HEX
Server: nginx/1.28.1
System: Linux 10-41-63-61 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64
User: www (1001)
PHP: 7.4.33
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /usr/local/openssl/man/man3/
Upload Files
File: //usr/local/openssl/man/man3/SSL_CTX_set_client_CA_list.3
.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "SSL_CTX_set_client_CA_list 3"
.TH SSL_CTX_set_client_CA_list 3 2019-12-20 1.0.2u OpenSSL
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA,
SSL_add_client_CA \- set list of CAs sent to the client when requesting a
client certificate
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\& 
\& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
\& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
\& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
\& int SSL_add_client_CA(SSL *ssl, X509 *cacert);
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for \fBctx\fR.
.PP
\&\fBSSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for the chosen \fBssl\fR, overriding the
setting valid for \fBssl\fR's SSL_CTX object.
.PP
\&\fBSSL_CTX_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
\&\fBctx\fR.
.PP
\&\fBSSL_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's SSL_CTX object.
.SH NOTES
.IX Header "NOTES"
When a TLS/SSL server requests a client certificate (see
\&\fBSSL_CTX_set_verify\|(3)\fR), it sends a list of CAs, for which
it will accept certificates, to the client.
.PP
This list must explicitly be set using \fBSSL_CTX_set_client_CA_list()\fR for
\&\fBctx\fR and \fBSSL_set_client_CA_list()\fR for the specific \fBssl\fR. The list
specified overrides the previous setting. The CAs listed do not become
trusted (\fBlist\fR only contains the names, not the complete certificates); use
\&\fBSSL_CTX_load_verify_locations\fR\|(3) 
to additionally load them for verification.
.PP
If the list of acceptable CAs is compiled in a file, the
\&\fBSSL_load_client_CA_file\fR\|(3)
function can be used to help importing the necessary data.
.PP
\&\fBSSL_CTX_add_client_CA()\fR and \fBSSL_add_client_CA()\fR can be used to add additional
items the list of client CAs. If no list was specified before using
\&\fBSSL_CTX_set_client_CA_list()\fR or \fBSSL_set_client_CA_list()\fR, a new client
CA list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
.PP
These functions are only useful for TLS/SSL servers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_client_CA_list()\fR and \fBSSL_set_client_CA_list()\fR do not return
diagnostic information.
.PP
\&\fBSSL_CTX_add_client_CA()\fR and \fBSSL_add_client_CA()\fR have the following return
values:
.IP 0 4
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
the X509_NAME could not be extracted from \fBcacert\fR. Check the error stack
to find out the reason.
.IP 1 4
.IX Item "1"
The operation succeeded.
.SH EXAMPLES
.IX Header "EXAMPLES"
Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
.PP
.Vb 1
\&  SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_load_client_CA_file\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
@ Telegram