_data($ctx, $arg);
2408 # $ctx - value corresponding to openssl's SSL_CTX structure
2409 # $arg - (string/buffer/pointer ???) data
2410 #
2411 # returns: ???
2412
2413 • CTX_get0_param
2414
2415 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2416 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
2417
2418 Returns the current verification parameters.
2419
2420 my $vpm = Net::SSLeay::CTX_get0_param($ctx);
2421 # $ctx - value corresponding to openssl's SSL_CTX structure
2422 #
2423 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
2424
2425 Check openssl doc
2426 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
2427
2428 • CTX_get_cert_store
2429
2430 Returns the current certificate verification storage.
2431
2432 my $rv = Net::SSLeay::CTX_get_cert_store($ctx);
2433 # $ctx - value corresponding to openssl's SSL_CTX structure
2434 #
2435 # returns: value corresponding to openssl's X509_STORE structure (0 on failure)
2436
2437 Check openssl doc
2438 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html>
2439
2440 • CTX_get_client_CA_list
2441
2442 Returns the list of client CAs explicitly set for $ctx using
2443 "CTX_set_client_CA_list".
2444
2445 my $rv = Net::SSLeay::CTX_get_client_CA_list($ctx);
2446 # $ctx - value corresponding to openssl's SSL_CTX structure
2447 #
2448 # returns: value corresponding to openssl's X509_NAME_STACK structure (0 on failure)
2449
2450 Check openssl doc
2451 <http://www.openssl.org/docs/ssl/SSL_get_client_CA_list.html>
2452
2453 • CTX_get_ex_data
2454
2455 Is used to retrieve the information for index $idx from $ctx.
2456
2457 my $rv = Net::SSLeay::CTX_get_ex_data($ssl, $idx);
2458 # $ssl - value corresponding to openssl's SSL_CTX structure
2459 # $idx - (integer) index for application specific data
2460 #
2461 # returns: pointer to ???
2462
2463 Check openssl doc
2464 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
2465
2466 • CTX_get_ex_new_index
2467
2468 Is used to register a new index for application specific data.
2469
2470 my $rv = Net::SSLeay::CTX_get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
2471 # $argl - (long) ???
2472 # $argp - (pointer) ???
2473 # $new_func - function pointer ??? (CRYPTO_EX_new *)
2474 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
2475 # $free_func - function pointer ??? (CRYPTO_EX_free *)
2476 #
2477 # returns: (integer) ???
2478
2479 Check openssl doc
2480 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
2481
2482 • CTX_get_mode
2483
2484 Returns the mode set for ctx.
2485
2486 my $rv = Net::SSLeay::CTX_get_mode($ctx);
2487 # $ctx - value corresponding to openssl's SSL_CTX structure
2488 #
2489 # returns: mode (bitmask)
2490
2491 #to decode the return value (bitmask) use:
2492 0x00000001 corresponds to SSL_MODE_ENABLE_PARTIAL_WRITE
2493 0x00000002 corresponds to SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
2494 0x00000004 corresponds to SSL_MODE_AUTO_RETRY
2495 0x00000008 corresponds to SSL_MODE_NO_AUTO_CHAIN
2496 0x00000010 corresponds to SSL_MODE_RELEASE_BUFFERS
2497 (note: some of the bits might not be supported by older openssl versions)
2498
2499 Check openssl doc
2500 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
2501
2502 • CTX_set_mode
2503
2504 Adds the mode set via bitmask in $mode to $ctx. Options already set
2505 before are not cleared.
2506
2507 my $rv = Net::SSLeay::CTX_set_mode($ctx, $mode);
2508 # $ctx - value corresponding to openssl's SSL_CTX structure
2509 # $mode - mode bitmask
2510 #
2511 # returns: the new mode bitmask after adding $mode
2512
2513 For bitmask details see "CTX_get_mode" (above).
2514
2515 Check openssl doc
2516 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
2517
2518 • CTX_get_options
2519
2520 Returns the options (bitmask) set for $ctx.
2521
2522 my $rv = Net::SSLeay::CTX_get_options($ctx);
2523 # $ctx - value corresponding to openssl's SSL_CTX structure
2524 #
2525 # returns: options (bitmask)
2526
2527 BEWARE: The available constants and their values in bitmask depend
2528 on the TLS library. For example, SSL_OP_NO_TLSv1_3 became available
2529 much later than SSL_OP_NO_COMPRESS which is already deprecated by
2530 some libraries. Also, some previously used option values have been
2531 recycled and are now used for newer options. See the list of
2532 constants in this document for options Net::SSLeay currently
2533 supports.
2534
2535 You are strongly encouraged to check your TLS library if you need
2536 to use numeric values directly. The following is a sample of
2537 historic values. It may not be correct anymore.
2538
2539 #to decode the return value (bitmask) use:
2540 0x00000004 corresponds to SSL_OP_LEGACY_SERVER_CONNECT
2541 0x00000800 corresponds to SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2542 0x00004000 corresponds to SSL_OP_NO_TICKET
2543 0x00010000 corresponds to SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2544 0x00400000 corresponds to SSL_OP_CIPHER_SERVER_PREFERENCE
2545 0x04000000 corresponds to SSL_OP_NO_TLSv1
2546
2547 Check openssl doc
2548 <https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html>
2549
2550 • CTX_set_options
2551
2552 Adds the options set via bitmask in $options to ctx. Options
2553 already set before are not cleared.
2554
2555 Net::SSLeay::CTX_set_options($ctx, $options);
2556 # $ctx - value corresponding to openssl's SSL_CTX structure
2557 # $options - options bitmask
2558 #
2559 # returns: the new options bitmask after adding $options
2560
2561 For bitmask details see "CTX_get_options" (above).
2562
2563 Check openssl doc
2564 <https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html>
2565
2566 • CTX_get_quiet_shutdown
2567
2568 Returns the 'quiet shutdown' setting of $ctx.
2569
2570 my $rv = Net::SSLeay::CTX_get_quiet_shutdown($ctx);
2571 # $ctx - value corresponding to openssl's SSL_CTX structure
2572 #
2573 # returns: (integer) the current setting
2574
2575 Check openssl doc
2576 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
2577
2578 • CTX_get_read_ahead
2579
2580 my $rv = Net::SSLeay::CTX_get_read_ahead($ctx);
2581 # $ctx - value corresponding to openssl's SSL_CTX structure
2582 #
2583 # returns: (integer) read_ahead value
2584
2585 • CTX_get_session_cache_mode
2586
2587 Returns the currently used cache mode (bitmask).
2588
2589 my $rv = Net::SSLeay::CTX_get_session_cache_mode($ctx);
2590 # $ctx - value corresponding to openssl's SSL_CTX structure
2591 #
2592 # returns: mode (bitmask)
2593
2594 BEWARE: SESS_CACHE_OFF and other constants are not available in
2595 Net-SSLeay-1.82 and before. If the constants are not available,
2596 the following values have historically been correct. You are
2597 strongly encouraged to check your TLS library for the current
2598 values.
2599
2600 #to decode the return value (bitmask) use:
2601 0x0000 corresponds to SSL_SESS_CACHE_OFF
2602 0x0001 corresponds to SSL_SESS_CACHE_CLIENT
2603 0x0002 corresponds to SSL_SESS_CACHE_SERVER
2604 0x0080 corresponds to SSL_SESS_CACHE_NO_AUTO_CLEAR
2605 0x0100 corresponds to SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
2606 0x0200 corresponds to SSL_SESS_CACHE_NO_INTERNAL_STORE
2607 (note: some of the bits might not be supported by older openssl versions)
2608
2609 Check openssl doc
2610 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html>
2611
2612 • CTX_set_session_cache_mode
2613
2614 Enables/disables session caching by setting the operational mode
2615 for $ctx to $mode.
2616
2617 my $rv = Net::SSLeay::CTX_set_session_cache_mode($ctx, $mode);
2618 # $ctx - value corresponding to openssl's SSL_CTX structure
2619 # $mode - mode (bitmask)
2620 #
2621 # returns: previously set cache mode
2622
2623 For bitmask details see "CTX_get_session_cache_mode" (above).
2624
2625 Check openssl doc
2626 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html>
2627
2628 • CTX_get_timeout
2629
2630 Returns the currently set timeout value for $ctx.
2631
2632 my $rv = Net::SSLeay::CTX_get_timeout($ctx);
2633 # $ctx - value corresponding to openssl's SSL_CTX structure
2634 #
2635 # returns: timeout in seconds
2636
2637 Check openssl doc
2638 <http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html>
2639
2640 • CTX_get_verify_depth
2641
2642 Returns the verification depth limit currently set in $ctx. If no
2643 limit has been explicitly set, -1 is returned and the default value
2644 will be used.",
2645
2646 my $rv = Net::SSLeay::CTX_get_verify_depth($ctx);
2647 # $ctx - value corresponding to openssl's SSL_CTX structure
2648 #
2649 # returns: depth limit currently set in $ctx, -1 if no limit has been explicitly set
2650
2651 Check openssl doc
2652 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
2653
2654 • CTX_get_verify_mode
2655
2656 Returns the verification mode (bitmask) currently set in $ctx.
2657
2658 my $rv = Net::SSLeay::CTX_get_verify_mode($ctx);
2659 # $ctx - value corresponding to openssl's SSL_CTX structure
2660 #
2661 # returns: mode (bitmask)
2662
2663 For bitmask details see "CTX_set_verify".
2664
2665 Check openssl doc
2666 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_verify_mode.html>
2667
2668 • CTX_set_verify
2669
2670 Sets the verification flags for $ctx to be $mode and specifies the
2671 verify_callback function to be used.
2672
2673 Net::SSLeay::CTX_set_verify($ctx, $mode, $callback);
2674 # $ctx - value corresponding to openssl's SSL_CTX structure
2675 # $mode - mode (bitmask), see OpenSSL manual
2676 # $callback - [optional] reference to perl callback function
2677 #
2678 # returns: no return value
2679
2680 Check openssl doc
2681 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html>
2682
2683 • CTX_set_post_handshake_auth
2684
2685 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
2686 requires at least OpenSSL 1.1.1, not in LibreSSL
2687
2688 Enable the Post-Handshake Authentication extension to be added to
2689 the ClientHello such that post-handshake authentication can be
2690 requested by the server.
2691
2692 Net::SSLeay::CTX_set_posthandshake_auth($ctx, $val);
2693 # $ctx - value corresponding to openssl's SSL_CTX structure
2694 # $val - 0 then the extension is not sent, otherwise it is
2695 #
2696 # returns: no return value
2697
2698 Check openssl doc
2699 https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth
2700 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_post_handshake_auth.html>
2701
2702 • CTX_load_verify_locations
2703
2704 Specifies the locations for $ctx, at which CA certificates for
2705 verification purposes are located. The certificates available via
2706 $CAfile and $CApath are trusted.
2707
2708 my $rv = Net::SSLeay::CTX_load_verify_locations($ctx, $CAfile, $CApath);
2709 # $ctx - value corresponding to openssl's SSL_CTX structure
2710 # $CAfile - (string) file of CA certificates in PEM format, the file can contain several CA certificates (or '')
2711 # $CApath - (string) directory containing CA certificates in PEM format (or '')
2712 #
2713 # returns: 1 on success, 0 on failure (check the error stack to find out the reason)
2714
2715 Check openssl doc
2716 <http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html>
2717
2718 • CTX_need_tmp_RSA
2719
2720 Return the result of
2721 "SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)"
2722
2723 my $rv = Net::SSLeay::CTX_need_tmp_RSA($ctx);
2724 # $ctx - value corresponding to openssl's SSL_CTX structure
2725 #
2726 # returns: result of SSL_CTRL_NEED_TMP_RSA command
2727
2728 Not available with OpenSSL 1.1 and later.
2729
2730 • CTX_new
2731
2732 The same as "CTX_v23_new"
2733
2734 my $rv = Net::SSLeay::CTX_new();
2735 #
2736 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2737
2738 Check openssl doc
2739 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
2740
2741 Not available with OpenSSL 1.1 and later.
2742
2743 • CTX_v2_new
2744
2745 Creates a new SSL_CTX object - based on SSLv2_method() - as
2746 framework to establish TLS/SSL enabled connections.
2747
2748 my $rv = Net::SSLeay::CTX_v2_new();
2749 #
2750 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2751
2752 • CTX_v23_new
2753
2754 Creates a new SSL_CTX object - based on SSLv23_method() - as
2755 framework to establish TLS/SSL enabled connections.
2756
2757 my $rv = Net::SSLeay::CTX_v23_new();
2758 #
2759 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2760
2761 • CTX_v3_new
2762
2763 Creates a new SSL_CTX object - based on SSLv3_method() - as
2764 framework to establish TLS/SSL enabled connections.
2765
2766 my $rv = Net::SSLeay::CTX_v3_new();
2767 #
2768 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2769
2770 • CTX_tlsv1_new
2771
2772 Creates a new SSL_CTX object - based on TLSv1_method() - as
2773 framework to establish TLS/SSL enabled connections.
2774
2775 my $rv = Net::SSLeay::CTX_tlsv1_new();
2776 #
2777 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2778
2779 • CTX_tlsv1_1_new
2780
2781 Creates a new SSL_CTX object - based on TLSv1_1_method() - as
2782 framework to establish TLS/SSL enabled connections. Only available
2783 where supported by the underlying openssl.
2784
2785 my $rv = Net::SSLeay::CTX_tlsv1_1_new();
2786 #
2787 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2788
2789 • CTX_tlsv1_2_new
2790
2791 Creates a new SSL_CTX object - based on TLSv1_2_method() - as
2792 framework to establish TLS/SSL enabled connections. Only available
2793 where supported by the underlying openssl.
2794
2795 my $rv = Net::SSLeay::CTX_tlsv1_2_new();
2796 #
2797 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2798
2799 • CTX_new_with_method
2800
2801 Creates a new SSL_CTX object based on $meth method
2802
2803 my $rv = Net::SSLeay::CTX_new_with_method($meth);
2804 # $meth - value corresponding to openssl's SSL_METHOD structure
2805 #
2806 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
2807
2808 #example
2809 my $ctx = Net::SSLeay::CTX_new_with_method(&Net::SSLeay::TLSv1_method);
2810
2811 Check openssl doc
2812 <http://www.openssl.org/docs/ssl/SSL_CTX_new.html>
2813
2814 • CTX_set_min_proto_version, CTX_set_max_proto_version,
2815 set_min_proto_version and set_max_proto_version,
2816
2817 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2818 requires at least OpenSSL 1.1.0-pre2 or LibreSSL 2.6.0
2819
2820 Set the minimum and maximum supported protocol for $ctx or $ssl.
2821
2822 my $rv = Net::SSLeay::CTX_set_min_proto_version($ctx, $version)
2823 # $ctx - value corresponding to openssl's SSL_CTX structure
2824 # $version - (integer) constat version value or 0 for automatic lowest or highest value
2825 #
2826 # returns: 1 on success, 0 on failure
2827
2828 #example: allow only TLS 1.2 for a SSL_CTX
2829 my $rv_min = Net::SSLeay::CTX_set_min_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
2830 my $rv_max = Net::SSLeay::CTX_set_max_proto_version($ctx, Net::SSLeay::TLS1_2_VERSION());
2831
2832 #example: allow only TLS 1.1 for a SSL
2833 my $rv_min = Net::SSLeay::set_min_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
2834 my $rv_max = Net::SSLeay::set_max_proto_version($ssl, Net::SSLeay::TLS1_1_VERSION());
2835
2836 Check openssl doc
2837 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_min_proto_version.html>
2838
2839 • CTX_get_min_proto_version, CTX_get_max_proto_version,
2840 get_min_proto_version and get_max_proto_version,
2841
2842 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
2843 requires at least OpenSSL 1.1.0g
2844
2845 Get the minimum and maximum supported protocol for $ctx or $ssl.
2846
2847 my $version = Net::SSLeay::CTX_get_min_proto_version($ctx)
2848 # $ctx - value corresponding to openssl's SSL_CTX structure
2849 #
2850 # returns: 0 automatic lowest or highest value, configured value otherwise
2851
2852 Check openssl doc
2853 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_min_proto_version.html>
2854
2855 • CTX_remove_session
2856
2857 Removes the session $ses from the context $ctx.
2858
2859 my $rv = Net::SSLeay::CTX_remove_session($ctx, $ses);
2860 # $ctx - value corresponding to openssl's SSL_CTX structure
2861 # $ses - value corresponding to openssl's SSL_SESSION structure
2862 #
2863 # returns: 1 on success, 0 on failure
2864
2865 Check openssl doc
2866 <http://www.openssl.org/docs/ssl/SSL_CTX_add_session.html>
2867
2868 • CTX_sess_accept
2869
2870 my $rv = Net::SSLeay::CTX_sess_accept($ctx);
2871 # $ctx - value corresponding to openssl's SSL_CTX structure
2872 #
2873 # returns: number of started SSL/TLS handshakes in server mode
2874
2875 Check openssl doc
2876 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2877
2878 • CTX_sess_accept_good
2879
2880 my $rv = Net::SSLeay::CTX_sess_accept_good($ctx);
2881 # $ctx - value corresponding to openssl's SSL_CTX structure
2882 #
2883 # returns: number of successfully established SSL/TLS sessions in server mode
2884
2885 Check openssl doc
2886 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2887
2888 • CTX_sess_accept_renegotiate
2889
2890 my $rv = Net::SSLeay::CTX_sess_accept_renegotiate($ctx);
2891 # $ctx - value corresponding to openssl's SSL_CTX structure
2892 #
2893 # returns: number of start renegotiations in server mode
2894
2895 Check openssl doc
2896 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2897
2898 • CTX_sess_cache_full
2899
2900 my $rv = Net::SSLeay::CTX_sess_cache_full($ctx);
2901 # $ctx - value corresponding to openssl's SSL_CTX structure
2902 #
2903 # returns: number of sessions that were removed because the maximum session cache size was exceeded
2904
2905 Check openssl doc
2906 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2907
2908 • CTX_sess_cb_hits
2909
2910 my $rv = Net::SSLeay::CTX_sess_cb_hits($ctx);
2911 # $ctx - value corresponding to openssl's SSL_CTX structure
2912 #
2913 # returns: number of successfully retrieved sessions from the external session cache in server mode
2914
2915 Check openssl doc
2916 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2917
2918 • CTX_sess_connect
2919
2920 my $rv = Net::SSLeay::CTX_sess_connect($ctx);
2921 # $ctx - value corresponding to openssl's SSL_CTX structure
2922 #
2923 # returns: number of started SSL/TLS handshakes in client mode
2924
2925 Check openssl doc
2926 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2927
2928 • CTX_sess_connect_good
2929
2930 my $rv = Net::SSLeay::CTX_sess_connect_good($ctx);
2931 # $ctx - value corresponding to openssl's SSL_CTX structure
2932 #
2933 # returns: number of successfully established SSL/TLS sessions in client mode
2934
2935 Check openssl doc
2936 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2937
2938 • CTX_sess_connect_renegotiate
2939
2940 my $rv = Net::SSLeay::CTX_sess_connect_renegotiate($ctx);
2941 # $ctx - value corresponding to openssl's SSL_CTX structure
2942 #
2943 # returns: number of start renegotiations in client mode
2944
2945 Check openssl doc
2946 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2947
2948 • CTX_sess_get_cache_size
2949
2950 Returns the currently valid session cache size.
2951
2952 my $rv = Net::SSLeay::CTX_sess_get_cache_size($ctx);
2953 # $ctx - value corresponding to openssl's SSL_CTX structure
2954 #
2955 # returns: current size
2956
2957 Check openssl doc
2958 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html>
2959
2960 • CTX_sess_hits
2961
2962 my $rv = Net::SSLeay::CTX_sess_hits($ctx);
2963 # $ctx - value corresponding to openssl's SSL_CTX structure
2964 #
2965 # returns: number of successfully reused sessions
2966
2967 Check openssl doc
2968 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2969
2970 • CTX_sess_misses
2971
2972 my $rv = Net::SSLeay::CTX_sess_misses($ctx);
2973 # $ctx - value corresponding to openssl's SSL_CTX structure
2974 #
2975 # returns: number of sessions proposed by clients that were not found in the internal session cache in server mode
2976
2977 Check openssl doc
2978 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2979
2980 • CTX_sess_number
2981
2982 my $rv = Net::SSLeay::CTX_sess_number($ctx);
2983 # $ctx - value corresponding to openssl's SSL_CTX structure
2984 #
2985 # returns: current number of sessions in the internal session cache
2986
2987 Check openssl doc
2988 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
2989
2990 • CTX_sess_set_cache_size
2991
2992 Sets the size of the internal session cache of context $ctx to
2993 $size.
2994
2995 Net::SSLeay::CTX_sess_set_cache_size($ctx, $size);
2996 # $ctx - value corresponding to openssl's SSL_CTX structure
2997 # $size - cache size (0 = unlimited)
2998 #
2999 # returns: previously valid size
3000
3001 Check openssl doc
3002 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html>
3003
3004 • CTX_sess_timeouts
3005
3006 Returns the number of sessions proposed by clients and either found
3007 in the internal or external session cache in server mode, but that
3008 were invalid due to timeout. These sessions are not included in the
3009 SSL_CTX_sess_hits count.
3010
3011 my $rv = Net::SSLeay::CTX_sess_timeouts($ctx);
3012 # $ctx - value corresponding to openssl's SSL_CTX structure
3013 #
3014 # returns: number of sessions
3015
3016 Check openssl doc
3017 <http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html>
3018
3019 • CTX_sess_set_new_cb
3020
3021 COMPATIBILITY: not available in Net-SSLeay-1.85 and before
3022
3023 Sets the callback function, which is automatically called whenever
3024 a new session was negotiated.
3025
3026 Net::SSLeay::CTX_sess_set_new_cb($ctx, $func);
3027 # $ctx - value corresponding to openssl's SSL_CTX structure
3028 # $func - perl reference to callback function
3029 #
3030 # returns: no return value
3031
3032 Check openssl doc
3033 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html>
3034
3035 • CTX_sess_set_remove_cb
3036
3037 COMPATIBILITY: not available in Net-SSLeay-1.85 and before
3038
3039 Sets the callback function, which is automatically called whenever
3040 a session is removed by the SSL engine.
3041
3042 Net::SSLeay::CTX_sess_set_remove_cb($ctx, $func);
3043 # $ctx - value corresponding to openssl's SSL_CTX structure
3044 # $func - perl reference to callback function
3045 #
3046 # returns: no return value
3047
3048 Check openssl doc
3049 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_remove_cb.html>
3050
3051 • CTX_sessions
3052
3053 Returns a pointer to the lhash databases containing the internal
3054 session cache for ctx.
3055
3056 my $rv = Net::SSLeay::CTX_sessions($ctx);
3057 # $ctx - value corresponding to openssl's SSL_CTX structure
3058 #
3059 # returns: value corresponding to openssl's LHASH structure (0 on failure)
3060
3061 Check openssl doc
3062 <http://www.openssl.org/docs/ssl/SSL_CTX_sessions.html>
3063
3064 • CTX_set1_param
3065
3066 COMPATIBILITY: requires at least OpenSSL 1.0.0-beta3
3067
3068 Applies X509 verification parameters $vpm on $ctx
3069
3070 my $rv = Net::SSLeay::CTX_set1_param($ctx, $vpm);
3071 # $ctx - value corresponding to openssl's SSL_CTX structure
3072 # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
3073 #
3074 # returns: 1 on success, 0 on failure
3075
3076 Check openssl doc
3077 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
3078
3079 • CTX_set_cert_store
3080
3081 Sets/replaces the certificate verification storage of $ctx to/with
3082 $store.
3083
3084 Net::SSLeay::CTX_set_cert_store($ctx, $store);
3085 # $ctx - value corresponding to openssl's SSL_CTX structure
3086 # $store - value corresponding to openssl's X509_STORE structure
3087 #
3088 # returns: no return value
3089
3090 Check openssl doc
3091 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html>
3092
3093 • CTX_set_cert_verify_callback
3094
3095 Sets the verification callback function for $ctx. SSL objects that
3096 are created from $ctx inherit the setting valid at the time when
3097 "Net::SSLeay::new($ctx)" is called.
3098
3099 Net::SSLeay::CTX_set_cert_verify_callback($ctx, $func, $data);
3100 # $ctx - value corresponding to openssl's SSL_CTX structure
3101 # $func - perl reference to callback function
3102 # $data - [optional] data that will be passed to callback function when invoked
3103 #
3104 # returns: no return value
3105
3106 Check openssl doc
3107 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html>
3108
3109 • CTX_set_cipher_list
3110
3111 Sets the list of available ciphers for $ctx using the control
3112 string $str. The list of ciphers is inherited by all ssl objects
3113 created from $ctx.
3114
3115 my $rv = Net::SSLeay::CTX_set_cipher_list($s, $str);
3116 # $s - value corresponding to openssl's SSL_CTX structure
3117 # $str - (string) cipher list e.g. '3DES:+RSA'
3118 #
3119 # returns: 1 if any cipher could be selected and 0 on complete failure
3120
3121 The format of $str is described in
3122 <http://www.openssl.org/docs/apps/ciphers.html>
3123
3124 Check openssl doc
3125 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
3126
3127 • CTX_set_ciphersuites
3128
3129 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3130 requires at least OpenSSL 1.1.1, not in LibreSSL
3131
3132 Configure the available TLSv1.3 ciphersuites.
3133
3134 my $rv = Net::SSLeay::CTX_set_ciphersuites($ctx, $str);
3135 # $ctx - value corresponding to openssl's SSL_CTX structure
3136 # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
3137 #
3138 # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
3139
3140 Check openssl doc
3141 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html>
3142
3143 • CTX_set_client_CA_list
3144
3145 Sets the list of CAs sent to the client when requesting a client
3146 certificate for $ctx.
3147
3148 Net::SSLeay::CTX_set_client_CA_list($ctx, $list);
3149 # $ctx - value corresponding to openssl's SSL_CTX structure
3150 # $list - value corresponding to openssl's X509_NAME_STACK structure
3151 #
3152 # returns: no return value
3153
3154 Check openssl doc
3155 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
3156
3157 • CTX_set_default_passwd_cb
3158
3159 Sets the default password callback called when loading/storing a
3160 PEM certificate with encryption.
3161
3162 Net::SSLeay::CTX_set_default_passwd_cb($ctx, $func);
3163 # $ctx - value corresponding to openssl's SSL_CTX structure
3164 # $func - perl reference to callback function
3165 #
3166 # returns: no return value
3167
3168 Check openssl doc
3169 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
3170
3171 • CTX_set_default_passwd_cb_userdata
3172
3173 Sets a pointer to userdata which will be provided to the password
3174 callback on invocation.
3175
3176 Net::SSLeay::CTX_set_default_passwd_cb_userdata($ctx, $userdata);
3177 # $ctx - value corresponding to openssl's SSL_CTX structure
3178 # $userdata - data that will be passed to callback function when invoked
3179 #
3180 # returns: no return value
3181
3182 Check openssl doc
3183 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
3184
3185 • CTX_set_default_verify_paths
3186
3187 ??? (more info needed)
3188
3189 my $rv = Net::SSLeay::CTX_set_default_verify_paths($ctx);
3190 # $ctx - value corresponding to openssl's SSL_CTX structure
3191 #
3192 # returns: 1 on success, 0 on failure
3193
3194 • CTX_set_ex_data
3195
3196 Is used to store application data at $data for $idx into the $ctx
3197 object.
3198
3199 my $rv = Net::SSLeay::CTX_set_ex_data($ssl, $idx, $data);
3200 # $ssl - value corresponding to openssl's SSL_CTX structure
3201 # $idx - (integer) ???
3202 # $data - (pointer) ???
3203 #
3204 # returns: 1 on success, 0 on failure
3205
3206 Check openssl doc
3207 <http://www.openssl.org/docs/ssl/SSL_CTX_get_ex_new_index.html>
3208
3209 • CTX_set_purpose
3210
3211 my $rv = Net::SSLeay::CTX_set_purpose($s, $purpose);
3212 # $s - value corresponding to openssl's SSL_CTX structure
3213 # $purpose - (integer) purpose identifier
3214 #
3215 # returns: 1 on success, 0 on failure
3216
3217 #avainable purpose identifier
3218 1 - X509_PURPOSE_SSL_CLIENT
3219 2 - X509_PURPOSE_SSL_SERVER
3220 3 - X509_PURPOSE_NS_SSL_SERVER
3221 4 - X509_PURPOSE_SMIME_SIGN
3222 5 - X509_PURPOSE_SMIME_ENCRYPT
3223 6 - X509_PURPOSE_CRL_SIGN
3224 7 - X509_PURPOSE_ANY
3225 8 - X509_PURPOSE_OCSP_HELPER
3226 9 - X509_PURPOSE_TIMESTAMP_SIGN
3227
3228 #or use corresponding constants
3229 $purpose = &Net::SSLeay::X509_PURPOSE_SSL_CLIENT;
3230 ...
3231 $purpose = &Net::SSLeay::X509_PURPOSE_TIMESTAMP_SIGN;
3232
3233 • CTX_set_quiet_shutdown
3234
3235 Sets the 'quiet shutdown' flag for $ctx to be mode. SSL objects
3236 created from $ctx inherit the mode valid at the time
3237 "Net::SSLeay::new($ctx)" is called.
3238
3239 Net::SSLeay::CTX_set_quiet_shutdown($ctx, $mode);
3240 # $ctx - value corresponding to openssl's SSL_CTX structure
3241 # $mode - 0 or 1
3242 #
3243 # returns: no return value
3244
3245 Check openssl doc
3246 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
3247
3248 • CTX_set_read_ahead
3249
3250 my $rv = Net::SSLeay::CTX_set_read_ahead($ctx, $val);
3251 # $ctx - value corresponding to openssl's SSL_CTX structure
3252 # $val - read_ahead value to be set
3253 #
3254 # returns: the original read_ahead value
3255
3256 • CTX_set_session_id_context
3257
3258 Sets the context $sid_ctx of length $sid_ctx_len within which a
3259 session can be reused for the $ctx object.
3260
3261 my $rv = Net::SSLeay::CTX_set_session_id_context($ctx, $sid_ctx, $sid_ctx_len);
3262 # $ctx - value corresponding to openssl's SSL_CTX structure
3263 # $sid_ctx - data buffer
3264 # $sid_ctx_len - length of data in $sid_ctx
3265 #
3266 # returns: 1 on success, 0 on failure (the error is logged to the error stack)
3267
3268 Check openssl doc
3269 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html>
3270
3271 • CTX_set_ssl_version
3272
3273 Sets a new default TLS/SSL method for SSL objects newly created
3274 from this $ctx. SSL objects already created with
3275 "Net::SSLeay::new($ctx)" are not affected, except when
3276 "Net::SSLeay:clear($ssl)" is being called.
3277
3278 my $rv = Net::SSLeay::CTX_set_ssl_version($ctx, $meth);
3279 # $ctx - value corresponding to openssl's SSL_CTX structure
3280 # $meth - value corresponding to openssl's SSL_METHOD structure
3281 #
3282 # returns: 1 on success, 0 on failure
3283
3284 Check openssl doc
3285 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
3286
3287 • CTX_set_timeout
3288
3289 Sets the timeout for newly created sessions for $ctx to $t. The
3290 timeout value $t must be given in seconds.
3291
3292 my $rv = Net::SSLeay::CTX_set_timeout($ctx, $t);
3293 # $ctx - value corresponding to openssl's SSL_CTX structure
3294 # $t - timeout in seconds
3295 #
3296 # returns: previously set timeout value
3297
3298 Check openssl doc
3299 <http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html>
3300
3301 • CTX_set_tmp_dh
3302
3303 Sets DH parameters to be used to be $dh. The key is inherited by
3304 all ssl objects created from $ctx.
3305
3306 my $rv = Net::SSLeay::CTX_set_tmp_dh($ctx, $dh);
3307 # $ctx - value corresponding to openssl's SSL_CTX structure
3308 # $dh - value corresponding to openssl's DH structure
3309 #
3310 # returns: 1 on success, 0 on failure
3311
3312 Check openssl doc
3313 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
3314
3315 • CTX_set_tmp_dh_callback
3316
3317 Sets the callback function for $ctx to be used when a DH parameters
3318 are required to $tmp_dh_callback.
3319
3320 Net::SSLeay::CTX_set_tmp_dh_callback($ctx, $tmp_dh_callback);
3321 # $ctx - value corresponding to openssl's SSL_CTX structure
3322 # tmp_dh_callback - (function pointer) ???
3323 #
3324 # returns: no return value
3325
3326 Check openssl doc
3327 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
3328
3329 • CTX_set_tmp_rsa
3330
3331 Sets the temporary/ephemeral RSA key to be used to be $rsa.
3332
3333 my $rv = Net::SSLeay::CTX_set_tmp_rsa($ctx, $rsa);
3334 # $ctx - value corresponding to openssl's SSL_CTX structure
3335 # $rsa - value corresponding to openssl's RSA structure
3336 #
3337 # returns: 1 on success, 0 on failure
3338
3339 Check openssl doc
3340 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
3341
3342 Not available with OpenSSL 1.1 and later.
3343
3344 • CTX_set_tmp_rsa_callback
3345
3346 Sets the callback function for ctx to be used when a
3347 temporary/ephemeral RSA key is required to $tmp_rsa_callback.
3348
3349 ??? (does this function really work?)
3350
3351 Net::SSLeay::CTX_set_tmp_rsa_callback($ctx, $tmp_rsa_callback);
3352 # $ctx - value corresponding to openssl's SSL_CTX structure
3353 # $tmp_rsa_callback - (function pointer) ???
3354 #
3355 # returns: no return value
3356
3357 Check openssl doc
3358 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
3359
3360 Not available with OpenSSL 1.1 and later.
3361
3362 • CTX_set_trust
3363
3364 my $rv = Net::SSLeay::CTX_set_trust($s, $trust);
3365 # $s - value corresponding to openssl's SSL_CTX structure
3366 # $trust - (integer) trust identifier
3367 #
3368 # returns: the original value
3369
3370 #available trust identifiers
3371 1 - X509_TRUST_COMPAT
3372 2 - X509_TRUST_SSL_CLIENT
3373 3 - X509_TRUST_SSL_SERVER
3374 4 - X509_TRUST_EMAIL
3375 5 - X509_TRUST_OBJECT_SIGN
3376 6 - X509_TRUST_OCSP_SIGN
3377 7 - X509_TRUST_OCSP_REQUEST
3378 8 - X509_TRUST_TSA
3379
3380 #or use corresponding constants
3381 $trust = &Net::SSLeay::X509_TRUST_COMPAT;
3382 ...
3383 $trust = &Net::SSLeay::X509_TRUST_TSA;
3384
3385 • CTX_set_verify_depth
3386
3387 Sets the maximum depth for the certificate chain verification that
3388 shall be allowed for ctx.
3389
3390 Net::SSLeay::CTX_set_verify_depth($ctx, $depth);
3391 # $ctx - value corresponding to openssl's SSL_CTX structure
3392 # $depth - max. depth
3393 #
3394 # returns: no return value
3395
3396 Check openssl doc
3397 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
3398
3399 • CTX_use_PKCS12_file
3400
3401 Adds the certificate and private key from PKCS12 file $p12filename
3402 to $ctx.
3403
3404 my $rv = Net::SSLeay::CTX_use_PKCS12_file($ctx, $p12filename, $password);
3405 # $ctx - value corresponding to openssl's SSL_CTX structure
3406 # $p12filename - (string) filename
3407 # $password - (string) password to decrypt private key
3408 #
3409 # returns: 1 on success, 0 on failure
3410
3411 • CTX_use_PrivateKey
3412
3413 Adds the private key $pkey to $ctx.
3414
3415 my $rv = Net::SSLeay::CTX_use_PrivateKey($ctx, $pkey);
3416 # $ctx - value corresponding to openssl's SSL_CTX structure
3417 # $pkey - value corresponding to openssl's EVP_PKEY structure
3418 #
3419 # returns: 1 on success, otherwise check out the error stack to find out the reason
3420
3421 Check openssl doc
3422 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3423
3424 • CTX_use_PrivateKey_file
3425
3426 Adds the first private key found in $file to $ctx.
3427
3428 my $rv = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $file, $type);
3429 # $ctx - value corresponding to openssl's SSL_CTX structure
3430 # $file - (string) file name
3431 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3432 #
3433 # returns: 1 on success, otherwise check out the error stack to find out the reason
3434
3435 Check openssl doc
3436 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3437
3438 • CTX_use_RSAPrivateKey
3439
3440 Adds the RSA private key $rsa to $ctx.
3441
3442 my $rv = Net::SSLeay::CTX_use_RSAPrivateKey($ctx, $rsa);
3443 # $ctx - value corresponding to openssl's SSL_CTX structure
3444 # $rsa - value corresponding to openssl's RSA structure
3445 #
3446 # returns: 1 on success, otherwise check out the error stack to find out the reason
3447
3448 Check openssl doc
3449 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3450
3451 • CTX_use_RSAPrivateKey_file
3452
3453 Adds the first RSA private key found in $file to $ctx.
3454
3455 my $rv = Net::SSLeay::CTX_use_RSAPrivateKey_file($ctx, $file, $type);
3456 # $ctx - value corresponding to openssl's SSL_CTX structure
3457 # $file - (string) file name
3458 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3459 #
3460 # returns: 1 on success, otherwise check out the error stack to find out the reason
3461
3462 • CTX_use_certificate
3463
3464 Loads the certificate $x into $ctx
3465
3466 my $rv = Net::SSLeay::CTX_use_certificate($ctx, $x);
3467 # $ctx - value corresponding to openssl's SSL_CTX structure
3468 # $x - value corresponding to openssl's X509 structure
3469 #
3470 # returns: 1 on success, otherwise check out the error stack to find out the reason
3471
3472 Check openssl doc
3473 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3474
3475 • CTX_use_certificate_chain_file
3476
3477 Loads a certificate chain from $file into $ctx. The certificates
3478 must be in PEM format and must be sorted starting with the
3479 subject's certificate (actual client or server certificate),
3480 followed by intermediate CA certificates if applicable, and ending
3481 at the highest level (root) CA.
