From: Dr. Stephen Henson Date: Thu, 9 Jul 2015 17:43:30 +0000 (+0100) Subject: SSL configuration module docs X-Git-Tag: OpenSSL_1_1_0-pre2~178 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=913592d2c58571a39540d8e4aeb3ea3b4db6a9f0;ds=sidebyside SSL configuration module docs Reviewed-by: Richard Levitte --- diff --git a/doc/apps/config.pod b/doc/apps/config.pod index 9547bc53bb..474b4787af 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -208,6 +208,34 @@ For example: fips_mode = on +=head2 SSL CONFIGURATION MODULE + +This module has the name B which points to a section containing +SSL configurations. + +Each line in the SSL configuration section contains the name of the +configuration and the section containing it. + +Each configuration section consists of command value pairs for B. +Each pair will be passed to a B or B structure if it calls +SSL_CTX_config() or SSL_config() with the appropriate configuration name. + +Note: any characters before an initial dot in the configuration section are +ignored so the same command can be used multiple times. + +For example: + + ssl_conf = ssl_sect + + [ssl_sect] + + server = server_section + + [server_section] + + RSA.Certificate = server-rsa.pem + ECDSA.Certificate = server-ecdsa.pem + Ciphers = ALL:!RC4 =head1 NOTES diff --git a/doc/ssl/SSL_CTX_config.pod b/doc/ssl/SSL_CTX_config.pod new file mode 100644 index 0000000000..0cf93dd99a --- /dev/null +++ b/doc/ssl/SSL_CTX_config.pod @@ -0,0 +1,84 @@ +=pod + +=head1 NAME + +SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure. + +=head1 SYNOPSIS + + #include + + int SSL_CTX_config(SSL_CTX *ctx, const char *name); + int SSL_config(SSL *s, const char *name); + +=head1 DESCRIPTION + +The functions SSL_CTX_config() and SSL_config() configure an B or +B structure using the configuration B. + +=head1 NOTES + +By calling SSL_CTX_config() or SSL_config() an application can perform many +complex tasks based on the contents of the configuration file: greatly +simplifying application configuration code. A degree of future proofing +can also be achieved: an application can support configuration features +in newer versions of OpenSSL automatically. + +A configuration file must have been previously loaded, for example using +CONF_modules_load_file(). See L for details of the configuration +file syntax. + +=head1 RETURN VALUES + +SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error +occurred. + +=head1 EXAMPLE + +If the file "config.cnf" contains the following: + + testapp = test_sect + + [test_sect] + # list of confuration modules + + ssl_conf = ssl_sect + + [ssl_sect] + + server = server_section + + [server_section] + + RSA.Certificate = server-rsa.pem + ECDSA.Certificate = server-ecdsa.pem + Ciphers = ALL:!RC4 + +An application could call: + + if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) { + fprintf(stderr, "Error processing config file\n"); + goto err; + } + + ctx = SSL_CTX_new(TLS_server_method()); + + if (SSL_CTX_config(ctx, "server") == 0) { + fprintf(stderr, "Error configuring server.\n"); + goto err; + } + +In this example two certificates and the cipher list are configured without +the need for any additional application code. + +=head1 SEE ALSO + +L, +L, +L + +=head1 HISTORY + +SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0 + +=cut