Index Index for
Section 3
Index Alphabetical
listing for S
Bottom of page Bottom of
page		 

SSL_CTX_set_client_CA_list(3)


NAME

  SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
  SSL_add_client_CA - Set list of CAs sent to the client when requesting a
  client certificate


SYNOPSIS

  #include <openssl/ssl.h>

  void SSL_CTX_set_client_CA_list(
	  SSL_CTX *ctx, STACK_OF(X509_NAME) *list );

  void SSL_set_client_CA_list(
	  SSL *s, STACK_OF(X509_NAME) *list );

  int SSL_CTX_add_client_CA(
	  SSL_CTX *ctx, X509 *cacert );

  int SSL_add_client_CA(
	  SSL *ssl, X509 *cacert );


DESCRIPTION

  The SSL_CTX_set_client_CA_list() function sets the list of CAs sent to the
  client when requesting a client certificate for ctx.

  The SSL_set_client_CA_list() function sets the list of CAs sent to the
  client when requesting a client certificate for the chosen ssl, overriding
  the setting valid for ssl's SSL_CTX object.

  The SSL_CTX_add_client_CA() function adds the CA name extracted from cacert
  to the list of CAs sent to the client when requesting a client certificate
  for ctx.

  The SSL_add_client_CA() function adds the CA name extracted from cacert to
  the list of CAs sent to the client when requesting a client certificate for
  the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.


NOTES

  When a TLS/SSL server requests a client certificate (see
  SSL_CTX_set_verify_options()), it sends a list of CAs, for which it will
  accept certificates, to the client.

  This list can be explicitly set using the SSL_CTX_set_client_CA_list()
  function for ctx and the SSL_set_client_CA_list() function for the specific
  ssl. The list specified overrides the previous setting. The CAs listed do
  not become trusted (list only contains the names, not the complete
  certificates); use the SSL_CTX_load_verify_locations() function to
  additionally load them for verification.

  If the list of acceptable CAs is compiled in a file, the
  SSL_load_client_CA_file() function can be used to help import the necessary
  data.

  The SSL_CTX_add_client_CA() and SSL_add_client_CA() functions can be used
  to add additional items to the list of client CAs. If no list was specified
  before using SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a
  new client CA list for ctx or ssl (as appropriate) is opened.

  These functions are only useful for TLS/SSL servers.


RETURN VALUES

  The SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() functions do
  not return diagnostic information.

  The SSL_CTX_add_client_CA() and SSL_add_client_CA() functions have the
  following return values:

    ·  1

       The operation succeeded.

    ·  0

       A failure while manipulating the STACK_OF(X509_NAME) object occurred
       or the X509_NAME could not be extracted from cacert. Check the error
       stack to find the reason.


EXAMPLES

  Scan all certificates in CAfile and list them as acceptable CAs:

       SSL_CTX_set_client_CA_list (ctx,SSL_load_client_CA_file(CAfile));


SEE ALSO

  Functions: ssl(3), SSL_get_client_CA_list(3), SSL_load_client_CA_file(3),
  SSL_CTX_load_verify_locations(3)

Index Index for
Section 3
Index Alphabetical
listing for S
Top of page Top of
page