SSL_CTX_set_client_CA_list(3)

NAME

       SSL_CTX_set_client_CA_list,        SSL_set_client_CA_list,
       SSL_CTX_add_client_CA, SSL_add_client_CA - Set list of CAs
       sent to the client when requesting a client certificate

SYNOPSIS

       #include <openssl/ssl.h>

       void SSL_CTX_set_client_CA_list(
               SSL_CTX *ctx, STACK_OF(X509_NAME) *list );
       void SSL_set_client_CA_list(
               SSL *s, STACK_OF(X509_NAME) *list );
       int SSL_CTX_add_client_CA(
               SSL_CTX *ctx, X509 *cacert );
       int SSL_add_client_CA(
               SSL *ssl, X509 *cacert );

DESCRIPTION

       The SSL_CTX_set_client_CA_list() function sets the list of
       CAs sent to the client when requesting a client certificate
       for ctx.

       The SSL_set_client_CA_list() function sets the list of CAs
       sent  to  the  client when requesting a client certificate
       for the chosen ssl, overriding the setting valid for ssl's
       SSL_CTX object.

       The  SSL_CTX_add_client_CA()  function  adds  the  CA name
       extracted from cacert to the  list  of  CAs  sent  to  the
       client when requesting a client certificate for ctx.

       The   SSL_add_client_CA()   function   adds  the  CA  name
       extracted from cacert to the  list  of  CAs  sent  to  the
       client when requesting a client certificate for the chosen
       ssl,  overriding  the  setting  valid  for  ssl's  SSL_CTX
       object.

NOTES

       When  a  TLS/SSL server requests a client certificate (see
       SSL_CTX_set_verify_options()), it sends a list of CAs, for
       which it will accept certificates, to the client.

       This    list    can    be   explicitly   set   using   the
       SSL_CTX_set_client_CA_list()  function  for  ctx  and  the
       SSL_set_client_CA_list()  function  for  the specific ssl.
       The list specified overrides the previous setting. The CAs
       listed  do  not  become  trusted  (list  only contains the
       names,   not   the   complete   certificates);   use   the
       SSL_CTX_load_verify_locations()  function  to additionally
       load them for verification.

       If the list of acceptable CAs is compiled in a  file,  the
       SSL_load_client_CA_file()  function  can  be  used to help
       import the necessary data.

       The SSL_CTX_add_client_CA() and SSL_add_client_CA() functions
       can be used to add additional items to the list of
       client CAs. If no list was specified before using
       SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(),
       a new client CA list for ctx or ssl (as appropriate) is
       opened.

       These functions are only useful for TLS/SSL servers.

RETURN VALUES

       The SSL_CTX_set_client_CA_list() and
       SSL_set_client_CA_list() functions do not return diagnostic
       information.

       The SSL_CTX_add_client_CA() and SSL_add_client_CA() functions
       have the following return values:

       1      The operation succeeded.

       0      A failure while manipulating the
              STACK_OF(X509_NAME) object occurred or the
              X509_NAME could not be extracted from cacert. Check
              the error stack to find the reason.

EXAMPLES

       Scan all certificates in CAfile and list them as acceptable
       CAs:

              SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));

SEE ALSO

       Functions: ssl(3), SSL_get_client_CA_list(3),
       SSL_load_client_CA_file(3), SSL_CTX_load_verify_locations(3)