3482
3483 my $rv = Net::SSLeay::CTX_use_certificate_chain_file($ctx, $file);
3484 # $ctx - value corresponding to openssl's SSL_CTX structure
3485 # $file - (string) file name
3486 #
3487 # returns: 1 on success, otherwise check out the error stack to find out the reason
3488
3489 Check openssl doc
3490 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3491
3492 • CTX_use_certificate_file
3493
3494 Loads the first certificate stored in $file into $ctx.
3495
3496 my $rv = Net::SSLeay::CTX_use_certificate_file($ctx, $file, $type);
3497 # $ctx - value corresponding to openssl's SSL_CTX structure
3498 # $file - (string) file name
3499 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
3500 #
3501 # returns: 1 on success, otherwise check out the error stack to find out the reason
3502
3503 Check openssl doc
3504 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3505
3506 • CTX_get_security_level
3507
3508 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3509 requires at least OpenSSL 1.1.0, not in LibreSSL
3510
3511 Returns the security level associated with $ctx.
3512
3513 my $level = Net::SSLeay::CTX_get_security_level($ctx);
3514 # $ctx - value corresponding to openssl's SSL_CTX structure
3515 #
3516 # returns: (integer) current security level
3517
3518 Check openssl doc
3519 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_security_level.html>
3520
3521 • CTX_set_security_level
3522
3523 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3524 requires at least OpenSSL 1.1.0, not in LibreSSL
3525
3526 Sets the security level associated with $ctx to $level.
3527
3528 Net::SSLeay::CTX_set_security_level($ctx, $level);
3529 # $ssl - value corresponding to openssl's SSL_CTX structure
3530 # $level - new security level
3531 #
3532 # returns: no return value
3533
3534 Check openssl doc
3535 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html>
3536
3537 • CTX_set_num_tickets
3538
3539 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3540 requires at least OpenSSL 1.1.1, not in LibreSSL
3541
3542 Set number of TLSv1.3 session tickets that will be sent to a
3543 client.
3544
3545 my $rv = Net::SSLeay::CTX_set_num_tickets($ctx, $number_of_tickets);
3546 # $ctx - value corresponding to openssl's SSL_CTX structure
3547 # $number_of_tickets - number of tickets to send
3548 #
3549 # returns: 1 on success, 0 on failure
3550
3551 Set to zero if you do not no want to support a session resumption.
3552
3553 Check openssl doc
3554 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_num_tickets.html>
3555
3556 • CTX_get_num_tickets
3557
3558 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
3559 requires at least OpenSSL 1.1.1, not in LibreSSL
3560
3561 Get number of TLSv1.3 session tickets that will be sent to a
3562 client.
3563
3564 my $number_of_tickets = Net::SSLeay::CTX_get_num_tickets($ctx);
3565 # $ctx - value corresponding to openssl's SSL_CTX structure
3566 #
3567 # returns: (integer) number of tickets to send
3568
3569 Check openssl doc
3570 <https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_num_tickets.html>
3571
3572 Low level API: SSL_* related functions
3573
3574 NOTE: Please note that the function described in this chapter have
3575 "SSL_" part stripped from their original openssl names.
3576
3577 • new
3578
3579 Creates a new SSL structure which is needed to hold the data for a
3580 TLS/SSL connection. The new structure inherits the settings of the
3581 underlying context $ctx: connection method (SSLv2/v3/TLSv1),
3582 options, verification settings, timeout settings.
3583
3584 my $rv = Net::SSLeay::new($ctx);
3585 # $ctx - value corresponding to openssl's SSL_CTX structure
3586 #
3587 # returns: value corresponding to openssl's SSL structure (0 on failure)
3588
3589 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_new.html>
3590
3591 • accept
3592
3593 Waits for a TLS/SSL client to initiate the TLS/SSL handshake. The
3594 communication channel must already have been set and assigned to
3595 the ssl by setting an underlying BIO.
3596
3597 my $rv = Net::SSLeay::accept($ssl);
3598 # $ssl - value corresponding to openssl's SSL structure
3599 #
3600 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3601
3602 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_accept.html>
3603
3604 • add_client_CA
3605
3606 Adds the CA name extracted from cacert to the list of CAs sent to
3607 the client when requesting a client certificate for the chosen ssl,
3608 overriding the setting valid for ssl's SSL_CTX object.
3609
3610 my $rv = Net::SSLeay::add_client_CA($ssl, $x);
3611 # $ssl - value corresponding to openssl's SSL structure
3612 # $x - value corresponding to openssl's X509 structure
3613 #
3614 # returns: 1 on success, 0 on failure
3615
3616 Check openssl doc
3617 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
3618
3619 • callback_ctrl
3620
3621 ??? (more info needed)
3622
3623 my $rv = Net::SSLeay::callback_ctrl($ssl, $cmd, $fp);
3624 # $ssl - value corresponding to openssl's SSL structure
3625 # $cmd - (integer) command id
3626 # $fp - (function pointer) ???
3627 #
3628 # returns: ???
3629
3630 Check openssl doc
3631 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
3632
3633 • check_private_key
3634
3635 Checks the consistency of a private key with the corresponding
3636 certificate loaded into $ssl
3637
3638 my $rv = Net::SSLeay::check_private_key($ssl);
3639 # $ssl - value corresponding to openssl's SSL structure
3640 #
3641 # returns: 1 on success, otherwise check out the error stack to find out the reason
3642
3643 Check openssl doc
3644 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
3645
3646 • clear
3647
3648 Reset SSL object to allow another connection.
3649
3650 Net::SSLeay::clear($ssl);
3651 # $ssl - value corresponding to openssl's SSL structure
3652 #
3653 # returns: no return value
3654
3655 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_clear.html>
3656
3657 • connect
3658
3659 Initiate the TLS/SSL handshake with an TLS/SSL server.
3660
3661 my $rv = Net::SSLeay::connect($ssl);
3662 # $ssl - value corresponding to openssl's SSL structure
3663 #
3664 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3665
3666 Check openssl doc
3667 <http://www.openssl.org/docs/ssl/SSL_connect.html>
3668
3669 • copy_session_id
3670
3671 Copies the session structure fro $from to $to (+ also the private
3672 key and certificate associated with $from).
3673
3674 Net::SSLeay::copy_session_id($to, $from);
3675 # $to - value corresponding to openssl's SSL structure
3676 # $from - value corresponding to openssl's SSL structure
3677 #
3678 # returns: no return value
3679
3680 • ctrl
3681
3682 Internal handling function for SSL objects.
3683
3684 BEWARE: openssl doc says: This function should never be called
3685 directly!
3686
3687 my $rv = Net::SSLeay::ctrl($ssl, $cmd, $larg, $parg);
3688 # $ssl - value corresponding to openssl's SSL structure
3689 # $cmd - (integer) command id
3690 # $larg - (integer) long ???
3691 # $parg - (string/pointer) ???
3692 #
3693 # returns: (long) result of given command ???
3694
3695 For more details about valid $cmd values check "CTX_ctrl".
3696
3697 Check openssl doc
3698 <http://www.openssl.org/docs/ssl/SSL_CTX_ctrl.html>
3699
3700 • do_handshake
3701
3702 Will wait for a SSL/TLS handshake to take place. If the connection
3703 is in client mode, the handshake will be started. The handshake
3704 routines may have to be explicitly set in advance using either
3705 SSL_set_connect_state or SSL_set_accept_state(3).
3706
3707 my $rv = Net::SSLeay::do_handshake($ssl);
3708 # $ssl - value corresponding to openssl's SSL structure
3709 #
3710 # returns: 1 = success, 0 = handshake not successful, <0 = fatal error during handshake
3711
3712 Check openssl doc
3713 <http://www.openssl.org/docs/ssl/SSL_do_handshake.html>
3714
3715 • dup
3716
3717 Returns a duplicate of $ssl.
3718
3719 my $rv = Net::SSLeay::dup($ssl);
3720 # $ssl - value corresponding to openssl's SSL structure
3721 #
3722 # returns: value corresponding to openssl's SSL structure (0 on failure)
3723
3724 • free
3725
3726 Free an allocated SSL structure.
3727
3728 Net::SSLeay::free($ssl);
3729 # $ssl - value corresponding to openssl's SSL structure
3730 #
3731 # returns: no return value
3732
3733 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_free.html>
3734
3735 • get0_param
3736
3737 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
3738 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
3739
3740 Returns the current verification parameters.
3741
3742 my $vpm = Net::SSLeay::get0_param($ssl);
3743 # $ssl - value corresponding to openssl's SSL structure
3744 #
3745 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure
3746
3747 Check openssl doc
3748 <https://www.openssl.org/docs/ssl/SSL_CTX_get0_param.html>
3749
3750 • get_SSL_CTX
3751
3752 Returns a pointer to the SSL_CTX object, from which $ssl was
3753 created with Net::SSLeay::new.
3754
3755 my $rv = Net::SSLeay::get_SSL_CTX($ssl);
3756 # $ssl - value corresponding to openssl's SSL structure
3757 #
3758 # returns: value corresponding to openssl's SSL_CTX structure (0 on failure)
3759
3760 Check openssl doc
3761 <http://www.openssl.org/docs/ssl/SSL_get_SSL_CTX.html>
3762
3763 • set_SSL_CTX
3764
3765 COMPATIBILITY: requires at least OpenSSL 0.9.8f
3766
3767 Sets the SSL_CTX the corresponds to an SSL session.
3768
3769 my $the_ssl_ctx = Net::SSLeay::set_SSL_CTX($ssl, $ssl_ctx);
3770 # $ssl - value corresponding to openssl's SSL structure
3771 # $ssl_ctx - Change the ssl object to the given ssl_ctx
3772 #
3773 # returns - the ssl_ctx
3774
3775 • get_app_data
3776
3777 Can be used to get application defined value/data.
3778
3779 my $rv = Net::SSLeay::get_app_data($ssl);
3780 # $ssl - value corresponding to openssl's SSL structure
3781 #
3782 # returns: string/buffer/pointer ???
3783
3784 • set_app_data
3785
3786 Can be used to set some application defined value/data.
3787
3788 my $rv = Net::SSLeay::set_app_data($ssl, $arg);
3789 # $ssl - value corresponding to openssl's SSL structure
3790 # $arg - (string/buffer/pointer ???) data
3791 #
3792 # returns: ???
3793
3794 • get_certificate
3795
3796 Gets X509 certificate from an established SSL connection.
3797
3798 my $rv = Net::SSLeay::get_certificate($ssl);
3799 # $ssl - value corresponding to openssl's SSL structure
3800 #
3801 # returns: value corresponding to openssl's X509 structure (0 on failure)
3802
3803 • get_cipher
3804
3805 Obtains the name of the currently used cipher.
3806
3807 my $rv = Net::SSLeay::get_cipher($ssl);
3808 # $ssl - value corresponding to openssl's SSL structure
3809 #
3810 # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA' or '', when no session has been established.
3811
3812 Check openssl doc
3813 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html>
3814
3815 • get_cipher_bits
3816
3817 Obtain the number of secret/algorithm bits used.
3818
3819 my $rv = Net::SSLeay::get_cipher_bits($ssl);
3820 # $ssl - value corresponding to openssl's SSL structure
3821 #
3822 # returns: number of secret bits used by current cipher
3823
3824 Check openssl doc
3825 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html> and
3826 <http://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html>
3827
3828 • get_ciphers
3829
3830 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
3831
3832 Returns a list of SSL_CIPHER structures available for $ssl sorted
3833 by preference
3834
3835 my @ciphers = Net::SSLeay::get_ciphers($ssl);
3836 # $ssl - value corresponding to openssl's SSL structure
3837 #
3838 # returns: (list) SSL_CIPHER structures or nothing when $ssl is undefined or no ciphers are available
3839
3840 Example:
3841
3842 my @ciphers = Net::SSLeay::get_ciphers($ssl);
3843 foreach my $c (@ciphers) {
3844 print Net::SSLeay::CIPHER_get_name($c) . "\n";
3845 }
3846
3847 Check openssl doc
3848 <https://www.openssl.org/docs/ssl/SSL_get_ciphers.html>
3849
3850 • get_cipher_list
3851
3852 Returns the name (string) of the SSL_CIPHER listed for $ssl with
3853 priority $n.
3854
3855 my $rv = Net::SSLeay::get_cipher_list($ssl, $n);
3856 # $ssl - value corresponding to openssl's SSL structure
3857 # $n - (integer) priority
3858 #
3859 # returns: (string) cipher name e.g. 'EDH-DSS-DES-CBC3-SHA' or undef in case of error
3860
3861 Call Net::SSLeay::get_cipher_list with priority starting from 0 to
3862 obtain the sorted list of available ciphers, until undef is
3863 returned:
3864
3865 my $priority = 0;
3866 while (my $c = Net::SSLeay::get_cipher_list($ssl, $priority)) {
3867 print "cipher[$priority] = $c\n";
3868 $priority++;
3869 }
3870
3871 Check openssl doc
3872 <https://www.openssl.org/docs/ssl/SSL_get_cipher_list.html>
3873
3874 • get_client_CA_list
3875
3876 Returns the list of client CAs explicitly set for $ssl using
3877 "Net::SSleay::set_client_CA_list" or $ssl's SSL_CTX object with
3878 "Net::SSLeay::CTX_set_client_CA_list", when in server mode.
3879
3880 In client mode, returns the list of client CAs sent from the
3881 server, if any.
3882
3883 my $rv = Net::SSLeay::get_client_CA_list($ssl);
3884 # $ssl - value corresponding to openssl's SSL structure
3885 #
3886 # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
3887
3888 Check openssl doc
3889 <http://www.openssl.org/docs/ssl/SSL_get_client_CA_list.html>
3890
3891 • get_current_cipher
3892
3893 Returns the cipher actually used.
3894
3895 my $rv = Net::SSLeay::get_current_cipher($ssl);
3896 # $ssl - value corresponding to openssl's SSL structure
3897 #
3898 # returns: value corresponding to openssl's SSL_CIPHER structure (0 on failure)
3899
3900 Check openssl doc
3901 <http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html>
3902
3903 • get_default_timeout
3904
3905 Returns the default timeout value assigned to SSL_SESSION objects
3906 negotiated for the protocol valid for $ssl.
3907
3908 my $rv = Net::SSLeay::get_default_timeout($ssl);
3909 # $ssl - value corresponding to openssl's SSL structure
3910 #
3911 # returns: (long) timeout in seconds
3912
3913 Check openssl doc
3914 <http://www.openssl.org/docs/ssl/SSL_get_default_timeout.html>
3915
3916 • get_error
3917
3918 Returns a result code for a preceding call to "connect", "accept",
3919 "do_handshake", "read", "peek" or "write" on $ssl.
3920
3921 my $rv = Net::SSLeay::get_error($ssl, $ret);
3922 # $ssl - value corresponding to openssl's SSL structure
3923 # $ret - return value of preceding TLS/SSL I/O operation
3924 #
3925 # returns: result code, which is one of the following values:
3926 # 0 - SSL_ERROR_NONE
3927 # 1 - SSL_ERROR_SSL
3928 # 2 - SSL_ERROR_WANT_READ
3929 # 3 - SSL_ERROR_WANT_WRITE
3930 # 4 - SSL_ERROR_WANT_X509_LOOKUP
3931 # 5 - SSL_ERROR_SYSCALL
3932 # 6 - SSL_ERROR_ZERO_RETURN
3933 # 7 - SSL_ERROR_WANT_CONNECT
3934 # 8 - SSL_ERROR_WANT_ACCEPT
3935
3936 Check openssl doc
3937 <http://www.openssl.org/docs/ssl/SSL_get_error.html>
3938
3939 • get_ex_data
3940
3941 Is used to retrieve the information for $idx from $ssl.
3942
3943 my $rv = Net::SSLeay::get_ex_data($ssl, $idx);
3944 # $ssl - value corresponding to openssl's SSL structure
3945 # $idx - (integer) index for application specific data
3946 #
3947 # returns: pointer to ???
3948
3949 Check openssl doc
3950 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3951
3952 • set_ex_data
3953
3954 Is used to store application data at $data for $idx into the $ssl
3955 object.
3956
3957 my $rv = Net::SSLeay::set_ex_data($ssl, $idx, $data);
3958 # $ssl - value corresponding to openssl's SSL structure
3959 # $idx - (integer) ???
3960 # $data - (pointer) ???
3961 #
3962 # returns: 1 on success, 0 on failure
3963
3964 Check openssl doc
3965 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3966
3967 • get_ex_new_index
3968
3969 Is used to register a new index for application specific data.
3970
3971 my $rv = Net::SSLeay::get_ex_new_index($argl, $argp, $new_func, $dup_func, $free_func);
3972 # $argl - (long) ???
3973 # $argp - (pointer) ???
3974 # $new_func - function pointer ??? (CRYPTO_EX_new *)
3975 # $dup_func - function pointer ??? (CRYPTO_EX_dup *)
3976 # $free_func - function pointer ??? (CRYPTO_EX_free *)
3977 #
3978 # returns: (integer) ???
3979
3980 Check openssl doc
3981 <http://www.openssl.org/docs/ssl/SSL_get_ex_new_index.html>
3982
3983 • get_fd
3984
3985 Returns the file descriptor which is linked to $ssl.
3986
3987 my $rv = Net::SSLeay::get_fd($ssl);
3988 # $ssl - value corresponding to openssl's SSL structure
3989 #
3990 # returns: file descriptor (>=0) or -1 on failure
3991
3992 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_get_fd.html>
3993
3994 • get_finished
3995
3996 Obtains the latest 'Finished' message sent to the peer. Return
3997 value is zero if there's been no Finished message yet. Default
3998 count is 2*EVP_MAX_MD_SIZE that is long enough for all possible
3999 Finish messages. If you supply a non-default count, the resulting
4000 return value may be longer than returned buf's length.
4001
4002 my $rv = Net::SSLeay::get_finished($ssl, $buf, $count);
4003 # $ssl - value corresponding to openssl's SSL structure
4004 # $buf - buffer where the returned data will be stored
4005 # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
4006 #
4007 # returns: length of latest Finished message
4008
4009 • get_peer_finished
4010
4011 Obtains the latest 'Finished' message expected from the peer.
4012 Parameters and return value are similar to get_finished().
4013
4014 my $rv = Net::SSLeay::get_peer_finished($ssl, $buf, $count);
4015 # $ssl - value corresponding to openssl's SSL structure
4016 # $buf - buffer where the returned data will be stored
4017 # $count - [optional] max size of return data - default is 2*EVP_MAX_MD_SIZE
4018 #
4019 # returns: length of latest Finished message
4020
4021 • get_keyblock_size
4022
4023 Gets the length of the TLS keyblock.
4024
4025 NOTE: Does not exactly correspond to any low level API function.
4026
4027 my $rv = Net::SSLeay::get_keyblock_size($ssl);
4028 # $ssl - value corresponding to openssl's SSL structure
4029 #
4030 # returns: keyblock size, -1 on error
4031
4032 • get_mode
4033
4034 Returns the mode (bitmask) set for $ssl.
4035
4036 my $rv = Net::SSLeay::get_mode($ssl);
4037 # $ssl - value corresponding to openssl's SSL structure
4038 #
4039 # returns: mode (bitmask)
4040
4041 To decode the return value (bitmask) see documentation for
4042 "CTX_get_mode".
4043
4044 Check openssl doc
4045 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
4046
4047 • set_mode
4048
4049 Adds the mode set via bitmask in $mode to $ssl. Options already set
4050 before are not cleared.
4051
4052 my $rv = Net::SSLeay::set_mode($ssl, $mode);
4053 # $ssl - value corresponding to openssl's SSL structure
4054 # $mode - mode (bitmask)
4055 #
4056 # returns: the new mode bitmask after adding $mode
4057
4058 For $mode bitmask details see "CTX_get_mode".
4059
4060 Check openssl doc
4061 <http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html>
4062
4063 • get_options
4064
4065 Returns the options (bitmask) set for $ssl.
4066
4067 my $rv = Net::SSLeay::get_options($ssl);
4068 # $ssl - value corresponding to openssl's SSL structure
4069 #
4070 # returns: options (bitmask)
4071
4072 To decode the return value (bitmask) see documentation for
4073 "CTX_get_options".
4074
4075 Check openssl doc
4076 <http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html>
4077
4078 • set_options
4079
4080 Adds the options set via bitmask in $options to $ssl. Options
4081 already set before are not cleared!
4082
4083 Net::SSLeay::set_options($ssl, $options);
4084 # $ssl - value corresponding to openssl's SSL structure
4085 # $options - options (bitmask)
4086 #
4087 # returns: the new options bitmask after adding $options
4088
4089 For $options bitmask details see "CTX_get_options".
4090
4091 Check openssl doc
4092 <http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html>
4093
4094 • get_peer_certificate
4095
4096 Get the X509 certificate of the peer.
4097
4098 my $rv = Net::SSLeay::get_peer_certificate($ssl);
4099 # $ssl - value corresponding to openssl's SSL structure
4100 #
4101 # returns: value corresponding to openssl's X509 structure (0 on failure)
4102
4103 Check openssl doc
4104 <http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
4105
4106 • get_peer_cert_chain
4107
4108 Get the certificate chain of the peer as an array of X509
4109 structures.
4110
4111 my @rv = Net::SSLeay::get_peer_cert_chain($ssl);
4112 # $ssl - value corresponding to openssl's SSL structure
4113 #
4114 # returns: list of X509 structures
4115
4116 Check openssl doc
4117 <http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html>
4118
4119 • get_quiet_shutdown
4120
4121 Returns the 'quiet shutdown' setting of ssl.
4122
4123 my $rv = Net::SSLeay::get_quiet_shutdown($ssl);
4124 # $ssl - value corresponding to openssl's SSL structure
4125 #
4126 # returns: (integer) current 'quiet shutdown' value
4127
4128 Check openssl doc
4129 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
4130
4131 • get_rbio
4132
4133 Get 'read' BIO linked to an SSL object $ssl.
4134
4135 my $rv = Net::SSLeay::get_rbio($ssl);
4136 # $ssl - value corresponding to openssl's SSL structure
4137 #
4138 # returns: value corresponding to openssl's BIO structure (0 on failure)
4139
4140 Check openssl doc
4141 <http://www.openssl.org/docs/ssl/SSL_get_rbio.html>
4142
4143 • get_read_ahead
4144
4145 my $rv = Net::SSLeay::get_read_ahead($ssl);
4146 # $ssl - value corresponding to openssl's SSL structure
4147 #
4148 # returns: (integer) read_ahead value
4149
4150 • set_read_ahead
4151
4152 Net::SSLeay::set_read_ahead($ssl, $val);
4153 # $ssl - value corresponding to openssl's SSL structure
4154 # $val - read_ahead value to be set
4155 #
4156 # returns: the original read_ahead value
4157
4158 • get_security_level
4159
4160 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4161 requires at least OpenSSL 1.1.0, not in LibreSSL
4162
4163 Returns the security level associated with $ssl.
4164
4165 my $level = Net::SSLeay::get_security_level($ssl);
4166 # $ssl - value corresponding to openssl's SSL structure
4167 #
4168 # returns: (integer) current security level
4169
4170 Check openssl doc
4171 <https://www.openssl.org/docs/manmaster/man3/SSL_get_security_level.html>
4172
4173 • set_security_level
4174
4175 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4176 requires at least OpenSSL 1.1.0, not in LibreSSL
4177
4178 Sets the security level associated with $ssl to $level.
4179
4180 Net::SSLeay::set_security_level($ssl, $level);
4181 # $ssl - value corresponding to openssl's SSL structure
4182 # $level - new security level
4183 #
4184 # returns: no return value
4185
4186 Check openssl doc
4187 <https://www.openssl.org/docs/manmaster/man3/SSL_set_security_level.html>
4188
4189 • set_num_tickets
4190
4191 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4192 requires at least OpenSSL 1.1.1, not in LibreSSL
4193
4194 Set number of TLSv1.3 session tickets that will be sent to a
4195 client.
4196
4197 my $rv = Net::SSLeay::set_num_tickets($ssl, $number_of_tickets);
4198 # $ssl - value corresponding to openssl's SSL structure
4199 # $number_of_tickets - number of tickets to send
4200 #
4201 # returns: 1 on success, 0 on failure
4202
4203 Set to zero if you do not no want to support a session resumption.
4204
4205 Check openssl doc
4206 <https://www.openssl.org/docs/manmaster/man3/SSL_set_num_tickets.html>
4207
4208 • get_num_tickets
4209
4210 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4211 requires at least OpenSSL 1.1.1, not in LibreSSL
4212
4213 Get number of TLSv1.3 session tickets that will be sent to a
4214 client.
4215
4216 my $number_of_tickets = Net::SSLeay::get_num_tickets($ctx);
4217 # $ctx - value corresponding to openssl's SSL structure
4218 #
4219 # returns: number of tickets to send
4220
4221 Check openssl doc
4222 <https://www.openssl.org/docs/manmaster/man3/SSL_get_num_tickets.html>
4223
4224 • get_server_random
4225
4226 Returns internal SSLv3 server_random value.
4227
4228 Net::SSLeay::get_server_random($ssl);
4229 # $ssl - value corresponding to openssl's SSL structure
4230 #
4231 # returns: server_random value (binary data)
4232
4233 • get_client_random
4234
4235 NOTE: Does not exactly correspond to any low level API function
4236
4237 Returns internal SSLv3 client_random value.
4238
4239 Net::SSLeay::get_client_random($ssl);
4240 # $ssl - value corresponding to openssl's SSL structure
4241 #
4242 # returns: client_random value (binary data)
4243
4244 • export_keying_material
4245
4246 Returns keying material based on the string $label and optional
4247 $context. Note that with TLSv1.2 and lower, empty context (empty
4248 string) and undefined context (no value or 'undef') will return
4249 different values.
4250
4251 my $out = Net::SSLeay::export_keying_material($ssl, $olen, $label, $context);
4252 # $ssl - value corresponding to openssl's SSL structure
4253 # $olen - number of bytes to return
4254 # $label - application specific label
4255 # $context - [optional] context - default is undef for no context
4256 #
4257 # returns: keying material (binary data) or undef on error
4258
4259 Check openssl doc
4260 <https://www.openssl.org/docs/manmaster/man3/SSL_export_keying_material.html>
4261
4262 • get_session
4263
4264 Retrieve TLS/SSL session data used in $ssl. The reference count of
4265 the SSL_SESSION is NOT incremented.
4266
4267 my $rv = Net::SSLeay::get_session($ssl);
4268 # $ssl - value corresponding to openssl's SSL structure
4269 #
4270 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
4271
4272 Check openssl doc
4273 <http://www.openssl.org/docs/ssl/SSL_get_session.html>
4274
4275 • SSL_get0_session
4276
4277 The alias for "get_session" (note that the name is
4278 "SSL_get0_session" NOT "get0_session").
4279
4280 my $rv = Net::SSLeay::SSL_get0_session();
4281
4282 • get1_session
4283
4284 Returns a pointer to the SSL_SESSION actually used in $ssl. The
4285 reference count of the SSL_SESSION is incremented by 1.
4286
4287 my $rv = Net::SSLeay::get1_session($ssl);
4288 # $ssl - value corresponding to openssl's SSL structure
4289 #
4290 # returns: value corresponding to openssl's SSL_SESSION structure (0 on failure)
4291
4292 Check openssl doc
4293 <http://www.openssl.org/docs/ssl/SSL_get_session.html>
4294
4295 • get_shared_ciphers
4296
4297 Returns string with a list (colon ':' separated) of ciphers shared
4298 between client and server within SSL session $ssl.
4299
4300 my $rv = Net::SSLeay::get_shared_ciphers()
4301 #
4302 # returns: string like 'ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:...'
4303
4304 • get_shutdown
4305
4306 Returns the shutdown mode of $ssl.
4307
4308 my $rv = Net::SSLeay::get_shutdown($ssl);
4309 # $ssl - value corresponding to openssl's SSL structure
4310 #
4311 # returns: shutdown mode (bitmask) of ssl
4312
4313 #to decode the return value (bitmask) use:
4314 0 - No shutdown setting, yet
4315 1 - SSL_SENT_SHUTDOWN
4316 2 - SSL_RECEIVED_SHUTDOWN
4317
4318 Check openssl doc
4319 <http://www.openssl.org/docs/ssl/SSL_set_shutdown.html>
4320
4321 • get_ssl_method
4322
4323 Returns a function pointer to the TLS/SSL method set in $ssl.
4324
4325 my $rv = Net::SSLeay::get_ssl_method($ssl);
4326 # $ssl - value corresponding to openssl's SSL structure
4327 #
4328 # returns: value corresponding to openssl's SSL_METHOD structure (0 on failure)
4329
4330 Check openssl doc
4331 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
4332
4333 • in_init, in_before, is_init_finished, in_connect_init,
4334 in_accept_init
4335
4336 COMPATIBILITY: not available in Net-SSLeay-1.85 and before.
4337
4338 Retrieve information about the handshake state machine. All
4339 functions take $ssl as the only argument and return 0 or 1. These
4340 functions are recommended over get_state() and state().
4341
4342 my $rv = Net::SSLeay::is_init_finished($ssl);
4343 # $ssl - value corresponding to openssl's SSL structure
4344 #
4345 # returns: All functions return 1 or 0
4346
4347 Check openssl doc https://www.openssl.org/docs/ssl/SSL_in_init.html
4348 <http://www.openssl.org/docs/ssl/SSL_in_init.html>
4349
4350 • get_state
4351
4352 COMPATIBILITY: OpenSSL 1.1.0 and later use different constants
4353 which are not made available. Use is_init_finished() and related
4354 functions instead.
4355
4356 Returns the SSL connection state.
4357
4358 my $rv = Net::SSLeay::get_state($ssl);
4359 # $ssl - value corresponding to openssl's SSL structure
4360 #
4361 # returns: (integer) state value
4362 # to decode the returned state check:
4363 # SSL_ST_* constants in openssl/ssl.h
4364 # SSL2_ST_* constants in openssl/ssl2.h
4365 # SSL23_ST_* constants in openssl/ssl23.h
4366 # SSL3_ST_* + DTLS1_ST_* constants in openssl/ssl3.h
4367
4368 • state
4369
4370 Exactly the same as "get_state".
4371
4372 my $rv = Net::SSLeay::state($ssl);
4373
4374 • set_state
4375
4376 Sets the SSL connection state.
4377
4378 Net::SSLeay::set_state($ssl,Net::SSLeay::SSL_ST_ACCEPT());
4379
4380 Not available with OpenSSL 1.1 and later.
4381
4382 • get_verify_depth
4383
4384 Returns the verification depth limit currently set in $ssl.
4385
4386 my $rv = Net::SSLeay::get_verify_depth($ssl);
4387 # $ssl - value corresponding to openssl's SSL structure
4388 #
4389 # returns: current depth or -1 if no limit has been explicitly set
4390
4391 Check openssl doc
4392 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
4393
4394 • set_verify_depth
4395
4396 Sets the maximum depth for the certificate chain verification that
4397 shall be allowed for $ssl.
4398
4399 Net::SSLeay::set_verify_depth($ssl, $depth);
4400 # $ssl - value corresponding to openssl's SSL structure
4401 # $depth - (integer) depth
4402 #
4403 # returns: no return value
4404
4405 Check openssl doc
4406 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
4407
4408 • get_verify_mode
4409
4410 Returns the verification mode (bitmask) currently set in $ssl.
4411
4412 my $rv = Net::SSLeay::get_verify_mode($ssl);
4413 # $ssl - value corresponding to openssl's SSL structure
4414 #
4415 # returns: mode (bitmask)
4416
4417 To decode the return value (bitmask) see documentation for
4418 "CTX_get_verify_mode".
4419
4420 Check openssl doc
4421 <http://www.openssl.org/docs/ssl/SSL_CTX_get_verify_mode.html>
4422
4423 • set_verify
4424
4425 Sets the verification flags for $ssl to be $mode and specifies the
4426 $verify_callback function to be used.
4427
4428 Net::SSLeay::set_verify($ssl, $mode, $callback);
4429 # $ssl - value corresponding to openssl's SSL structure
4430 # $mode - mode (bitmask)
4431 # $callback - [optional] reference to perl callback function
4432 #
4433 # returns: no return value
4434
4435 For $mode bitmask details see "CTX_get_verify_mode".
4436
4437 Check openssl doc
4438 <http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html>
4439
4440 • set_post_handshake_auth
4441
4442 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4443 requires at least OpenSSL 1.1.1, not in LibreSSL
4444
4445 Enable the Post-Handshake Authentication extension to be added to
4446 the ClientHello such that post-handshake authentication can be
4447 requested by the server.
4448
4449 Net::SSLeay::set_posthandshake_auth($ssl, $val);
4450 # $ssl - value corresponding to openssl's SSL structure
4451 # $val - 0 then the extension is not sent, otherwise it is
4452 #
4453 # returns: no return value
4454
4455 Check openssl doc
4456 https://www.openssl.org/docs/manmaster/man3/SSL_set_post_handshake_auth
4457 <https://www.openssl.org/docs/manmaster/man3/SSL_set_post_handshake_auth.html>
4458
4459 • verify_client_post_handshake
4460
4461 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4462 requires at least OpenSSL 1.1.1, not in LibreSSL
4463
4464 verify_client_post_handshake causes a CertificateRequest message to
4465 be sent by a server on the given ssl connection.
4466
4467 my $rv = Net::SSLeay::verify_client_post_handshake($ssl);
4468 # $ssl - value corresponding to openssl's SSL structure
4469 #
4470 # returns: 1 if the request succeeded, and 0 if the request failed. The error stack can be examined to determine the failure reason.
4471
4472 Check openssl doc
4473 <https://www.openssl.org/docs/manmaster/man3/SSL_verify_client_post_handshake.html>
4474
4475 • get_verify_result
4476
4477 Returns the result of the verification of the X509 certificate
4478 presented by the peer, if any.
4479
4480 my $rv = Net::SSLeay::get_verify_result($ssl);
4481 # $ssl - value corresponding to openssl's SSL structure
4482 #
4483 # returns: (integer)
4484 # 0 - X509_V_OK: ok
4485 # 2 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
4486 # 3 - X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
4487 # 4 - X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
4488 # 5 - X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
4489 # 6 - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
4490 # 7 - X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
4491 # 8 - X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
4492 # 9 - X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
4493 # 10 - X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
4494 # 11 - X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
4495 # 12 - X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
4496 # 13 - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
4497 # 14 - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
4498 # 15 - X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
4499 # 16 - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
4500 # 17 - X509_V_ERR_OUT_OF_MEM: out of memory
4501 # 18 - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
4502 # 19 - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
4503 # 20 - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
4504 # 21 - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
4505 # 22 - X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
4506 # 23 - X509_V_ERR_CERT_REVOKED: certificate revoked
4507 # 24 - X509_V_ERR_INVALID_CA: invalid CA certificate
4508 # 25 - X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
4509 # 26 - X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
4510 # 27 - X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
4511 # 28 - X509_V_ERR_CERT_REJECTED: certificate rejected
4512 # 29 - X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
4513 # 30 - X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
4514 # 31 - X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
4515 # 32 - X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
4516 # 50 - X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
4517
4518 Check openssl doc
4519 <http://www.openssl.org/docs/ssl/SSL_get_verify_result.html>
4520
4521 • set_verify_result
4522
4523 Override result of peer certificate verification.
4524
4525 Net::SSLeay::set_verify_result($ssl, $v);
4526 # $ssl - value corresponding to openssl's SSL structure
4527 # $v - (integer) result value
4528 #
4529 # returns: no return value
4530
4531 For more info about valid return values see "get_verify_result"
4532
4533 Check openssl doc
4534 <http://www.openssl.org/docs/ssl/SSL_set_verify_result.html>
4535
4536 • get_wbio
4537
4538 Get 'write' BIO linked to an SSL object $ssl.
4539
4540 my $rv = Net::SSLeay::get_wbio($ssl);
4541 # $ssl - value corresponding to openssl's SSL structure
4542 #
4543 # returns: value corresponding to openssl's BIO structure (0 on failure)
4544
4545 Check openssl doc
4546 <http://www.openssl.org/docs/ssl/SSL_get_rbio.html>
4547
4548 • load_client_CA_file
4549
4550 Load X509 certificates from file (PEM formatted).
4551
4552 my $rv = Net::SSLeay::load_client_CA_file($file);
4553 # $file - (string) file name
4554 #
4555 # returns: value corresponding to openssl's STACK_OF(X509_NAME) structure (0 on failure)
4556
4557 Check openssl doc
4558 <http://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html>
4559
4560 • clear_num_renegotiations
4561
4562 Executes SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS command on $ssl.
4563
4564 my $rv = Net::SSLeay::clear_num_renegotiations($ssl);
4565 # $ssl - value corresponding to openssl's SSL structure
4566 #
4567 # returns: command result
4568
4569 • need_tmp_RSA
4570
4571 Executes SSL_CTRL_NEED_TMP_RSA command on $ssl.
4572
4573 my $rv = Net::SSLeay::need_tmp_RSA($ssl);
4574 # $ssl - value corresponding to openssl's SSL structure
4575 #
4576 # returns: command result
4577
4578 Not available with OpenSSL 1.1 and later.
4579
4580 • num_renegotiations
4581
4582 Executes SSL_CTRL_GET_NUM_RENEGOTIATIONS command on $ssl.
4583
4584 my $rv = Net::SSLeay::num_renegotiations($ssl);
4585 # $ssl - value corresponding to openssl's SSL structure
4586 #
4587 # returns: command result
4588
4589 • total_renegotiations
4590
4591 Executes SSL_CTRL_GET_TOTAL_RENEGOTIATIONS command on $ssl.
4592
4593 my $rv = Net::SSLeay::total_renegotiations($ssl);
4594 # $ssl - value corresponding to openssl's SSL structure
4595 #
4596 # returns: command result
4597
4598 • peek
4599
4600 Copies $max bytes from the specified $ssl into the returned value.
4601 In contrast to the "Net::SSLeay::read()" function, the data in the
4602 SSL buffer is unmodified after the SSL_peek() operation.
4603
4604 Net::SSLeay::peek($ssl, $max);
4605 # $ssl - value corresponding to openssl's SSL structure
4606 # $max - [optional] max bytes to peek (integer) - default is 32768
4607 #
4608 # in scalar context: data read from the TLS/SSL connection, undef on error
4609 # in list context: two-item array consisting of data read (undef on error),
4610 # and return code from SSL_peek().
