提交 913592d2 编写于 作者: D Dr. Stephen Henson

SSL configuration module docs

Reviewed-by: NRichard Levitte <levitte@openssl.org>
上级 43d956fa
...@@ -208,6 +208,34 @@ For example: ...@@ -208,6 +208,34 @@ For example:
fips_mode = on fips_mode = on
=head2 SSL CONFIGURATION MODULE
This module has the name B<ssl_conf> which points to a section containing
SSL configurations.
Each line in the SSL configuration section contains the name of the
configuration and the section containing it.
Each configuration section consists of command value pairs for B<SSL_CONF>.
Each pair will be passed to a B<SSL_CTX> or B<SSL> structure if it calls
SSL_CTX_config() or SSL_config() with the appropriate configuration name.
Note: any characters before an initial dot in the configuration section are
ignored so the same command can be used multiple times.
For example:
ssl_conf = ssl_sect
[ssl_sect]
server = server_section
[server_section]
RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem
Ciphers = ALL:!RC4
=head1 NOTES =head1 NOTES
......
=pod
=head1 NAME
SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure.
=head1 SYNOPSIS
#include <openssl/ssl.h>
int SSL_CTX_config(SSL_CTX *ctx, const char *name);
int SSL_config(SSL *s, const char *name);
=head1 DESCRIPTION
The functions SSL_CTX_config() and SSL_config() configure an B<SSL_CTX> or
B<SSL> structure using the configuration B<name>.
=head1 NOTES
By calling SSL_CTX_config() or SSL_config() an application can perform many
complex tasks based on the contents of the configuration file: greatly
simplifying application configuration code. A degree of future proofing
can also be achieved: an application can support configuration features
in newer versions of OpenSSL automatically.
A configuration file must have been previously loaded, for example using
CONF_modules_load_file(). See L<config(3)> for details of the configuration
file syntax.
=head1 RETURN VALUES
SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error
occurred.
=head1 EXAMPLE
If the file "config.cnf" contains the following:
testapp = test_sect
[test_sect]
# list of confuration modules
ssl_conf = ssl_sect
[ssl_sect]
server = server_section
[server_section]
RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem
Ciphers = ALL:!RC4
An application could call:
if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) {
fprintf(stderr, "Error processing config file\n");
goto err;
}
ctx = SSL_CTX_new(TLS_server_method());
if (SSL_CTX_config(ctx, "server") == 0) {
fprintf(stderr, "Error configuring server.\n");
goto err;
}
In this example two certificates and the cipher list are configured without
the need for any additional application code.
=head1 SEE ALSO
L<config(3)>,
L<SSL_CONF_cmd(3)>,
L<CONF_modules_load_file(3)>
=head1 HISTORY
SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0
=cut
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册