OpenBSD manual page server

NAME

SSL_CTX_add_extra_chain_cert, SSL_CTX_get_extra_chain_certs_only, SSL_CTX_get_extra_chain_certs, SSL_CTX_clear_extra_chain_certs — add, retrieve, and clear extra chain certificates

SYNOPSIS

#include <openssl/ssl.h>

long
SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);

long
SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs);

long
SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs);

long
SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);

DESCRIPTION

SSL_CTX_add_extra_chain_cert() adds the certificate x509 to the extra chain certificates associated with ctx. Several certificates can be added one after another.

SSL_CTX_get_extra_chain_certs_only() retrieves an internal pointer to the stack of extra chain certificates associated with ctx, or set *certs to NULL if there are none.

SSL_CTX_get_extra_chain_certs() does the same except that it retrieves an internal pointer to the chain associated with the certificate if there are no extra chain certificates.

SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates associated with ctx.

These functions are implemented as macros.

When sending a certificate chain, extra chain certificates are sent in order following the end entity certificate.

If no chain is specified, the library will try to complete the chain from the available CA certificates in the trusted CA storage, see SSL_CTX_load_verify_locations(3).

The x509 certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the SSL_CTX is destroyed. An application should not free the x509 object, nor the *certs object retrieved by SSL_CTX_get_extra_chain_certs().

RETURN VALUES

These functions return 1 on success or 0 for failure. Check out the error stack to find out the reason for failure.

SEE ALSO

ssl(3), SSL_CTX_add1_chain_cert(3), SSL_CTX_ctrl(3), SSL_CTX_load_verify_locations(3), SSL_CTX_set_client_cert_cb(3), SSL_CTX_use_certificate(3)

HISTORY

SSL_CTX_add_extra_chain_cert() first appeared in SSLeay 0.9.1 and has been available since OpenBSD 2.6.

SSL_CTX_get_extra_chain_certs() and SSL_CTX_clear_extra_chain_certs() first appeared in OpenSSL 1.0.1 and have been available since OpenBSD 5.3.

SSL_CTX_get_extra_chain_certs_only() first appeared in OpenSSL 1.0.2 and has been available since OpenBSD 6.7.

CAVEATS

Certificates added with SSL_CTX_add_extra_chain_cert() are ignored when certificates are also available that have been added using the functions documented in SSL_CTX_set1_chain(3).

Only one set of extra chain certificates can be specified per SSL_CTX structure using SSL_CTX_add_extra_chain_cert(). Different chains for different certificates (for example if both RSA and DSA certificates are specified by the same server) or different SSL structures with the same parent SSL_CTX require using the functions documented in SSL_CTX_set1_chain(3) instead.