4611
4612 • peek_ex
4613
4614 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4615 requires at least OpenSSL 1.1.1, not in LibreSSL
4616
4617 Copies $max bytes from the specified $ssl into the returned value.
4618 In contrast to the "Net::SSLeay::read_ex()" function, the data in
4619 the SSL buffer is unmodified after the SSL_peek_ex() operation.
4620
4621 my($got, $rv) = Net::SSLeay::peek_ex($ssl, $max);
4622 # $ssl - value corresponding to openssl's SSL structure
4623 # $max - [optional] max bytes to peek (integer) - default is 32768
4624 #
4625 # returns a list: two-item list consisting of data read (undef on error),
4626 # and return code from SSL_peek_ex().
4627
4628 Check openssl doc
4629 <https://www.openssl.org/docs/manmaster/man3/SSL_peek_ex.html>
4630
4631 • pending
4632
4633 Obtain number of readable bytes buffered in $ssl object.
4634
4635 my $rv = Net::SSLeay::pending($ssl);
4636 # $ssl - value corresponding to openssl's SSL structure
4637 #
4638 # returns: the number of bytes pending
4639
4640 Check openssl doc
4641 <http://www.openssl.org/docs/ssl/SSL_pending.html>
4642
4643 • has_pending
4644
4645 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4646 requires at least OpenSSL 1.1.0, not in LibreSSL
4647
4648 Returns 1 if $ssl has buffered data (whether processed or
4649 unprocessed) and 0 otherwise.
4650
4651 my $rv = Net::SSLeay::has_pending($ssl);
4652 # $ssl - value corresponding to openssl's SSL structure
4653 #
4654 # returns: (integer) 1 or 0
4655
4656 Check openssl doc
4657 <https://www.openssl.org/docs/manmaster/man3/SSL_has_pending.html>
4658
4659 • read
4660
4661 Tries to read $max bytes from the specified $ssl.
4662
4663 my $got = Net::SSLeay::read($ssl, $max);
4664 my($got, $rv) = Net::SSLeay::read($ssl, $max);
4665 # $ssl - value corresponding to openssl's SSL structure
4666 # $max - [optional] max bytes to read (integer) - default is 32768
4667 #
4668 # returns:
4669 # in scalar context: data read from the TLS/SSL connection, undef on error
4670 # in list context: two-item array consisting of data read (undef on error),
4671 # and return code from SSL_read().
4672
4673 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_read.html>
4674
4675 • read_ex
4676
4677 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4678 requires at least OpenSSL 1.1.1, not in LibreSSL
4679
4680 Tries to read $max bytes from the specified $ssl.
4681
4682 my($got, $rv) = Net::SSLeay::read_ex($ssl, $max);
4683 # $ssl - value corresponding to openssl's SSL structure
4684 # $max - [optional] max bytes to read (integer) - default is 32768
4685 #
4686 # returns a list: two-item list consisting of data read (undef on error),
4687 # and return code from SSL_read_ex().
4688
4689 Check openssl doc
4690 <https://www.openssl.org/docs/manmaster/man3/SSL_read_ex.html>
4691
4692 • renegotiate
4693
4694 Turn on flags for renegotiation so that renegotiation will happen
4695
4696 my $rv = Net::SSLeay::renegotiate($ssl);
4697 # $ssl - value corresponding to openssl's SSL structure
4698 #
4699 # returns: 1 on success, 0 on failure
4700
4701 • rstate_string
4702
4703 Returns a 2 letter string indicating the current read state of the
4704 SSL object $ssl.
4705
4706 my $rv = Net::SSLeay::rstate_string($ssl);
4707 # $ssl - value corresponding to openssl's SSL structure
4708 #
4709 # returns: 2-letter string
4710
4711 Check openssl doc
4712 <http://www.openssl.org/docs/ssl/SSL_rstate_string.html>
4713
4714 • rstate_string_long
4715
4716 Returns a string indicating the current read state of the SSL
4717 object ssl.
4718
4719 my $rv = Net::SSLeay::rstate_string_long($ssl);
4720 # $ssl - value corresponding to openssl's SSL structure
4721 #
4722 # returns: string with current state
4723
4724 Check openssl doc
4725 <http://www.openssl.org/docs/ssl/SSL_rstate_string.html>
4726
4727 • session_reused
4728
4729 Query whether a reused session was negotiated during handshake.
4730
4731 my $rv = Net::SSLeay::session_reused($ssl);
4732 # $ssl - value corresponding to openssl's SSL structure
4733 #
4734 # returns: 0 - new session was negotiated; 1 - session was reused.
4735
4736 Check openssl doc
4737 <http://www.openssl.org/docs/ssl/SSL_session_reused.html>
4738
4739 • set1_param
4740
4741 COMPATIBILITY: requires at least OpenSSL 1.0.0-beta3
4742
4743 Applies X509 verification parameters $vpm on $ssl
4744
4745 my $rv = Net::SSLeay::set1_param($ssl, $vpm);
4746 # $ssl - value corresponding to openssl's SSL structure
4747 # $vpm - value corresponding to openssl's X509_VERIFY_PARAM structure
4748 #
4749 # returns: 1 on success, 0 on failure
4750
4751 • set_accept_state
4752
4753 Sets $ssl to work in server mode.
4754
4755 Net::SSLeay::set_accept_state($ssl);
4756 # $ssl - value corresponding to openssl's SSL structure
4757 #
4758 # returns: no return value
4759
4760 Check openssl doc
4761 <http://www.openssl.org/docs/ssl/SSL_set_connect_state.html>
4762
4763 • set_bio
4764
4765 Connects the BIOs $rbio and $wbio for the read and write operations
4766 of the TLS/SSL (encrypted) side of $ssl.
4767
4768 Net::SSLeay::set_bio($ssl, $rbio, $wbio);
4769 # $ssl - value corresponding to openssl's SSL structure
4770 # $rbio - value corresponding to openssl's BIO structure
4771 # $wbio - value corresponding to openssl's BIO structure
4772 #
4773 # returns: no return value
4774
4775 Check openssl doc
4776 <http://www.openssl.org/docs/ssl/SSL_set_bio.html>
4777
4778 • set_cipher_list
4779
4780 Sets the list of ciphers only for ssl.
4781
4782 my $rv = Net::SSLeay::set_cipher_list($ssl, $str);
4783 # $ssl - value corresponding to openssl's SSL structure
4784 # $str - (string) cipher list e.g. '3DES:+RSA'
4785 #
4786 # returns: 1 if any cipher could be selected and 0 on complete failure
4787
4788 Check openssl doc
4789 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
4790
4791 • set_ciphersuites
4792
4793 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
4794 requires at least OpenSSL 1.1.1, not in LibreSSL
4795
4796 Configure the available TLSv1.3 ciphersuites.
4797
4798 my $rv = Net::SSLeay::set_ciphersuites($ssl, $str);
4799 # $ssl - value corresponding to openssl's SSL structure
4800 # $str - colon (":") separated list of TLSv1.3 ciphersuite names in order of preference
4801 #
4802 # returns: (integer) 1 if the requested ciphersuite list was configured, and 0 otherwise
4803
4804 Check openssl doc
4805 <https://www.openssl.org/docs/manmaster/man3/SSL_set_ciphersuites.html>
4806
4807 • set_client_CA_list
4808
4809 Sets the list of CAs sent to the client when requesting a client
4810 certificate for the chosen $ssl, overriding the setting valid for
4811 $ssl's SSL_CTX object.
4812
4813 my $rv = Net::SSLeay::set_client_CA_list($ssl, $list);
4814 # $ssl - value corresponding to openssl's SSL structure
4815 # $list - value corresponding to openssl's STACK_OF(X509_NAME) structure
4816 #
4817 # returns: no return value
4818
4819 Check openssl doc
4820 <http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html>
4821
4822 • set_connect_state
4823
4824 Sets $ssl to work in client mode.
4825
4826 Net::SSLeay::set_connect_state($ssl);
4827 # $ssl - value corresponding to openssl's SSL structure
4828 #
4829 # returns: no return value
4830
4831 Check openssl doc
4832 <http://www.openssl.org/docs/ssl/SSL_set_connect_state.html>
4833
4834 • set_fd
4835
4836 Sets the file descriptor $fd as the input/output facility for the
4837 TLS/SSL (encrypted) side of $ssl, $fd will typically be the socket
4838 file descriptor of a network connection.
4839
4840 my $rv = Net::SSLeay::set_fd($ssl, $fd);
4841 # $ssl - value corresponding to openssl's SSL structure
4842 # $fd - (integer) file handle (got via perl's fileno)
4843 #
4844 # returns: 1 on success, 0 on failure
4845
4846 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4847
4848 • set_psk_client_callback
4849
4850 Sets the psk client callback.
4851
4852 Net::SSLeay::set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } );
4853 # $ssl - value corresponding to openssl's SSL structure
4854 # $hint - PSK identity hint send by the server
4855 # $identity - PSK identity
4856 # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef'
4857 #
4858 # returns: no return value
4859
4860 Check openssl doc
4861 <http://www.openssl.org/docs/ssl/SSL_set_psk_client_callback.html>
4862
4863 • set_rfd
4864
4865 Sets the file descriptor $fd as the input (read) facility for the
4866 TLS/SSL (encrypted) side of $ssl.
4867
4868 my $rv = Net::SSLeay::set_rfd($ssl, $fd);
4869 # $ssl - value corresponding to openssl's SSL structure
4870 # $fd - (integer) file handle (got via perl's fileno)
4871 #
4872 # returns: 1 on success, 0 on failure
4873
4874 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4875
4876 • set_wfd
4877
4878 my $rv = Net::SSLeay::set_wfd($ssl, $fd);
4879 # $ssl - value corresponding to openssl's SSL structure
4880 # $fd - (integer) file handle (got via perl's fileno)
4881 #
4882 # returns: 1 on success, 0 on failure
4883
4884 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_set_fd.html>
4885
4886 • set_info_callback
4887
4888 Sets the callback function, that can be used to obtain state
4889 information for $ssl during connection setup and use. When
4890 callback is undef, the callback setting currently valid for ctx is
4891 used.
4892
4893 Net::SSLeay::set_info_callback($ssl, $cb, [$data]);
4894 # $ssl - value corresponding to openssl's SSL structure
4895 # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... }
4896 #
4897 # returns: no return value
4898
4899 Check openssl doc
4900 <http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
4901
4902 • CTX_set_info_callback
4903
4904 Sets the callback function on ctx, that can be used to obtain state
4905 information during ssl connection setup and use. When callback is
4906 undef, an existing callback will be disabled.
4907
4908 Net::SSLeay::CTX_set_info_callback($ssl, $cb, [$data]);
4909 # $ssl - value corresponding to openssl's SSL structure
4910 # $cb - sub { my ($ssl,$where,$ret,$data) = @_; ... }
4911 #
4912 # returns: no return value
4913
4914 Check openssl doc
4915 <http://www.openssl.org/docs/ssl/SSL_CTX_set_info_callback.html>
4916
4917 • set_pref_cipher
4918
4919 Sets the list of available ciphers for $ssl using the control
4920 string $str.
4921
4922 my $rv = Net::SSLeay::set_pref_cipher($ssl, $str);
4923 # $ssl - value corresponding to openssl's SSL structure
4924 # $str - (string) cipher list e.g. '3DES:+RSA'
4925 #
4926 # returns: 1 if any cipher could be selected and 0 on complete failure
4927
4928 Check openssl doc
4929 <http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html>
4930
4931 • CTX_set_psk_client_callback
4932
4933 Sets the psk client callback.
4934
4935 Net::SSLeay::CTX_set_psk_client_callback($ssl, sub { my $hint = shift; return ($identity, $key) } );
4936 # $ssl - value corresponding to openssl's SSL structure
4937 # $hint - PSK identity hint send by the server
4938 # $identity - PSK identity
4939 # $key - PSK key, hex string without the leading '0x', e.g. 'deadbeef'
4940 #
4941 # returns: no return value
4942
4943 Check openssl doc
4944 <http://www.openssl.org/docs/ssl/SSL_CTX_set_psk_client_callback.html>
4945
4946 • set_purpose
4947
4948 my $rv = Net::SSLeay::set_purpose($ssl, $purpose);
4949 # $ssl - value corresponding to openssl's SSL structure
4950 # $purpose - (integer) purpose identifier
4951 #
4952 # returns: 1 on success, 0 on failure
4953
4954 For more info about available $purpose identifiers see
4955 "CTX_set_purpose".
4956
4957 • set_quiet_shutdown
4958
4959 Sets the 'quiet shutdown' flag for $ssl to be $mode.
4960
4961 Net::SSLeay::set_quiet_shutdown($ssl, $mode);
4962 # $ssl - value corresponding to openssl's SSL structure
4963 # $mode - 0 or 1
4964 #
4965 # returns: no return value
4966
4967 Check openssl doc
4968 <http://www.openssl.org/docs/ssl/SSL_CTX_set_quiet_shutdown.html>
4969
4970 • set_session
4971
4972 Set a TLS/SSL session to be used during TLS/SSL connect.
4973
4974 my $rv = Net::SSLeay::set_session($to, $ses);
4975 # $to - value corresponding to openssl's SSL structure
4976 # $ses - value corresponding to openssl's SSL_SESSION structure
4977 #
4978 # returns: 1 on success, 0 on failure
4979
4980 Check openssl doc
4981 <http://www.openssl.org/docs/ssl/SSL_set_session.html>
4982
4983 • set_session_id_context
4984
4985 Sets the context $sid_ctx of length $sid_ctx_len within which a
4986 session can be reused for the $ssl object.
4987
4988 my $rv = Net::SSLeay::set_session_id_context($ssl, $sid_ctx, $sid_ctx_len);
4989 # $ssl - value corresponding to openssl's SSL structure
4990 # $sid_ctx - data buffer
4991 # $sid_ctx_len - length of data in $sid_ctx
4992 #
4993 # returns: 1 on success, 0 on failure
4994
4995 Check openssl doc
4996 <http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html>
4997
4998 • set_session_secret_cb
4999
5000 Setup pre-shared secret session resumption function.
5001
5002 Net::SSLeay::set_session_secret_cb($ssl, $func, $data);
5003 # $ssl - value corresponding to openssl's SSL structure
5004 # $func - perl reference to callback function
5005 # $data - [optional] data that will be passed to callback function when invoked
5006 #
5007 # returns: no return value
5008
5009 The callback function will be called like:
5010 callback_function($secret, $ciphers, $pref_cipher, $data);
5011
5012 # $secret is the current master session key, usually all 0s at the
5013 beginning of a session # $ciphers is ref to an array of peer cipher
5014 names # $pref_cipher is a ref to an index into the list of cipher
5015 names of # the preferred cipher. Set it if you want to specify a
5016 preferred cipher # $data is the data passed to
5017 set_session_secret_cb
5018
5019 The callback function should return 1 if it likes the suggested
5020 cipher (or has selected an alternative by setting pref_cipher),
5021 else it should return 0 (in which case OpenSSL will select its own
5022 preferred cipher).
5023
5024 With OpenSSL 1.1 and later, callback_function can change the master
5025 key for the session by altering $secret and returning 1.
5026
5027 • CTX_set_tlsext_ticket_getkey_cb
5028
5029 Setup encryption for TLS session tickets (stateless session reuse).
5030
5031 Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($ctx, $func, $data);
5032 # $ctx - value corresponding to openssl's SSL_CTX structure
5033 # $func - perl reference to callback function
5034 # $data - [optional] data that will be passed to callback function when invoked
5035 #
5036 # returns: no return value
5037
5038 The callback function will be called like:
5039 getkey($data,[$key_name]) -> ($key,$current_key_name)
5040
5041 # $data is the data passed to set_session_secret_cb # $key_name is
5042 the name of the key OpenSSL has extracted from the session ticket #
5043 $key is the requested key for ticket encryption + HMAC #
5044 $current_key_name is the name for the currently valid key
5045
5046 OpenSSL will call the function without a key name if it generates a
5047 new ticket. It then needs the callback to return the
5048 encryption+HMAC key and an identifier (key name) for this key.
5049
5050 When OpenSSL gets a session ticket from the client it extracts the
5051 key name and calls the callback with this name as argument. It then
5052 expects the callback to return the encryption+HMAC key matching the
5053 requested key name and and also the key name which should be used
5054 at the moment. If the requested key name and the returned key name
5055 differ it means that this session ticket was created with an
5056 expired key and need to be renewed. In this case OpenSSL will call
5057 the callback again with no key name to create a new session ticket
5058 based on the old one.
5059
5060 The key must be at least 32 byte of random data which can be
5061 created with RAND_bytes. Internally the first 16 byte are used as
5062 key in AES-128 encryption while the next 16 byte are used for the
5063 SHA-256 HMAC. The key name are binary data and must be exactly 16
5064 byte long.
5065
5066 Example:
5067
5068 Net::SSLeay::RAND_bytes(my $oldkey,32);
5069 Net::SSLeay::RAND_bytes(my $newkey,32);
5070 my $oldkey_name = pack("a16",'oldsecret');
5071 my $newkey_name = pack("a16",'newsecret');
5072
5073 my @keys = (
5074 [ $newkey_name, $newkey ], # current active key
5075 [ $oldkey_name, $oldkey ], # already expired
5076 );
5077
5078 Net::SSLeay::CTX_set_tlsext_ticket_getkey_cb($server2->_ctx, sub {
5079 my ($mykeys,$name) = @_;
5080
5081 # return (current_key, current_key_name) if no name given
5082 return ($mykeys->[0][1],$mykeys->[0][0]) if ! $name;
5083
5084 # return (matching_key, current_key_name) if we find a key matching
5085 # the given name
5086 for(my $i = 0; $i<@$mykeys; $i++) {
5087 next if $name ne $mykeys->[$i][0];
5088 return ($mykeys->[$i][1],$mykeys->[0][0]);
5089 }
5090
5091 # no matching key found
5092 return;
5093 },\@keys);
5094
5095 This function is based on the OpenSSL function
5096 SSL_CTX_set_tlsext_ticket_key_cb but provides a simpler to use
5097 interface. For more information see
5098 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html>
5099
5100 • set_session_ticket_ext_cb
5101
5102 Setup callback for TLS session tickets (stateless session reuse).
5103
5104 Net::SSLeay::set_session_ticket_ext_cb($ssl, $func, $data);
5105 # $ssl - value corresponding to openssl's SSL structure
5106 # $func - perl reference to callback function
5107 # $data - [optional] data that will be passed to callback function when invoked
5108 #
5109 # returns: no return value
5110
5111 The callback function will be called like:
5112 getticket($ssl,$ticket,$data) -> $return_value
5113
5114 # $ssl is a value corresponding to openssl's SSL structure #
5115 $ticket is a value of received TLS session ticket (can also be
5116 empty) # $data is the data passed to set_session_ticket_ext_cb #
5117 $return_value is either 0 (failure) or 1 (success)
5118
5119 This function is based on the OpenSSL function
5120 SSL_set_session_ticket_ext_cb.
5121
5122 • set_session_ticket_ext
5123
5124 Set TLS session ticket (stateless session reuse).
5125
5126 Net::SSLeay::set_session_ticket_ext($ssl, $ticket);
5127 # $ssl - value corresponding to openssl's SSL structure
5128 # $ticket - is a value of TLS session ticket which client will send (can also be empty string)
5129 #
5130 # returns: no return value
5131
5132 The callback function will be called like:
5133 getticket($ssl,$ticket,$data) -> $return_value
5134
5135 # $ssl is a value corresponding to openssl's SSL structure #
5136 $ticket is a value of received TLS session ticket (can also be
5137 empty) # $data is the data passed to set_session_ticket_ext_cb #
5138 $return_value is either 0 (failure) or 1 (success)
5139
5140 This function is based on the OpenSSL function
5141 SSL_set_session_ticket_ext_cb.
5142
5143 • set_shutdown
5144
5145 Sets the shutdown state of $ssl to $mode.
5146
5147 Net::SSLeay::set_shutdown($ssl, $mode);
5148 # $ssl - value corresponding to openssl's SSL structure
5149 # $mode - (integer) shutdown mode:
5150 # 0 - No shutdown
5151 # 1 - SSL_SENT_SHUTDOWN
5152 # 2 - SSL_RECEIVED_SHUTDOWN
5153 # 3 - SSL_RECEIVED_SHUTDOWN+SSL_SENT_SHUTDOWN
5154 #
5155 # returns: no return value
5156
5157 Check openssl doc
5158 <http://www.openssl.org/docs/ssl/SSL_set_shutdown.html>
5159
5160 • set_ssl_method
5161
5162 Sets a new TLS/SSL method for a particular $ssl object.
5163
5164 my $rv = Net::SSLeay::set_ssl_method($ssl, $method);
5165 # $ssl - value corresponding to openssl's SSL structure
5166 # $method - value corresponding to openssl's SSL_METHOD structure
5167 #
5168 # returns: 1 on success, 0 on failure
5169
5170 Check openssl doc
5171 <http://www.openssl.org/docs/ssl/SSL_CTX_set_ssl_version.html>
5172
5173 • set_tmp_dh
5174
5175 Sets DH parameters to be used to be $dh.
5176
5177 my $rv = Net::SSLeay::set_tmp_dh($ssl, $dh);
5178 # $ssl - value corresponding to openssl's SSL structure
5179 # $dh - value corresponding to openssl's DH structure
5180 #
5181 # returns: 1 on success, 0 on failure
5182
5183 Check openssl doc
5184 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
5185
5186 • set_tmp_dh_callback
5187
5188 Sets the callback function for $ssl to be used when a DH parameters
5189 are required to $dh_cb.
5190
5191 ??? (does this function really work?)
5192
5193 Net::SSLeay::set_tmp_dh_callback($ssl, $dh);
5194 # $ssl - value corresponding to openssl's SSL structure
5195 # $dh_cb - pointer to function ???
5196 #
5197 # returns: no return value
5198
5199 Check openssl doc
5200 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html>
5201
5202 • set_tmp_rsa
5203
5204 Sets the temporary/ephemeral RSA key to be used in $ssl to be $rsa.
5205
5206 my $rv = Net::SSLeay::set_tmp_rsa($ssl, $rsa);
5207 # $ssl - value corresponding to openssl's SSL structure
5208 # $rsa - value corresponding to openssl's RSA structure
5209 #
5210 # returns: 1 on success, 0 on failure
5211
5212 Example:
5213
5214 $rsakey = Net::SSLeay::RSA_generate_key();
5215 Net::SSLeay::set_tmp_rsa($ssl, $rsakey);
5216 Net::SSLeay::RSA_free($rsakey);
5217
5218 Check openssl doc
5219 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
5220
5221 • set_tmp_rsa_callback
5222
5223 Sets the callback function for $ssl to be used when a
5224 temporary/ephemeral RSA key is required to $tmp_rsa_callback.
5225
5226 ??? (does this function really work?)
5227
5228 Net::SSLeay::set_tmp_rsa_callback($ssl, $tmp_rsa_callback);
5229 # $ssl - value corresponding to openssl's SSL structure
5230 # $tmp_rsa_callback - (function pointer) ???
5231 #
5232 # returns: no return value
5233
5234 Check openssl doc
5235 <http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html>
5236
5237 • set_trust
5238
5239 my $rv = Net::SSLeay::set_trust($ssl, $trust);
5240 # $ssl - value corresponding to openssl's SSL structure
5241 # $trust - (integer) trust identifier
5242 #
5243 # returns: the original value
5244
5245 For more details about $trust values see "CTX_set_trust".
5246
5247 • shutdown
5248
5249 Shuts down an active TLS/SSL connection. It sends the 'close
5250 notify' shutdown alert to the peer.
5251
5252 my $rv = Net::SSLeay::shutdown($ssl);
5253 # $ssl - value corresponding to openssl's SSL structure
5254 #
5255 # returns: 1 - shutdown was successfully completed
5256 # 0 - shutdown is not yet finished,
5257 # -1 - shutdown was not successful
5258
5259 Check openssl doc
5260 <http://www.openssl.org/docs/ssl/SSL_shutdown.html>
5261
5262 • state_string
5263
5264 Returns a 6 letter string indicating the current state of the SSL
5265 object $ssl.
5266
5267 my $rv = Net::SSLeay::state_string($ssl);
5268 # $ssl - value corresponding to openssl's SSL structure
5269 #
5270 # returns: 6-letter string
5271
5272 Check openssl doc
5273 <http://www.openssl.org/docs/ssl/SSL_state_string.html>
5274
5275 • state_string_long
5276
5277 Returns a string indicating the current state of the SSL object
5278 $ssl.
5279
5280 my $rv = Net::SSLeay::state_string_long($ssl);
5281 # $ssl - value corresponding to openssl's SSL structure
5282 #
5283 # returns: state strings
5284
5285 Check openssl doc
5286 <http://www.openssl.org/docs/ssl/SSL_state_string.html>
5287
5288 • set_default_passwd_cb
5289
5290 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5291 requires at least OpenSSL 1.1.0f. Not needed with LibreSSL.
5292
5293 Sets the default password callback called when loading/storing a
5294 PEM certificate with encryption for $ssl.
5295
5296 Net::SSLeay::set_default_passwd_cb($ssl, $func);
5297 # $ssl - value corresponding to openssl's SSL structure
5298 # $func - perl reference to callback function
5299 #
5300 # returns: no return value
5301
5302 Check openssl doc
5303 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
5304
5305 • set_default_passwd_cb_userdata
5306
5307 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5308 requires at least OpenSSL 1.1.0f. Not needed with LibreSSL.
5309
5310 Sets a pointer to userdata which will be provided to the password
5311 callback of $ssl on invocation.
5312
5313 Net::SSLeay::set_default_passwd_cb_userdata($ssl, $userdata);
5314 # $ssl - value corresponding to openssl's SSL structure
5315 # $userdata - data that will be passed to callback function when invoked
5316 #
5317 # returns: no return value
5318
5319 Check openssl doc
5320 <http://www.openssl.org/docs/ssl/SSL_CTX_set_default_passwd_cb.html>
5321
5322 • use_PrivateKey
5323
5324 Adds $pkey as private key to $ssl.
5325
5326 my $rv = Net::SSLeay::use_PrivateKey($ssl, $pkey);
5327 # $ssl - value corresponding to openssl's SSL structure
5328 # $pkey - value corresponding to openssl's EVP_PKEY structure
5329 #
5330 # returns: 1 on success, otherwise check out the error stack to find out the reason
5331
5332 Check openssl doc
5333 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5334
5335 • use_PrivateKey_ASN1
5336
5337 Adds the private key of type $pk stored in $data to $ssl.
5338
5339 my $rv = Net::SSLeay::use_PrivateKey_ASN1($pk, $ssl, $d, $len);
5340 # $pk - (integer) key type, NID of corresponding algorithm
5341 # $ssl - value corresponding to openssl's SSL structure
5342 # $data - key data (binary)
5343 # $len - length of $data
5344 #
5345 # returns: 1 on success, otherwise check out the error stack to find out the reason
5346
5347 Check openssl doc
5348 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5349
5350 • use_PrivateKey_file
5351
5352 Adds the first private key found in $file to $ssl.
5353
5354 my $rv = Net::SSLeay::use_PrivateKey_file($ssl, $file, $type);
5355 # $ssl - value corresponding to openssl's SSL structure
5356 # $file - (string) file name
5357 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5358 #
5359 # returns: 1 on success, otherwise check out the error stack to find out the reason
5360
5361 Check openssl doc
5362 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5363
5364 • use_RSAPrivateKey
5365
5366 Adds $rsa as RSA private key to $ssl.
5367
5368 my $rv = Net::SSLeay::use_RSAPrivateKey($ssl, $rsa);
5369 # $ssl - value corresponding to openssl's SSL structure
5370 # $rsa - value corresponding to openssl's RSA structure
5371 #
5372 # returns: 1 on success, otherwise check out the error stack to find out the reason
5373
5374 Check openssl doc
5375 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5376
5377 • use_RSAPrivateKey_ASN1
5378
5379 Adds RSA private key stored in $data to $ssl.
5380
5381 my $rv = Net::SSLeay::use_RSAPrivateKey_ASN1($ssl, $data, $len);
5382 # $ssl - value corresponding to openssl's SSL structure
5383 # $data - key data (binary)
5384 # $len - length of $data
5385 #
5386 # returns: 1 on success, otherwise check out the error stack to find out the reason
5387
5388 Check openssl doc
5389 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5390
5391 • use_RSAPrivateKey_file
5392
5393 Adds the first RSA private key found in $file to $ssl.
5394
5395 my $rv = Net::SSLeay::use_RSAPrivateKey_file($ssl, $file, $type);
5396 # $ssl - value corresponding to openssl's SSL structure
5397 # $file - (string) file name
5398 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5399 #
5400 # returns: 1 on success, otherwise check out the error stack to find out the reason
5401
5402 Check openssl doc
5403 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5404
5405 • use_certificate
5406
5407 Loads the certificate $x into $ssl.
5408
5409 my $rv = Net::SSLeay::use_certificate($ssl, $x);
5410 # $ssl - value corresponding to openssl's SSL structure
5411 # $x - value corresponding to openssl's X509 structure
5412 #
5413 # returns: 1 on success, otherwise check out the error stack to find out the reason
5414
5415 Check openssl doc
5416 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5417
5418 • use_certificate_ASN1
5419
5420 Loads the ASN1 encoded certificate from $data to $ssl.
5421
5422 my $rv = Net::SSLeay::use_certificate_ASN1($ssl, $data, $len);
5423 # $ssl - value corresponding to openssl's SSL structure
5424 # $data - certificate data (binary)
5425 # $len - length of $data
5426 #
5427 # returns: 1 on success, otherwise check out the error stack to find out the reason
5428
5429 Check openssl doc
5430 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5431
5432 • use_certificate_chain_file
5433
5434 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
5435 requires at least OpenSSL 1.1.0
5436
5437 Loads a certificate chain from $file into $ssl. The certificates
5438 must be in PEM format and must be sorted starting with the
5439 subject's certificate (actual client or server certificate),
5440 followed by intermediate CA certificates if applicable, and ending
5441 at the highest level (root) CA.
5442
5443 my $rv = Net::SSLeay::use_certificate_chain_file($ssl, $file);
5444 # $ssl - value corresponding to openssl's SSL structure
5445 # $file - (string) file name
5446 #
5447 # returns: 1 on success, otherwise check out the error stack to find out the reason
5448
5449 Check openssl doc
5450 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5451
5452 • use_certificate_file
5453
5454 Loads the first certificate stored in $file into $ssl.
5455
5456 my $rv = Net::SSLeay::use_certificate_file($ssl, $file, $type);
5457 # $ssl - value corresponding to openssl's SSL structure
5458 # $file - (string) file name
5459 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
5460 #
5461 # returns: 1 on success, otherwise check out the error stack to find out the reason
5462
5463 Check openssl doc
5464 <http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html>
5465
5466 • get_version
5467
5468 Returns SSL/TLS protocol name
5469
5470 my $rv = Net::SSLeay::get_version($ssl);
5471 # $ssl - value corresponding to openssl's SSL structure
5472 #
5473 # returns: (string) protocol name, see OpenSSL manual for the full list
5474 # TLSv1
5475 # TLSv1.3
5476
5477 Check openssl doc
5478 <https://www.openssl.org/docs/manmaster/man3/SSL_get_version.html>
5479
5480 • version
5481
5482 Returns SSL/TLS protocol version
5483
5484 my $rv = Net::SSLeay::version($ssl);
5485 # $ssl - value corresponding to openssl's SSL structure
5486 #
5487 # returns: (integer) protocol version, see OpenSSL manual for the full list
5488 # 0x0301 - TLS1_VERSION (TLSv1)
5489 # 0xFEFF - DTLS1_VERSION (DTLSv1)
5490
5491 Check openssl doc
5492 <https://www.openssl.org/docs/manmaster/man3/SSL_version.html>
5493
5494 • client_version
5495
5496 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5497 requires at least OpenSSL 1.1.0, not in LibreSSL
5498
5499 Returns TLS protocol version used by the client when initiating the
5500 connection
5501
5502 my $rv = Net::SSLeay::client_version($ssl);
5503 # $ssl - value corresponding to openssl's SSL structure
5504 #
5505 # returns: (integer) protocol version, see OpenSSL manual for the full list
5506 # 0x0301 - TLS1_VERSION (TLSv1)
5507 # 0xFEFF - DTLS1_VERSION (DTLSv1)
5508
5509 Check openssl doc
5510 <https://www.openssl.org/docs/manmaster/man3/SSL_client_version.html>
5511
5512 • is_dtls
5513
5514 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5515 requires at least OpenSSL 1.1.0, not in LibreSSL
5516
5517 my $rv = Net::SSLeay::is_dtls($ssl);
5518 # $ssl - value corresponding to openssl's SSL structure
5519 #
5520 # returns: (integer) zero or one
5521 # 0 - connection is not using DTLS
5522 # 1 - connection is using DTLS
5523
5524 Check openssl doc
5525 <https://www.openssl.org/docs/manmaster/man3/SSL_is_dtls.html>
5526
5527 • want
5528
5529 Returns state information for the SSL object $ssl.
5530
5531 my $rv = Net::SSLeay::want($ssl);
5532 # $ssl - value corresponding to openssl's SSL structure
5533 #
5534 # returns: state
5535 # 1 - SSL_NOTHING
5536 # 2 - SSL_WRITING
5537 # 3 - SSL_READING
5538 # 4 - SSL_X509_LOOKUP
5539
5540 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_want.html>
5541
5542 • write
5543
5544 Writes data from the buffer $data into the specified $ssl
5545 connection.
5546
5547 my $rv = Net::SSLeay::write($ssl, $data);
5548 # $ssl - value corresponding to openssl's SSL structure
5549 # $data - data to be written
5550 #
5551 # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection
5552 # 0 - write not successful, probably the underlying connection was closed
5553 # <0 - error
5554
5555 Check openssl doc <http://www.openssl.org/docs/ssl/SSL_write.html>
5556
5557 • write_ex
5558
5559 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5560 requires at least OpenSSL 1.1.1, not in LibreSSL
5561
5562 Writes data from the buffer $data into the specified $ssl
5563 connection.
5564
5565 my ($len, $rv) = Net::SSLeay::write_ex($ssl, $data);
5566 # $ssl - value corresponding to openssl's SSL structure
5567 # $data - data to be written
5568 #
5569 # returns a list: two-item list consisting of number of bytes written,
5570 # and return code from SSL_write_ex()
5571
5572 Check openssl doc
5573 <https://www.openssl.org/docs/manmaster/man3/SSL_write_ex.html>
5574
5575 • write_partial
5576
5577 NOTE: Does not exactly correspond to any low level API function
5578
5579 Writes a fragment of data in $data from the buffer $data into the
5580 specified $ssl connection. This is a non-blocking function like
5581 Net::SSLeay::write().
5582
5583 my $rv = Net::SSLeay::write_partial($ssl, $from, $count, $data);
5584 # $ssl - value corresponding to openssl's SSL structure
5585 # $from - (integer) offset from the beginning of $data
5586 # $count - (integer) length of data to be written
5587 # $data - data buffer
5588 #
5589 # returns: >0 - (success) number of bytes actually written to the TLS/SSL connection
5590 # 0 - write not successful, probably the underlying connection was closed
5591 # <0 - error
5592
5593 • set_tlsext_host_name
5594
5595 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
5596 requires at least openssl-0.9.8f
5597
5598 Sets TLS servername extension on SLL object $ssl to value $name.
5599
5600 my $rv = set_tlsext_host_name($ssl, $name);
5601 # $ssl - value corresponding to openssl's SSL structure
5602 # $name - (string) name to be set
5603 #
5604 # returns: 1 on success, 0 on failure
5605
5606 Low level API: RAND_* related functions
5607
5608 Check openssl doc related to RAND stuff
5609 <http://www.openssl.org/docs/crypto/rand.html>
5610
5611 • RAND_add
5612
5613 Mixes the $num bytes at $buf into the PRNG state.
5614
5615 Net::SSLeay::RAND_add($buf, $num, $entropy);
5616 # $buf - buffer with data to be mixed into the PRNG state
5617 # $num - number of bytes in $buf
5618 # $entropy - estimate of how much randomness is contained in $buf (in bytes)
5619 #
5620 # returns: no return value
5621
5622 Check openssl doc
5623 <http://www.openssl.org/docs/crypto/RAND_add.html>
5624
5625 • RAND_seed
5626
5627 Equivalent to "RAND_add" when $num == $entropy.
5628
5629 Net::SSLeay::RAND_seed($buf); # Perlishly figures out buf size
5630 # $buf - buffer with data to be mixed into the PRNG state
5631 # $num - number of bytes in $buf
5632 #
5633 # returns: no return value
5634
5635 Check openssl doc
5636 <http://www.openssl.org/docs/crypto/RAND_add.html>
5637
5638 • RAND_status
5639
5640 Gives PRNG status (seeded enough or not).
5641
5642 my $rv = Net::SSLeay::RAND_status();
5643 #returns: 1 if the PRNG has been seeded with enough data, 0 otherwise
5644
5645 Check openssl doc
5646 <http://www.openssl.org/docs/crypto/RAND_add.html>
5647
5648 • RAND_bytes
5649
5650 Puts $num cryptographically strong pseudo-random bytes into $buf.
5651
5652 my $rv = Net::SSLeay::RAND_bytes($buf, $num);
5653 # $buf - buffer where the random data will be stored
5654 # $num - the size (in bytes) of requested random data
5655 #
5656 # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure
5657
5658 Check openssl doc
5659 <http://www.openssl.org/docs/manmaster/man3/RAND_bytes.html>
5660
5661 • RAND_priv_bytes
5662
5663 COMPATIBILITY: not available in Net-SSLeay-1.85 and before;
5664 requires at least OpenSSL 1.1.1, not in LibreSSL
5665
5666 Puts $num cryptographically strong pseudo-random bytes into $buf.
5667
5668 my $rv = Net::SSLeay::RAND_priv_bytes($buf, $num);
5669 # $buf - buffer where the random data will be stored
5670 # $num - the size (in bytes) of requested random data
5671 #
5672 # returns: 1 on success, -1 if not supported by the current RAND method, or 0 on other failure
5673
5674 RAND_priv_bytes has the same semantics as RAND_bytes, but see see
5675 the documentation for more information.
