diff options
author | Lutz Jänicke <jaenicke@openssl.org> | 2001-09-11 13:08:51 +0000 |
---|---|---|
committer | Lutz Jänicke <jaenicke@openssl.org> | 2001-09-11 13:08:51 +0000 |
commit | c0f5dd070b7fa701b0d72e909206bffd4b7031dc (patch) | |
tree | 8ef1b563b58c37398ce1ff1707b5e531f654793a /doc | |
parent | 9d7a8d3578af0728855803ef119be6ca2c79b2a5 (diff) | |
download | openssl-c0f5dd070b7fa701b0d72e909206bffd4b7031dc.tar.gz |
Make maximum certifcate chain size accepted from the peer application
settable (proposed by "Douglas E. Engert" <deengert@anl.gov>).
Diffstat (limited to 'doc')
-rw-r--r-- | doc/ssl/SSL_CTX_set_max_cert_list.pod | 77 | ||||
-rw-r--r-- | doc/ssl/ssl.pod | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/doc/ssl/SSL_CTX_set_max_cert_list.pod b/doc/ssl/SSL_CTX_set_max_cert_list.pod new file mode 100644 index 0000000000..da68cb9fc2 --- /dev/null +++ b/doc/ssl/SSL_CTX_set_max_cert_list.pod @@ -0,0 +1,77 @@ +=pod + +=head1 NAME + +SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate allowed for the peer's certificate chain + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size); + long SSL_CTX_get_max_cert_list(SSL_CTX *ctx); + + long SSL_set_max_cert_list(SSL *ssl, long size); + long SSL_get_max_cert_list(SSL *ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's +certificate chain for all SSL objects created from B<ctx> to be <size> bytes. +The SSL objects inherit the setting valid for B<ctx> at the time +L<SSL_new(3)|SSL_new(3)> is being called. + +SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>. + +SSL_set_max_cert_list() sets the maximum size allowed for the peer's +certificate chain for B<ssl> to be <size> bytes. This setting stays valid +until a new value is set. + +SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>. + +=head1 NOTES + +During the handshake process, the peer may send a certificate chain. +The TLS/SSL standard does not give any maximum size of the certificate chain. +The OpenSSL library handles incoming data by a dynamically allocated buffer. +In order to prevent this buffer from growing without bounds due to data +received from a faulty or malicious peer, a maximum size for the certificate +chain is set. + +The default value for the maximum certificate chain size is 100kB (30kB +on the 16bit DOS platform). This should be sufficient for usual certificate +chains (OpenSSL's default maximum chain length is 10, see +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates +without special extensions have a typical size of 1-2kB). + +For special applications it can be necessary to extend the maximum certificate +chain size allowed to be sent by the peer, see e.g. the work on +"Internet X.509 Public Key Infrastructure Proxy Certificate Profile" +and "TLS Delegation Protocol" at http://www.ietf.org/ and +http://www.globus.org/ . + +Under normal conditions it should never be necessary to set a value smaller +than the default, as the buffer is handled dynamically and only uses the +memory actually required by the data sent by the peer. + +If the maximum certificate chain size allowed is exceeded, the handshake will +fail with a SSL_R_EXCESSIVE_MESSAGE_SIZE error. + +=head1 RETURN VALUES + +SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously +set value. + +SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently +set value. + +=head1 SEE ALSO + +L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> + +=head1 HISTORY + +SSL*_set/get_max_cert_list() have been introduced in OpenSSL 0.9.7. + +=cut diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 6845f4f76d..89b321edec 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -669,6 +669,7 @@ L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>, L<SSL_CTX_set_generate_session_id(3)|SSL_CTX_set_generate_session_id(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>, +L<SSL_CTX_set_max_cert_list(3)|SSL_CTX_set_max_cert_list(3)>, L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>, |