SSL configuration module docs
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Dr. Stephen Henson
parent
43d956fa65
commit
913592d2c5
@ -208,6 +208,34 @@ For example:
|
||||
|
||||
fips_mode = on
|
||||
|
||||
=head2 SSL CONFIGURATION MODULE
|
||||
|
||||
This module has the name B<ssl_conf> which points to a section containing
|
||||
SSL configurations.
|
||||
|
||||
Each line in the SSL configuration section contains the name of the
|
||||
configuration and the section containing it.
|
||||
|
||||
Each configuration section consists of command value pairs for B<SSL_CONF>.
|
||||
Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls
|
||||
SSL_CTX_config() or SSL_config() with the appropriate configuration name.
|
||||
|
||||
Note: any characters before an initial dot in the configuration section are
|
||||
ignored so the same command can be used multiple times.
|
||||
|
||||
For example:
|
||||
|
||||
ssl_conf = ssl_sect
|
||||
|
||||
[ssl_sect]
|
||||
|
||||
server = server_section
|
||||
|
||||
[server_section]
|
||||
|
||||
RSA.Certificate = server-rsa.pem
|
||||
ECDSA.Certificate = server-ecdsa.pem
|
||||
Ciphers = ALL:!RC4
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
|
||||
84
doc/ssl/SSL_CTX_config.pod
Normal file
84
doc/ssl/SSL_CTX_config.pod
Normal file
@ -0,0 +1,84 @@
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure.
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
int SSL_CTX_config(SSL_CTX *ctx, const char *name);
|
||||
int SSL_config(SSL *s, const char *name);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The functions SSL_CTX_config() and SSL_config() configure an B<SSL_CTX> or
|
||||
B<SSL> structure using the configuration B<name>.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
By calling SSL_CTX_config() or SSL_config() an application can perform many
|
||||
complex tasks based on the contents of the configuration file: greatly
|
||||
simplifying application configuration code. A degree of future proofing
|
||||
can also be achieved: an application can support configuration features
|
||||
in newer versions of OpenSSL automatically.
|
||||
|
||||
A configuration file must have been previously loaded, for example using
|
||||
CONF_modules_load_file(). See L<config(3)> for details of the configuration
|
||||
file syntax.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error
|
||||
occurred.
|
||||
|
||||
=head1 EXAMPLE
|
||||
|
||||
If the file "config.cnf" contains the following:
|
||||
|
||||
testapp = test_sect
|
||||
|
||||
[test_sect]
|
||||
# list of confuration modules
|
||||
|
||||
ssl_conf = ssl_sect
|
||||
|
||||
[ssl_sect]
|
||||
|
||||
server = server_section
|
||||
|
||||
[server_section]
|
||||
|
||||
RSA.Certificate = server-rsa.pem
|
||||
ECDSA.Certificate = server-ecdsa.pem
|
||||
Ciphers = ALL:!RC4
|
||||
|
||||
An application could call:
|
||||
|
||||
if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) {
|
||||
fprintf(stderr, "Error processing config file\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
ctx = SSL_CTX_new(TLS_server_method());
|
||||
|
||||
if (SSL_CTX_config(ctx, "server") == 0) {
|
||||
fprintf(stderr, "Error configuring server.\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
In this example two certificates and the cipher list are configured without
|
||||
the need for any additional application code.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<config(3)>,
|
||||
L<SSL_CONF_cmd(3)>,
|
||||
L<CONF_modules_load_file(3)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0
|
||||
|
||||
=cut
|
||||
Loading…
Reference in New Issue
Block a user