diff options
Diffstat (limited to 'doc/ssl/SSL_CTX_set_max_cert_list.pod')
-rw-r--r-- | doc/ssl/SSL_CTX_set_max_cert_list.pod | 77 |
1 files changed, 0 insertions, 77 deletions
diff --git a/doc/ssl/SSL_CTX_set_max_cert_list.pod b/doc/ssl/SSL_CTX_set_max_cert_list.pod deleted file mode 100644 index da68cb9fc240..000000000000 --- a/doc/ssl/SSL_CTX_set_max_cert_list.pod +++ /dev/null @@ -1,77 +0,0 @@ -=pod - -=head1 NAME - -SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate allowed for the peer's certificate chain - -=head1 SYNOPSIS - - #include <openssl/ssl.h> - - long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size); - long SSL_CTX_get_max_cert_list(SSL_CTX *ctx); - - long SSL_set_max_cert_list(SSL *ssl, long size); - long SSL_get_max_cert_list(SSL *ctx); - -=head1 DESCRIPTION - -SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's -certificate chain for all SSL objects created from B<ctx> to be <size> bytes. -The SSL objects inherit the setting valid for B<ctx> at the time -L<SSL_new(3)|SSL_new(3)> is being called. - -SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>. - -SSL_set_max_cert_list() sets the maximum size allowed for the peer's -certificate chain for B<ssl> to be <size> bytes. This setting stays valid -until a new value is set. - -SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>. - -=head1 NOTES - -During the handshake process, the peer may send a certificate chain. -The TLS/SSL standard does not give any maximum size of the certificate chain. -The OpenSSL library handles incoming data by a dynamically allocated buffer. -In order to prevent this buffer from growing without bounds due to data -received from a faulty or malicious peer, a maximum size for the certificate -chain is set. - -The default value for the maximum certificate chain size is 100kB (30kB -on the 16bit DOS platform). This should be sufficient for usual certificate -chains (OpenSSL's default maximum chain length is 10, see -L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates -without special extensions have a typical size of 1-2kB). - -For special applications it can be necessary to extend the maximum certificate -chain size allowed to be sent by the peer, see e.g. the work on -"Internet X.509 Public Key Infrastructure Proxy Certificate Profile" -and "TLS Delegation Protocol" at http://www.ietf.org/ and -http://www.globus.org/ . - -Under normal conditions it should never be necessary to set a value smaller -than the default, as the buffer is handled dynamically and only uses the -memory actually required by the data sent by the peer. - -If the maximum certificate chain size allowed is exceeded, the handshake will -fail with a SSL_R_EXCESSIVE_MESSAGE_SIZE error. - -=head1 RETURN VALUES - -SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously -set value. - -SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently -set value. - -=head1 SEE ALSO - -L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, -L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> - -=head1 HISTORY - -SSL*_set/get_max_cert_list() have been introduced in OpenSSL 0.9.7. - -=cut |