5676
5677 Check openssl doc
5678 <http://www.openssl.org/docs/manmaster/man3/RAND_priv_bytes.html>
5679
5680 • RAND_pseudo_bytes
5681
5682 Puts $num pseudo-random (not necessarily unpredictable) bytes into
5683 $buf.
5684
5685 my $rv = Net::SSLeay::RAND_pseudo_bytes($buf, $num);
5686 # $buf - buffer where the random data will be stored
5687 # $num - the size (in bytes) of requested random data
5688 #
5689 # returns: 1 if the bytes generated are cryptographically strong, 0 otherwise
5690
5691 Check openssl doc
5692 <http://www.openssl.org/docs/crypto/RAND_bytes.html>
5693
5694 • RAND_cleanup
5695
5696 Erase the PRNG state.
5697
5698 Net::SSLeay::RAND_cleanup();
5699 # no args, no return value
5700
5701 Check openssl doc
5702 <http://www.openssl.org/docs/crypto/RAND_cleanup.html>
5703
5704 • RAND_egd_bytes
5705
5706 Queries the entropy gathering daemon EGD on socket $path for $bytes
5707 bytes.
5708
5709 my $rv = Net::SSLeay::RAND_egd_bytes($path, $bytes);
5710 # $path - path to a socket of entropy gathering daemon EGD
5711 # $bytes - number of bytes we want from EGD
5712 #
5713 # returns: the number of bytes read from the daemon on success, and -1 on failure
5714
5715 Check openssl doc
5716 <http://www.openssl.org/docs/crypto/RAND_egd.html>
5717
5718 • RAND_file_name
5719
5720 Generates a default path for the random seed file.
5721
5722 my $file = Net::SSLeay::RAND_file_name($num);
5723 # $num - maximum size of returned file name
5724 #
5725 # returns: string with file name on success, '' (empty string) on failure
5726
5727 Check openssl doc
5728 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5729
5730 • RAND_load_file
5731
5732 COMPATIBILITY: Is no longer functional on LibreSSL
5733
5734 Reads $max_bytes of bytes from $file_name and adds them to the
5735 PRNG.
5736
5737 my $rv = Net::SSLeay::RAND_load_file($file_name, $max_bytes);
5738 # $file_name - the name of file
5739 # $max_bytes - bytes to read from $file_name; -1 => the complete file is read
5740 #
5741 # returns: the number of bytes read
5742
5743 Check openssl doc
5744 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5745
5746 • RAND_write_file
5747
5748 Writes 1024 random bytes to $file_name which can be used to
5749 initialize the PRNG by calling "RAND_load_file" in a later session.
5750
5751 my $rv = Net::SSLeay::RAND_write_file($file_name);
5752 # $file_name - the name of file
5753 #
5754 # returns: the number of bytes written, and -1 if the bytes written were generated without appropriate seed
5755
5756 Check openssl doc
5757 <http://www.openssl.org/docs/crypto/RAND_load_file.html>
5758
5759 • RAND_poll
5760
5761 Collects some entropy from operating system and adds it to the
5762 PRNG.
5763
5764 my $rv = Net::SSLeay::RAND_poll();
5765 # returns: 1 on success, 0 on failure (unable to gather reasonable entropy)
5766
5767 Low level API: OBJ_* related functions
5768
5769 • OBJ_cmp
5770
5771 Compares ASN1_OBJECT $a to ASN1_OBJECT $b.
5772
5773 my $rv = Net::SSLeay::OBJ_cmp($a, $b);
5774 # $a - value corresponding to openssl's ASN1_OBJECT structure
5775 # $b - value corresponding to openssl's ASN1_OBJECT structure
5776 #
5777 # returns: if the two are identical 0 is returned
5778
5779 Check openssl doc
5780 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5781
5782 • OBJ_dup
5783
5784 Returns a copy/duplicate of $o.
5785
5786 my $rv = Net::SSLeay::OBJ_dup($o);
5787 # $o - value corresponding to openssl's ASN1_OBJECT structure
5788 #
5789 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5790
5791 Check openssl doc
5792 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5793
5794 • OBJ_nid2ln
5795
5796 Returns long name for given NID $n.
5797
5798 my $rv = Net::SSLeay::OBJ_nid2ln($n);
5799 # $n - (integer) NID
5800 #
5801 # returns: (string) long name e.g. 'commonName'
5802
5803 Check openssl doc
5804 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5805
5806 • OBJ_ln2nid
5807
5808 Returns NID corresponding to given long name $n.
5809
5810 my $rv = Net::SSLeay::OBJ_ln2nid($s);
5811 # $s - (string) long name e.g. 'commonName'
5812 #
5813 # returns: (integer) NID
5814
5815 • OBJ_nid2sn
5816
5817 Returns short name for given NID $n.
5818
5819 my $rv = Net::SSLeay::OBJ_nid2sn($n);
5820 # $n - (integer) NID
5821 #
5822 # returns: (string) short name e.g. 'CN'
5823
5824 Example:
5825
5826 print Net::SSLeay::OBJ_nid2sn(&Net::SSLeay::NID_commonName);
5827
5828 • OBJ_sn2nid
5829
5830 Returns NID corresponding to given short name $s.
5831
5832 my $rv = Net::SSLeay::OBJ_sn2nid($s);
5833 # $s - (string) short name e.g. 'CN'
5834 #
5835 # returns: (integer) NID
5836
5837 Example:
5838
5839 print "NID_commonName constant=", &Net::SSLeay::NID_commonName;
5840 print "OBJ_sn2nid('CN')=", Net::SSLeay::OBJ_sn2nid('CN');
5841
5842 • OBJ_nid2obj
5843
5844 Returns ASN1_OBJECT for given NID $n.
5845
5846 my $rv = Net::SSLeay::OBJ_nid2obj($n);
5847 # $n - (integer) NID
5848 #
5849 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5850
5851 Check openssl doc
5852 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5853
5854 • OBJ_obj2nid
5855
5856 Returns NID corresponding to given ASN1_OBJECT $o.
5857
5858 my $rv = Net::SSLeay::OBJ_obj2nid($o);
5859 # $o - value corresponding to openssl's ASN1_OBJECT structure
5860 #
5861 # returns: (integer) NID
5862
5863 Check openssl doc
5864 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5865
5866 • OBJ_txt2obj
5867
5868 Converts the text string s into an ASN1_OBJECT structure. If
5869 $no_name is 0 then long names (e.g. 'commonName') and short names
5870 (e.g. 'CN') will be interpreted as well as numerical forms (e.g.
5871 '2.5.4.3'). If $no_name is 1 only the numerical form is acceptable.
5872
5873 my $rv = Net::SSLeay::OBJ_txt2obj($s, $no_name);
5874 # $s - text string to be converted
5875 # $no_name - (integer) 0 or 1
5876 #
5877 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
5878
5879 Check openssl doc
5880 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5881
5882 • OBJ_obj2txt
5883
5884 Converts the ASN1_OBJECT a into a textual representation.
5885
5886 Net::SSLeay::OBJ_obj2txt($a, $no_name);
5887 # $a - value corresponding to openssl's ASN1_OBJECT structure
5888 # $no_name - (integer) 0 or 1
5889 #
5890 # returns: textual representation e.g. 'commonName' ($no_name=0), '2.5.4.3' ($no_name=1)
5891
5892 Check openssl doc
5893 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5894
5895 • OBJ_txt2nid
5896
5897 Returns NID corresponding to text string $s which can be a long
5898 name, a short name or the numerical representation of an object.
5899
5900 my $rv = Net::SSLeay::OBJ_txt2nid($s);
5901 # $s - (string) e.g. 'commonName' or 'CN' or '2.5.4.3'
5902 #
5903 # returns: (integer) NID
5904
5905 Example:
5906
5907 my $nid = Net::SSLeay::OBJ_txt2nid('2.5.4.3');
5908 Net::SSLeay::OBJ_nid2sn($n);
5909
5910 Check openssl doc
5911 <http://www.openssl.org/docs/crypto/OBJ_nid2obj.html>
5912
5913 Low level API: ASN1_INTEGER_* related functions
5914
5915 • ASN1_INTEGER_new
5916
5917 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5918
5919 Creates a new ASN1_INTEGER structure.
5920
5921 my $rv = Net::SSLeay::ASN1_INTEGER_new();
5922 #
5923 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
5924
5925 • ASN1_INTEGER_free
5926
5927 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5928
5929 Free an allocated ASN1_INTEGER structure.
5930
5931 Net::SSLeay::ASN1_INTEGER_free($i);
5932 # $i - value corresponding to openssl's ASN1_INTEGER structure
5933 #
5934 # returns: no return value
5935
5936 • ASN1_INTEGER_get
5937
5938 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5939
5940 Returns integer value of given ASN1_INTEGER object.
5941
5942 BEWARE: If the value stored in ASN1_INTEGER is greater than max.
5943 integer that can be stored in 'long' type (usually 32bit but may
5944 vary according to platform) then this function will return -1. For
5945 getting large ASN1_INTEGER values consider using
5946 "P_ASN1_INTEGER_get_dec" or "P_ASN1_INTEGER_get_hex".
5947
5948 my $rv = Net::SSLeay::ASN1_INTEGER_get($a);
5949 # $a - value corresponding to openssl's ASN1_INTEGER structure
5950 #
5951 # returns: integer value of ASN1_INTEGER object in $a
5952
5953 • ASN1_INTEGER_set
5954
5955 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5956
5957 Sets value of given ASN1_INTEGER object to value $val
5958
5959 BEWARE: $val has max. limit (= max. integer that can be stored in
5960 'long' type). For setting large ASN1_INTEGER values consider using
5961 "P_ASN1_INTEGER_set_dec" or "P_ASN1_INTEGER_set_hex".
5962
5963 my $rv = Net::SSLeay::ASN1_INTEGER_set($i, $val);
5964 # $i - value corresponding to openssl's ASN1_INTEGER structure
5965 # $val - integer value
5966 #
5967 # returns: 1 on success, 0 on failure
5968
5969 • P_ASN1_INTEGER_get_dec
5970
5971 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5972
5973 Returns string with decimal representation of integer value of
5974 given ASN1_INTEGER object.
5975
5976 Net::SSLeay::P_ASN1_INTEGER_get_dec($i);
5977 # $i - value corresponding to openssl's ASN1_INTEGER structure
5978 #
5979 # returns: string with decimal representation
5980
5981 • P_ASN1_INTEGER_get_hex
5982
5983 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5984
5985 Returns string with hexadecimal representation of integer value of
5986 given ASN1_INTEGER object.
5987
5988 Net::SSLeay::P_ASN1_INTEGER_get_hex($i);
5989 # $i - value corresponding to openssl's ASN1_INTEGER structure
5990 #
5991 # returns: string with hexadecimal representation
5992
5993 • P_ASN1_INTEGER_set_dec
5994
5995 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
5996
5997 Sets value of given ASN1_INTEGER object to value $val (decimal
5998 string, suitable for large integers)
5999
6000 Net::SSLeay::P_ASN1_INTEGER_set_dec($i, $str);
6001 # $i - value corresponding to openssl's ASN1_INTEGER structure
6002 # $str - string with decimal representation
6003 #
6004 # returns: 1 on success, 0 on failure
6005
6006 • P_ASN1_INTEGER_set_hex
6007
6008 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6009
6010 Sets value of given ASN1_INTEGER object to value $val (hexadecimal
6011 string, suitable for large integers)
6012
6013 Net::SSLeay::P_ASN1_INTEGER_set_hex($i, $str);
6014 # $i - value corresponding to openssl's ASN1_INTEGER structure
6015 # $str - string with hexadecimal representation
6016 #
6017 # returns: 1 on success, 0 on failure
6018
6019 Low level API: ASN1_STRING_* related functions
6020
6021 • P_ASN1_STRING_get
6022
6023 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6024
6025 Returns string value of given ASN1_STRING object.
6026
6027 Net::SSLeay::P_ASN1_STRING_get($s, $utf8_decode);
6028 # $s - value corresponding to openssl's ASN1_STRING structure
6029 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
6030 #
6031 # returns: string
6032
6033 $string = Net::SSLeay::P_ASN1_STRING_get($s);
6034 #is the same as:
6035 $string = Net::SSLeay::P_ASN1_STRING_get($s, 0);
6036
6037 Low level API: ASN1_TIME_* related functions
6038
6039 • ASN1_TIME_new
6040
6041 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6042
6043 my $time = ASN1_TIME_new();
6044 # returns: value corresponding to openssl's ASN1_TIME structure
6045
6046 • ASN1_TIME_free
6047
6048 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6049
6050 ASN1_TIME_free($time);
6051 # $time - value corresponding to openssl's ASN1_TIME structure
6052
6053 • ASN1_TIME_set
6054
6055 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
6056
6057 ASN1_TIME_set($time, $t);
6058 # $time - value corresponding to openssl's ASN1_TIME structure
6059 # $t - time value in seconds since 1.1.1970
6060
6061 BEWARE: It is platform dependent how this function will handle
6062 dates after 2038. Although perl's integer is large enough the
6063 internal implementation of this function is dependent on the size
6064 of time_t structure (32bit time_t has problem with 2038).
6065
6066 If you want to safely set date and time after 2038 use function
6067 "P_ASN1_TIME_set_isotime".
6068
6069 • P_ASN1_TIME_get_isotime
6070
6071 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
6072 requires at least openssl-0.9.7e
6073
6074 NOTE: Does not exactly correspond to any low level API function
6075
6076 Gives ISO-8601 string representation of ASN1_TIME structure.
6077
6078 my $datetime_string = P_ASN1_TIME_get_isotime($time);
6079 # $time - value corresponding to openssl's ASN1_TIME structure
6080 #
6081 # returns: datetime string like '2033-05-16T20:39:37Z' or '' on failure
6082
6083 The output format is compatible with module
6084 DateTime::Format::RFC3339
6085
6086 • P_ASN1_TIME_set_isotime
6087
6088 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
6089 requires at least openssl-0.9.7e
6090
6091 NOTE: Does not exactly correspond to any low level API function
6092
6093 Sets time and date value of ANS1_time structure.
6094
6095 my $rv = P_ASN1_TIME_set_isotime($time, $string);
6096 # $time - value corresponding to openssl's ASN1_TIME structure
6097 # $string - ISO-8601 timedate string like '2033-05-16T20:39:37Z'
6098 #
6099 # returns: 1 on success, 0 on failure
6100
6101 The $string parameter has to be in full form like
6102 "2012-03-22T23:55:33" or "2012-03-22T23:55:33Z" or
6103 "2012-03-22T23:55:33CET". Short forms like "2012-03-22T23:55" or
6104 "2012-03-22" are not supported.
6105
6106 • P_ASN1_TIME_put2string
6107
6108 COMPATIBILITY: not available in Net-SSLeay-1.42 and before, has
6109 bugs with openssl-0.9.8i
6110
6111 NOTE: Does not exactly correspond to any low level API function
6112
6113 Gives string representation of ASN1_TIME structure.
6114
6115 my $str = P_ASN1_TIME_put2string($time);
6116 # $time - value corresponding to openssl's ASN1_TIME structure
6117 #
6118 # returns: datetime string like 'May 16 20:39:37 2033 GMT'
6119
6120 • P_ASN1_UTCTIME_put2string
6121
6122 NOTE: deprecated function, only for backward compatibility, just an
6123 alias for "P_ASN1_TIME_put2string"
6124
6125 Low level API: X509_* related functions
6126
6127 • X509_new
6128
6129 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6130
6131 Allocates and initializes a X509 structure.
6132
6133 my $rv = Net::SSLeay::X509_new();
6134 #
6135 # returns: value corresponding to openssl's X509 structure (0 on failure)
6136
6137 Check openssl doc
6138 <http://www.openssl.org/docs/crypto/X509_new.html>
6139
6140 • X509_free
6141
6142 Frees up the X509 structure.
6143
6144 Net::SSLeay::X509_free($a);
6145 # $a - value corresponding to openssl's X509 structure
6146 #
6147 # returns: no return value
6148
6149 Check openssl doc
6150 <http://www.openssl.org/docs/crypto/X509_new.html>
6151
6152 • X509_check_host
6153
6154 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6155 requires at least OpenSSL 1.0.2.
6156 X509_CHECK_FLAG_NEVER_CHECK_SUBJECT requires OpenSSL 1.1.0.
6157
6158 Checks if the certificate Subject Alternative Name (SAN) or Subject
6159 CommonName (CN) matches the specified host name.
6160
6161 my $rv = Net::SSLeay::X509_check_host($cert, $name, $flags, $peername);
6162 # $cert - value corresponding to openssl's X509 structure
6163 # $name - host name to check
6164 # $flags (optional, default: 0) - can be the bitwise OR of:
6165 # &Net::SSLeay::X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
6166 # &Net::SSLeay::X509_CHECK_FLAG_NO_WILDCARDS
6167 # &Net::SSLeay::X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
6168 # &Net::SSLeay::X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
6169 # &Net::SSLeay::X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
6170 # &Net::SSLeay::X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
6171 # $peername (optional) - If not omitted and $host matches $cert,
6172 # a copy of the matching SAN or CN from
6173 # the peer certificate is stored in $peername.
6174 #
6175 # returns:
6176 # 1 for a successful match
6177 # 0 for a failed match
6178 # -1 for an internal error
6179 # -2 if the input is malformed
6180
6181 Check openssl doc
6182 <https://www.openssl.org/docs/crypto/X509_check_host.html>.
6183
6184 • X509_check_email
6185
6186 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6187 requires at least OpenSSL 1.0.2.
6188
6189 Checks if the certificate matches the specified email address.
6190
6191 my $rv = Net::SSLeay::X509_check_email($cert, $address, $flags);
6192 # $cert - value corresponding to openssl's X509 structure
6193 # $address - email address to check
6194 # $flags (optional, default: 0) - see X509_check_host()
6195 #
6196 # returns: see X509_check_host()
6197
6198 Check openssl doc
6199 <https://www.openssl.org/docs/crypto/X509_check_email.html>.
6200
6201 • X509_check_ip
6202
6203 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6204 requires at least OpenSSL 1.0.2.
6205
6206 Checks if the certificate matches the specified IPv4 or IPv6
6207 address.
6208
6209 my $rv = Net::SSLeay::X509_check_ip($cert, $address, $flags);
6210 # $cert - value corresponding to openssl's X509 structure
6211 # $address - IP address to check in binary format, in network byte order
6212 # $flags (optional, default: 0) - see X509_check_host()
6213 #
6214 # returns: see X509_check_host()
6215
6216 Check openssl doc
6217 <https://www.openssl.org/docs/crypto/X509_check_ip.html>.
6218
6219 • X509_check_ip_asc
6220
6221 COMPATIBILITY: not available in Net-SSLeay-1.68 and before;
6222 requires at least OpenSSL 1.0.2.
6223
6224 Checks if the certificate matches the specified IPv4 or IPv6
6225 address.
6226
6227 my $rv = Net::SSLeay::X509_check_ip_asc($cert, $address, $flags);
6228 # $cert - value corresponding to openssl's X509 structure
6229 # $address - IP address to check in text representation
6230 # $flags (optional, default: 0) - see X509_check_host()
6231 #
6232 # returns: see X509_check_host()
6233
6234 Check openssl doc
6235 <https://www.openssl.org/docs/crypto/X509_check_ip_asc.html>.
6236
6237 • X509_certificate_type
6238
6239 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6240
6241 Returns bitmask with type of certificate $x.
6242
6243 my $rv = Net::SSLeay::X509_certificate_type($x);
6244 # $x - value corresponding to openssl's X509 structure
6245 #
6246 # returns: (integer) bitmask with certificate type
6247
6248 #to decode bitmask returned by this function use these constants:
6249 &Net::SSLeay::EVP_PKS_DSA
6250 &Net::SSLeay::EVP_PKS_EC
6251 &Net::SSLeay::EVP_PKS_RSA
6252 &Net::SSLeay::EVP_PKT_ENC
6253 &Net::SSLeay::EVP_PKT_EXCH
6254 &Net::SSLeay::EVP_PKT_EXP
6255 &Net::SSLeay::EVP_PKT_SIGN
6256 &Net::SSLeay::EVP_PK_DH
6257 &Net::SSLeay::EVP_PK_DSA
6258 &Net::SSLeay::EVP_PK_EC
6259 &Net::SSLeay::EVP_PK_RSA
6260
6261 • X509_digest
6262
6263 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6264
6265 Computes digest/fingerprint of X509 $data using $type hash
6266 function.
6267
6268 my $digest_value = Net::SSLeay::X509_digest($data, $type);
6269 # $data - value corresponding to openssl's X509 structure
6270 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
6271 #
6272 # returns: hash value (binary)
6273
6274 #to get printable (hex) value of digest use:
6275 print unpack('H*', $digest_value);
6276
6277 • X509_issuer_and_serial_hash
6278
6279 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6280
6281 Sort of a checksum of issuer name and serial number of X509
6282 certificate $x. The result is not a full hash (e.g. sha-1), it is
6283 kind-of-a-hash truncated to the size of 'unsigned long' (32 bits).
6284 The resulting value might differ across different openssl versions
6285 for the same X509 certificate.
6286
6287 my $rv = Net::SSLeay::X509_issuer_and_serial_hash($x);
6288 # $x - value corresponding to openssl's X509 structure
6289 #
6290 # returns: number representing checksum
6291
6292 • X509_issuer_name_hash
6293
6294 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6295
6296 Sort of a checksum of issuer name of X509 certificate $x. The
6297 result is not a full hash (e.g. sha-1), it is kind-of-a-hash
6298 truncated to the size of 'unsigned long' (32 bits). The resulting
6299 value might differ across different openssl versions for the same
6300 X509 certificate.
6301
6302 my $rv = Net::SSLeay::X509_issuer_name_hash($x);
6303 # $x - value corresponding to openssl's X509 structure
6304 #
6305 # returns: number representing checksum
6306
6307 • X509_subject_name_hash
6308
6309 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6310
6311 Sort of a checksum of subject name of X509 certificate $x. The
6312 result is not a full hash (e.g. sha-1), it is kind-of-a-hash
6313 truncated to the size of 'unsigned long' (32 bits). The resulting
6314 value might differ across different openssl versions for the same
6315 X509 certificate.
6316
6317 my $rv = Net::SSLeay::X509_subject_name_hash($x);
6318 # $x - value corresponding to openssl's X509 structure
6319 #
6320 # returns: number representing checksum
6321
6322 • X509_pubkey_digest
6323
6324 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6325 requires at least openssl-0.9.7
6326
6327 Computes digest/fingerprint of public key from X509 certificate
6328 $data using $type hash function.
6329
6330 my $digest_value = Net::SSLeay::X509_pubkey_digest($data, $type);
6331 # $data - value corresponding to openssl's X509 structure
6332 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
6333 #
6334 # returns: hash value (binary)
6335
6336 #to get printable (hex) value of digest use:
6337 print unpack('H*', $digest_value);
6338
6339 • X509_set_issuer_name
6340
6341 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6342
6343 Sets issuer of X509 certificate $x to $name.
6344
6345 my $rv = Net::SSLeay::X509_set_issuer_name($x, $name);
6346 # $x - value corresponding to openssl's X509 structure
6347 # $name - value corresponding to openssl's X509_NAME structure
6348 #
6349 # returns: 1 on success, 0 on failure
6350
6351 • X509_set_pubkey
6352
6353 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6354
6355 Sets public key of X509 certificate $x to $pkey.
6356
6357 my $rv = Net::SSLeay::X509_set_pubkey($x, $pkey);
6358 # $x - value corresponding to openssl's X509 structure
6359 # $pkey - value corresponding to openssl's EVP_PKEY structure
6360 #
6361 # returns: 1 on success, 0 on failure
6362
6363 • X509_set_serialNumber
6364
6365 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6366
6367 Sets serial number of X509 certificate $x to $serial.
6368
6369 my $rv = Net::SSLeay::X509_set_serialNumber($x, $serial);
6370 # $x - value corresponding to openssl's X509 structure
6371 # $serial - value corresponding to openssl's ASN1_INTEGER structure
6372 #
6373 # returns: 1 on success, 0 on failure
6374
6375 #to create $serial value use one of these:
6376 $serial = Net::SSLeay::P_ASN1_INTEGER_set_hex('45ad6f');
6377 $serial = Net::SSLeay::P_ASN1_INTEGER_set_dec('7896541238529631478');
6378 $serial = Net::SSLeay::ASN1_INTEGER_set(45896);
6379
6380 • X509_set_subject_name
6381
6382 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6383
6384 Sets subject of X509 certificate $x to $name.
6385
6386 my $rv = Net::SSLeay::X509_set_subject_name($x, $name);
6387 # $x - value corresponding to openssl's X509 structure
6388 # $name - value corresponding to openssl's X509_NAME structure
6389 #
6390 # returns: 1 on success, 0 on failure
6391
6392 • X509_set_version
6393
6394 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6395
6396 Set 'version' value for X509 certificate $ to $version.
6397
6398 my $rv = Net::SSLeay::X509_set_version($x, $version);
6399 # $x - value corresponding to openssl's X509 structure
6400 # $version - (integer) version number
6401 #
6402 # returns: 1 on success, 0 on failure
6403
6404 • X509_sign
6405
6406 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6407
6408 Sign X509 certificate $x with private key $pkey (using digest
6409 algorithm $md).
6410
6411 my $rv = Net::SSLeay::X509_sign($x, $pkey, $md);
6412 # $x - value corresponding to openssl's X509 structure
6413 # $pkey - value corresponding to openssl's EVP_PKEY structure
6414 # $md - value corresponding to openssl's EVP_MD structure
6415 #
6416 # returns: 1 on success, 0 on failure
6417
6418 • X509_verify
6419
6420 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6421
6422 Verifies X509 object $a using public key $r (pubkey of issuing CA).
6423
6424 my $rv = Net::SSLeay::X509_verify($x, $r);
6425 # $x - value corresponding to openssl's X509 structure
6426 # $r - value corresponding to openssl's EVP_PKEY structure
6427 #
6428 # returns: 0 - verify failure, 1 - verify OK, <0 - error
6429
6430 • X509_get_ext_count
6431
6432 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6433
6434 Returns the total number of extensions in X509 object $x.
6435
6436 my $rv = Net::SSLeay::X509_get_ext_count($x);
6437 # $x - value corresponding to openssl's X509 structure
6438 #
6439 # returns: count of extensions
6440
6441 • X509_get_pubkey
6442
6443 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6444
6445 Returns public key corresponding to given X509 object $x.
6446
6447 my $rv = Net::SSLeay::X509_get_pubkey($x);
6448 # $x - value corresponding to openssl's X509 structure
6449 #
6450 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
6451
6452 NOTE: This method returns only the public key's key bits, without
6453 the algorithm or parameters. Use "X509_get_X509_PUBKEY()" to
6454 return the full public key (SPKI) instead.
6455
6456 • X509_get_X509_PUBKEY
6457
6458 COMPATIBILITY: not available in Net-SSLeay-1.72 and before
6459
6460 Returns the full public key (SPKI) of given X509 certificate $x.
6461
6462 Net::SSLeay::X509_get_X509_PUBKEY($x);
6463 # $x - value corresponding to openssl's X509 structure
6464 #
6465 # returns: public key data in DER format (binary)
6466
6467 • X509_get_serialNumber
6468
6469 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6470
6471 Returns serial number of X509 certificate $x.
6472
6473 my $rv = Net::SSLeay::X509_get_serialNumber($x);
6474 # $x - value corresponding to openssl's X509 structure
6475 #
6476 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
6477
6478 See "P_ASN1_INTEGER_get_dec", "P_ASN1_INTEGER_get_hex" or
6479 "ASN1_INTEGER_get" to decode ASN1_INTEGER object.
6480
6481 • X509_get0_serialNumber
6482
6483 COMPATIBILITY: available in Net-SSLeay-1.86 onwards
6484
6485 X509_get0_serialNumber() is the same as X509_get_serialNumber()
6486 except it accepts a const parameter and returns a const result.
6487
6488 • X509_get_version
6489
6490 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6491
6492 Returns 'version' value of given X509 certificate $x.
6493
6494 my $rv = Net::SSLeay::X509_get_version($x);
6495 # $x - value corresponding to openssl's X509 structure
6496 #
6497 # returns: (integer) version
6498
6499 • X509_get_ext
6500
6501 Returns X509_EXTENSION from $x509 based on given position/index.
6502
6503 my $rv = Net::SSLeay::X509_get_ext($x509, $index);
6504 # $x509 - value corresponding to openssl's X509 structure
6505 # $index - (integer) position/index of extension within $x509
6506 #
6507 # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure)
6508
6509 • X509_get_ext_by_NID
6510
6511 Returns X509_EXTENSION from $x509 based on given NID.
6512
6513 my $rv = Net::SSLeay::X509_get_ext_by_NID($x509, $nid, $loc);
6514 # $x509 - value corresponding to openssl's X509 structure
6515 # $nid - (integer) NID value
6516 # $loc - (integer) position to start lookup at
6517 #
6518 # returns: position/index of extension, negative value on error
6519 # call Net::SSLeay::X509_get_ext($x509, $rv) to get the actual extension
6520
6521 • X509_get_fingerprint
6522
6523 Returns fingerprint of certificate $cert.
6524
6525 NOTE: Does not exactly correspond to any low level API function.
6526 The implementation is basen on openssl's "X509_digest()".
6527
6528 Net::SSLeay::X509_get_fingerprint($x509, $type);
6529 # $x509 - value corresponding to openssl's X509 structure
6530 # $type - (string) digest type, currently supported values:
6531 # "md5"
6532 # "sha1"
6533 # "sha256"
6534 # "ripemd160"
6535 #
6536 # returns: certificate digest - hexadecimal string (NOT binary data!)
6537
6538 • X509_get_issuer_name
6539
6540 Return an X509_NAME object representing the issuer of the
6541 certificate $cert.
6542
6543 my $rv = Net::SSLeay::X509_get_issuer_name($cert);
6544 # $cert - value corresponding to openssl's X509 structure
6545 #
6546 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
6547
6548 • X509_get_notAfter
6549
6550 Return an object giving the time after which the certificate $cert
6551 is not valid.
6552
6553 my $rv = Net::SSLeay::X509_get_notAfter($cert);
6554 # $cert - value corresponding to openssl's X509 structure
6555 #
6556 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6557
6558 To get human readable/printable form the return value you can use:
6559
6560 my $time = Net::SSLeay::X509_get_notAfter($cert);
6561 print "notAfter=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
6562
6563 • X509_get_notBefore
6564
6565 Return an object giving the time before which the certificate $cert
6566 is not valid
6567
6568 my $rv = Net::SSLeay::X509_get_notBefore($cert);
6569 # $cert - value corresponding to openssl's X509 structure
6570 #
6571 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6572
6573 To get human readable/printable form the return value you can use:
6574
6575 my $time = Net::SSLeay::X509_get_notBefore($cert);
6576 print "notBefore=", Net::SSLeay::P_ASN1_TIME_get_isotime($time), "\n";
6577
6578 • X509_get_subjectAltNames
6579
6580 NOTE: Does not exactly correspond to any low level API function.
6581
6582 Returns the list of alternative subject names from X509 certificate
6583 $cert.
6584
6585 my @rv = Net::SSLeay::X509_get_subjectAltNames($cert);
6586 # $cert - value corresponding to openssl's X509 structure
6587 #
6588 # returns: list containing pairs - name_type (integer), name_value (string)
6589 # where name_type can be:
6590 # 0 - GEN_OTHERNAME
6591 # 1 - GEN_EMAIL
6592 # 2 - GEN_DNS
6593 # 3 - GEN_X400
6594 # 4 - GEN_DIRNAME
6595 # 5 - GEN_EDIPARTY
6596 # 6 - GEN_URI
6597 # 7 - GEN_IPADD
6598 # 8 - GEN_RID
6599
6600 Note: type 7 - GEN_IPADD contains the IP address as a packed binary
6601 address. GEN_RID is available in Net-SSLeay-1.90 and later. Maximum
6602 length for returned RID string is currently 2500. Invalid and
6603 overly long RID values are skipped and not returned. GEN_X400 and
6604 GEN_EDIPARTY are not supported and will not be returned even when
6605 present in the certificate.
6606
6607 • X509_get_subject_name
6608
6609 Returns the subject of the certificate $cert.
6610
6611 my $rv = Net::SSLeay::X509_get_subject_name($cert);
6612 # $cert - value corresponding to openssl's X509 structure
6613 #
6614 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
6615
6616 • X509_gmtime_adj
6617
6618 Adjust th ASN1_TIME object to the timestamp (in GMT).
6619
6620 my $rv = Net::SSLeay::X509_gmtime_adj($s, $adj);
6621 # $s - value corresponding to openssl's ASN1_TIME structure
6622 # $adj - timestamp (seconds since 1.1.1970)
6623 #
6624 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
6625
6626 BEWARE: this function may fail for dates after 2038 as it is
6627 dependent on time_t size on your system (32bit time_t does not work
6628 after 2038). Consider using "P_ASN1_TIME_set_isotime" instead).
6629
6630 • X509_load_cert_crl_file
6631
6632 Takes PEM file and loads all X509 certificates and X509 CRLs from
6633 that file into X509_LOOKUP structure.
6634
6635 my $rv = Net::SSLeay::X509_load_cert_crl_file($ctx, $file, $type);
6636 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6637 # $file - (string) file name
6638 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6639 # if not FILETYPE_PEM then behaves as Net::SSLeay::X509_load_cert_file()
6640 #
6641 # returns: 1 on success, 0 on failure
6642
6643 • X509_load_cert_file
6644
6645 Loads/adds X509 certificate from $file to X509_LOOKUP structure
6646
6647 my $rv = Net::SSLeay::X509_load_cert_file($ctx, $file, $type);
6648 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6649 # $file - (string) file name
6650 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6651 #
6652 # returns: 1 on success, 0 on failure
6653
6654 • X509_load_crl_file
6655
6656 Loads/adds X509 CRL from $file to X509_LOOKUP structure
6657
6658 my $rv = Net::SSLeay::X509_load_crl_file($ctx, $file, $type);
6659 # $ctx - value corresponding to openssl's X509_LOOKUP structure
6660 # $file - (string) file name
6661 # $type - (integer) type - use constants &Net::SSLeay::FILETYPE_PEM or &Net::SSLeay::FILETYPE_ASN1
6662 #
6663 # returns: 1 on success, 0 on failure
6664
6665 • X509_policy_level_get0_node
6666
6667 ??? (more info needed)
6668
6669 my $rv = Net::SSLeay::X509_policy_level_get0_node($level, $i);
6670 # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
6671 # $i - (integer) index/position
6672 #
6673 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6674
6675 • X509_policy_level_node_count
6676
6677 ??? (more info needed)
6678
6679 my $rv = Net::SSLeay::X509_policy_level_node_count($level);
6680 # $level - value corresponding to openssl's X509_POLICY_LEVEL structure
6681 #
6682 # returns: (integer) node count
6683
6684 • X509_policy_node_get0_parent
6685
6686 ??? (more info needed)
6687
6688 my $rv = Net::SSLeay::X509_policy_node_get0_parent($node);
6689 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6690 #
6691 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6692
6693 • X509_policy_node_get0_policy
6694
6695 ??? (more info needed)
6696
6697 my $rv = Net::SSLeay::X509_policy_node_get0_policy($node);
6698 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6699 #
6700 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6701
6702 • X509_policy_node_get0_qualifiers
6703
6704 ??? (more info needed)
6705
6706 my $rv = Net::SSLeay::X509_policy_node_get0_qualifiers($node);
6707 # $node - value corresponding to openssl's X509_POLICY_NODE structure
6708 #
6709 # returns: value corresponding to openssl's STACK_OF(POLICYQUALINFO) structure (0 on failure)
6710
6711 • X509_policy_tree_free
6712
6713 ??? (more info needed)
6714
6715 Net::SSLeay::X509_policy_tree_free($tree);
6716 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6717 #
6718 # returns: no return value
6719
6720 • X509_policy_tree_get0_level
6721
6722 ??? (more info needed)
6723
6724 my $rv = Net::SSLeay::X509_policy_tree_get0_level($tree, $i);
6725 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6726 # $i - (integer) level index
6727 #
6728 # returns: value corresponding to openssl's X509_POLICY_LEVEL structure (0 on failure)
6729
6730 • X509_policy_tree_get0_policies
6731
6732 ??? (more info needed)
6733
6734 my $rv = Net::SSLeay::X509_policy_tree_get0_policies($tree);
6735 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6736 #
6737 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6738
6739 • X509_policy_tree_get0_user_policies
6740
6741 ??? (more info needed)
6742
6743 my $rv = Net::SSLeay::X509_policy_tree_get0_user_policies($tree);
6744 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6745 #
6746 # returns: value corresponding to openssl's X509_POLICY_NODE structure (0 on failure)
6747
6748 • X509_policy_tree_level_count
6749
6750 ??? (more info needed)
6751
6752 my $rv = Net::SSLeay::X509_policy_tree_level_count($tree);
6753 # $tree - value corresponding to openssl's X509_POLICY_TREE structure
6754 #
6755 # returns: (integer) count
6756
6757 • X509_verify_cert_error_string
6758
6759 Returns a human readable error string for verification error $n.
6760
6761 my $rv = Net::SSLeay::X509_verify_cert_error_string($n);
6762 # $n - (long) numeric error code
6763 #
6764 # returns: error string
6765
6766 Check openssl doc
6767 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
6768
6769 • P_X509_add_extensions
6770
6771 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6772
6773 Adds one or more X509 extensions to X509 object $x.
6774
6775 my $rv = Net::SSLeay::P_X509_add_extensions($x, $ca_cert, $nid, $value);
6776 # $x - value corresponding to openssl's X509 structure
6777 # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier)
6778 # $nid - NID identifying extension to be set
6779 # $value - extension value
6780 #
6781 # returns: 1 on success, 0 on failure
6782
6783 You can set more extensions at once:
6784
6785 my $rv = Net::SSLeay::P_X509_add_extensions($x509, $ca_cert,
6786 &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
6787 &Net::SSLeay::NID_subject_key_identifier => 'hash',
6788 &Net::SSLeay::NID_authority_key_identifier => 'keyid',
6789 &Net::SSLeay::NID_authority_key_identifier => 'issuer',
6790 &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
6791 &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
6792 &Net::SSLeay::NID_netscape_cert_type => 'server',
6793 &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.dom.com,DNS:s2.dom.com,DNS:s3.dom.com',
6794 );
6795
6796 • P_X509_copy_extensions
6797
6798 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6799
6800 Copies X509 extensions from X509_REQ object to X509 object - handy
6801 when you need to turn X509_REQ into X509 certificate.
