authorBob Beck <beck@cvs.openbsd.org>2015-09-10 15:47:26 +0000
committerBob Beck <beck@cvs.openbsd.org>2015-09-10 15:47:26 +0000
commit9f6d13d198bc7918b71e9fbb00281dbfbac0d198 (patch)
tree27c1ba67c205468f3a397afd56eb9b1166f91d90 /lib/libtls
parent2825aaacddf975ed7cafde0352ee35a0f5d9276c (diff)
Document client-side certificate verification functionality.
ok jsing@
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/Makefile4
-rw-r--r--lib/libtls/tls_init.318
2 files changed, 19 insertions, 3 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index 6b9270b50aa..fa6279dcb11 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.12 2015/09/10 14:19:01 jmc Exp $
+# $OpenBSD: Makefile,v 1.13 2015/09/10 15:47:25 beck Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
@@ -42,6 +42,8 @@ MLINKS+=tls_init.3 tls_config_clear_keys.3
MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3
MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3
MLINKS+=tls_init.3 tls_config_verify.3
+MLINKS+=tls_init.3 tls_config_verify_client.3
+MLINKS+=tls_init.3 tls_config_verify_client_optional.3
MLINKS+=tls_init.3 tls_load_file.3
MLINKS+=tls_init.3 tls_client.3
MLINKS+=tls_init.3 tls_server.3
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 62f52e4331b..01c931bb419 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.33 2015/09/10 14:57:29 beck Exp $
+.\" $OpenBSD: tls_init.3,v 1.34 2015/09/10 15:47:25 beck Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -106,6 +106,10 @@
.Fn tls_config_insecure_noverifyname "struct tls_config *config"
.Ft "void"
.Fn tls_config_verify "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_verify_client "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_verify_client_optional "struct tls_config *config"
.Ft "uint8_t *"
.Fn tls_load_file "const char *file" "size_t *len" "char *password"
.Ft "struct tls *"
@@ -322,7 +326,7 @@ clears any secret keys from memory.
.Fn tls_config_insecure_noverifycert
disables certificate verification.
Be extremely careful when using this option.
-.Em (Client)
+.Em (Client and server)
.It
.Fn tls_config_insecure_noverifyname
disables server name verification.
@@ -333,6 +337,16 @@ Be careful when using this option.
reenables server name and certificate verification.
.Em (Client)
.It
+.Fn tls_config_verify_client
+enables client certificate verification, requiring the client to send
+a certificate.
+.Em (Server)
+.It
+.Fn tls_config_verify_client_opional
+enables client certificate verification, without requiring the client
+to send a certificate.
+.Em (Server)
+.It
.Fn tls_load_file
loads a certificate or key from disk into memory to be loaded with
.Fn tls_config_set_ca_mem ,
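Review bot: The `.Fn` name on the second new list entry is misspelled, `tls_config_verify_client_opional`, while the prototype added earlier in this file and the MLINKS entry added in the Makefile both use `tls_config_verify_client_optional`, so the rendered page describes a function that does not exist under that name; the line should read `.Fn tls_config_verify_client_optional`. The optional variant's text also leaves open what happens when a client does present a certificate; if, as the name suggests, a presented certificate is still verified and a bad one still fails the handshake, a sentence saying so would keep callers from reading "optional" as "unchecked". Relatedly, since `tls_config_insecure_noverifycert` is now documented as applying to servers too, it may be worth noting next to `tls_config_verify_client` that enabling it together with that insecure flag demands a certificate without validating it — I am inferring that pairing from the option names rather than from anything shown in this diff.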