diff options
| author | Todd Short <tshort@akamai.com> | 2015-12-28 09:13:20 -0500 |
|---|---|---|
| committer | Ben Kaduk <kaduk@mit.edu> | 2018-03-09 10:28:04 -0600 |
| commit | 37933acbeafef6db9a5c5681c1b5174cd91494bc (patch) | |
| tree | 68baa103ddb6b721bca122931479a107e4266273 /include/openssl/sslerr.h | |
| parent | 5936e8884bc6f3b9ff9abf8ebbeb772809882f92 (diff) | |
| download | openssl-new-37933acbeafef6db9a5c5681c1b5174cd91494bc.tar.gz | |
Add SSL/SSL_CTX_use_cert_and_key()
Add functions that will do the work of assigning certificate, privatekey
and chain certs to an SSL or SSL_CTX. If no privatekey is given, use the
publickey. This will permit the keys to pass validation for both ECDSA
and RSA. If a private key has already been set for the certificate, it
is discarded. A real private key can be set later.
This is an all-or-nothing setting of these parameters. Unlike the
SSL/SSL_CTX_use_certificate() and SSL/SSL_CTX_use_PrivateKey() functions,
the existing cert or privatekey is not modified (i.e. parameters copied).
This permits the existing cert/privatekey to be replaced.
It replaces the sequence of:
* SSL_use_certificate()
* SSL_use_privatekey()
* SSL_set1_chain()
And may actually be faster, as multiple checks are consolidated.
The private key can be NULL, if so an ENGINE module needs to contain the
actual private key that is to be used.
Note that ECDH (using the certificate's ECDSA key) ciphers do not work
without the private key being present, based on how the private key is
used in ECDH. ECDH does not offer PFS; ECDHE ciphers should be used instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/1130)
Diffstat (limited to 'include/openssl/sslerr.h')
| -rw-r--r-- | include/openssl/sslerr.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 32fe3662f2..454877df85 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -211,6 +211,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 # define SSL_F_SSL_SET_ALPN_PROTOS 344 # define SSL_F_SSL_SET_CERT 191 +# define SSL_F_SSL_SET_CERT_AND_KEY 621 # define SSL_F_SSL_SET_CIPHER_LIST 271 # define SSL_F_SSL_SET_CT_VALIDATION_CALLBACK 399 # define SSL_F_SSL_SET_FD 192 @@ -566,6 +567,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_MISSING_DSA_SIGNING_CERT 165 # define SSL_R_MISSING_ECDSA_SIGNING_CERT 381 # define SSL_R_MISSING_FATAL 256 +# define SSL_R_MISSING_PARAMETERS 290 # define SSL_R_MISSING_RSA_CERTIFICATE 168 # define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 # define SSL_R_MISSING_RSA_SIGNING_CERT 170 @@ -576,6 +578,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_MISSING_TMP_DH_KEY 171 # define SSL_R_MISSING_TMP_ECDH_KEY 311 # define SSL_R_NOT_ON_RECORD_BOUNDARY 182 +# define SSL_R_NOT_REPLACING_CERTIFICATE 289 # define SSL_R_NOT_SERVER 284 # define SSL_R_NO_APPLICATION_PROTOCOL 235 # define SSL_R_NO_CERTIFICATES_RETURNED 176 @@ -616,6 +619,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_PEM_NAME_TOO_SHORT 392 # define SSL_R_PIPELINE_FAILURE 406 # define SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR 278 +# define SSL_R_PRIVATE_KEY_MISMATCH 288 # define SSL_R_PROTOCOL_IS_SHUTDOWN 207 # define SSL_R_PSK_IDENTITY_NOT_FOUND 223 # define SSL_R_PSK_NO_CLIENT_CB 224 |