Add Copyright and license.

Lots of improvements from OpenSSL:
Document SSL_CTX_clear_extra_chain_certs(3).
Correct SSL_CTX_add_extra_chain_cert(3) first argument type.
Add some new information and improve wording.

1 files changed, 84 insertions, 15 deletions

diff --git a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b7ece448113..c279c1dce23 100644
--- a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,25 +1,85 @@
+.\"	$OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.2 2016/11/30 12:55:25 schwarze Exp $
+.\"	OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
 .\"
-.\"	$OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.1 2016/11/05 15:32:19 schwarze Exp $
+.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
+.\" Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2000, 2002, 2013, 2015 The OpenSSL Project.
+.\" All rights reserved.
 .\"
-.Dd $Mdocdate: November 5 2016 $
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 30 2016 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
-.Nm SSL_CTX_add_extra_chain_cert
-.Nd add certificate to chain
+.Nm SSL_CTX_add_extra_chain_cert ,
+.Nm SSL_CTX_clear_extra_chain_certs
+.Nd add or clear extra chain certificates
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft long
-.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 *x509"
+.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
+.Ft long
+.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
 .Sh DESCRIPTION
 .Fn SSL_CTX_add_extra_chain_cert
 adds the certificate
 .Fa x509
-to the certificate chain presented together with the certificate.
-Several certificates can be added one after the other.
-.Sh NOTES
-When constructing the certificate chain, the chain will be formed from
-these certificates explicitly specified.
+to the extra chain certificates associated with
+.Fa ctx .
+Several certificates can be added one after another.
+.Pp
+.Fn SSL_CTX_clear_extra_chain_certs
+clears all extra chain certificates associated with
+.Fa ctx .
+.Pp
+These functions are implemented as macros.
+.Pp
+When sending a certificate chain, extra chain certificates are sent
+in order following the end entity certificate.
+.Pp
 If no chain is specified, the library will try to complete the chain from the
 available CA certificates in the trusted CA storage, see
 .Xr SSL_CTX_load_verify_locations 3 .
@@ -29,17 +89,26 @@ The x509 certificate provided to
 will be freed by the library when the
 .Vt SSL_CTX
 is destroyed.
-An application
-.Em should not
-free the
+An application should not free the
 .Fa x509
 object.
 .Sh RETURN VALUES
 .Fn SSL_CTX_add_extra_chain_cert
-returns 1 on success.
-Check out the error stack to find out the reason for failure otherwise.
+and
+.Fn SSL_CTX_clear_extra_chain_certs
+return 1 on success or 0 for failure.
+Check out the error stack to find out the reason for failure.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
 .Xr SSL_CTX_use_certificate 3
+.Sh CAVEATS
+Only one set of extra chain certificates can be specified per
+.Vt SSL_CTX
+structure.
+Different chains for different certificates (for example if both
+RSA and DSA certificates are specified by the same server) or
+different SSL structures with the same parent
+.Vt SSL_CTX
+cannot be specified using this function.