6802
6803 Net::SSLeay::P_X509_copy_extensions($x509_req, $x509, $override);
6804 # $x509_req - value corresponding to openssl's X509_REQ structure
6805 # $x509 - value corresponding to openssl's X509 structure
6806 # $override - (integer) flag indication whether to override already existing items in $x509 (default 1)
6807 #
6808 # returns: 1 on success, 0 on failure
6809
6810 • P_X509_get_crl_distribution_points
6811
6812 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6813 requires at least openssl-0.9.7
6814
6815 Get the list of CRL distribution points from X509 certificate.
6816
6817 my @cdp = Net::SSLeay::P_X509_get_crl_distribution_points($x509);
6818 # $x509 - value corresponding to openssl's X509 structure
6819 #
6820 # returns: list of distribution points (usually URLs)
6821
6822 • P_X509_get_ext_key_usage
6823
6824 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
6825 requires at least openssl-0.9.7
6826
6827 Gets the list of extended key usage of given X509 certificate
6828 $cert.
6829
6830 my @ext_usage = Net::SSLeay::P_X509_get_ext_key_usage($cert, $format);
6831 # $cert - value corresponding to openssl's X509 structure
6832 # $format - choose type of return values: 0=OIDs, 1=NIDs, 2=shortnames, 3=longnames
6833 #
6834 # returns: list of values
6835
6836 Examples:
6837
6838 my @extkeyusage_oid = Net::SSLeay::P_X509_get_ext_key_usage($x509,0);
6839 # returns for example: ("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2")
6840
6841 my @extkeyusage_nid = Net::SSLeay::P_X509_get_ext_key_usage($x509,1);
6842 # returns for example: (129, 130)
6843
6844 my @extkeyusage_sn = Net::SSLeay::P_X509_get_ext_key_usage($x509,2);
6845 # returns for example: ("serverAuth", "clientAuth")
6846
6847 my @extkeyusage_ln = Net::SSLeay::P_X509_get_ext_key_usage($x509,3);
6848 # returns for example: ("TLS Web Server Authentication", "TLS Web Client Authentication")
6849
6850 • P_X509_get_key_usage
6851
6852 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6853
6854 Gets the list of key usage of given X509 certificate $cert.
6855
6856 my @keyusage = Net::SSLeay::P_X509_get_key_usage($cert);
6857 # $cert - value corresponding to openssl's X509 structure
6858 #
6859 # returns: list of key usage values which can be none, one or more from the following list:
6860 # "digitalSignature"
6861 # "nonRepudiation"
6862 # "keyEncipherment"
6863 # "dataEncipherment"
6864 # "keyAgreement"
6865 # "keyCertSign"
6866 # "cRLSign"
6867 # "encipherOnly"
6868 # "decipherOnly"
6869
6870 • P_X509_get_netscape_cert_type
6871
6872 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6873
6874 Gets the list of Netscape cert types of given X509 certificate
6875 $cert.
6876
6877 Net::SSLeay::P_X509_get_netscape_cert_type($cert);
6878 # $cert - value corresponding to openssl's X509 structure
6879 #
6880 # returns: list of Netscape type values which can be none, one or more from the following list:
6881 # "client"
6882 # "server"
6883 # "email"
6884 # "objsign"
6885 # "reserved"
6886 # "sslCA"
6887 # "emailCA"
6888 # "objCA"
6889
6890 • P_X509_get_pubkey_alg
6891
6892 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6893
6894 Returns ASN1_OBJECT corresponding to X509 certificate public key
6895 algorithm.
6896
6897 my $rv = Net::SSLeay::P_X509_get_pubkey_alg($x);
6898 # $x - value corresponding to openssl's X509 structure
6899 #
6900 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6901
6902 To get textual representation use:
6903
6904 my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_pubkey_alg($x509));
6905 # returns for example: "rsaEncryption"
6906
6907 • P_X509_get_signature_alg
6908
6909 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
6910
6911 Returns ASN1_OBJECT corresponding to X509 signarite key algorithm.
6912
6913 my $rv = Net::SSLeay::P_X509_get_signature_alg($x);
6914 # $x - value corresponding to openssl's X509 structure
6915 #
6916 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
6917
6918 To get textual representation use:
6919
6920 my $alg = Net::SSLeay::OBJ_obj2txt(Net::SSLeay::P_X509_get_signature_alg($x509))
6921 # returns for example: "sha1WithRSAEncryption"
6922
6923 • sk_X509_new_null
6924
6925 Returns a new, empty, STACK_OF(X509) structure.
6926
6927 my $rv = Net::SSLeay::sk_X509_new_null();
6928 #
6929 # returns: value corresponding to openssl's STACK_OF(X509) structure
6930
6931 • sk_X509_push
6932
6933 Pushes an X509 structure onto a STACK_OF(X509) structure.
6934
6935 my $rv = Net::SSLeay::sk_X509_push($sk_x509, $x509);
6936 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6937 # $x509 - value corresponding to openssl's X509 structure
6938 #
6939 # returns: total number of elements after the operation, 0 on failure
6940
6941 • sk_X509_pop
6942
6943 Pops an single X509 structure from a STACK_OF(X509) structure.
6944
6945 my $x509 = NetSSLeay::sk_X509_pop($sk_x509)
6946 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6947 #
6948 # returns: a pointer to an X509 structure, undef on failure
6949
6950 Check openssl doc
6951 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_pop.html>
6952
6953 • sk_X509_shift
6954
6955 Shifts an single X509 structure onto a STACK_OF(X509) structure.
6956
6957 my $x509 = NetSSLeay::sk_X509_shift($sk_x509, $x509)
6958 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6959 # $x509 - value corresponding to openssl's X509 structure
6960 #
6961 # returns: a pointer to an X509 structure, undef on failure
6962
6963 Check openssl doc
6964 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_shift.html>
6965
6966 • sk_X509_unshift
6967
6968 Unshifts an single X509 structure from a STACK_OF(X509) structure.
6969
6970 my $rv = NetSSLeay::sk_X509_unshift($sk_x509)
6971 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6972 #
6973 # returns: total number of elements after the operation, 0 on failure
6974
6975 Check openssl doc
6976 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_unshift.html>
6977
6978 • sk_X509_insert
6979
6980 Inserts a single X509 structure into a STACK_OF(X509) at the
6981 specified index.
6982
6983 my $rv = Net::SSLeay::sk_X509_insert($sk_x509, $x509, index);
6984 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
6985 # $x509 - value corresponding to openssl's X509 structure
6986 # index - integer - 0 based index
6987 #
6988 # returns: total number of elements after the operation, 0 on failure
6989
6990 Check openssl doc
6991 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_insert.html>
6992
6993 • sk_X509_delete
6994
6995 Delete a single X509 structure from a STACK_OF(X509) at the
6996 specified index.
6997
6998 my $x509 = Net::SSLeay::sk_X509_delete($sk_x509, index);
6999 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7000 # index - integer - 0 based index
7001 #
7002 # returns: a pointer to an X509 structure, undef on failure
7003
7004 Check openssl doc
7005 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_delete.html>
7006
7007 • sk_X509_value
7008
7009 Return a single X509 structure from a STACK_OF(X509) at the
7010 specified index.
7011
7012 my $x509 = Net::SSLeay::sk_X509_value($sk_x509, index)
7013 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7014 # index - integer - 0 based index
7015 #
7016 # returns: a pointer to an X509 structure, undef on failure
7017
7018 Check openssl doc
7019 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_value.html>
7020
7021 • sk_X509_num
7022
7023 Return the number of X509 elements in a STACK_OF(X509).
7024
7025 my $num = Net::SSLeay::sk_X509_num($sk_x509);
7026 # $sk_x509 - value corresponding to openssl's STACK_OF(X509) structure
7027 #
7028 # returns: the number of elements in the stack, -1 if the passed stack is NULL
7029
7030 Check openssl doc
7031 <https://www.openssl.org/docs/manmaster/man3/sk_TYPE_num.html>
7032
7033 Low level API: X509_REQ_* related functions
7034
7035 • X509_REQ_new
7036
7037 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7038
7039 Creates a new X509_REQ structure.
7040
7041 my $rv = Net::SSLeay::X509_REQ_new();
7042 #
7043 # returns: value corresponding to openssl's X509_REQ structure (0 on failure)
7044
7045 • X509_REQ_free
7046
7047 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7048
7049 Free an allocated X509_REQ structure.
7050
7051 Net::SSLeay::X509_REQ_free($x);
7052 # $x - value corresponding to openssl's X509_REQ structure
7053 #
7054 # returns: no return value
7055
7056 • X509_REQ_add1_attr_by_NID
7057
7058 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7059
7060 Adds an attribute whose name is defined by a NID $nid. The field
7061 value to be added is in $bytes.
7062
7063 my $rv = Net::SSLeay::X509_REQ_add1_attr_by_NID($req, $nid, $type, $bytes);
7064 # $req - value corresponding to openssl's X509_REQ structure
7065 # $nid - (integer) NID value
7066 # $type - (integer) type of data in $bytes (see below)
7067 # $bytes - data to be set
7068 #
7069 # returns: 1 on success, 0 on failure
7070
7071 # values for $type - use constants:
7072 &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data
7073 &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data
7074
7075 • X509_REQ_digest
7076
7077 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7078
7079 Computes digest/fingerprint of X509_REQ $data using $type hash
7080 function.
7081
7082 my $digest_value = Net::SSLeay::X509_REQ_digest($data, $type);
7083 # $data - value corresponding to openssl's X509_REQ structure
7084 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7085 #
7086 # returns: hash value (binary)
7087
7088 #to get printable (hex) value of digest use:
7089 print unpack('H*', $digest_value);
7090
7091 • X509_REQ_get_attr_by_NID
7092
7093 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7094
7095 Retrieve the next index matching $nid after $lastpos ($lastpos
7096 should initially be set to -1).
7097
7098 my $rv = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid, $lastpos=-1);
7099 # $req - value corresponding to openssl's X509_REQ structure
7100 # $nid - (integer) NID value
7101 # $lastpos - [optional] (integer) index where to start search (default -1)
7102 #
7103 # returns: index (-1 if there are no more entries)
7104
7105 Note: use "P_X509_REQ_get_attr" to get the actual attribute value -
7106 e.g.
7107
7108 my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid);
7109 my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index);
7110
7111 • X509_REQ_get_attr_by_OBJ
7112
7113 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7114
7115 Retrieve the next index matching $obj after $lastpos ($lastpos
7116 should initially be set to -1).
7117
7118 my $rv = Net::SSLeay::X509_REQ_get_attr_by_OBJ($req, $obj, $lastpos=-1);
7119 # $req - value corresponding to openssl's X509_REQ structure
7120 # $obj - value corresponding to openssl's ASN1_OBJECT structure
7121 # $lastpos - [optional] (integer) index where to start search (default -1)
7122 #
7123 # returns: index (-1 if there are no more entries)
7124
7125 Note: use "P_X509_REQ_get_attr" to get the actual attribute value -
7126 e.g.
7127
7128 my $index = Net::SSLeay::X509_REQ_get_attr_by_NID($req, $nid);
7129 my @attr_values = Net::SSLeay::P_X509_REQ_get_attr($req, $index);
7130
7131 • X509_REQ_get_attr_count
7132
7133 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7134
7135 Returns the total number of attributes in $req.
7136
7137 my $rv = Net::SSLeay::X509_REQ_get_attr_count($req);
7138 # $req - value corresponding to openssl's X509_REQ structure
7139 #
7140 # returns: (integer) items count
7141
7142 • X509_REQ_get_pubkey
7143
7144 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7145
7146 Returns public key corresponding to given X509_REQ object $x.
7147
7148 my $rv = Net::SSLeay::X509_REQ_get_pubkey($x);
7149 # $x - value corresponding to openssl's X509_REQ structure
7150 #
7151 # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure)
7152
7153 • X509_REQ_get_subject_name
7154
7155 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7156
7157 Returns X509_NAME object corresponding to subject name of given
7158 X509_REQ object $x.
7159
7160 my $rv = Net::SSLeay::X509_REQ_get_subject_name($x);
7161 # $x - value corresponding to openssl's X509_REQ structure
7162 #
7163 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7164
7165 • X509_REQ_get_version
7166
7167 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7168
7169 Returns 'version' value for given X509_REQ object $x.
7170
7171 my $rv = Net::SSLeay::X509_REQ_get_version($x);
7172 # $x - value corresponding to openssl's X509_REQ structure
7173 #
7174 # returns: (integer) version e.g. 0 = "version 1"
7175
7176 • X509_REQ_set_pubkey
7177
7178 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7179
7180 Sets public key of given X509_REQ object $x to $pkey.
7181
7182 my $rv = Net::SSLeay::X509_REQ_set_pubkey($x, $pkey);
7183 # $x - value corresponding to openssl's X509_REQ structure
7184 # $pkey - value corresponding to openssl's EVP_PKEY structure
7185 #
7186 # returns: 1 on success, 0 on failure
7187
7188 • X509_REQ_set_subject_name
7189
7190 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7191
7192 Sets subject name of given X509_REQ object $x to X509_NAME object
7193 $name.
7194
7195 my $rv = Net::SSLeay::X509_REQ_set_subject_name($x, $name);
7196 # $x - value corresponding to openssl's X509_REQ structure
7197 # $name - value corresponding to openssl's X509_NAME structure
7198 #
7199 # returns: 1 on success, 0 on failure
7200
7201 • X509_REQ_set_version
7202
7203 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7204
7205 Sets 'version' of given X509_REQ object $x to $version.
7206
7207 my $rv = Net::SSLeay::X509_REQ_set_version($x, $version);
7208 # $x - value corresponding to openssl's X509_REQ structure
7209 # $version - (integer) e.g. 0 = "version 1"
7210 #
7211 # returns: 1 on success, 0 on failure
7212
7213 • X509_REQ_sign
7214
7215 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7216
7217 Sign X509_REQ object $x with private key $pk (using digest
7218 algorithm $md).
7219
7220 my $rv = Net::SSLeay::X509_REQ_sign($x, $pk, $md);
7221 # $x - value corresponding to openssl's X509_REQ structure
7222 # $pk - value corresponding to openssl's EVP_PKEY structure (requestor's private key)
7223 # $md - value corresponding to openssl's EVP_MD structure
7224 #
7225 # returns: 1 on success, 0 on failure
7226
7227 • X509_REQ_verify
7228
7229 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7230
7231 Verifies X509_REQ object $x using public key $r (pubkey of
7232 requesting party).
7233
7234 my $rv = Net::SSLeay::X509_REQ_verify($x, $r);
7235 # $x - value corresponding to openssl's X509_REQ structure
7236 # $r - value corresponding to openssl's EVP_PKEY structure
7237 #
7238 # returns: 0 - verify failure, 1 - verify OK, <0 - error
7239
7240 • P_X509_REQ_add_extensions
7241
7242 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7243
7244 Adds one or more X509 extensions to X509_REQ object $x.
7245
7246 my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x, $nid, $value);
7247 # $x - value corresponding to openssl's X509_REQ structure
7248 # $nid - NID identifying extension to be set
7249 # $value - extension value
7250 #
7251 # returns: 1 on success, 0 on failure
7252
7253 You can set more extensions at once:
7254
7255 my $rv = Net::SSLeay::P_X509_REQ_add_extensions($x509_req,
7256 &Net::SSLeay::NID_key_usage => 'digitalSignature,keyEncipherment',
7257 &Net::SSLeay::NID_basic_constraints => 'CA:FALSE',
7258 &Net::SSLeay::NID_ext_key_usage => 'serverAuth,clientAuth',
7259 &Net::SSLeay::NID_netscape_cert_type => 'server',
7260 &Net::SSLeay::NID_subject_alt_name => 'DNS:s1.com,DNS:s2.com',
7261 &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.com/crl1,URI:http://pki.com/crl2',
7262 );
7263
7264 • P_X509_REQ_get_attr
7265
7266 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7267 requires at least openssl-0.9.7
7268
7269 Returns attribute value for X509_REQ's attribute at index $n.
7270
7271 Net::SSLeay::P_X509_REQ_get_attr($req, $n);
7272 # $req - value corresponding to openssl's X509_REQ structure
7273 # $n - (integer) attribute index
7274 #
7275 # returns: value corresponding to openssl's ASN1_STRING structure
7276
7277 Low level API: X509_CRL_* related functions
7278
7279 • X509_CRL_new
7280
7281 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7282
7283 Creates a new X509_CRL structure.
7284
7285 my $rv = Net::SSLeay::X509_CRL_new();
7286 #
7287 # returns: value corresponding to openssl's X509_CRL structure (0 on failure)
7288
7289 • X509_CRL_free
7290
7291 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7292
7293 Free an allocated X509_CRL structure.
7294
7295 Net::SSLeay::X509_CRL_free($x);
7296 # $x - value corresponding to openssl's X509_CRL structure
7297 #
7298 # returns: no return value
7299
7300 • X509_CRL_digest
7301
7302 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7303
7304 Computes digest/fingerprint of X509_CRL $data using $type hash
7305 function.
7306
7307 my $digest_value = Net::SSLeay::X509_CRL_digest($data, $type);
7308 # $data - value corresponding to openssl's X509_CRL structure
7309 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7310 #
7311 # returns: hash value (binary)
7312
7313 Example:
7314
7315 my $x509_crl
7316 my $md = Net::SSLeay::EVP_get_digestbyname("sha1");
7317 my $digest_value = Net::SSLeay::X509_CRL_digest($x509_crl, $md);
7318 #to get printable (hex) value of digest use:
7319 print "digest=", unpack('H*', $digest_value), "\n";
7320
7321 • X509_CRL_get_ext
7322
7323 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7324
7325 Returns X509_EXTENSION from $x509 based on given position/index.
7326
7327 my $rv = Net::SSLeay::X509_CRL_get_ext($x509, $index);
7328 # $x509 - value corresponding to openssl's X509_CRL structure
7329 # $index - (integer) position/index of extension within $x509
7330 #
7331 # returns: value corresponding to openssl's X509_EXTENSION structure (0 on failure)
7332
7333 • X509_CRL_get_ext_by_NID
7334
7335 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7336
7337 Returns X509_EXTENSION from $x509 based on given NID.
7338
7339 my $rv = Net::SSLeay::X509_CRL_get_ext_by_NID($x509, $nid, $loc);
7340 # $x509 - value corresponding to openssl's X509_CRL structure
7341 # $nid - (integer) NID value
7342 # $loc - (integer) position to start lookup at
7343 #
7344 # returns: position/index of extension, negative value on error
7345 # call Net::SSLeay::X509_CRL_get_ext($x509, $rv) to get the actual extension
7346
7347 • X509_CRL_get_ext_count
7348
7349 COMPATIBILITY: not available in Net-SSLeay-1.54 and before
7350
7351 Returns the total number of extensions in X509_CRL object $x.
7352
7353 my $rv = Net::SSLeay::X509_CRL_get_ext_count($x);
7354 # $x - value corresponding to openssl's X509_CRL structure
7355 #
7356 # returns: count of extensions
7357
7358 • X509_CRL_get_issuer
7359
7360 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7361
7362 Returns X509_NAME object corresponding to the issuer of X509_CRL
7363 $x.
7364
7365 my $rv = Net::SSLeay::X509_CRL_get_issuer($x);
7366 # $x - value corresponding to openssl's X509_CRL structure
7367 #
7368 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7369
7370 See other "X509_NAME_*" functions to get more info from X509_NAME
7371 structure.
7372
7373 • X509_CRL_get_lastUpdate
7374
7375 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7376
7377 Returns 'lastUpdate' date-time value of X509_CRL object $x.
7378
7379 my $rv = Net::SSLeay::X509_CRL_get_lastUpdate($x);
7380 # $x - value corresponding to openssl's X509_CRL structure
7381 #
7382 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
7383
7384 • X509_CRL_get_nextUpdate
7385
7386 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7387
7388 Returns 'nextUpdate' date-time value of X509_CRL object $x.
7389
7390 my $rv = Net::SSLeay::X509_CRL_get_nextUpdate($x);
7391 # $x - value corresponding to openssl's X509_CRL structure
7392 #
7393 # returns: value corresponding to openssl's ASN1_TIME structure (0 on failure)
7394
7395 • X509_CRL_get_version
7396
7397 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7398
7399 Returns 'version' value of given X509_CRL structure $x.
7400
7401 my $rv = Net::SSLeay::X509_CRL_get_version($x);
7402 # $x - value corresponding to openssl's X509_CRL structure
7403 #
7404 # returns: (integer) version
7405
7406 • X509_CRL_set_issuer_name
7407
7408 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7409 requires at least openssl-0.9.7
7410
7411 Sets the issuer of X509_CRL object $x to X509_NAME object $name.
7412
7413 my $rv = Net::SSLeay::X509_CRL_set_issuer_name($x, $name);
7414 # $x - value corresponding to openssl's X509_CRL structure
7415 # $name - value corresponding to openssl's X509_NAME structure
7416 #
7417 # returns: 1 on success, 0 on failure
7418
7419 • X509_CRL_set_lastUpdate
7420
7421 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7422 requires at least openssl-0.9.7
7423
7424 Sets 'lastUpdate' value of X509_CRL object $x to $tm.
7425
7426 my $rv = Net::SSLeay::X509_CRL_set_lastUpdate($x, $tm);
7427 # $x - value corresponding to openssl's X509_CRL structure
7428 # $tm - value corresponding to openssl's ASN1_TIME structure
7429 #
7430 # returns: 1 on success, 0 on failure
7431
7432 • X509_CRL_set_nextUpdate
7433
7434 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7435 requires at least openssl-0.9.7
7436
7437 Sets 'nextUpdate' value of X509_CRL object $x to $tm.
7438
7439 my $rv = Net::SSLeay::X509_CRL_set_nextUpdate($x, $tm);
7440 # $x - value corresponding to openssl's X509_CRL structure
7441 # $tm - value corresponding to openssl's ASN1_TIME structure
7442 #
7443 # returns: 1 on success, 0 on failure
7444
7445 • X509_CRL_set_version
7446
7447 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7448 requires at least openssl-0.9.7
7449
7450 Sets 'version' value of given X509_CRL structure $x to $version.
7451
7452 my $rv = Net::SSLeay::X509_CRL_set_version($x, $version);
7453 # $x - value corresponding to openssl's X509_CRL structure
7454 # $version - (integer) version number (1 = version 2 CRL)
7455 #
7456 # returns: 1 on success, 0 on failure
7457
7458 Note that if you want to use any X509_CRL extension you need to set
7459 "version 2 CRL" - "Net::SSLeay::X509_CRL_set_version($x, 1)".
7460
7461 • X509_CRL_sign
7462
7463 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7464
7465 Sign X509_CRL object $x with private key $pkey (using digest
7466 algorithm $md).
7467
7468 my $rv = Net::SSLeay::X509_CRL_sign($x, $pkey, $md);
7469 # $x - value corresponding to openssl's X509_CRL structure
7470 # $pkey - value corresponding to openssl's EVP_PKEY structure
7471 # $md - value corresponding to openssl's EVP_MD structure
7472 #
7473 # returns: 1 on success, 0 on failure
7474
7475 • X509_CRL_sort
7476
7477 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7478 requires at least openssl-0.9.7
7479
7480 Sorts the data of X509_CRL object so it will be written in serial
7481 number order.
7482
7483 my $rv = Net::SSLeay::X509_CRL_sort($x);
7484 # $x - value corresponding to openssl's X509_CRL structure
7485 #
7486 # returns: 1 on success, 0 on failure
7487
7488 • X509_CRL_verify
7489
7490 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7491
7492 Verifies X509_CRL object $a using public key $r (pubkey of issuing
7493 CA).
7494
7495 my $rv = Net::SSLeay::X509_CRL_verify($a, $r);
7496 # $a - value corresponding to openssl's X509_CRL structure
7497 # $r - value corresponding to openssl's EVP_PKEY structure
7498 #
7499 # returns: 0 - verify failure, 1 - verify OK, <0 - error
7500
7501 • P_X509_CRL_add_revoked_serial_hex
7502
7503 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7504 requires at least openssl-0.9.7
7505
7506 Adds given serial number $serial_hex to X509_CRL object $crl.
7507
7508 Net::SSLeay::P_X509_CRL_add_revoked_serial_hex($crl, $serial_hex, $rev_time, $reason_code, $comp_time);
7509 # $crl - value corresponding to openssl's X509_CRL structure
7510 # $serial_hex - string (hexadecimal) representation of serial number
7511 # $rev_time - (revocation time) value corresponding to openssl's ASN1_TIME structure
7512 # $reason_code - [optional] (integer) reason code (see below) - default 0
7513 # $comp_time - [optional] (compromise time) value corresponding to openssl's ASN1_TIME structure
7514 #
7515 # returns: no return value
7516
7517 reason codes:
7518 0 - unspecified
7519 1 - keyCompromise
7520 2 - CACompromise
7521 3 - affiliationChanged
7522 4 - superseded
7523 5 - cessationOfOperation
7524 6 - certificateHold
7525 7 - removeFromCRL
7526
7527 • P_X509_CRL_get_serial
7528
7529 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7530 requires at least openssl-0.9.7
7531
7532 Returns serial number of X509_CRL object.
7533
7534 my $rv = Net::SSLeay::P_X509_CRL_get_serial($crl);
7535 # $crl - value corresponding to openssl's X509_CRL structure
7536 #
7537 # returns: value corresponding to openssl's ASN1_INTEGER structure (0 on failure)
7538
7539 • P_X509_CRL_set_serial
7540
7541 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7542 requires at least openssl-0.9.7
7543
7544 Sets serial number of X509_CRL object to $crl_number.
7545
7546 my $rv = Net::SSLeay::P_X509_CRL_set_serial($crl, $crl_number);
7547 # $crl - value corresponding to openssl's X509_CRL structure
7548 # $crl_number - value corresponding to openssl's ASN1_INTEGER structure
7549 #
7550 # returns: 1 on success, 0 on failure
7551
7552 • P_X509_CRL_add_extensions
7553
7554 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
7555
7556 Adds one or more X509 extensions to X509 CRL object $x.
7557
7558 my $rv = Net::SSLeay::P_X509_CRL_add_extensions($x, $ca_cert, $nid, $value);
7559 # $x - value corresponding to openssl's X509 CRL structure
7560 # $ca_cert - value corresponding to openssl's X509 structure (issuer's cert - necessary for sertting NID_authority_key_identifier)
7561 # $nid - NID identifying extension to be set
7562 # $value - extension value
7563 #
7564 # returns: 1 on success, 0 on failure
7565
7566 For more details see "P_X509_add_extensions".
7567
7568 Low level API: X509_EXTENSION_* related functions
7569
7570 • X509_EXTENSION_get_critical
7571
7572 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7573
7574 Returns 'critical' flag of given X509_EXTENSION object $ex.
7575
7576 my $rv = Net::SSLeay::X509_EXTENSION_get_critical($ex);
7577 # $ex - value corresponding to openssl's X509_EXTENSION structure
7578 #
7579 # returns: (integer) 1 - critical, 0 - noncritical
7580
7581 • X509_EXTENSION_get_data
7582
7583 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7584
7585 Returns value (raw data) of X509_EXTENSION object $ne.
7586
7587 my $rv = Net::SSLeay::X509_EXTENSION_get_data($ne);
7588 # $ne - value corresponding to openssl's X509_EXTENSION structure
7589 #
7590 # returns: value corresponding to openssl's ASN1_OCTET_STRING structure (0 on failure)
7591
7592 Note: you can use "P_ASN1_STRING_get" to convert ASN1_OCTET_STRING
7593 into perl scalar variable.
7594
7595 • X509_EXTENSION_get_object
7596
7597 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7598
7599 Returns OID (ASN1_OBJECT) of X509_EXTENSION object $ne.
7600
7601 my $rv = Net::SSLeay::X509_EXTENSION_get_object($ex);
7602 # $ex - value corresponding to openssl's X509_EXTENSION structure
7603 #
7604 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
7605
7606 • X509V3_EXT_print
7607
7608 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7609
7610 Returns string representation of given X509_EXTENSION object $ext.
7611
7612 Net::SSLeay::X509V3_EXT_print($ext, $flags, $utf8_decode);
7613 # $ext - value corresponding to openssl's X509_EXTENSION structure
7614 # $flags - [optional] (integer) Currently the flag argument is unused and should be set to 0
7615 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
7616 #
7617 # returns: no return value
7618
7619 • X509V3_EXT_d2i
7620
7621 Parses an extension and returns its internal structure.
7622
7623 my $rv = Net::SSLeay::X509V3_EXT_d2i($ext);
7624 # $ext - value corresponding to openssl's X509_EXTENSION structure
7625 #
7626 # returns: pointer ???
7627
7628 Low level API: X509_NAME_* related functions
7629
7630 • X509_NAME_ENTRY_get_data
7631
7632 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7633
7634 Retrieves the field value of $ne in and ASN1_STRING structure.
7635
7636 my $rv = Net::SSLeay::X509_NAME_ENTRY_get_data($ne);
7637 # $ne - value corresponding to openssl's X509_NAME_ENTRY structure
7638 #
7639 # returns: value corresponding to openssl's ASN1_STRING structure (0 on failure)
7640
7641 Check openssl doc
7642 <http://www.openssl.org/docs/crypto/X509_NAME_ENTRY_get_object.html>
7643
7644 • X509_NAME_ENTRY_get_object
7645
7646 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7647
7648 Retrieves the field name of $ne in and ASN1_OBJECT structure.
7649
7650 my $rv = Net::SSLeay::X509_NAME_ENTRY_get_object($ne);
7651 # $ne - value corresponding to openssl's X509_NAME_ENTRY structure
7652 #
7653 # returns: value corresponding to openssl's ASN1_OBJECT structure (0 on failure)
7654
7655 Check openssl doc
7656 <http://www.openssl.org/docs/crypto/X509_NAME_ENTRY_get_object.html>
7657
7658 • X509_NAME_new
7659
7660 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
7661 requires at least openssl-0.9.5
7662
7663 Creates a new X509_NAME structure. Adds a field whose name is
7664 defined by a string $field. The field value to be added is in
7665 $bytes.
7666
7667 my $rv = Net::SSLeay::X509_NAME_new();
7668 #
7669 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7670
7671 • X509_NAME_hash
7672
7673 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
7674 requires at least openssl-0.9.5
7675
7676 Sort of a checksum of issuer name $name. The result is not a full
7677 hash (e.g. sha-1), it is kind-of-a-hash truncated to the size of
7678 'unsigned long' (32 bits). The resulting value might differ across
7679 different openssl versions for the same X509 certificate.
7680
7681 my $rv = Net::SSLeay::X509_NAME_hash($name);
7682 # $name - value corresponding to openssl's X509_NAME structure
7683 #
7684 # returns: number representing checksum
7685
7686 • X509_NAME_add_entry_by_txt
7687
7688 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7689 requires at least openssl-0.9.5
7690
7691 Adds a field whose name is defined by a string $field. The field
7692 value to be added is in $bytes.
7693
7694 my $rv = Net::SSLeay::X509_NAME_add_entry_by_txt($name, $field, $type, $bytes, $len, $loc, $set);
7695 # $name - value corresponding to openssl's X509_NAME structure
7696 # $field - (string) field definition (name) - e.g. "organizationName"
7697 # $type - (integer) type of data in $bytes (see below)
7698 # $bytes - data to be set
7699 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7700 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7701 #
7702 # returns: 1 on success, 0 on failure
7703
7704 # values for $type - use constants:
7705 &Net::SSLeay::MBSTRING_UTF8 - $bytes contains utf8 encoded data
7706 &Net::SSLeay::MBSTRING_ASC - $bytes contains ASCII data
7707
7708 Unicode note: when passing non-ascii (unicode) string in $bytes do
7709 not forget to set "$flags = &Net::SSLeay::MBSTRING_UTF8" and encode
7710 the perl $string via "$bytes = encode('utf-8', $string)".
7711
7712 Check openssl doc
7713 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7714
7715 • X509_NAME_add_entry_by_NID
7716
7717 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7718 requires at least openssl-0.9.5
7719
7720 Adds a field whose name is defined by a NID $nid. The field value
7721 to be added is in $bytes.
7722
7723 my $rv = Net::SSLeay::X509_NAME_add_entry_by_NID($name, $nid, $type, $bytes, $len, $loc, $set);
7724 # $name - value corresponding to openssl's X509_NAME structure
7725 # $nid - (integer) field definition - NID value
7726 # $type - (integer) type of data in $bytes (see below)
7727 # $bytes - data to be set
7728 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7729 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7730 #
7731 # returns: 1 on success, 0 on failure
7732
7733 Check openssl doc
7734 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7735
7736 • X509_NAME_add_entry_by_OBJ
7737
7738 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
7739 requires at least openssl-0.9.5
7740
7741 Adds a field whose name is defined by a object (OID) $obj . The
7742 field value to be added is in $bytes.
7743
7744 my $rv = Net::SSLeay::X509_NAME_add_entry_by_OBJ($name, $obj, $type, $bytes, $len, $loc, $set);
7745 # $name - value corresponding to openssl's X509_NAME structure
7746 # $obj - field definition - value corresponding to openssl's ASN1_OBJECT structure
7747 # $type - (integer) type of data in $bytes (see below)
7748 # $bytes - data to be set
7749 # $loc - [optional] (integer) index where the new entry is inserted: if it is -1 (default) it is appended
7750 # $set - [optional] (integer) determines how the new type is added. If it is 0 (default) a new RDN is created
7751 #
7752 # returns: 1 on success, 0 on failure
7753
7754 Check openssl doc
7755 <http://www.openssl.org/docs/crypto/X509_NAME_add_entry_by_txt.html>
7756
7757 • X509_NAME_cmp
7758
7759 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7760
7761 Compares two X509_NAME obejcts.
7762
7763 my $rv = Net::SSLeay::X509_NAME_cmp($a, $b);
7764 # $a - value corresponding to openssl's X509_NAME structure
7765 # $b - value corresponding to openssl's X509_NAME structure
7766 #
7767 # returns: 0 if $a matches $b; non zero otherwise
7768
7769 • X509_NAME_digest
7770
7771 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7772
7773 Computes digest/fingerprint of X509_NAME $data using $type hash
7774 function.
7775
7776 my $digest_value = Net::SSLeay::X509_NAME_digest($data, $type);
7777 # $data - value corresponding to openssl's X509_NAME structure
7778 # $type - value corresponding to openssl's EVP_MD structure - e.g. got via EVP_get_digestbyname()
7779 #
7780 # returns: hash value (binary)
7781
7782 #to get printable (hex) value of digest use:
7783 print unpack('H*', $digest_value);
7784
7785 • X509_NAME_entry_count
7786
7787 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7788
7789 Returns the total number of entries in $name.
7790
7791 my $rv = Net::SSLeay::X509_NAME_entry_count($name);
7792 # $name - value corresponding to openssl's X509_NAME structure
7793 #
7794 # returns: (integer) entries count
7795
7796 Check openssl doc
7797 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7798
7799 • X509_NAME_get_entry
7800
7801 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7802
7803 Retrieves the X509_NAME_ENTRY from $name corresponding to index
7804 $loc. Acceptable values for $loc run from 0 to
7805 "Net::SSLeay::X509_NAME_entry_count($name)- 1". The value returned
7806 is an internal pointer which must not be freed.
