You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
77 lines
2.7 KiB
77 lines
2.7 KiB
=pod |
|
|
|
=head1 NAME |
|
|
|
SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate allowed for the peer's certificate chain |
|
|
|
=head1 SYNOPSIS |
|
|
|
#include <openssl/ssl.h> |
|
|
|
long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size); |
|
long SSL_CTX_get_max_cert_list(SSL_CTX *ctx); |
|
|
|
long SSL_set_max_cert_list(SSL *ssl, long size); |
|
long SSL_get_max_cert_list(SSL *ctx); |
|
|
|
=head1 DESCRIPTION |
|
|
|
SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's |
|
certificate chain for all SSL objects created from B<ctx> to be <size> bytes. |
|
The SSL objects inherit the setting valid for B<ctx> at the time |
|
L<SSL_new(3)|SSL_new(3)> is being called. |
|
|
|
SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>. |
|
|
|
SSL_set_max_cert_list() sets the maximum size allowed for the peer's |
|
certificate chain for B<ssl> to be <size> bytes. This setting stays valid |
|
until a new value is set. |
|
|
|
SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>. |
|
|
|
=head1 NOTES |
|
|
|
During the handshake process, the peer may send a certificate chain. |
|
The TLS/SSL standard does not give any maximum size of the certificate chain. |
|
The OpenSSL library handles incoming data by a dynamically allocated buffer. |
|
In order to prevent this buffer from growing without bounds due to data |
|
received from a faulty or malicious peer, a maximum size for the certificate |
|
chain is set. |
|
|
|
The default value for the maximum certificate chain size is 100kB (30kB |
|
on the 16bit DOS platform). This should be sufficient for usual certificate |
|
chains (OpenSSL's default maximum chain length is 10, see |
|
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates |
|
without special extensions have a typical size of 1-2kB). |
|
|
|
For special applications it can be necessary to extend the maximum certificate |
|
chain size allowed to be sent by the peer, see e.g. the work on |
|
"Internet X.509 Public Key Infrastructure Proxy Certificate Profile" |
|
and "TLS Delegation Protocol" at http://www.ietf.org/ and |
|
http://www.globus.org/ . |
|
|
|
Under normal conditions it should never be necessary to set a value smaller |
|
than the default, as the buffer is handled dynamically and only uses the |
|
memory actually required by the data sent by the peer. |
|
|
|
If the maximum certificate chain size allowed is exceeded, the handshake will |
|
fail with a SSL_R_EXCESSIVE_MESSAGE_SIZE error. |
|
|
|
=head1 RETURN VALUES |
|
|
|
SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously |
|
set value. |
|
|
|
SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently |
|
set value. |
|
|
|
=head1 SEE ALSO |
|
|
|
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, |
|
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> |
|
|
|
=head1 HISTORY |
|
|
|
SSL*_set/get_max_cert_list() have been introduced in OpenSSL 0.9.7. |
|
|
|
=cut
|
|
|