From 243583408c033c9f41e8a1b6f07b6b37d4da030c Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 7 Jun 2016 14:33:07 +0100
Subject: Add documentation for the newly added SSL_get_tlsext_status_type() And also for SSL_CTX_get_tlsext_status_type()
Reviewed-by: Rich Salz
---
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 36 ++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-) (limited to 'doc')
diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
index b4033948b5..5c58b23895 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -2,10 +2,15 @@
 =head1 NAME
-SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
-SSL_CTX_set_tlsext_status_type, SSL_set_tlsext_status_type,
-SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp - OCSP
-Certificate Status Request functions
+SSL_CTX_set_tlsext_status_cb,
+SSL_CTX_set_tlsext_status_arg,
+SSL_CTX_set_tlsext_status_type,
+SSL_CTX_get_tlsext_status_type,
+SSL_set_tlsext_status_type,
+SSL_get_tlsext_status_type,
+SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp
+- OCSP Certificate Status Request functions
 =head1 SYNOPSIS
@@ -16,8 +21,10 @@ Certificate Status Request functions
 long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
+ long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);
 long SSL_set_tlsext_status_type(SSL *s, int type);
+ long SSL_get_tlsext_status_type(SSL *s);
 long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
 long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
@@ -30,7 +37,9 @@ SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL objects. Alternatively an application can call the SSL_set_tlsext_status_type() function on an individual SSL object prior to the start of the handshake. Currently the only supported type is B. This value -should be passed in the B argument. +should be passed in the B argument. Calling +SSL_CTX_get_tlsext_status_type() will return the type B +previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set. The client should additionally provide a callback function to decide what to do with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The @@ -40,6 +49,13 @@ previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in the event of a handshake where session resumption occurs (because there are no Certificates exchanged in such a handshake). +On the client side SSL_get_tlsext_status_type() can be used to determine whether +the client has previously called SSL_set_tlsext_status_type(). It will return +B if it has been called or -1 otherwise. On the server +side SSL_get_tlsext_status_type() can be used to determine whether the client +requested OCSP stapling. If the client requested it then this function will +return B, or -1 otherwise. + The response returned by the server can be obtained via a call to SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point to the OCSP response data and the return value will be the length of that data. 
@@ -73,12 +89,20 @@ SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(), SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success. +SSL_CTX_get_tlsext_status_type() returns the value previously set by +SSL_CTX_set_tlsext_status_type(), or -1 if not set. + SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data or -1 if there is no OCSP response data. +SSL_get_tlsext_status_type() returns B on the client +side if SSL_set_tlsext_status_type() was previously called, or on the server +side if the client requested OCSP stapling. Otherwise -1 is returned. + =head1 HISTORY -SSL_CTX_set_tlsext_status_type() was added in OpenSSL 1.1.0. +SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type() and +SSL_CTX_set_tlsext_status_type() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -- cgit v1.2.3