7807
7808 my $rv = Net::SSLeay::X509_NAME_get_entry($name, $loc);
7809 # $name - value corresponding to openssl's X509_NAME structure
7810 # $loc - (integer) index of wanted entry
7811 #
7812 # returns: value corresponding to openssl's X509_NAME_ENTRY structure (0 on failure)
7813
7814 Check openssl doc
7815 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7816
7817 • X509_NAME_print_ex
7818
7819 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
7820
7821 Returns a string with human readable version of $name.
7822
7823 Net::SSLeay::X509_NAME_print_ex($name, $flags, $utf8_decode);
7824 # $name - value corresponding to openssl's X509_NAME structure
7825 # $flags - [optional] conversion flags (default XN_FLAG_RFC2253) - see below
7826 # $utf8_decode - [optional] 0 or 1 whether the returned value should be utf8 decoded (default=0)
7827 #
7828 # returns: string representation of $name
7829
7830 #available conversion flags - use constants:
7831 &Net::SSLeay::XN_FLAG_COMPAT
7832 &Net::SSLeay::XN_FLAG_DN_REV
7833 &Net::SSLeay::XN_FLAG_DUMP_UNKNOWN_FIELDS
7834 &Net::SSLeay::XN_FLAG_FN_ALIGN
7835 &Net::SSLeay::XN_FLAG_FN_LN
7836 &Net::SSLeay::XN_FLAG_FN_MASK
7837 &Net::SSLeay::XN_FLAG_FN_NONE
7838 &Net::SSLeay::XN_FLAG_FN_OID
7839 &Net::SSLeay::XN_FLAG_FN_SN
7840 &Net::SSLeay::XN_FLAG_MULTILINE
7841 &Net::SSLeay::XN_FLAG_ONELINE
7842 &Net::SSLeay::XN_FLAG_RFC2253
7843 &Net::SSLeay::XN_FLAG_SEP_COMMA_PLUS
7844 &Net::SSLeay::XN_FLAG_SEP_CPLUS_SPC
7845 &Net::SSLeay::XN_FLAG_SEP_MASK
7846 &Net::SSLeay::XN_FLAG_SEP_MULTILINE
7847 &Net::SSLeay::XN_FLAG_SEP_SPLUS_SPC
7848 &Net::SSLeay::XN_FLAG_SPC_EQ
7849
7850 Most likely you will be fine with default:
7851
7852 Net::SSLeay::X509_NAME_print_ex($name, &Net::SSLeay::XN_FLAG_RFC2253);
7853
7854 Or you might want RFC2253-like output without utf8 chars escaping:
7855
7856 use Net::SSLeay qw/XN_FLAG_RFC2253 ASN1_STRFLGS_ESC_MSB/;
7857 my $flag_rfc22536_utf8 = (XN_FLAG_RFC2253) & (~ ASN1_STRFLGS_ESC_MSB);
7858 my $result = Net::SSLeay::X509_NAME_print_ex($name, $flag_rfc22536_utf8, 1);
7859
7860 Check openssl doc
7861 <http://www.openssl.org/docs/crypto/X509_NAME_print_ex.html>
7862
7863 • X509_NAME_get_text_by_NID
7864
7865 Retrieves the text from the first entry in name which matches $nid,
7866 if no such entry exists -1 is returned.
7867
7868 openssl note: this is a legacy function which has various
7869 limitations which makes it of minimal use in practice. It can only
7870 find the first matching entry and will copy the contents of the
7871 field verbatim: this can be highly confusing if the target is a
7872 multicharacter string type like a BMPString or a UTF8String.
7873
7874 Net::SSLeay::X509_NAME_get_text_by_NID($name, $nid);
7875 # $name - value corresponding to openssl's X509_NAME structure
7876 # $nid - NID value (integer)
7877 #
7878 # returns: text value
7879
7880 Check openssl doc
7881 <http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html>
7882
7883 • X509_NAME_oneline
7884
7885 Return an ASCII version of $name.
7886
7887 Net::SSLeay::X509_NAME_oneline($name);
7888 # $name - value corresponding to openssl's X509_NAME structure
7889 #
7890 # returns: (string) ASCII version of $name
7891
7892 Check openssl doc
7893 <http://www.openssl.org/docs/crypto/X509_NAME_print_ex.html>
7894
7895 • sk_X509_NAME_free
7896
7897 Free an allocated STACK_OF(X509_NAME) structure.
7898
7899 Net::SSLeay::sk_X509_NAME_free($sk);
7900 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7901 #
7902 # returns: no return value
7903
7904 • sk_X509_NAME_num
7905
7906 Return number of items in STACK_OF(X509_NAME)
7907
7908 my $rv = Net::SSLeay::sk_X509_NAME_num($sk);
7909 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7910 #
7911 # returns: number of items
7912
7913 • sk_X509_NAME_value
7914
7915 Returns X509_NAME from position $index in STACK_OF(X509_NAME)
7916
7917 my $rv = Net::SSLeay::sk_X509_NAME_value($sk, $i);
7918 # $sk - value corresponding to openssl's STACK_OF(X509_NAME) structure
7919 # $i - (integer) index/position
7920 #
7921 # returns: value corresponding to openssl's X509_NAME structure (0 on failure)
7922
7923 • add_file_cert_subjects_to_stack
7924
7925 Add a file of certs to a stack. All certs in $file that are not
7926 already in the $stackCAs will be added.
7927
7928 my $rv = Net::SSLeay::add_file_cert_subjects_to_stack($stackCAs, $file);
7929 # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure
7930 # $file - (string) filename
7931 #
7932 # returns: 1 on success, 0 on failure
7933
7934 • add_dir_cert_subjects_to_stack
7935
7936 Add a directory of certs to a stack. All certs in $dir that are not
7937 already in the $stackCAs will be added.
7938
7939 my $rv = Net::SSLeay::add_dir_cert_subjects_to_stack($stackCAs, $dir);
7940 # $stackCAs - value corresponding to openssl's STACK_OF(X509_NAME) structure
7941 # $dir - (string) the directory to append from. All files in this directory will be examined as potential certs. Any that are acceptable to SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will be included.
7942 #
7943 # returns: 1 on success, 0 on failure
7944
7945 Low level API: X509_STORE_* related functions
7946
7947 • X509_STORE_CTX_new
7948
7949 returns a newly initialised X509_STORE_CTX structure.
7950
7951 • X509_STORE_CTX_init
7952
7953 X509_STORE_CTX_init() sets up an X509_STORE_CTX for a subsequent
7954 verification operation. It must be called before each call to
7955 X509_verify_cert().
7956
7957 Net::SSLeay::X509_STORE_CTX_init($x509_store_ctx, $x509_store,
7958 $x509, $chain);
7959
7960 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7961 structure (required) # $x509_store - value corresponding to
7962 openssl's X509_STORE structure (optional) # $x509 - value
7963 corresponding to openssl's X509 structure (optional) # $chain -
7964 value corresponding to openssl's STACK_OF(X509) structure
7965 (optional)
7966
7967 Check openssl doc
7968 <https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_init.html>
7969
7970 • X509_STORE_CTX_free
7971
7972 Frees an X509_STORE_CTX structure.
7973
7974 Net::SSLeay::X509_STORE_CTX_free($x509_store_ctx);
7975
7976 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7977 structure
7978
7979 • X509_verify_cert
7980
7981 The X509_verify_cert() function attempts to discover and validate a
7982 certificate chain based on parameters in ctx. A complete
7983 description of the process is contained in the verify(1) manual
7984 page.
7985
7986 If this function returns 0, use X509_STORE_CTX_get_error to get
7987 additional error information.
7988
7989 my $rv = Net::SSLeay::X509_verify_cert($x509_store_ctx); #
7990 $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX
7991 structure # # returns: 1 if a complete chain can be built and
7992 validated, otherwise 0
7993
7994 Check openssl doc
7995 <https://www.openssl.org/docs/manmaster/man3/X509_verify_cert.html>
7996
7997 • X509_STORE_CTX_get_current_cert
7998
7999 Returns the certificate in ctx which caused the error or 0 if no
8000 certificate is relevant.
8001
8002 my $rv = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
8003 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8004 #
8005 # returns: value corresponding to openssl's X509 structure (0 on failure)
8006
8007 Check openssl doc
8008 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8009
8010 • X509_STORE_CTX_get0_cert
8011
8012 COMPATIBILITY: not available in Net-SSLeay-1.88 and before;
8013 requires at least OpenSSL 1.1.0pre6 or LibreSSL 2.7.0
8014
8015 Returns an internal pointer to the certificate being verified by
8016 the ctx.
8017
8018 my $x509 = Net::SSLeay::X509_STORE_CTX_get0_cert($x509_store_ctx);
8019 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8020 #
8021 # returns: value corresponding to openssl's X509 structure
8022
8023 Check openssl doc
8024 <https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get0_cert.html>
8025
8026 • X509_STORE_CTX_get1_chain
8027
8028 Returns a returns a complete validate chain if a previous call to
8029 X509_verify_cert() is successful.
8030
8031 my $rv = Net::SSLeay::X509_STORE_CTX_get1_chain($x509_store_ctx);
8032 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8033 #
8034 # returns: value corresponding to openssl's STACK_OF(X509) structure
8035
8036 Check openssl doc
8037 <https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get1_chain.html>
8038
8039 • X509_STORE_CTX_get_error
8040
8041 Returns the error code of $ctx.
8042
8043 my $rv = Net::SSLeay::X509_STORE_CTX_get_error($x509_store_ctx);
8044 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8045 #
8046 # returns: (integer) error code
8047
8048 For more info about erro code values check function
8049 "get_verify_result".
8050
8051 Check openssl doc
8052 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8053
8054 • X509_STORE_CTX_get_error_depth
8055
8056 Returns the depth of the error. This is a non-negative integer
8057 representing where in the certificate chain the error occurred. If
8058 it is zero it occurred in the end entity certificate, one if it is
8059 the certificate which signed the end entity certificate and so on.
8060
8061 my $rv = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
8062 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8063 #
8064 # returns: (integer) depth
8065
8066 Check openssl doc
8067 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8068
8069 • X509_STORE_CTX_get_ex_data
8070
8071 Is used to retrieve the information for $idx from $x509_store_ctx.
8072
8073 my $rv = Net::SSLeay::X509_STORE_CTX_get_ex_data($x509_store_ctx, $idx);
8074 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8075 # $idx - (integer) index for application specific data
8076 #
8077 # returns: pointer to ???
8078
8079 • X509_STORE_CTX_set_ex_data
8080
8081 Is used to store application data at arg for idx into
8082 $x509_store_ctx.
8083
8084 my $rv = Net::SSLeay::X509_STORE_CTX_set_ex_data($x509_store_ctx, $idx, $data);
8085 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8086 # $idx - (integer) ???
8087 # $data - (pointer) ???
8088 #
8089 # returns: 1 on success, 0 on failure
8090
8091 • X509_STORE_CTX_set_cert
8092
8093 Sets the certificate to be verified in $x509_store_ctx to $x.
8094
8095 Net::SSLeay::X509_STORE_CTX_set_cert($x509_store_ctx, $x);
8096 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8097 # $x - value corresponding to openssl's X509 structure
8098 #
8099 # returns: no return value
8100
8101 Check openssl doc
8102 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_new.html>
8103
8104 • X509_STORE_new
8105
8106 Returns a newly initialized X509_STORE structure.
8107
8108 my $rv = Net::SSLeay::X509_STORE_new(); # # returns: value
8109 corresponding to openssl's X509_STORE structure (0 on failure)
8110
8111 • X509_STORE_free
8112
8113 Frees an X509_STORE structure
8114
8115 Net::SSLeay::X509_STORE_free($x509_store); # $x509_store - value
8116 corresponding to openssl's X509_STORE structure
8117
8118 • X509_STORE_add_lookup
8119
8120 Adds a lookup to an X509_STORE for a given lookup method.
8121
8122 my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; my $rv =
8123 Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); # $method
8124 - value corresponding to openssl's X509_LOOKUP_METHOD structure #
8125 $x509_store - value corresponding to openssl's X509_STORE structure
8126 # # returns: value corresponding to openssl's X509_LOOKUP structure
8127
8128 Check openssl doc
8129 <https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
8130
8131 • X509_STORE_CTX_set_error
8132
8133 Sets the error code of $ctx to $s. For example it might be used in
8134 a verification callback to set an error based on additional checks.
8135
8136 Net::SSLeay::X509_STORE_CTX_set_error($x509_store_ctx, $s);
8137 # $x509_store_ctx - value corresponding to openssl's X509_STORE_CTX structure
8138 # $s - (integer) error id
8139 #
8140 # returns: no return value
8141
8142 Check openssl doc
8143 <http://www.openssl.org/docs/crypto/X509_STORE_CTX_get_error.html>
8144
8145 • X509_STORE_add_cert
8146
8147 Adds X509 certificate $x into the X509_STORE $store.
8148
8149 my $rv = Net::SSLeay::X509_STORE_add_cert($store, $x);
8150 # $store - value corresponding to openssl's X509_STORE structure
8151 # $x - value corresponding to openssl's X509 structure
8152 #
8153 # returns: 1 on success, 0 on failure
8154
8155 • X509_STORE_add_crl
8156
8157 Adds X509 CRL $x into the X509_STORE $store.
8158
8159 my $rv = Net::SSLeay::X509_STORE_add_crl($store, $x);
8160 # $store - value corresponding to openssl's X509_STORE structure
8161 # $x - value corresponding to openssl's X509_CRL structure
8162 #
8163 # returns: 1 on success, 0 on failure
8164
8165 • X509_STORE_set1_param
8166
8167 ??? (more info needed)
8168
8169 my $rv = Net::SSLeay::X509_STORE_set1_param($store, $pm);
8170 # $store - value corresponding to openssl's X509_STORE structure
8171 # $pm - value corresponding to openssl's X509_VERIFY_PARAM structure
8172 #
8173 # returns: 1 on success, 0 on failure
8174
8175 • X509_LOOKUP_hash_dir
8176
8177 Returns an X509_LOOKUP structure that instructs an X509_STORE to
8178 load files from a directory containing certificates with filenames
8179 in the format hash.N or crls with filenames in the format hash.rN
8180
8181 my $rv = Net::SSLeay::X509_LOOKUP_hash_dir(); # # returns: value
8182 corresponding to openssl's X509_LOOKUP_METHOD structure, with the
8183 hashed directory method
8184
8185 Check openssl doc
8186 <https://www.openssl.org/docs/man1.1.1/man3/X509_load_crl_file.html>
8187
8188 • X509_LOOKUP_add_dir
8189
8190 Add a directory to an X509_LOOKUP structure, usually obtained from
8191 X509_STORE_add_lookup.
8192
8193 my $method = &Net::SSLeay::X509_LOOKUP_hash_dir; my $lookup =
8194 Net::SSLeay::X509_STORE_add_lookup($x509_store, $method); my $type
8195 = &Net::SSLeay::X509_FILETYPE_PEM;
8196 Net::SSLeay::X509_LOOKUP_add_dir($lookup, $dir, $type); # $lookup -
8197 value corresponding to openssl's X509_LOOKUP structure # $dir -
8198 string path to a directory s# $type - constant corresponding to the
8199 type of file in the directory - can be X509_FILETYPE_PEM,
8200 X509_FILETYPE_DEFAULT, or X509_FILETYPE_ASN1
8201
8202 • X509_STORE_set_flags
8203
8204 Net::SSLeay::X509_STORE_set_flags($ctx, $flags);
8205 # $ctx - value corresponding to openssl's X509_STORE structure
8206 # $flags - (unsigned long) flags to be set (bitmask)
8207 #
8208 # returns: no return value
8209
8210 #to create $flags value use corresponding constants like
8211 $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK();
8212
8213 For more details about $flags bitmask see
8214 "X509_VERIFY_PARAM_set_flags".
8215
8216 • X509_STORE_set_purpose
8217
8218 Net::SSLeay::X509_STORE_set_purpose($ctx, $purpose);
8219 # $ctx - value corresponding to openssl's X509_STORE structure
8220 # $purpose - (integer) purpose identifier
8221 #
8222 # returns: no return value
8223
8224 For more details about $purpose identifier check "CTX_set_purpose".
8225
8226 • X509_STORE_set_trust
8227
8228 Net::SSLeay::X509_STORE_set_trust($ctx, $trust);
8229 # $ctx - value corresponding to openssl's X509_STORE structure
8230 # $trust - (integer) trust identifier
8231 #
8232 # returns: no return value
8233
8234 For more details about $trust identifier check "CTX_set_trust".
8235
8236 Low Level API: X509_INFO related functions
8237
8238 • sk_X509_INFO_num
8239
8240 Returns the number of values in a STACK_OF(X509_INFO) structure.
8241
8242 my $rv = Net::SSLeay::sk_X509_INFO_num($sk_x509_info);
8243 # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure
8244 #
8245 # returns: number of values in $sk_X509_info
8246
8247 • sk_X509_INFO_value
8248
8249 Returns the value of a STACK_OF(X509_INFO) structure at a given
8250 index.
8251
8252 my $rv = Net::SSLeay::sk_X509_INFO_value($sk_x509_info, $index);
8253 # $sk_x509_info - value corresponding to openssl's STACK_OF(X509_INFO) structure
8254 # $index - index into the stack
8255 #
8256 # returns: value corresponding to openssl's X509_INFO structure at the given index
8257
8258 • P_X509_INFO_get_x509
8259
8260 Returns the X509 structure stored in an X509_INFO structure.
8261
8262 my $rv = Net::SSLeay::P_X509_INFO_get_x509($x509_info);
8263 # $x509_info - value corresponding to openssl's X509_INFO structure
8264 #
8265 # returns: value corresponding to openssl's X509 structure
8266
8267 Low level API: X509_VERIFY_PARAM_* related functions
8268
8269 • X509_VERIFY_PARAM_add0_policy
8270
8271 Enables policy checking (it is disabled by default) and adds
8272 $policy to the acceptable policy set.
8273
8274 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_policy($param, $policy);
8275 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8276 # $policy - value corresponding to openssl's ASN1_OBJECT structure
8277 #
8278 # returns: 1 on success, 0 on failure
8279
8280 Check openssl doc
8281 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8282
8283 • X509_VERIFY_PARAM_add0_table
8284
8285 ??? (more info needed)
8286
8287 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add0_table($param);
8288 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8289 #
8290 # returns: 1 on success, 0 on failure
8291
8292 • X509_VERIFY_PARAM_add1_host
8293
8294 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8295 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8296
8297 Adds an additional reference identifier that can match the peer's
8298 certificate.
8299
8300 my $rv = Net::SSLeay::X509_VERIFY_PARAM_add1_host($param, $name);
8301 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8302 # $name - (string) name to be set
8303 #
8304 # returns: 1 on success, 0 on failure
8305
8306 See also OpenSSL docs, "X509_VERIFY_PARAM_set1_host" and
8307 "X509_VERIFY_PARAM_set_hostflags" for more information, including
8308 wildcard matching.
8309
8310 Check openssl doc
8311 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8312
8313 • X509_VERIFY_PARAM_clear_flags
8314
8315 Clears the flags $flags in param.
8316
8317 my $rv = Net::SSLeay::X509_VERIFY_PARAM_clear_flags($param, $flags);
8318 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8319 # $flags - (unsigned long) flags to be set (bitmask)
8320 #
8321 # returns: 1 on success, 0 on failure
8322
8323 For more details about $flags bitmask see
8324 "X509_VERIFY_PARAM_set_flags".
8325
8326 Check openssl doc
8327 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8328
8329 • X509_VERIFY_PARAM_free
8330
8331 Frees up the X509_VERIFY_PARAM structure.
8332
8333 Net::SSLeay::X509_VERIFY_PARAM_free($param);
8334 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8335 #
8336 # returns: no return value
8337
8338 • X509_VERIFY_PARAM_get0_peername
8339
8340 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8341 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8342
8343 Returns the DNS hostname or subject CommonName from the peer
8344 certificate that matched one of the reference identifiers.
8345
8346 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get0_peername($param);
8347 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8348 #
8349 # returns: (string) name e.g. '*.example.com' or undef
8350
8351 Check openssl doc
8352 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8353
8354 • X509_VERIFY_PARAM_get_depth
8355
8356 Returns the current verification depth.
8357
8358 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_depth($param);
8359 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8360 #
8361 # returns: (ineger) depth
8362
8363 Check openssl doc
8364 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8365
8366 • X509_VERIFY_PARAM_get_flags
8367
8368 Returns the current verification flags.
8369
8370 my $rv = Net::SSLeay::X509_VERIFY_PARAM_get_flags($param);
8371 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8372 #
8373 # returns: (unsigned long) flags to be set (bitmask)
8374
8375 For more details about returned flags bitmask see
8376 "X509_VERIFY_PARAM_set_flags".
8377
8378 Check openssl doc
8379 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8380
8381 • X509_VERIFY_PARAM_set_flags
8382
8383 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_flags($param, $flags);
8384 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8385 # $flags - (unsigned long) flags to be set (bitmask)
8386 #
8387 # returns: 1 on success, 0 on failure
8388
8389 #to create $flags value use corresponding constants like
8390 $flags = Net::SSLeay::X509_V_FLAG_CRL_CHECK();
8391
8392 For more details about $flags bitmask, see the OpenSSL docs below.
8393
8394 Check openssl doc
8395 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8396
8397 • X509_VERIFY_PARAM_inherit
8398
8399 ??? (more info needed)
8400
8401 my $rv = Net::SSLeay::X509_VERIFY_PARAM_inherit($to, $from);
8402 # $to - value corresponding to openssl's X509_VERIFY_PARAM structure
8403 # $from - value corresponding to openssl's X509_VERIFY_PARAM structure
8404 #
8405 # returns: 1 on success, 0 on failure
8406
8407 • X509_VERIFY_PARAM_lookup
8408
8409 Finds X509_VERIFY_PARAM by name.
8410
8411 my $rv = Net::SSLeay::X509_VERIFY_PARAM_lookup($name);
8412 # $name - (string) name we want to find
8413 #
8414 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure)
8415
8416 • X509_VERIFY_PARAM_new
8417
8418 Creates a new X509_VERIFY_PARAM structure.
8419
8420 my $rv = Net::SSLeay::X509_VERIFY_PARAM_new();
8421 #
8422 # returns: value corresponding to openssl's X509_VERIFY_PARAM structure (0 on failure)
8423
8424 • X509_VERIFY_PARAM_set1
8425
8426 Sets the name of X509_VERIFY_PARAM structure $to to the same value
8427 as the name of X509_VERIFY_PARAM structure $from.
8428
8429 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1($to, $from);
8430 # $to - value corresponding to openssl's X509_VERIFY_PARAM structure
8431 # $from - value corresponding to openssl's X509_VERIFY_PARAM structure
8432 #
8433 # returns: 1 on success, 0 on failure
8434
8435 • X509_VERIFY_PARAM_set1_email
8436
8437 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8438 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8439
8440 Sets the expected RFC822 email address to email.
8441
8442 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_email($param, $email);
8443 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8444 # $email - (string) email to be set
8445 #
8446 # returns: 1 on success, 0 on failure
8447
8448 Check openssl doc
8449 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8450
8451 • X509_VERIFY_PARAM_set1_host
8452
8453 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8454 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8455
8456 Sets the expected DNS hostname to name clearing any previously
8457 specified host name or names.
8458
8459 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_host($param, $name);
8460 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8461 # $name - (string) name to be set
8462 #
8463 # returns: 1 on success, 0 on failure
8464
8465 See also OpenSSL docs, "X509_VERIFY_PARAM_add1_host" and
8466 "X509_VERIFY_PARAM_set_hostflags" for more information, including
8467 wildcard matching.
8468
8469 Check openssl doc
8470 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8471
8472 • X509_VERIFY_PARAM_set1_ip
8473
8474 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8475 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8476
8477 Sets the expected IP address to ip.
8478
8479 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_ip($param, $ip);
8480 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8481 # $ip - (binary) 4 octet IPv4 or 16 octet IPv6 address
8482 #
8483 # returns: 1 on success, 0 on failure
8484
8485 Check openssl doc
8486 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8487
8488 • X509_VERIFY_PARAM_set1_ip_asc
8489
8490 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8491 requires at least OpenSSL 1.0.2-beta1 or LibreSSL 2.7.0
8492
8493 Sets the expected IP address to ipasc.
8494
8495 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_asc($param, $ipasc);
8496 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8497 # $ip - (string) IPv4 or IPv6 address
8498 #
8499 # returns: 1 on success, 0 on failure
8500
8501 Check openssl doc
8502 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8503
8504 • X509_VERIFY_PARAM_set1_name
8505
8506 Sets the name of X509_VERIFY_PARAM structure $param to $name.
8507
8508 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_name($param, $name);
8509 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8510 # $name - (string) name to be set
8511 #
8512 # returns: 1 on success, 0 on failure
8513
8514 • X509_VERIFY_PARAM_set1_policies
8515
8516 Enables policy checking (it is disabled by default) and sets the
8517 acceptable policy set to policies. Any existing policy set is
8518 cleared. The policies parameter can be 0 to clear an existing
8519 policy set.
8520
8521 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set1_policies($param, $policies);
8522 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8523 # $policies - value corresponding to openssl's STACK_OF(ASN1_OBJECT) structure
8524 #
8525 # returns: 1 on success, 0 on failure
8526
8527 Check openssl doc
8528 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8529
8530 • X509_VERIFY_PARAM_set_depth
8531
8532 Sets the maximum verification depth to depth. That is the maximum
8533 number of untrusted CA certificates that can appear in a chain.
8534
8535 Net::SSLeay::X509_VERIFY_PARAM_set_depth($param, $depth);
8536 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8537 # $depth - (integer) depth to be set
8538 #
8539 # returns: no return value
8540
8541 Check openssl doc
8542 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8543
8544 • X509_VERIFY_PARAM_set_hostflags
8545
8546 COMPATIBILITY: not available in Net-SSLeay-1.82 and before;
8547 requires at least OpenSSL 1.0.2-beta2 or LibreSSL 2.7.0
8548
8549 Net::SSLeay::X509_VERIFY_PARAM_set_hostflags($param, $flags);
8550 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8551 # $flags - (unsigned int) flags to be set (bitmask)
8552 #
8553 # returns: no return value
8554
8555 See also OpenSSL docs, "X509_VERIFY_PARAM_add1_host" and
8556 "X509_VERIFY_PARAM_set1_host" for more information. The flags for
8557 controlling wildcard checks and other features are defined in
8558 OpenSSL docs.
8559
8560 Check openssl doc
8561 <https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8562
8563 • X509_VERIFY_PARAM_set_purpose
8564
8565 Sets the verification purpose in $param to $purpose. This
8566 determines the acceptable purpose of the certificate chain, for
8567 example SSL client or SSL server.
8568
8569 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_purpose($param, $purpose);
8570 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8571 # $purpose - (integer) purpose identifier
8572 #
8573 # returns: 1 on success, 0 on failure
8574
8575 For more details about $purpose identifier check "CTX_set_purpose".
8576
8577 Check openssl doc
8578 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8579
8580 • X509_VERIFY_PARAM_set_time
8581
8582 Sets the verification time in $param to $t. Normally the current
8583 time is used.
8584
8585 Net::SSLeay::X509_VERIFY_PARAM_set_time($param, $t);
8586 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8587 # $t - (time_t) time in seconds since 1.1.1970
8588 #
8589 # returns: no return value
8590
8591 Check openssl doc
8592 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8593
8594 • X509_VERIFY_PARAM_set_trust
8595
8596 Sets the trust setting in $param to $trust.
8597
8598 my $rv = Net::SSLeay::X509_VERIFY_PARAM_set_trust($param, $trust);
8599 # $param - value corresponding to openssl's X509_VERIFY_PARAM structure
8600 # $trust - (integer) trust identifier
8601 #
8602 # returns: 1 on success, 0 on failure
8603
8604 For more details about $trust identifier check "CTX_set_trust".
8605
8606 Check openssl doc
8607 <http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html>
8608
8609 • X509_VERIFY_PARAM_table_cleanup
8610
8611 ??? (more info needed)
8612
8613 Net::SSLeay::X509_VERIFY_PARAM_table_cleanup();
8614 #
8615 # returns: no return value
8616
8617 Low level API: Cipher (EVP_CIPHER_*) related functions
8618
8619 • EVP_get_cipherbyname
8620
8621 COMPATIBILITY: not available in Net-SSLeay-1.45 and before
8622
8623 Returns an EVP_CIPHER structure when passed a cipher name.
8624
8625 my $rv = Net::SSLeay::EVP_get_cipherbyname($name);
8626 # $name - (string) cipher name e.g. 'aes-128-cbc', 'camellia-256-ecb', 'des-ede', ...
8627 #
8628 # returns: value corresponding to openssl's EVP_CIPHER structure
8629
8630 Check openssl doc
8631 <http://www.openssl.org/docs/crypto/EVP_EncryptInit.html>
8632
8633 Low level API: Digest (EVP_MD_*) related functions
8634
8635 • OpenSSL_add_all_digests
8636
8637 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8638
8639 Net::SSLeay::OpenSSL_add_all_digests();
8640 # no args, no return value
8641
8642 http://www.openssl.org/docs/crypto/OpenSSL_add_all_algorithms.html
8643
8644 • P_EVP_MD_list_all
8645
8646 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8647 requires at least openssl-1.0.0
8648
8649 NOTE: Does not exactly correspond to any low level API function
8650
8651 my $rv = Net::SSLeay::P_EVP_MD_list_all();
8652 #
8653 # returns: arrayref - list of available digest names
8654
8655 The returned digest names correspond to values expected by
8656 "EVP_get_digestbyname".
8657
8658 Note that some of the digests are available by default and some
8659 only after calling "OpenSSL_add_all_digests".
8660
8661 • EVP_get_digestbyname
8662
8663 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8664
8665 my $rv = Net::SSLeay::EVP_get_digestbyname($name);
8666 # $name - string with digest name
8667 #
8668 # returns: value corresponding to openssl's EVP_MD structure
8669
8670 The $name param can be:
8671
8672 md2
8673 md4
8674 md5
8675 mdc2
8676 ripemd160
8677 sha
8678 sha1
8679 sha224
8680 sha256
8681 sha512
8682 whirlpool
8683
8684 Or better check the supported digests by calling
8685 "P_EVP_MD_list_all".
8686
8687 • EVP_MD_type
8688
8689 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8690
8691 my $rv = Net::SSLeay::EVP_MD_type($md);
8692 # $md - value corresponding to openssl's EVP_MD structure
8693 #
8694 # returns: the NID (integer) of the OBJECT IDENTIFIER representing the given message digest
8695
8696 • EVP_MD_size
8697
8698 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8699
8700 my $rv = Net::SSLeay::EVP_MD_size($md);
8701 # $md - value corresponding to openssl's EVP_MD structure
8702 #
8703 # returns: the size of the message digest in bytes (e.g. 20 for SHA1)
8704
8705 • EVP_MD_CTX_md
8706
8707 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8708 requires at least openssl-0.9.7
8709
8710 Net::SSLeay::EVP_MD_CTX_md($ctx);
8711 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8712 #
8713 # returns: value corresponding to openssl's EVP_MD structure
8714
8715 • EVP_MD_CTX_create
8716
8717 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8718 requires at least openssl-0.9.7
8719
8720 Allocates, initializes and returns a digest context.
8721
8722 my $rv = Net::SSLeay::EVP_MD_CTX_create();
8723 #
8724 # returns: value corresponding to openssl's EVP_MD_CTX structure
8725
8726 The complete idea behind EVP_MD_CTX looks like this example:
8727
8728 Net::SSLeay::OpenSSL_add_all_digests();
8729
8730 my $md = Net::SSLeay::EVP_get_digestbyname("sha1");
8731 my $ctx = Net::SSLeay::EVP_MD_CTX_create();
8732 Net::SSLeay::EVP_DigestInit($ctx, $md);
8733
8734 while(my $chunk = get_piece_of_data()) {
8735 Net::SSLeay::EVP_DigestUpdate($ctx,$chunk);
8736 }
8737
8738 my $result = Net::SSLeay::EVP_DigestFinal($ctx);
8739 Net::SSLeay::EVP_MD_CTX_destroy($ctx);
8740
8741 print "digest=", unpack('H*', $result), "\n"; #print hex value
8742
8743 • EVP_DigestInit_ex
8744
8745 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8746 requires at least openssl-0.9.7
8747
8748 Sets up digest context $ctx to use a digest $type from ENGINE
8749 $impl, $ctx must be initialized before calling this function, type
8750 will typically be supplied by a function such as
8751 "EVP_get_digestbyname". If $impl is 0 then the default
8752 implementation of digest $type is used.
8753
8754 my $rv = Net::SSLeay::EVP_DigestInit_ex($ctx, $type, $impl);
8755 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8756 # $type - value corresponding to openssl's EVP_MD structure
8757 # $impl - value corresponding to openssl's ENGINE structure
8758 #
8759 # returns: 1 for success and 0 for failure
8760
8761 • EVP_DigestInit
8762
8763 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8764 requires at least openssl-0.9.7
8765
8766 Behaves in the same way as "EVP_DigestInit_ex" except the passed
8767 context $ctx does not have to be initialized, and it always uses
8768 the default digest implementation.
8769
8770 my $rv = Net::SSLeay::EVP_DigestInit($ctx, $type);
8771 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8772 # $type - value corresponding to openssl's EVP_MD structure
8773 #
8774 # returns: 1 for success and 0 for failure
8775
8776 • EVP_MD_CTX_destroy
8777
8778 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8779 requires at least openssl-0.9.7
8780
8781 Cleans up digest context $ctx and frees up the space allocated to
8782 it, it should be called only on a context created using
8783 "EVP_MD_CTX_create".
8784
8785 Net::SSLeay::EVP_MD_CTX_destroy($ctx);
8786 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8787 #
8788 # returns: no return value
8789
8790 • EVP_DigestUpdate
8791
8792 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8793 requires at least openssl-0.9.7
8794
8795 my $rv = Net::SSLeay::EVP_DigestUpdate($ctx, $data);
8796 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8797 # $data - data to be hashed
8798 #
8799 # returns: 1 for success and 0 for failure
8800
8801 • EVP_DigestFinal_ex
8802
8803 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8804 requires at least openssl-0.9.7
8805
8806 Retrieves the digest value from $ctx. After calling
8807 "EVP_DigestFinal_ex" no additional calls to "EVP_DigestUpdate" can
8808 be made, but "EVP_DigestInit_ex" can be called to initialize a new
8809 digest operation.
8810
8811 my $digest_value = Net::SSLeay::EVP_DigestFinal_ex($ctx);
8812 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8813 #
8814 # returns: hash value (binary)
8815
8816 #to get printable (hex) value of digest use:
8817 print unpack('H*', $digest_value);
8818
8819 • EVP_DigestFinal
8820
8821 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8822 requires at least openssl-0.9.7
8823
8824 Similar to "EVP_DigestFinal_ex" except the digest context ctx is
8825 automatically cleaned up.
8826
8827 my $rv = Net::SSLeay::EVP_DigestFinal($ctx);
8828 # $ctx - value corresponding to openssl's EVP_MD_CTX structure
8829 #
8830 # returns: hash value (binary)
8831
8832 #to get printable (hex) value of digest use:
8833 print unpack('H*', $digest_value);
8834
8835 • MD2
8836
8837 COMPATIBILITY: no supported by default in openssl-1.0.0
8838
8839 Computes MD2 from given $data (all data needs to be loaded into
8840 memory)
8841
8842 my $digest = Net::SSLeay::MD2($data);
8843 print "digest(hexadecimal)=", unpack('H*', $digest);
8844
8845 • MD4
8846
8847 Computes MD4 from given $data (all data needs to be loaded into
8848 memory)
8849
8850 my $digest = Net::SSLeay::MD4($data);
8851 print "digest(hexadecimal)=", unpack('H*', $digest);
8852
8853 • MD5
8854
8855 Computes MD5 from given $data (all data needs to be loaded into
8856 memory)
8857
8858 my $digest = Net::SSLeay::MD5($data);
8859 print "digest(hexadecimal)=", unpack('H*', $digest);
8860
8861 • RIPEMD160
8862
8863 Computes RIPEMD160 from given $data (all data needs to be loaded
8864 into memory)
8865
8866 my $digest = Net::SSLeay::RIPEMD160($data);
8867 print "digest(hexadecimal)=", unpack('H*', $digest);
8868
8869 • SHA1
8870
8871 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8872
8873 Computes SHA1 from given $data (all data needs to be loaded into
8874 memory)
8875
8876 my $digest = Net::SSLeay::SHA1($data);
8877 print "digest(hexadecimal)=", unpack('H*', $digest);
8878
8879 • SHA256
8880
8881 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8882 requires at least openssl-0.9.8
8883
8884 Computes SHA256 from given $data (all data needs to be loaded into
8885 memory)
8886
8887 my $digest = Net::SSLeay::SHA256($data);
8888 print "digest(hexadecimal)=", unpack('H*', $digest);
8889
8890 • SHA512
8891
8892 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8893 requires at least openssl-0.9.8
8894
8895 Computes SHA512 from given $data (all data needs to be loaded into
8896 memory)
8897
8898 my $digest = Net::SSLeay::SHA512($data);
8899 print "digest(hexadecimal)=", unpack('H*', $digest);
8900
8901 • EVP_Digest
8902
8903 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8904 requires at least openssl-0.9.7
8905
8906 Computes "any" digest from given $data (all data needs to be loaded
8907 into memory)
8908
8909 my $md = Net::SSLeay::EVP_get_digestbyname("sha1"); #or any other algorithm
8910 my $digest = Net::SSLeay::EVP_Digest($data, $md);
8911 print "digest(hexadecimal)=", unpack('H*', $digest);
8912
8913 • EVP_sha1
8914
8915 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8916
8917 my $md = Net::SSLeay::EVP_sha1();
8918 #
8919 # returns: value corresponding to openssl's EVP_MD structure
8920
8921 • EVP_sha256
8922
8923 COMPATIBILITY: requires at least openssl-0.9.8
8924
8925 my $md = Net::SSLeay::EVP_sha256();
8926 #
8927 # returns: value corresponding to openssl's EVP_MD structure
8928
8929 • EVP_sha512
8930
8931 COMPATIBILITY: not available in Net-SSLeay-1.42 and before;
8932 requires at least openssl-0.9.8
8933
8934 my $md = Net::SSLeay::EVP_sha512();
8935 #
8936 # returns: value corresponding to openssl's EVP_MD structure
8937
8938 • EVP_add_digest
8939
8940 my $rv = Net::SSLeay::EVP_add_digest($digest);
8941 # $digest - value corresponding to openssl's EVP_MD structure
8942 #
8943 # returns: 1 on success, 0 otherwise
8944
8945 Low level API: CIPHER_* related functions
8946
8947 • CIPHER_get_name
8948
8949 COMPATIBILITY: not available in Net-SSLeay-1.42 and before
8950
8951 Returns name of the cipher used.
8952
8953 my $rv = Net::SSLeay::CIPHER_get_name($cipher);
8954 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8955 #
8956 # returns: (string) cipher name e.g. 'DHE-RSA-AES256-SHA', '(NONE)' if $cipher is undefined.
