From 9f6d13d198bc7918b71e9fbb00281dbfbac0d198 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Thu, 10 Sep 2015 15:47:26 +0000 Subject: document client side certificate verification functionality. ok jsing@ --- lib/libtls/Makefile | 4 +++- lib/libtls/tls_init.3 | 18 ++++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) (limited to 'lib/libtls') diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile index 6b9270b50aa..fa6279dcb11 100644 --- a/lib/libtls/Makefile +++ b/lib/libtls/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.12 2015/09/10 14:19:01 jmc Exp $ +# $OpenBSD: Makefile,v 1.13 2015/09/10 15:47:25 beck Exp $ CFLAGS+= -Wall -Werror -Wimplicit CFLAGS+= -DLIBRESSL_INTERNAL @@ -42,6 +42,8 @@ MLINKS+=tls_init.3 tls_config_clear_keys.3 MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3 MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3 MLINKS+=tls_init.3 tls_config_verify.3 +MLINKS+=tls_init.3 tls_config_verify_client.3 +MLINKS+=tls_init.3 tls_config_verify_client_optional.3 MLINKS+=tls_init.3 tls_load_file.3 MLINKS+=tls_init.3 tls_client.3 MLINKS+=tls_init.3 tls_server.3 diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index 62f52e4331b..01c931bb419 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.33 2015/09/10 14:57:29 beck Exp $ +.\" $OpenBSD: tls_init.3,v 1.34 2015/09/10 15:47:25 beck Exp $ .\" .\" Copyright (c) 2014 Ted Unangst .\" @@ -106,6 +106,10 @@ .Fn tls_config_insecure_noverifyname "struct tls_config *config" .Ft "void" .Fn tls_config_verify "struct tls_config *config" +.Ft "void" +.Fn tls_config_verify_client "struct tls_config *config" +.Ft "void" +.Fn tls_config_verify_client_optional "struct tls_config *config" .Ft "uint8_t *" .Fn tls_load_file "const char *file" "size_t *len" "char *password" .Ft "struct tls *" @@ -322,7 +326,7 @@ clears any secret keys from memory. .Fn tls_config_insecure_noverifycert disables certificate verification. Be extremely careful when using this option. -.Em (Client) +.Em (Client and server) .It .Fn tls_config_insecure_noverifyname disables server name verification. @@ -333,6 +337,16 @@ Be careful when using this option. reenables server name and certificate verification. .Em (Client) .It +.Fn tls_config_verify_client +enables client certificate verification, requiring the client to send +a certificate. +.Em (Server) +.It +.Fn tls_config_verify_client_opional +enables client certificate verification, without requiring the client +to send a certificate. +.Em (Server) +.It .Fn tls_load_file loads a certificate or key from disk into memory to be loaded with .Fn tls_config_set_ca_mem , -- cgit v1.2.3