Module mesalink::libssl::ssl
Implementations of OpenSSL SSL APIs. Please also refer to the header file at mesalink/openssl/ssl.h.
Synopsis
This sub-module implements the necessary APIs to establish a TLS session. All the APIs are compatible with their OpenSSL counterparts.
Usage
The first step is to create an SSL_CTX object with SSL_CTX_new. Then SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file must be called to set up the certificate and private key if the context is to be used in a TLS server.
When a TCP socket has been created, an SSL object can be created with SSL_new. Afterwards, the socket can be assigned to the SSL object with SSL_set_fd.
Then the TLS handshake is performed using SSL_connect or SSL_accept for a client or a server respectively. SSL_read and SSL_write are used to read and write data on the TLS connection. Finally, SSL_shutdown can be used to shut down the connection.
Structs
An OpenSSL Cipher object
A global context structure which is created by a server or a client once per program. It holds default values for SSL objects which are later created for individual connections.
A dispatch structure describing the internal ssl library methods/functions which implement the various protocol versions such as TLS v1.2.
The main TLS structure which is created by a server or client per established connection.
Functions
SSL_CIPHER_get_bits - return the number of secret bits used for cipher. If alg_bits is not NULL, it contains the number of bits processed by the chosen algorithm. If cipher is NULL, 0 is returned.
SSL_CIPHER_get_name - return a pointer to the name of cipher. If the argument is the NULL pointer, a pointer to the constant value "NONE" is returned.
SSL_CIPHER_get_version - returns a string which indicates the SSL/TLS protocol version that first defined the cipher. This is currently SSLv2 or TLSv1/SSLv3. In some cases it should possibly return "TLSv1.2" but does not; use SSL_CIPHER_description() instead. If cipher is NULL, "(NONE)" is returned.
SSL_CTX_check_private_key - check the consistency of a private key with the corresponding certificate loaded into ctx.
SSL_CTX_free - free an allocated SSL_CTX object.
SSL_CTX_get_session_cache_mode - return the currently used cache mode.
SSL_CTX_load_verify_locations - specifies the locations for ctx at which CA certificates for verification purposes are located. The certificates available via CAfile and CApath are trusted.
SSL_CTX_new - create a new SSL_CTX object as a framework to establish TLS/SSL enabled connections.
SSL_CTX_sess_get_cache_size - return the current session cache size.
SSL_CTX_sess_set_cache_size - set the session cache size.
SSL_CTX_set_session_cache_mode - enable/disable session caching by setting the operational mode for ctx.
SSL_CTX_set_verify - sets the verification flags for ctx to be mode. The verify_callback function is ignored for now.
SSL_CTX_use_PrivateKey - adds pkey as private key to ctx.
SSL_CTX_use_PrivateKey_ASN1 - load the ASN1 encoded private key into ssl_ctx.
SSL_CTX_use_PrivateKey_file - add the first private key found in file to ctx. The formatting type of the private key must be specified from the known types SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.
SSL_CTX_use_certificate - loads the certificate x into ctx. The rest of the certificates needed to form the complete certificate chain can be specified using the SSL_CTX_add_extra_chain_cert function.
SSL_CTX_use_certificate_ASN1 - load the ASN1 encoded certificate into ssl_ctx.
SSL_CTX_use_certificate_chain_file - load a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
SSL_accept - wait for a TLS client to initiate the TLS handshake. The communication channel must already have been set and assigned to the ssl by calling SSL_set_fd.
SSL_check_private_key - check the consistency of a private key with the corresponding certificate loaded into ssl.
SSL_connect - initiate the TLS handshake with a server. The communication channel must already have been set and assigned to the ssl with SSL_set_fd.
SSL_connect0 - initiate the TLS handshake lazily with a server. The communication channel must already have been set and assigned to the ssl with SSL_set_fd. You must call SSL_do_handshake() to explicitly start the handshake.
SSL_do_handshake - perform a TLS/SSL handshake.
SSL_free - free an allocated SSL object.
SSL_get_SSL_CTX - return a pointer to the SSL_CTX object from which ssl was created with SSL_new.
SSL_get_cipher - obtain the name of the currently used cipher.
SSL_get_cipher_bits - obtain the number of secret/algorithm bits used.
SSL_get_cipher_name - obtain the name of the currently used cipher.
SSL_get_cipher_version - returns the protocol name.
SSL_get_current_cipher - returns a pointer to an SSL_CIPHER object containing the description of the actually used cipher of a connection established with the ssl object. See SSL_CIPHER_get_name for more details. Note that this API allocates memory and needs to be properly freed.
SSL_get_early_data_status - returns SSL_EARLY_DATA_ACCEPTED if early data was accepted by the server, SSL_EARLY_DATA_REJECTED if early data was rejected by the server.
SSL_get_error - obtain the result code for a TLS/SSL I/O operation.
SSL_get_fd - return the file descriptor which is linked to ssl.
SSL_get_peer_certificate - get the X509 certificate of the peer.
SSL_get_peer_certificates - get the X509 certificate chain of the peer.
SSL_get_version - get the protocol information of a connection.
SSL_init_logger - turns on debugging output.
SSL_is_server - checks if ssl is working in server mode.
For OpenSSL compatibility only.
SSL_new - create a new SSL structure which is needed to hold the data for a TLS/SSL connection.
SSL_read - read num bytes from the specified ssl into the buffer buf.
SSL_set_SSL_CTX - set the SSL_CTX object of an SSL object.
SSL_set_accept_state - sets ssl to work in server mode.
SSL_set_connect_state - sets ssl to work in client mode.
SSL_set_fd - set the file descriptor fd as the input/output facility for the TLS/SSL (encrypted) side of ssl. fd will typically be the socket file descriptor of a network connection.
SSL_set_tlsext_host_name - set the server name indication ClientHello extension to contain the value name.
SSL_shutdown - shut down a TLS connection.
SSL_use_PrivateKey_ASN1 - load the ASN1 encoded private key into ssl.
SSL_use_certificate_ASN1 - load the ASN1 encoded certificate into ssl.
SSL_write - write num bytes from the buffer buf into the specified ssl connection.
SSL_write_early_data - write num bytes of TLS 1.3 early data from the buffer buf into the specified ssl connection.
Method constructors for unsupported SSL/TLS versions: always return NULL.
General-purpose version-flexible SSL/TLS methods. The supported protocols are TLSv1.2 and TLSv1.3.
Version-specific method APIs. A TLS/SSL connection established with these methods will only understand the TLSv1.2 protocol.
Version-specific method APIs. A TLS/SSL connection established with these methods will only understand the TLSv1.3 protocol.
For OpenSSL compatibility only. Always returns 1.