8957
8958 Check openssl doc
8959 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html>
8960
8961 Example:
8962
8963 my $ssl_cipher = Net::SSLeay::get_current_cipher($ssl);
8964 my $cipher_name = Net::SSLeay::CIPHER_get_name($ssl_cipher);
8965
8966 • CIPHER_description
8967
8968 COMPATIBILITY: doesn't work correctly in Net-SSLeay-1.88 and before
8969
8970 Returns a textual description of the cipher used.
8971
8972 my $rv = Net::SSLeay::CIPHER_description($cipher);
8973 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8974 #
8975 # returns: (string) cipher description e.g. 'DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'
8976
8977 Check openssl doc
8978 <https://www.openssl.org/docs/ssl/SSL_CIPHER_description.html>
8979
8980 • CIPHER_get_bits
8981
8982 COMPATIBILITY: $alg_bits doesn't work correctly in Net-SSLeay-1.88
8983 and before
8984
8985 Returns the number of secret bits used for cipher.
8986
8987 my $rv = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
8988 # $cipher - value corresponding to openssl's SSL_CIPHER structure
8989 # $alg_bits - [optional] empty scalar for storing additional return value
8990 #
8991 # returns: (integer) number of secret bits, 0 on error
8992 # (integer) in $alg_bits for bits processed by the chosen algorithm
8993
8994 Check openssl doc
8995 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_bits.html>
8996
8997 Example:
8998
8999 # bits and alg_bits are not equal for e.g., TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
9000 # RFC 8422 name TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
9001 my $alg_bits;
9002 my $bits = Net::SSLeay::CIPHER_get_bits($cipher, $alg_bits);
9003 #my $bits = Net::SSLeay::CIPHER_get_bits($cipher);
9004 print "bits: $bits, alg_bits: $alg_bits\n";
9005
9006 • CIPHER_get_version
9007
9008 COMPATIBILITY: not available in Net-SSLeay-1.88 and before
9009
9010 Returns version of SSL/TLS protocol that first defined the cipher
9011
9012 my $rv = Net::SSLeay::CIPHER_get_version($cipher);
9013 # $cipher - value corresponding to openssl's SSL_CIPHER structure
9014 #
9015 # returns: (string) cipher name e.g. 'TLSv1/SSLv3' with some libraries, 'TLSv1.0' or 'TLSv1.3', '(NONE)' if $cipher is undefined.
9016
9017 Check openssl doc
9018 <https://www.openssl.org/docs/ssl/SSL_CIPHER_get_version.html>
9019
9020 Low level API: RSA_* related functions
9021
9022 • RSA_generate_key
9023
9024 Generates a key pair and returns it in a newly allocated RSA
9025 structure. The pseudo-random number generator must be seeded prior
9026 to calling RSA_generate_key.
9027
9028 my $rv = Net::SSLeay::RSA_generate_key($bits, $e, $perl_cb, $perl_cb_arg);
9029 # $bits - (integer) modulus size in bits e.g. 512, 1024, 2048
9030 # $e - (integer) public exponent, an odd number, typically 3, 17 or 65537
9031 # $perl_cb - [optional] reference to perl callback function
9032 # $perl_cb_arg - [optional] data that will be passed to callback function when invoked
9033 #
9034 # returns: value corresponding to openssl's RSA structure (0 on failure)
9035
9036 Check openssl doc
9037 <http://www.openssl.org/docs/crypto/RSA_generate_key.html>
9038
9039 • RSA_free
9040
9041 Frees the RSA structure and its components. The key is erased
9042 before the memory is returned to the system.
9043
9044 Net::SSLeay::RSA_free($r);
9045 # $r - value corresponding to openssl's RSA structure
9046 #
9047 # returns: no return value
9048
9049 Check openssl doc <http://www.openssl.org/docs/crypto/RSA_new.html>
9050
9051 • RSA_get_key_parameters
9052
9053 Returns a list of pointers to BIGNUMs representing the parameters
9054 of the key in this order: (n, e, d, p, q, dmp1, dmq1, iqmp)
9055 Caution: returned list consists of SV pointers to BIGNUMs, which
9056 would need to be blessed as Crypt::OpenSSL::Bignum for further use
9057
9058 my (@params) = RSA_get_key_parameters($r);
9059
9060 Low level API: BIO_* related functions
9061
9062 • BIO_eof
9063
9064 Returns 1 if the BIO has read EOF, the precise meaning of 'EOF'
9065 varies according to the BIO type.
9066
9067 my $rv = Net::SSLeay::BIO_eof($s);
9068 # $s - value corresponding to openssl's BIO structure
9069 #
9070 # returns: 1 if EOF has been reached 0 otherwise
9071
9072 Check openssl doc
9073 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9074
9075 • BIO_f_ssl
9076
9077 Returns the SSL BIO method. This is a filter BIO which is a wrapper
9078 round the OpenSSL SSL routines adding a BIO 'flavour' to SSL I/O.
9079
9080 my $rv = Net::SSLeay::BIO_f_ssl();
9081 #
9082 # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
9083
9084 Check openssl doc
9085 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9086
9087 • BIO_free
9088
9089 Frees up a single BIO.
9090
9091 my $rv = Net::SSLeay::BIO_free($bio;);
9092 # $bio; - value corresponding to openssl's BIO structure
9093 #
9094 # returns: 1 on success, 0 on failure
9095
9096 Check openssl doc <http://www.openssl.org/docs/crypto/BIO_new.html>
9097
9098 • BIO_new
9099
9100 Returns a new BIO using method $type
9101
9102 my $rv = Net::SSLeay::BIO_new($type);
9103 # $type - value corresponding to openssl's BIO_METHOD structure
9104 #
9105 # returns: value corresponding to openssl's BIO structure (0 on failure)
9106
9107 Check openssl doc <http://www.openssl.org/docs/crypto/BIO_new.html>
9108
9109 • BIO_new_buffer_ssl_connect
9110
9111 Creates a new BIO chain consisting of a buffering BIO, an SSL BIO
9112 (using ctx) and a connect BIO.
9113
9114 my $rv = Net::SSLeay::BIO_new_buffer_ssl_connect($ctx);
9115 # $ctx - value corresponding to openssl's SSL_CTX structure
9116 #
9117 # returns: value corresponding to openssl's BIO structure (0 on failure)
9118
9119 Check openssl doc
9120 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9121
9122 • BIO_new_file
9123
9124 Creates a new file BIO with mode $mode the meaning of mode is the
9125 same as the stdio function fopen(). The BIO_CLOSE flag is set on
9126 the returned BIO.
9127
9128 my $rv = Net::SSLeay::BIO_new_file($filename, $mode);
9129 # $filename - (string) filename
9130 # $mode - (string) opening mode (as mode by stdio function fopen)
9131 #
9132 # returns: value corresponding to openssl's BIO structure (0 on failure)
9133
9134 Check openssl doc
9135 <http://www.openssl.org/docs/crypto/BIO_s_file.html>
9136
9137 • BIO_new_ssl
9138
9139 Allocates an SSL BIO using SSL_CTX ctx and using client mode if
9140 client is non zero.
9141
9142 my $rv = Net::SSLeay::BIO_new_ssl($ctx, $client);
9143 # $ctx - value corresponding to openssl's SSL_CTX structure
9144 # $client - (integer) 0 or 1 - indicates ssl client mode
9145 #
9146 # returns: value corresponding to openssl's BIO structure (0 on failure)
9147
9148 Check openssl doc
9149 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9150
9151 • BIO_new_ssl_connect
9152
9153 Creates a new BIO chain consisting of an SSL BIO (using ctx)
9154 followed by a connect BIO.
9155
9156 my $rv = Net::SSLeay::BIO_new_ssl_connect($ctx);
9157 # $ctx - value corresponding to openssl's SSL_CTX structure
9158 #
9159 # returns: value corresponding to openssl's BIO structure (0 on failure)
9160
9161 Check openssl doc
9162 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9163
9164 • BIO_pending
9165
9166 Return the number of pending characters in the BIOs read buffers.
9167
9168 my $rv = Net::SSLeay::BIO_pending($s);
9169 # $s - value corresponding to openssl's BIO structure
9170 #
9171 # returns: the amount of pending data
9172
9173 Check openssl doc
9174 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9175
9176 • BIO_wpending
9177
9178 Return the number of pending characters in the BIOs write buffers.
9179
9180 my $rv = Net::SSLeay::BIO_wpending($s);
9181 # $s - value corresponding to openssl's BIO structure
9182 #
9183 # returns: the amount of pending data
9184
9185 Check openssl doc
9186 <http://www.openssl.org/docs/crypto/BIO_ctrl.html>
9187
9188 • BIO_read
9189
9190 Read the underlying descriptor.
9191
9192 Net::SSLeay::BIO_read($s, $max);
9193 # $s - value corresponding to openssl's BIO structure
9194 # $max - [optional] max. bytes to read (if not specified, the value 32768 is used)
9195 #
9196 # returns: data
9197
9198 Check openssl doc
9199 <http://www.openssl.org/docs/crypto/BIO_read.html>
9200
9201 • BIO_write
9202
9203 Attempts to write data from $buffer to BIO $b.
9204
9205 my $rv = Net::SSLeay::BIO_write($b, $buffer);
9206 # $b - value corresponding to openssl's BIO structure
9207 # $buffer - data
9208 #
9209 # returns: amount of data successfully written
9210 # or that no data was successfully read or written if the result is 0 or -1
9211 # or -2 when the operation is not implemented in the specific BIO type
9212
9213 Check openssl doc
9214 <http://www.openssl.org/docs/crypto/BIO_read.html>
9215
9216 • BIO_s_mem
9217
9218 Return the memory BIO method function.
9219
9220 my $rv = Net::SSLeay::BIO_s_mem();
9221 #
9222 # returns: value corresponding to openssl's BIO_METHOD structure (0 on failure)
9223
9224 Check openssl doc
9225 <http://www.openssl.org/docs/crypto/BIO_s_mem.html>
9226
9227 • BIO_ssl_copy_session_id
9228
9229 Copies an SSL session id between BIO chains from and to. It does
9230 this by locating the SSL BIOs in each chain and calling
9231 SSL_copy_session_id() on the internal SSL pointer.
9232
9233 my $rv = Net::SSLeay::BIO_ssl_copy_session_id($to, $from);
9234 # $to - value corresponding to openssl's BIO structure
9235 # $from - value corresponding to openssl's BIO structure
9236 #
9237 # returns: 1 on success, 0 on failure
9238
9239 Check openssl doc
9240 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9241
9242 • BIO_ssl_shutdown
9243
9244 Closes down an SSL connection on BIO chain bio. It does this by
9245 locating the SSL BIO in the chain and calling SSL_shutdown() on its
9246 internal SSL pointer.
9247
9248 Net::SSLeay::BIO_ssl_shutdown($ssl_bio);
9249 # $ssl_bio - value corresponding to openssl's BIO structure
9250 #
9251 # returns: no return value
9252
9253 Check openssl doc
9254 <http://www.openssl.org/docs/crypto/BIO_f_ssl.html>
9255
9256 Low level API: Server side Server Name Indication (SNI) support
9257
9258 • set_tlsext_host_name
9259
9260 TBA
9261
9262 • get_servername
9263
9264 TBA
9265
9266 • get_servername_type
9267
9268 TBA
9269
9270 • CTX_set_tlsext_servername_callback
9271
9272 COMPATIBILITY: requires at least OpenSSL 0.9.8f
9273
9274 This function is used in a server to support Server side Server
9275 Name Indication (SNI).
9276
9277 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, $code)
9278 # $ctx - SSL context
9279 # $code - reference to a subroutine that will be called when a new connection is being initiated
9280 #
9281 # returns: no return value
9282
9283 On the client side: use set_tlsext_host_name($ssl, $servername)
9284 before initiating the SSL connection.
9285
9286 On the server side: Set up an additional SSL_CTX() for each
9287 different certificate;
9288
9289 Add a servername callback to each SSL_CTX() using
9290 CTX_set_tlsext_servername_callback();
9291
9292 The callback function is required to retrieve the client-supplied
9293 servername with get_servername(ssl). Figure out the right SSL_CTX
9294 to go with that host name, then switch the SSL object to that
9295 SSL_CTX with set_SSL_CTX().
9296
9297 Example:
9298
9299 # set callback
9300 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx,
9301 sub {
9302 my $ssl = shift;
9303 my $h = Net::SSLeay::get_servername($ssl);
9304 Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
9305 } );
9306
9307 More complete example:
9308
9309 # ... initialize Net::SSLeay
9310
9311 my %hostnames = (
9312 'sni1' => { cert=>'sni1.pem', key=>'sni1.key' },
9313 'sni2' => { cert=>'sni2.pem', key=>'sni2.key' },
9314 );
9315
9316 # create a new context for each certificate/key pair
9317 for my $name (keys %hostnames) {
9318 $hostnames{$name}->{ctx} = Net::SSLeay::CTX_new or die;
9319 Net::SSLeay::CTX_set_cipher_list($hostnames{$name}->{ctx}, 'ALL');
9320 Net::SSLeay::set_cert_and_key($hostnames{$name}->{ctx},
9321 $hostnames{$name}->{cert}, $hostnames{$name}->{key}) or die;
9322 }
9323
9324 # create default context
9325 my $ctx = Net::SSLeay::CTX_new or die;
9326 Net::SSLeay::CTX_set_cipher_list($ctx, 'ALL');
9327 Net::SSLeay::set_cert_and_key($ctx, 'cert.pem','key.pem') or die;
9328
9329 # set callback
9330 Net::SSLeay::CTX_set_tlsext_servername_callback($ctx, sub {
9331 my $ssl = shift;
9332 my $h = Net::SSLeay::get_servername($ssl);
9333 Net::SSLeay::set_SSL_CTX($ssl, $hostnames{$h}->{ctx}) if exists $hostnames{$h};
9334 } );
9335
9336 # ... later
9337
9338 $s = Net::SSLeay::new($ctx);
9339 Net::SSLeay::set_fd($s, fileno($accepted_socket));
9340 Net::SSLeay::accept($s);
9341
9342 Low level API: NPN (next protocol negotiation) related functions
9343
9344 NPN is being replaced with ALPN, a more recent TLS extension for
9345 application protocol negotiation that's in process of being adopted by
9346 IETF. Please look below for APLN API description.
9347
9348 Simple approach for using NPN support looks like this:
9349
9350 ### client side
9351 use Net::SSLeay;
9352 use IO::Socket::INET;
9353
9354 Net::SSLeay::initialize();
9355 my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
9356 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9357 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9358 Net::SSLeay::CTX_set_next_proto_select_cb($ctx, ['http1.1','spdy/2']);
9359 my $ssl = Net::SSLeay::new($ctx) or die;
9360 Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
9361 Net::SSLeay::connect($ssl);
9362
9363 warn "client:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl), "\n";
9364 warn "client:last_status=", Net::SSLeay::P_next_proto_last_status($ssl), "\n";
9365
9366 ### server side
9367 use Net::SSLeay;
9368 use IO::Socket::INET;
9369
9370 Net::SSLeay::initialize();
9371 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9372 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9373 Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
9374 Net::SSLeay::CTX_set_next_protos_advertised_cb($ctx, ['spdy/2','http1.1']);
9375 my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
9376
9377 while (1) {
9378 my $ssl = Net::SSLeay::new($ctx);
9379 warn("server:waiting for incoming connection...\n");
9380 my $fd = $sock->accept();
9381 Net::SSLeay::set_fd($ssl, $fd->fileno);
9382 Net::SSLeay::accept($ssl);
9383 warn "server:negotiated=",Net::SSLeay::P_next_proto_negotiated($ssl),"\n";
9384 my $got = Net::SSLeay::read($ssl);
9385 Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
9386 Net::SSLeay::free($ssl);
9387 $fd->close();
9388 }
9389 # check with: openssl s_client -connect localhost:5443 -nextprotoneg http/1.1,spdy/2
9390
9391 Please note that the selection (negotiation) is performed by client
9392 side, the server side simply advertise the list of supported protocols.
9393
9394 Advanced approach allows you to implement your own negotiation
9395 algorithm.
9396
9397 #see below documentation for:
9398 Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
9399 Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
9400
9401 Detection of NPN support (works even in older Net::SSLeay versions):
9402
9403 use Net::SSLeay;
9404
9405 if (exists &Net::SSLeay::P_next_proto_negotiated) {
9406 # do NPN stuff
9407 }
9408
9409 • CTX_set_next_proto_select_cb
9410
9411 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9412 requires at least openssl-1.0.1
9413
9414 NOTE: You need CTX_set_next_proto_select_cb on client side of SSL
9415 connection.
9416
9417 Simple usage - in this case a "common" negotiation algorithm (as
9418 implemented by openssl's function SSL_select_next_proto) is used.
9419
9420 $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $arrayref);
9421 # $ctx - value corresponding to openssl's SSL_CTX structure
9422 # $arrayref - list of accepted protocols - e.g. ['http1.0', 'http1.1']
9423 #
9424 # returns: 0 on success, 1 on failure
9425
9426 Advanced usage (you probably do not need this):
9427
9428 $rv = Net::SSleay::CTX_set_next_proto_select_cb($ctx, $perl_callback_function, $callback_data);
9429 # $ctx - value corresponding to openssl's SSL_CTX structure
9430 # $perl_callback_function - reference to perl function
9431 # $callback_data - [optional] data to passed to callback function when invoked
9432 #
9433 # returns: 0 on success, 1 on failure
9434
9435 # where callback function looks like
9436 sub npn_advertised_cb_invoke {
9437 my ($ssl, $arrayref_proto_list_advertised_by_server, $callback_data) = @_;
9438 my $status;
9439 # ...
9440 $status = 1; #status can be:
9441 # 0 - OPENSSL_NPN_UNSUPPORTED
9442 # 1 - OPENSSL_NPN_NEGOTIATED
9443 # 2 - OPENSSL_NPN_NO_OVERLAP
9444 return $status, ['http1.1','spdy/2']; # the callback has to return 2 values
9445 }
9446
9447 To undefine/clear this callback use:
9448
9449 Net::SSleay::CTX_set_next_proto_select_cb($ctx, undef);
9450
9451 • CTX_set_next_protos_advertised_cb
9452
9453 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9454 requires at least openssl-1.0.1
9455
9456 NOTE: You need CTX_set_next_proto_select_cb on server side of SSL
9457 connection.
9458
9459 Simple usage:
9460
9461 $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $arrayref);
9462 # $ctx - value corresponding to openssl's SSL_CTX structure
9463 # $arrayref - list of advertised protocols - e.g. ['http1.0', 'http1.1']
9464 #
9465 # returns: 0 on success, 1 on failure
9466
9467 Advanced usage (you probably do not need this):
9468
9469 $rv = Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, $perl_callback_function, $callback_data);
9470 # $ctx - value corresponding to openssl's SSL_CTX structure
9471 # $perl_callback_function - reference to perl function
9472 # $callback_data - [optional] data to passed to callback function when invoked
9473 #
9474 # returns: 0 on success, 1 on failure
9475
9476 # where callback function looks like
9477 sub npn_advertised_cb_invoke {
9478 my ($ssl, $callback_data) = @_;
9479 # ...
9480 return ['http1.1','spdy/2']; # the callback has to return arrayref
9481 }
9482
9483 To undefine/clear this callback use:
9484
9485 Net::SSleay::CTX_set_next_protos_advertised_cb($ctx, undef);
9486
9487 • P_next_proto_negotiated
9488
9489 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9490 requires at least openssl-1.0.1
9491
9492 Returns the name of negotiated protocol for given SSL connection
9493 $ssl.
9494
9495 $rv = Net::SSLeay::P_next_proto_negotiated($ssl)
9496 # $ssl - value corresponding to openssl's SSL structure
9497 #
9498 # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
9499
9500 • P_next_proto_last_status
9501
9502 COMPATIBILITY: not available in Net-SSLeay-1.45 and before;
9503 requires at least openssl-1.0.1
9504
9505 Returns the result of the last negotiation for given SSL connection
9506 $ssl.
9507
9508 $rv = Net::SSLeay::P_next_proto_last_status($ssl)
9509 # $ssl - value corresponding to openssl's SSL structure
9510 #
9511 # returns: (integer) negotiation status
9512 # 0 - OPENSSL_NPN_UNSUPPORTED
9513 # 1 - OPENSSL_NPN_NEGOTIATED
9514 # 2 - OPENSSL_NPN_NO_OVERLAP
9515
9516 Low level API: ALPN (application layer protocol negotiation) related
9517 functions
9518
9519 Application protocol can be negotiated via two different mechanisms
9520 employing two different TLS extensions: NPN (obsolete) and ALPN
9521 (recommended).
9522
9523 The API is rather similar, with slight differences reflecting protocol
9524 specifics. In particular, with ALPN the protocol negotiation takes
9525 place on server, while with NPN the client implements the protocol
9526 negotiation logic.
9527
9528 With ALPN, the most basic implementation looks like this:
9529
9530 ### client side
9531 use Net::SSLeay;
9532 use IO::Socket::INET;
9533
9534 Net::SSLeay::initialize();
9535 my $sock = IO::Socket::INET->new(PeerAddr=>'encrypted.google.com:443') or die;
9536 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9537 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9538 Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9539 my $ssl = Net::SSLeay::new($ctx) or die;
9540 Net::SSLeay::set_fd($ssl, fileno($sock)) or die;
9541 Net::SSLeay::connect($ssl);
9542
9543 warn "client:selected=",Net::SSLeay::P_alpn_selected($ssl), "\n";
9544
9545 ### server side
9546 use Net::SSLeay;
9547 use IO::Socket::INET;
9548
9549 Net::SSLeay::initialize();
9550 my $ctx = Net::SSLeay::CTX_tlsv1_new() or die;
9551 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);
9552 Net::SSLeay::set_cert_and_key($ctx, "cert.pem", "key.pem");
9553 Net::SSLeay::CTX_set_alpn_select_cb($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9554 my $sock = IO::Socket::INET->new(LocalAddr=>'localhost', LocalPort=>5443, Proto=>'tcp', Listen=>20) or die;
9555
9556 while (1) {
9557 my $ssl = Net::SSLeay::new($ctx);
9558 warn("server:waiting for incoming connection...\n");
9559 my $fd = $sock->accept();
9560 Net::SSLeay::set_fd($ssl, $fd->fileno);
9561 Net::SSLeay::accept($ssl);
9562 warn "server:selected=",Net::SSLeay::P_alpn_selected($ssl),"\n";
9563 my $got = Net::SSLeay::read($ssl);
9564 Net::SSLeay::ssl_write_all($ssl, "length=".length($got));
9565 Net::SSLeay::free($ssl);
9566 $fd->close();
9567 }
9568 # check with: openssl s_client -connect localhost:5443 -alpn spdy/3,http/1.1
9569
9570 Advanced approach allows you to implement your own negotiation
9571 algorithm.
9572
9573 #see below documentation for:
9574 Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
9575
9576 Detection of ALPN support (works even in older Net::SSLeay versions):
9577
9578 use Net::SSLeay;
9579
9580 if (exists &Net::SSLeay::P_alpn_selected) {
9581 # do ALPN stuff
9582 }
9583
9584 • CTX_set_alpn_select_cb
9585
9586 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9587 requires at least openssl-1.0.2
9588
9589 NOTE: You need CTX_set_alpn_select_cb on server side of TLS
9590 connection.
9591
9592 Simple usage - in this case a "common" negotiation algorithm (as
9593 implemented by openssl's function SSL_select_next_proto) is used.
9594
9595 $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $arrayref);
9596 # $ctx - value corresponding to openssl's SSL_CTX structure
9597 # $arrayref - list of accepted protocols - e.g. ['http/2.0', 'http/1.1', 'spdy/3']
9598 #
9599 # returns: 0 on success, 1 on failure
9600
9601 Advanced usage (you probably do not need this):
9602
9603 $rv = Net::SSleay::CTX_set_alpn_select_cb($ctx, $perl_callback_function, $callback_data);
9604 # $ctx - value corresponding to openssl's SSL_CTX structure
9605 # $perl_callback_function - reference to perl function
9606 # $callback_data - [optional] data to passed to callback function when invoked
9607 #
9608 # returns: 0 on success, 1 on failure
9609
9610 # where callback function looks like
9611 sub alpn_select_cb_invoke {
9612 my ($ssl, $arrayref_proto_list_advertised_by_client, $callback_data) = @_;
9613 # ...
9614 if ($negotiated) {
9615 return 'http/2.0';
9616 } else {
9617 return undef;
9618 }
9619 }
9620
9621 To undefine/clear this callback use:
9622
9623 Net::SSleay::CTX_set_alpn_select_cb($ctx, undef);
9624
9625 • set_alpn_protos
9626
9627 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9628 requires at least openssl-1.0.2
9629
9630 NOTE: You need set_alpn_protos on client side of TLS connection.
9631
9632 This adds list of supported application layer protocols to
9633 ClientHello message sent by a client. It advertises the
9634 enumeration of supported protocols:
9635
9636 Net::SSLeay::set_alpn_protos($ssl, ['http/1.1', 'http/2.0', 'spdy/3]);
9637 # returns 0 on success
9638
9639 • CTX_set_alpn_protos
9640
9641 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9642 requires at least openssl-1.0.2
9643
9644 NOTE: You need CTX_set_alpn_protos on client side of TLS
9645 connection.
9646
9647 This adds list of supported application layer protocols to
9648 ClientHello message sent by a client. It advertises the
9649 enumeration of supported protocols:
9650
9651 Net::SSLeay::CTX_set_alpn_protos($ctx, ['http/1.1', 'http/2.0', 'spdy/3]);
9652 # returns 0 on success
9653
9654 • P_alpn_selected
9655
9656 COMPATIBILITY: not available in Net-SSLeay-1.55 and before;
9657 requires at least openssl-1.0.2
9658
9659 Returns the name of negotiated protocol for given TLS connection
9660 $ssl.
9661
9662 $rv = Net::SSLeay::P_alpn_selected($ssl)
9663 # $ssl - value corresponding to openssl's SSL structure
9664 #
9665 # returns: (string) negotiated protocol name (or undef if no negotiation was done or failed with fatal error)
9666
9667 Low level API: DANE Support
9668
9669 OpenSSL version 1.0.2 adds preliminary support RFC6698 Domain
9670 Authentication of Named Entities (DANE) Transport Layer Association
9671 within OpenSSL
9672
9673 • SSL_get_tlsa_record_byname
9674
9675 COMPATIBILITY: DELETED from net-ssleay, since it is not supported
9676 by OpenSSL
9677
9678 In order to facilitate DANE there is additional interface,
9679 SSL_get_tlsa_record_byname, accepting hostname, port and socket
9680 type that returns packed TLSA record. In order to make it even
9681 easier there is additional SSL_ctrl function that calls
9682 SSL_get_tlsa_record_byname for you. Latter is recommended for
9683 programmers that wish to maintain broader binary compatibility,
9684 e.g. make application work with both 1.0.2 and prior version (in
9685 which case call to SSL_ctrl with new code returning error would
9686 have to be ignored when running with prior version).
9687
9688 Net::SSLeay::get_tlsa_record_byname($name, $port, $type);
9689
9690 Low level API: Other functions
9691
9692 • COMP_add_compression_method
9693
9694 Adds the compression method cm with the identifier id to the list
9695 of available compression methods. This list is globally maintained
9696 for all SSL operations within this application. It cannot be set
9697 for specific SSL_CTX or SSL objects.
9698
9699 my $rv = Net::SSLeay::COMP_add_compression_method($id, $cm);
9700 # $id - (integer) compression method id
9701 # 0 to 63: methods defined by the IETF
9702 # 64 to 192: external party methods assigned by IANA
9703 # 193 to 255: reserved for private use
9704 #
9705 # $cm - value corresponding to openssl's COMP_METHOD structure
9706 #
9707 # returns: 0 on success, 1 on failure (check the error queue to find out the reason)
9708
9709 Check openssl doc
9710 <http://www.openssl.org/docs/ssl/SSL_COMP_add_compression_method.html>
9711
9712 • DH_free
9713
9714 Frees the DH structure and its components. The values are erased
9715 before the memory is returned to the system.
9716
9717 Net::SSLeay::DH_free($dh);
9718 # $dh - value corresponding to openssl's DH structure
9719 #
9720 # returns: no return value
9721
9722 Check openssl doc <http://www.openssl.org/docs/crypto/DH_new.html>
9723
9724 • FIPS_mode_set
9725
9726 Enable or disable FIPS mode in a FIPS capable OpenSSL.
9727
9728 Net::SSLeay:: FIPS_mode_set($enable);
9729 # $enable - (integer) 1 to enable, 0 to disable
9730
9731 Low level API: EC related functions
9732
9733 • CTX_set_tmp_ecdh
9734
9735 TBA
9736
9737 • EC_KEY_free
9738
9739 TBA
9740
9741 • EC_KEY_new_by_curve_name
9742
9743 TBA
9744
9745 • EC_KEY_generate_key
9746
9747 Generates a EC key and returns it in a newly allocated EC_KEY
9748 structure. The EC key then can be used to create a PKEY which can
9749 be used in calls like X509_set_pubkey.
9750
9751 my $key = Net::SSLeay::EVP_PKEY_new();
9752 my $ec = Net::SSLeay::EC_KEY_generate_key($curve);
9753 Net::SSLeay::EVP_PKEY_assign_EC_KEY($key,$ec);
9754
9755 # $curve - curve name like 'secp521r1' or the matching Id (integer) of the curve
9756 #
9757 # returns: value corresponding to openssl's EC_KEY structure (0 on failure)
9758
9759 This function has no equivalent in OpenSSL but combines multiple
9760 OpenSSL functions for an easier interface.
9761
9762 • CTX_set_ecdh_auto, set_ecdh_auto
9763
9764 These functions enable or disable the automatic curve selection on
9765 the server side by calling SSL_CTX_set_ecdh_auto or
9766 SSL_set_ecdh_auto respectively. If enabled the highest preference
9767 curve is automatically used for ECDH temporary keys used during key
9768 exchange. This function is no longer available for OpenSSL 1.1.0
9769 or higher.
9770
9771 Net::SSLeay::CTX_set_ecdh_auto($ctx,1);
9772 Net::SSLeay::set_ecdh_auto($ssl,1);
9773
9774 • CTX_set1_curves_list, set1_curves_list
9775
9776 These functions set the supported curves (in order of preference)
9777 by calling SSL_CTX_set1_curves_list or SSL_set1_curves_list
9778 respectively. For a TLS client these curves are offered to the
9779 server in the supported curves extension while on the server side
9780 these are used to determine the shared curve. These functions are
9781 only available since OpenSSL 1.1.0.
