OpenBSD manual page server

Manual Page Search Parameters

SSL_CTX_ADD1_CHAIN_CERT(3) Library Functions Manual SSL_CTX_ADD1_CHAIN_CERT(3)

SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, SSL_get0_chain_certs, SSL_clear_chain_certsextra chain certificate processing

#include <openssl/ssl.h>

int
SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);

int
SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);

int
SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *cert);

int
SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *cert);

int
SSL_CTX_get0_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **chain);

int
SSL_CTX_clear_chain_certs(SSL_CTX *ctx);

int
SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);

int
SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);

int
SSL_add0_chain_cert(SSL *ssl, X509 *cert);

int
SSL_add1_chain_cert(SSL *ssl, X509 *cert);

int
SSL_get0_chain_certs(SSL *ssl, STACK_OF(X509) **chain);

int
SSL_clear_chain_certs(SSL *ssl);

SSL_CTX_set0_chain() and SSL_CTX_set1_chain() set the certificate chain associated with the current certificate of ctx to chain. The chain is not supposed to include the current certificate itself.

SSL_CTX_add0_chain_cert() and SSL_CTX_add1_chain_cert() append the single certificate cert to the chain associated with the current certificate of ctx.

SSL_CTX_get0_chain_certs() retrieves the chain associated with the current certificate of ctx.

SSL_CTX_clear_chain_certs() clears the existing chain associated with the current certificate of ctx, if any. This is equivalent to calling SSL_CTX_set0_chain() with chain set to NULL.

Each of these functions operates on the current end entity (i.e. server or client) certificate. This is the last certificate loaded or selected on the corresponding ctx structure, for example using SSL_CTX_use_certificate(3).

SSL_set0_chain(), SSL_set1_chain(), SSL_add0_chain_cert(), SSL_add1_chain_cert(), SSL_get0_chain_certs(), and SSL_clear_chain_certs() are similar except that they operate on the ssl connection.

The functions containing a 1 in their name increment the reference count of the supplied certificate or chain, so it must be freed at some point after the operation. Those containing a 0 do not increment reference counts and the supplied certificate or chain must not be freed after the operation.

The chains associated with an SSL_CTX structure are copied to the new SSL structure when SSL_new(3) is called. Existing SSL structures are not affected by any chains subsequently changed in the parent SSL_CTX.

One chain can be set for each key type supported by a server. So, for example, an RSA and a DSA certificate can (and often will) have different chains.

If any certificates are added using these functions, no certificates added using SSL_CTX_add_extra_chain_cert(3) will be used.

These functions return 1 for success or 0 for failure.

ssl(3), SSL_CTX_add_extra_chain_cert(3), SSL_CTX_use_certificate(3)

These functions first appeared in OpenSSL 1.0.2 and have been available since OpenBSD 6.5.

April 5, 2019 OpenBSD-current