9782
9783 Net::SSLeay::CTX_set1_curves_list($ctx,"P-521:P-384:P-256");
9784 Net::SSLeay::set1_curves_list($ssl,"P-521:P-384:P-256");
9785
9786 • CTX_set1_groups_list, set1_groups_list
9787
9788 These functions set the supported groups (in order of preference)
9789 by calling SSL_CTX_set1_groups_list or SSL_set1_groups_list
9790 respectively. This is practically the same as CTX_set1_curves_list
9791 and set1_curves_list except that all DH groups can be given as
9792 supported by TLS 1.3. These functions are only available since
9793 OpenSSL 1.1.1.
9794
9795 Net::SSLeay::CTX_set1_groups_list($ctx,"P-521:P-384:P-256");
9796 Net::SSLeay::set1_groups_list($ssl,"P-521:P-384:P-256");
9797
9798 Constants
9799 There are many openssl constants available in Net::SSLeay. You can use
9800 them like this:
9801
9802 use Net::SSLeay;
9803 print &Net::SSLeay::NID_commonName;
9804 #or
9805 print Net::SSLeay::NID_commonName();
9806
9807 Or you can import them and use:
9808
9809 use Net::SSLeay qw/NID_commonName/;
9810 print &NID_commonName;
9811 #or
9812 print NID_commonName();
9813 #or
9814 print NID_commonName;
9815
9816 The constants names are derived from openssl constants, however
9817 constants starting with "SSL_" prefix have name with "SSL_" part
9818 stripped - e.g. openssl's constant "SSL_OP_ALL" is available as
9819 "Net::SSleay::OP_ALL"
9820
9821 The list of all available constant names:
9822
9823 ASN1_STRFLGS_ESC_CTRL NID_netscape R_UNKNOWN_REMOTE_ERROR_TYPE
9824 ASN1_STRFLGS_ESC_MSB NID_netscape_base_url R_UNKNOWN_STATE
9825 ASN1_STRFLGS_ESC_QUOTE NID_netscape_ca_policy_url R_X509_LIB
9826 ASN1_STRFLGS_RFC2253 NID_netscape_ca_revocation_url SENT_SHUTDOWN
9827 CB_ACCEPT_EXIT NID_netscape_cert_extension SESSION_ASN1_VERSION
9828 CB_ACCEPT_LOOP NID_netscape_cert_sequence SESS_CACHE_BOTH
9829 CB_ALERT NID_netscape_cert_type SESS_CACHE_CLIENT
9830 CB_CONNECT_EXIT NID_netscape_comment SESS_CACHE_NO_AUTO_CLEAR
9831 CB_CONNECT_LOOP NID_netscape_data_type SESS_CACHE_NO_INTERNAL
9832 CB_EXIT NID_netscape_renewal_url SESS_CACHE_NO_INTERNAL_LOOKUP
9833 CB_HANDSHAKE_DONE NID_netscape_revocation_url SESS_CACHE_NO_INTERNAL_STORE
9834 CB_HANDSHAKE_START NID_netscape_ssl_server_name SESS_CACHE_OFF
9835 CB_LOOP NID_ns_sgc SESS_CACHE_SERVER
9836 CB_READ NID_organizationName SSL3_VERSION
9837 CB_READ_ALERT NID_organizationalUnitName SSLEAY_BUILT_ON
9838 CB_WRITE NID_pbeWithMD2AndDES_CBC SSLEAY_CFLAGS
9839 CB_WRITE_ALERT NID_pbeWithMD2AndRC2_CBC SSLEAY_DIR
9840 ERROR_NONE NID_pbeWithMD5AndCast5_CBC SSLEAY_PLATFORM
9841 ERROR_SSL NID_pbeWithMD5AndDES_CBC SSLEAY_VERSION
9842 ERROR_SYSCALL NID_pbeWithMD5AndRC2_CBC ST_ACCEPT
9843 ERROR_WANT_ACCEPT NID_pbeWithSHA1AndDES_CBC ST_BEFORE
9844 ERROR_WANT_CONNECT NID_pbeWithSHA1AndRC2_CBC ST_CONNECT
9845 ERROR_WANT_READ NID_pbe_WithSHA1And128BitRC2_CBC ST_INIT
9846 ERROR_WANT_WRITE NID_pbe_WithSHA1And128BitRC4 ST_OK
9847 ERROR_WANT_X509_LOOKUP NID_pbe_WithSHA1And2_Key_TripleDES_CBC ST_READ_BODY
9848 ERROR_ZERO_RETURN NID_pbe_WithSHA1And3_Key_TripleDES_CBC ST_READ_HEADER
9849 EVP_PKS_DSA NID_pbe_WithSHA1And40BitRC2_CBC TLS1_1_VERSION
9850 EVP_PKS_EC NID_pbe_WithSHA1And40BitRC4 TLS1_2_VERSION
9851 EVP_PKS_RSA NID_pbes2 TLS1_3_VERSION
9852 EVP_PKT_ENC NID_pbmac1 TLS1_VERSION
9853 EVP_PKT_EXCH NID_pkcs TLSEXT_STATUSTYPE_ocsp
9854 EVP_PKT_EXP NID_pkcs3 VERIFY_CLIENT_ONCE
9855 EVP_PKT_SIGN NID_pkcs7 VERIFY_FAIL_IF_NO_PEER_CERT
9856 EVP_PK_DH NID_pkcs7_data VERIFY_NONE
9857 EVP_PK_DSA NID_pkcs7_digest VERIFY_PEER
9858 EVP_PK_EC NID_pkcs7_encrypted VERIFY_POST_HANDSHAKE
9859 EVP_PK_RSA NID_pkcs7_enveloped V_OCSP_CERTSTATUS_GOOD
9860 FILETYPE_ASN1 NID_pkcs7_signed V_OCSP_CERTSTATUS_REVOKED
9861 FILETYPE_PEM NID_pkcs7_signedAndEnveloped V_OCSP_CERTSTATUS_UNKNOWN
9862 F_CLIENT_CERTIFICATE NID_pkcs8ShroudedKeyBag WRITING
9863 F_CLIENT_HELLO NID_pkcs9 X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
9864 F_CLIENT_MASTER_KEY NID_pkcs9_challengePassword X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
9865 F_D2I_SSL_SESSION NID_pkcs9_contentType X509_CHECK_FLAG_NEVER_CHECK_SUBJECT
9866 F_GET_CLIENT_FINISHED NID_pkcs9_countersignature X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
9867 F_GET_CLIENT_HELLO NID_pkcs9_emailAddress X509_CHECK_FLAG_NO_WILDCARDS
9868 F_GET_CLIENT_MASTER_KEY NID_pkcs9_extCertAttributes X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
9869 F_GET_SERVER_FINISHED NID_pkcs9_messageDigest X509_FILETYPE_ASN1
9870 F_GET_SERVER_HELLO NID_pkcs9_signingTime X509_FILETYPE_DEFAULT
9871 F_GET_SERVER_VERIFY NID_pkcs9_unstructuredAddress X509_FILETYPE_PEM
9872 F_I2D_SSL_SESSION NID_pkcs9_unstructuredName X509_LOOKUP
9873 F_READ_N NID_private_key_usage_period X509_PURPOSE_ANY
9874 F_REQUEST_CERTIFICATE NID_rc2_40_cbc X509_PURPOSE_CRL_SIGN
9875 F_SERVER_HELLO NID_rc2_64_cbc X509_PURPOSE_NS_SSL_SERVER
9876 F_SSL_CERT_NEW NID_rc2_cbc X509_PURPOSE_OCSP_HELPER
9877 F_SSL_GET_NEW_SESSION NID_rc2_cfb64 X509_PURPOSE_SMIME_ENCRYPT
9878 F_SSL_NEW NID_rc2_ecb X509_PURPOSE_SMIME_SIGN
9879 F_SSL_READ NID_rc2_ofb64 X509_PURPOSE_SSL_CLIENT
9880 F_SSL_RSA_PRIVATE_DECRYPT NID_rc4 X509_PURPOSE_SSL_SERVER
9881 F_SSL_RSA_PUBLIC_ENCRYPT NID_rc4_40 X509_PURPOSE_TIMESTAMP_SIGN
9882 F_SSL_SESSION_NEW NID_rc5_cbc X509_TRUST_COMPAT
9883 F_SSL_SESSION_PRINT_FP NID_rc5_cfb64 X509_TRUST_EMAIL
9884 F_SSL_SET_FD NID_rc5_ecb X509_TRUST_OBJECT_SIGN
9885 F_SSL_SET_RFD NID_rc5_ofb64 X509_TRUST_OCSP_REQUEST
9886 F_SSL_SET_WFD NID_ripemd160 X509_TRUST_OCSP_SIGN
9887 F_SSL_USE_CERTIFICATE NID_ripemd160WithRSA X509_TRUST_SSL_CLIENT
9888 F_SSL_USE_CERTIFICATE_ASN1 NID_rle_compression X509_TRUST_SSL_SERVER
9889 F_SSL_USE_CERTIFICATE_FILE NID_rsa X509_TRUST_TSA
9890 F_SSL_USE_PRIVATEKEY NID_rsaEncryption X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
9891 F_SSL_USE_PRIVATEKEY_ASN1 NID_rsadsi X509_V_ERR_AKID_SKID_MISMATCH
9892 F_SSL_USE_PRIVATEKEY_FILE NID_safeContentsBag X509_V_ERR_APPLICATION_VERIFICATION
9893 F_SSL_USE_RSAPRIVATEKEY NID_sdsiCertificate X509_V_ERR_CA_KEY_TOO_SMALL
9894 F_SSL_USE_RSAPRIVATEKEY_ASN1 NID_secretBag X509_V_ERR_CA_MD_TOO_WEAK
9895 F_SSL_USE_RSAPRIVATEKEY_FILE NID_serialNumber X509_V_ERR_CERT_CHAIN_TOO_LONG
9896 F_WRITE_PENDING NID_server_auth X509_V_ERR_CERT_HAS_EXPIRED
9897 GEN_DIRNAME NID_sha X509_V_ERR_CERT_NOT_YET_VALID
9898 GEN_DNS NID_sha1 X509_V_ERR_CERT_REJECTED
9899 GEN_EDIPARTY NID_sha1WithRSA X509_V_ERR_CERT_REVOKED
9900 GEN_EMAIL NID_sha1WithRSAEncryption X509_V_ERR_CERT_SIGNATURE_FAILURE
9901 GEN_IPADD NID_shaWithRSAEncryption X509_V_ERR_CERT_UNTRUSTED
9902 GEN_OTHERNAME NID_stateOrProvinceName X509_V_ERR_CRL_HAS_EXPIRED
9903 GEN_RID NID_subject_alt_name X509_V_ERR_CRL_NOT_YET_VALID
9904 GEN_URI NID_subject_key_identifier X509_V_ERR_CRL_PATH_VALIDATION_ERROR
9905 GEN_X400 NID_surname X509_V_ERR_CRL_SIGNATURE_FAILURE
9906 LIBRESSL_VERSION_NUMBER NID_sxnet X509_V_ERR_DANE_NO_MATCH
9907 MBSTRING_ASC NID_time_stamp X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
9908 MBSTRING_BMP NID_title X509_V_ERR_DIFFERENT_CRL_SCOPE
9909 MBSTRING_FLAG NID_undef X509_V_ERR_EE_KEY_TOO_SMALL
9910 MBSTRING_UNIV NID_uniqueIdentifier X509_V_ERR_EMAIL_MISMATCH
9911 MBSTRING_UTF8 NID_x509Certificate X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
9912 MIN_RSA_MODULUS_LENGTH_IN_BYTES NID_x509Crl X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
9913 MODE_ACCEPT_MOVING_WRITE_BUFFER NID_zlib_compression X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
9914 MODE_AUTO_RETRY NOTHING X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
9915 MODE_ENABLE_PARTIAL_WRITE OCSP_RESPONSE_STATUS_INTERNALERROR X509_V_ERR_EXCLUDED_VIOLATION
9916 MODE_RELEASE_BUFFERS OCSP_RESPONSE_STATUS_MALFORMEDREQUEST X509_V_ERR_HOSTNAME_MISMATCH
9917 NID_OCSP_sign OCSP_RESPONSE_STATUS_SIGREQUIRED X509_V_ERR_INVALID_CA
9918 NID_SMIMECapabilities OCSP_RESPONSE_STATUS_SUCCESSFUL X509_V_ERR_INVALID_CALL
9919 NID_X500 OCSP_RESPONSE_STATUS_TRYLATER X509_V_ERR_INVALID_EXTENSION
9920 NID_X509 OCSP_RESPONSE_STATUS_UNAUTHORIZED X509_V_ERR_INVALID_NON_CA
9921 NID_ad_OCSP OPENSSL_BUILT_ON X509_V_ERR_INVALID_POLICY_EXTENSION
9922 NID_ad_ca_issuers OPENSSL_CFLAGS X509_V_ERR_INVALID_PURPOSE
9923 NID_algorithm OPENSSL_DIR X509_V_ERR_IP_ADDRESS_MISMATCH
9924 NID_authority_key_identifier OPENSSL_ENGINES_DIR X509_V_ERR_KEYUSAGE_NO_CERTSIGN
9925 NID_basic_constraints OPENSSL_PLATFORM X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
9926 NID_bf_cbc OPENSSL_VERSION X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
9927 NID_bf_cfb64 OPENSSL_VERSION_NUMBER X509_V_ERR_NO_EXPLICIT_POLICY
9928 NID_bf_ecb OP_ALL X509_V_ERR_NO_VALID_SCTS
9929 NID_bf_ofb64 OP_ALLOW_NO_DHE_KEX X509_V_ERR_OCSP_CERT_UNKNOWN
9930 NID_cast5_cbc OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION X509_V_ERR_OCSP_VERIFY_FAILED
9931 NID_cast5_cfb64 OP_CIPHER_SERVER_PREFERENCE X509_V_ERR_OCSP_VERIFY_NEEDED
9932 NID_cast5_ecb OP_CISCO_ANYCONNECT X509_V_ERR_OUT_OF_MEM
9933 NID_cast5_ofb64 OP_COOKIE_EXCHANGE X509_V_ERR_PATH_LENGTH_EXCEEDED
9934 NID_certBag OP_CRYPTOPRO_TLSEXT_BUG X509_V_ERR_PATH_LOOP
9935 NID_certificate_policies OP_DONT_INSERT_EMPTY_FRAGMENTS X509_V_ERR_PERMITTED_VIOLATION
9936 NID_client_auth OP_ENABLE_MIDDLEBOX_COMPAT X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
9937 NID_code_sign OP_EPHEMERAL_RSA X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
9938 NID_commonName OP_LEGACY_SERVER_CONNECT X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
9939 NID_countryName OP_MICROSOFT_BIG_SSLV3_BUFFER X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
9940 NID_crlBag OP_MICROSOFT_SESS_ID_BUG X509_V_ERR_STORE_LOOKUP
9941 NID_crl_distribution_points OP_MSIE_SSLV2_RSA_PADDING X509_V_ERR_SUBJECT_ISSUER_MISMATCH
9942 NID_crl_number OP_NETSCAPE_CA_DN_BUG X509_V_ERR_SUBTREE_MINMAX
9943 NID_crl_reason OP_NETSCAPE_CHALLENGE_BUG X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
9944 NID_delta_crl OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_ALGORITHM
9945 NID_des_cbc OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG X509_V_ERR_SUITE_B_INVALID_CURVE
9946 NID_des_cfb64 OP_NON_EXPORT_FIRST X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
9947 NID_des_ecb OP_NO_ANTI_REPLAY X509_V_ERR_SUITE_B_INVALID_VERSION
9948 NID_des_ede OP_NO_CLIENT_RENEGOTIATION X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED
9949 NID_des_ede3 OP_NO_COMPRESSION X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
9950 NID_des_ede3_cbc OP_NO_ENCRYPT_THEN_MAC X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
9951 NID_des_ede3_cfb64 OP_NO_QUERY_MTU X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
9952 NID_des_ede3_ofb64 OP_NO_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL
9953 NID_des_ede_cbc OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
9954 NID_des_ede_cfb64 OP_NO_SSL_MASK X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
9955 NID_des_ede_ofb64 OP_NO_SSLv2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
9956 NID_des_ofb64 OP_NO_SSLv3 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
9957 NID_description OP_NO_TICKET X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
9958 NID_desx_cbc OP_NO_TLSv1 X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
9959 NID_dhKeyAgreement OP_NO_TLSv1_1 X509_V_ERR_UNNESTED_RESOURCE
9960 NID_dnQualifier OP_NO_TLSv1_2 X509_V_ERR_UNSPECIFIED
9961 NID_dsa OP_NO_TLSv1_3 X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
9962 NID_dsaWithSHA OP_PKCS1_CHECK_1 X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
9963 NID_dsaWithSHA1 OP_PKCS1_CHECK_2 X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
9964 NID_dsaWithSHA1_2 OP_PRIORITIZE_CHACHA X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
9965 NID_dsa_2 OP_SAFARI_ECDHE_ECDSA_BUG X509_V_FLAG_ALLOW_PROXY_CERTS
9966 NID_email_protect OP_SINGLE_DH_USE X509_V_FLAG_CB_ISSUER_CHECK
9967 NID_ext_key_usage OP_SINGLE_ECDH_USE X509_V_FLAG_CHECK_SS_SIGNATURE
9968 NID_ext_req OP_SSLEAY_080_CLIENT_DH_BUG X509_V_FLAG_CRL_CHECK
9969 NID_friendlyName OP_SSLREF2_REUSE_CERT_TYPE_BUG X509_V_FLAG_CRL_CHECK_ALL
9970 NID_givenName OP_TLSEXT_PADDING X509_V_FLAG_EXPLICIT_POLICY
9971 NID_hmacWithSHA1 OP_TLS_BLOCK_PADDING_BUG X509_V_FLAG_EXTENDED_CRL_SUPPORT
9972 NID_id_ad OP_TLS_D5_BUG X509_V_FLAG_IGNORE_CRITICAL
9973 NID_id_ce OP_TLS_ROLLBACK_BUG X509_V_FLAG_INHIBIT_ANY
9974 NID_id_kp READING X509_V_FLAG_INHIBIT_MAP
9975 NID_id_pbkdf2 RECEIVED_SHUTDOWN X509_V_FLAG_NOTIFY_POLICY
9976 NID_id_pe RSA_3 X509_V_FLAG_NO_ALT_CHAINS
9977 NID_id_pkix RSA_F4 X509_V_FLAG_NO_CHECK_TIME
9978 NID_id_qt_cps R_BAD_AUTHENTICATION_TYPE X509_V_FLAG_PARTIAL_CHAIN
9979 NID_id_qt_unotice R_BAD_CHECKSUM X509_V_FLAG_POLICY_CHECK
9980 NID_idea_cbc R_BAD_MAC_DECODE X509_V_FLAG_POLICY_MASK
9981 NID_idea_cfb64 R_BAD_RESPONSE_ARGUMENT X509_V_FLAG_SUITEB_128_LOS
9982 NID_idea_ecb R_BAD_SSL_FILETYPE X509_V_FLAG_SUITEB_128_LOS_ONLY
9983 NID_idea_ofb64 R_BAD_SSL_SESSION_ID_LENGTH X509_V_FLAG_SUITEB_192_LOS
9984 NID_info_access R_BAD_STATE X509_V_FLAG_TRUSTED_FIRST
9985 NID_initials R_BAD_WRITE_RETRY X509_V_FLAG_USE_CHECK_TIME
9986 NID_invalidity_date R_CHALLENGE_IS_DIFFERENT X509_V_FLAG_USE_DELTAS
9987 NID_issuer_alt_name R_CIPHER_TABLE_SRC_ERROR X509_V_FLAG_X509_STRICT
9988 NID_keyBag R_INVALID_CHALLENGE_LENGTH X509_V_OK
9989 NID_key_usage R_NO_CERTIFICATE_SET XN_FLAG_COMPAT
9990 NID_localKeyID R_NO_CERTIFICATE_SPECIFIED XN_FLAG_DN_REV
9991 NID_localityName R_NO_CIPHER_LIST XN_FLAG_DUMP_UNKNOWN_FIELDS
9992 NID_md2 R_NO_CIPHER_MATCH XN_FLAG_FN_ALIGN
9993 NID_md2WithRSAEncryption R_NO_PRIVATEKEY XN_FLAG_FN_LN
9994 NID_md5 R_NO_PUBLICKEY XN_FLAG_FN_MASK
9995 NID_md5WithRSA R_NULL_SSL_CTX XN_FLAG_FN_NONE
9996 NID_md5WithRSAEncryption R_PEER_DID_NOT_RETURN_A_CERTIFICATE XN_FLAG_FN_OID
9997 NID_md5_sha1 R_PEER_ERROR XN_FLAG_FN_SN
9998 NID_mdc2 R_PEER_ERROR_CERTIFICATE XN_FLAG_MULTILINE
9999 NID_mdc2WithRSA R_PEER_ERROR_NO_CIPHER XN_FLAG_ONELINE
10000 NID_ms_code_com R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE XN_FLAG_RFC2253
10001 NID_ms_code_ind R_PUBLIC_KEY_ENCRYPT_ERROR XN_FLAG_SEP_COMMA_PLUS
10002 NID_ms_ctl_sign R_PUBLIC_KEY_IS_NOT_RSA XN_FLAG_SEP_CPLUS_SPC
10003 NID_ms_efs R_READ_WRONG_PACKET_TYPE XN_FLAG_SEP_MASK
10004 NID_ms_ext_req R_SHORT_READ XN_FLAG_SEP_MULTILINE
10005 NID_ms_sgc R_SSL_SESSION_ID_IS_DIFFERENT XN_FLAG_SEP_SPLUS_SPC
10006 NID_name R_UNABLE_TO_EXTRACT_PUBLIC_KEY XN_FLAG_SPC_EQ
10007
10008 INTERNAL ONLY functions (do not use these)
10009 The following functions are not intended for use from outside of
10010 Net::SSLeay module. They might be removed, renamed or changed without
10011 prior notice in future version.
10012
10013 Simply DO NOT USE THEM!
10014
10015 • hello
10016
10017 • blength
10018
10019 • constant
10020
10022 One very good example to look at is the implementation of "sslcat()" in
10023 the "SSLeay.pm" file.
10024
10025 The following is a simple SSLeay client (with too little error checking
10026 :-(
10027
10028 #!/usr/bin/perl
10029 use Socket;
10030 use Net::SSLeay qw(die_now die_if_ssl_error) ;
10031 Net::SSLeay::load_error_strings();
10032 Net::SSLeay::SSLeay_add_ssl_algorithms();
10033 Net::SSLeay::randomize();
10034
10035 ($dest_serv, $port, $msg) = @ARGV; # Read command line
10036 $port = getservbyname ($port, 'tcp') unless $port =~ /^\d+$/;
10037 $dest_ip = gethostbyname ($dest_serv);
10038 $dest_serv_params = sockaddr_in($port, $dest_ip);
10039
10040 socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!";
10041 connect (S, $dest_serv_params) or die "connect: $!";
10042 select (S); $| = 1; select (STDOUT); # Eliminate STDIO buffering
10043
10044 # The network connection is now open, lets fire up SSL
10045
10046 $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
10047 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10048 or die_if_ssl_error("ssl ctx set options");
10049 $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
10050 Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno
10051 $res = Net::SSLeay::connect($ssl) and die_if_ssl_error("ssl connect");
10052 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10053
10054 # Exchange data
10055
10056 $res = Net::SSLeay::write($ssl, $msg); # Perl knows how long $msg is
10057 die_if_ssl_error("ssl write");
10058 CORE::shutdown S, 1; # Half close --> No more output, sends EOF to server
10059 $got = Net::SSLeay::read($ssl); # Perl returns undef on failure
10060 die_if_ssl_error("ssl read");
10061 print $got;
10062
10063 Net::SSLeay::free ($ssl); # Tear down connection
10064 Net::SSLeay::CTX_free ($ctx);
10065 close S;
10066
10067 The following is a simple SSLeay echo server (non forking):
10068
10069 #!/usr/bin/perl -w
10070 use Socket;
10071 use Net::SSLeay qw(die_now die_if_ssl_error);
10072 Net::SSLeay::load_error_strings();
10073 Net::SSLeay::SSLeay_add_ssl_algorithms();
10074 Net::SSLeay::randomize();
10075
10076 $our_ip = "\0\0\0\0"; # Bind to all interfaces
10077 $port = 1235;
10078 $sockaddr_template = 'S n a4 x8';
10079 $our_serv_params = pack ($sockaddr_template, &AF_INET, $port, $our_ip);
10080
10081 socket (S, &AF_INET, &SOCK_STREAM, 0) or die "socket: $!";
10082 bind (S, $our_serv_params) or die "bind: $!";
10083 listen (S, 5) or die "listen: $!";
10084 $ctx = Net::SSLeay::CTX_new () or die_now("CTX_new ($ctx): $!");
10085 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10086 or die_if_ssl_error("ssl ctx set options");
10087
10088 # Following will ask password unless private key is not encrypted
10089 Net::SSLeay::CTX_use_RSAPrivateKey_file ($ctx, 'plain-rsa.pem',
10090 &Net::SSLeay::FILETYPE_PEM);
10091 die_if_ssl_error("private key");
10092 Net::SSLeay::CTX_use_certificate_file ($ctx, 'plain-cert.pem',
10093 &Net::SSLeay::FILETYPE_PEM);
10094 die_if_ssl_error("certificate");
10095
10096 while (1) {
10097 print "Accepting connections...\n";
10098 ($addr = accept (NS, S)) or die "accept: $!";
10099 select (NS); $| = 1; select (STDOUT); # Piping hot!
10100
10101 ($af,$client_port,$client_ip) = unpack($sockaddr_template,$addr);
10102 @inetaddr = unpack('C4',$client_ip);
10103 print "$af connection from " .
10104 join ('.', @inetaddr) . ":$client_port\n";
10105
10106 # We now have a network connection, lets fire up SSLeay...
10107
10108 $ssl = Net::SSLeay::new($ctx) or die_now("SSL_new ($ssl): $!");
10109 Net::SSLeay::set_fd($ssl, fileno(NS));
10110
10111 $err = Net::SSLeay::accept($ssl) and die_if_ssl_error('ssl accept');
10112 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10113
10114 # Connected. Exchange some data.
10115
10116 $got = Net::SSLeay::read($ssl); # Returns undef on fail
10117 die_if_ssl_error("ssl read");
10118 print "Got `$got' (" . length ($got) . " chars)\n";
10119
10120 Net::SSLeay::write ($ssl, uc ($got)) or die "write: $!";
10121 die_if_ssl_error("ssl write");
10122
10123 Net::SSLeay::free ($ssl); # Tear down connection
10124 close NS;
10125 }
10126
10127 Yet another echo server. This one runs from "/etc/inetd.conf" so it
10128 avoids all the socket code overhead. Only caveat is opening an rsa key
10129 file - it had better be without any encryption or else it will not know
10130 where to ask for the password. Note how "STDIN" and "STDOUT" are wired
10131 to SSL.
10132
10133 #!/usr/bin/perl
10134 # /etc/inetd.conf
10135 # ssltst stream tcp nowait root /path/to/server.pl server.pl
10136 # /etc/services
10137 # ssltst 1234/tcp
10138
10139 use Net::SSLeay qw(die_now die_if_ssl_error);
10140 Net::SSLeay::load_error_strings();
10141 Net::SSLeay::SSLeay_add_ssl_algorithms();
10142 Net::SSLeay::randomize();
10143
10144 chdir '/key/dir' or die "chdir: $!";
10145 $| = 1; # Piping hot!
10146 open LOG, ">>/dev/console" or die "Can't open log file $!";
10147 select LOG; print "server.pl started\n";
10148
10149 $ctx = Net::SSLeay::CTX_new() or die_now "CTX_new ($ctx) ($!)";
10150 $ssl = Net::SSLeay::new($ctx) or die_now "new ($ssl) ($!)";
10151 Net::SSLeay::set_options($ssl, &Net::SSLeay::OP_ALL)
10152 and die_if_ssl_error("ssl set options");
10153
10154 # We get already open network connection from inetd, now we just
10155 # need to attach SSLeay to STDIN and STDOUT
10156 Net::SSLeay::set_rfd($ssl, fileno(STDIN));
10157 Net::SSLeay::set_wfd($ssl, fileno(STDOUT));
10158
10159 Net::SSLeay::use_RSAPrivateKey_file ($ssl, 'plain-rsa.pem',
10160 Net::SSLeay::FILETYPE_PEM);
10161 die_if_ssl_error("private key");
10162 Net::SSLeay::use_certificate_file ($ssl, 'plain-cert.pem',
10163 Net::SSLeay::FILETYPE_PEM);
10164 die_if_ssl_error("certificate");
10165
10166 Net::SSLeay::accept($ssl) and die_if_ssl_err("ssl accept: $!");
10167 print "Cipher `" . Net::SSLeay::get_cipher($ssl) . "'\n";
10168
10169 $got = Net::SSLeay::read($ssl);
10170 die_if_ssl_error("ssl read");
10171 print "Got `$got' (" . length ($got) . " chars)\n";
10172
10173 Net::SSLeay::write ($ssl, uc($got)) or die "write: $!";
10174 die_if_ssl_error("ssl write");
10175
10176 Net::SSLeay::free ($ssl); # Tear down the connection
10177 Net::SSLeay::CTX_free ($ctx);
10178 close LOG;
10179
10180 There are also a number of example/test programs in the examples
10181 directory:
10182
10183 sslecho.pl - A simple server, not unlike the one above
10184 minicli.pl - Implements a client using low level SSLeay routines
10185 sslcat.pl - Demonstrates using high level sslcat utility function
10186 get_page.pl - Is a utility for getting html pages from secure servers
10187 callback.pl - Demonstrates certificate verification and callback usage
10188 stdio_bulk.pl - Does SSL over Unix pipes
10189 ssl-inetd-serv.pl - SSL server that can be invoked from inetd.conf
10190 httpd-proxy-snif.pl - Utility that allows you to see how a browser
10191 sends https request to given server and what reply
10192 it gets back (very educative :-)
10193 makecert.pl - Creates a self signed cert (does not use this module)
10194
10196 See README and README.* in the distribution directory for installation
10197 guidance on a variety of platforms.
10198
10200 "Net::SSLeay::read()" uses an internal buffer of 32KB, thus no single
10201 read will return more. In practice one read returns much less, usually
10202 as much as fits in one network packet. To work around this, you should
10203 use a loop like this:
10204
10205 $reply = '';
10206 while ($got = Net::SSLeay::read($ssl)) {
10207 last if print_errs('SSL_read');
10208 $reply .= $got;
10209 }
10210
10211 Although there is no built-in limit in "Net::SSLeay::write()", the
10212 network packet size limitation applies here as well, thus use:
10213
10214 $written = 0;
10215
10216 while ($written < length($message)) {
10217 $written += Net::SSLeay::write($ssl, substr($message, $written));
10218 last if print_errs('SSL_write');
10219 }
10220
10221 Or alternatively you can just use the following convenience functions:
10222
10223 Net::SSLeay::ssl_write_all($ssl, $message) or die "ssl write failure";
10224 $got = Net::SSLeay::ssl_read_all($ssl) or die "ssl read failure";
10225
10227 An OpenSSL bug CVE-2015-0290 "OpenSSL Multiblock Corrupted Pointer
10228 Issue" can cause POST requests of over 90kB to fail or crash. This bug
10229 is reported to be fixed in OpenSSL 1.0.2a.
10230
10231 Autoloader emits a
10232
10233 Argument "xxx" isn't numeric in entersub at blib/lib/Net/SSLeay.pm'
10234
10235 warning if die_if_ssl_error is made autoloadable. If you figure out
10236 why, drop me a line.
10237
10238 Callback set using "SSL_set_verify()" does not appear to work. This may
10239 well be an openssl problem (e.g. see "ssl/ssl_lib.c" line 1029). Try
10240 using "SSL_CTX_set_verify()" instead and do not be surprised if even
10241 this stops working in future versions.
10242
10243 Callback and certificate verification stuff is generally too little
10244 tested.
10245
10246 Random numbers are not initialized randomly enough, especially if you
10247 do not have "/dev/random" and/or "/dev/urandom" (such as in Solaris
10248 platforms - but it's been suggested that cryptorand daemon from the
10249 SUNski package solves this). In this case you should investigate third
10250 party software that can emulate these devices, e.g. by way of a named
10251 pipe to some program.
10252
10253 Another gotcha with random number initialization is randomness
10254 depletion. This phenomenon, which has been extensively discussed in
10255 OpenSSL, Apache-SSL, and Apache-mod_ssl forums, can cause your script
10256 to block if you use "/dev/random" or to operate insecurely if you use
10257 "/dev/urandom". What happens is that when too much randomness is drawn
10258 from the operating system's randomness pool then randomness can
10259 temporarily be unavailable. "/dev/random" solves this problem by
10260 waiting until enough randomness can be gathered - and this can take a
10261 long time since blocking reduces activity in the machine and less
10262 activity provides less random events: a vicious circle. "/dev/urandom"
10263 solves this dilemma more pragmatically by simply returning predictable
10264 "random" numbers. Some" /dev/urandom" emulation software however
10265 actually seems to implement "/dev/random" semantics. Caveat emptor.
10266
10267 I've been pointed to two such daemons by Mik Firestone
10268 <mik@@speed.stdio._com> who has used them on Solaris 8:
10269
10270 1. Entropy Gathering Daemon (EGD) at
10271 <http://www.lothar.com/tech/crypto/>
10272
10273 2. Pseudo-random number generating daemon (PRNGD) at
10274 <http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html>
10275
10276 If you are using the low level API functions to communicate with other
10277 SSL implementations, you would do well to call
10278
10279 Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
10280 or die_if_ssl_error("ssl ctx set options");
10281
10282 to cope with some well know bugs in some other SSL implementations. The
10283 high level API functions always set all known compatibility options.
10284
10285 Sometimes "sslcat()" (and the high level HTTPS functions that build on
10286 it) is too fast in signaling the EOF to legacy HTTPS servers. This
10287 causes the server to return empty page. To work around this problem you
10288 can set the global variable
10289
10290 $Net::SSLeay::slowly = 1; # Add sleep so broken servers can keep up
10291
10292 HTTP/1.1 is not supported. Specifically this module does not know to
10293 issue or serve multiple http requests per connection. This is a serious
10294 shortcoming, but using the SSL session cache on your server helps to
10295 alleviate the CPU load somewhat.
10296
10297 As of version 1.09 many newer OpenSSL auxiliary functions were added
10298 (from "REM_AUTOMATICALLY_GENERATED_1_09" onwards in "SSLeay.xs").
10299 Unfortunately I have not had any opportunity to test these. Some of
10300 them are trivial enough that I believe they "just work", but others
10301 have rather complex interfaces with function pointers and all. In these
10302 cases you should proceed wit great caution.
10303
10304 This module defaults to using OpenSSL automatic protocol negotiation
10305 code for automatically detecting the version of the SSL/TLS protocol
10306 that the other end talks. With most web servers this works just fine,
10307 but once in a while I get complaints from people that the module does
10308 not work with some web servers. Usually this can be solved by
10309 explicitly setting the protocol version, e.g.
10310
10311 $Net::SSLeay::ssl_version = 2; # Insist on SSLv2
10312 $Net::SSLeay::ssl_version = 3; # Insist on SSLv3
10313 $Net::SSLeay::ssl_version = 10; # Insist on TLSv1
10314 $Net::SSLeay::ssl_version = 11; # Insist on TLSv1.1
10315 $Net::SSLeay::ssl_version = 12; # Insist on TLSv1.2
10316 $Net::SSLeay::ssl_version = 13; # Insist on TLSv1.3
10317
10318 Although the autonegotiation is nice to have, the SSL standards do not
10319 formally specify any such mechanism. Most of the world has accepted the
10320 SSLeay/OpenSSL way of doing it as the de facto standard. But for the
10321 few that think differently, you have to explicitly speak the correct
10322 version. This is not really a bug, but rather a deficiency in the
10323 standards. If a site refuses to respond or sends back some nonsensical
10324 error codes (at the SSL handshake level), try this option before
10325 mailing me.
10326
10327 On some systems, OpenSSL may be compiled without support for SSLv2. If
10328 this is the case, Net::SSLeay will warn if ssl_version has been set to
10329 2.
10330
10331 The high level API returns the certificate of the peer, thus allowing
10332 one to check what certificate was supplied. However, you will only be
10333 able to check the certificate after the fact, i.e. you already sent
10334 your form data by the time you find out that you did not trust them,
10335 oops.
10336
10337 So, while being able to know the certificate after the fact is surely
10338 useful, the security minded would still choose to do the connection and
10339 certificate verification first and only then exchange data with the
10340 site. Currently none of the high level API functions do this, thus you
10341 would have to program it using the low level API. A good place to start
10342 is to see how the "Net::SSLeay::http_cat()" function is implemented.
10343
10344 The high level API functions use a global file handle "SSLCAT_S"
10345 internally. This really should not be a problem because there is no way
10346 to interleave the high level API functions, unless you use threads (but
10347 threads are not very well supported in perl anyway). However, you may
10348 run into problems if you call undocumented internal functions in an
10349 interleaved fashion. The best solution is to "require Net::SSLeay" in
10350 one thread after all the threads have been created.
10351
10353 Random number generator not seeded!!!
10354 (W) This warning indicates that "randomize()" was not able to read
10355 "/dev/random" or "/dev/urandom", possibly because your system does
10356 not have them or they are differently named. You can still use SSL,
10357 but the encryption will not be as strong.
10358
10359 open_tcp_connection: destination host not found:`server' (port 123)
10360 ($!)
10361 Name lookup for host named "server" failed.
10362
10363 open_tcp_connection: failed `server', 123 ($!)
10364 The name was resolved, but establishing the TCP connection failed.
10365
10366 msg 123: 1 - error:140770F8:SSL routines:SSL23_GET_SERVER_HELLO:unknown
10367 proto
10368 SSLeay error string. The first number (123) is the PID, the second
10369 number (1) indicates the position of the error message in SSLeay
10370 error stack. You often see a pile of these messages as errors
10371 cascade.
10372
10373 msg 123: 1 - error:02001002::lib(2) :func(1) :reason(2)
10374 The same as above, but you didn't call load_error_strings() so
10375 SSLeay couldn't verbosely explain the error. You can still find out
10376 what it means with this command:
10377
10378 /usr/local/ssl/bin/ssleay errstr 02001002
10379
10380 Password is being asked for private key
10381 This is normal behaviour if your private key is encrypted. Either
10382 you have to supply the password or you have to use an unencrypted
10383 private key. Scan OpenSSL.org for the FAQ that explains how to do
10384 this (or just study examples/makecert.pl which is used during "make
10385 test" to do just that).
10386
10388 You can mitigate some of the security vulnerabilities that might be
10389 present in your SSL/TLS application:
10390
10391 BEAST Attack
10392 http://blogs.cisco.com/security/beat-the-beast-with-tls/
10393 https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
10394 http://blog.zoller.lu/2011/09/beast-summary-tls-cbc-countermeasures.html
10395
10396 The BEAST attack relies on a weakness in the way CBC mode is used in
10397 SSL/TLS. In OpenSSL versions 0.9.6d and later, the protocol-level
10398 mitigation is enabled by default, thus making it not vulnerable to the
10399 BEAST attack.
10400
10401 Solutions:
10402
10403 • Compile with OpenSSL versions 0.9.6d or later, which enables
10404 SSL_OP_ALL by default
10405
10406 • Ensure SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not enabled (its not
10407 enabled by default)
10408
10409 • Don't support SSLv2, SSLv3
10410
10411 • Actively control the ciphers your server supports with
10412 set_cipher_list:
10413
10414 Net::SSLeay::set_cipher_list($ssl, 'RC4-SHA:HIGH:!ADH');
10415
10416 Session Resumption
10417 http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
10418
10419 The SSL Labs vulnerability test on your SSL server might report in red:
10420
10421 Session resumption No (IDs assigned but not accepted)
10422
10423 This report is not really bug or a vulnerability, since the server will
10424 not accept session resumption requests. However, you can prevent this
10425 noise in the report by disabling the session cache altogether:
10426 Net::SSLeay::CTX_set_session_cache_mode($ssl_ctx,
10427 Net::SSLeay::SESS_CACHE_OFF()); Use 0 if you don't have SESS_CACHE_OFF
10428 constant.
10429
10430 Secure Renegotiation and DoS Attack
10431 https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
10432
10433 This is not a "security flaw," it is more of a DoS vulnerability.
10434
10435 Solutions:
10436
10437 • Do not support SSLv2
10438
10439 • Do not set the SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option
10440
10441 • Compile with OpenSSL 0.9.8m or later
10442
10444 If you encounter a problem with this module that you believe is a bug,
10445 please create a new issue <https://github.com/radiator-software/p5-net-
10446 ssleay/issues/new> in the Net-SSLeay GitHub repository. Please make
10447 sure your bug report includes the following information:
10448
10449 • the code you are trying to run;
10450
10451 • your operating system name and version;
10452
10453 • the output of "perl -V";
10454
10455 • the version of OpenSSL or LibreSSL you are using.
10456
10458 Originally written by Sampo Kellomäki.
10459
10460 Maintained by Florian Ragwitz between November 2005 and January 2010.
10461
10462 Maintained by Mike McCauley between November 2005 and June 2018.
10463
10464 Maintained by Chris Novakovic, Tuure Vartiainen and Heikki Vatiainen
10465 since June 2018.
10466
10468 Copyright (c) 1996-2003 Sampo Kellomäki <sampo@iki.fi>
10469
10470 Copyright (c) 2005-2010 Florian Ragwitz <rafl@debian.org>
10471
10472 Copyright (c) 2005-2018 Mike McCauley <mikem@airspayce.com>
10473
10474 Copyright (c) 2018- Chris Novakovic <chris@chrisn.me.uk>
10475
10476 Copyright (c) 2018- Tuure Vartiainen <vartiait@radiatorsoftware.com>
10477
10478 Copyright (c) 2018- Heikki Vatiainen <hvn@radiatorsoftware.com>
10479
10480 All rights reserved.
10481
10483 This module is released under the terms of the Artistic License 2.0.
10484 For details, see the "LICENSE" file distributed with Net-SSLeay's
10485 source code.
10486
10488 Net::SSLeay::Handle - File handle interface
10489 ./examples - Example servers and a clients
10490 <http://www.openssl.org/> - OpenSSL source, documentation, etc
10491 openssl-users-request@openssl.org - General OpenSSL mailing list
10492 <http://www.ietf.org/rfc/rfc2246.txt> - TLS 1.0 specification
10493 <http://www.w3c.org> - HTTP specifications
10494 <http://www.ietf.org/rfc/rfc2617.txt> - How to send password
10495 <http://www.lothar.com/tech/crypto/> - Entropy Gathering Daemon (EGD)
10496 <http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html>
10497 - pseudo-random number generating daemon (PRNGD)
10498 perl(1)
10499 perlref(1)
10500 perllol(1)
10501 perldoc ~openssl/doc/ssl/SSL_CTX_set_verify.pod
10502
10503
10504
10505perl v5.34.0 2021-07-22 Net::SSLeay(3)