| author | 2016-08-22 14:55:59 +0000 |
|---|---|
| committer | 2016-08-22 14:55:59 +0000 |
| commit | 55272e791e8761e9e22ccec7985f6a67b353362d |
| tree | e99d76979710a452eda038cbee08395145948362 /lib/libtls/tls_init.3 |
| parent | Create contexts for server side SNI - these include the additional SSL_CTX |
| download | wireguard-openbsd-55272e791e8761e9e22ccec7985f6a67b353362d.tar.xz, wireguard-openbsd-55272e791e8761e9e22ccec7985f6a67b353362d.zip |
Provide an API that enables server side SNI support - add the ability to
provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and
allow the server to determine what servername the client requested (via
tls_conn_servername()).
ok beck@
Diffstat (limited to 'lib/libtls/tls_init.3')
-rw-r--r-- | lib/libtls/tls_init.3 | 29 |
1 files changed, 27 insertions, 2 deletions
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index cd984500355..4d7367408be 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.66 2016/08/18 15:43:12 jsing Exp $ +.\" $OpenBSD: tls_init.3,v 1.67 2016/08/22 14:55:59 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 18 2016 $ +.Dd $Mdocdate: August 22 2016 $ .Dt TLS_INIT 3 .Os .Sh NAME @@ -24,6 +24,8 @@ .Nm tls_config_new , .Nm tls_config_free , .Nm tls_config_parse_protocols , +.Nm tls_config_add_keypair_file , +.Nm tls_config_add_keypair_mem , .Nm tls_config_set_alpn , .Nm tls_config_set_ca_file , .Nm tls_config_set_ca_path , @@ -57,6 +59,7 @@ .Nm tls_peer_cert_notafter , .Nm tls_conn_alpn_selected , .Nm tls_conn_cipher , +.Nm tls_conn_servername , .Nm tls_conn_version , .Nm tls_load_file , .Nm tls_client , @@ -90,6 +93,10 @@ .Ft "int" .Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr" .Ft "int" +.Fn tls_config_add_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file" +.Ft "int" +.Fn tls_config_add_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len" +.Ft "int" .Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn" .Ft "int" .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file" @@ -156,6 +163,8 @@ .Ft "const char *" .Fn tls_conn_cipher "struct tls *ctx" .Ft "const char *" +.Fn tls_conn_servername "struct tls *ctx" +.Ft "const char *" .Fn tls_conn_version "struct tls *ctx" .Ft "uint8_t *" .Fn tls_load_file "const char *file" "size_t *len" "char *password" 
@@ -301,6 +310,16 @@ The following functions modify a configuration by setting parameters (the configuration options may only apply to clients, to servers or to both): .Bl -bullet -offset four .It +.Fn tls_config_add_keypair_file +adds an additional public certificate and private key from the specified files, +used as an alternative certificate for Server Name Indication. +.Em (Server) +.It +.Fn tls_config_set_keypair_mem +adds an additional public certificate and private key from memory, +used as an alternative certificate for Server Name Indication. +.Em (Server) +.It .Fn tls_config_set_alpn sets the ALPN protocols that are supported. The alpn string is a comma separated list of protocols, in order of preference. @@ -445,6 +464,12 @@ connected to .Ar ctx . .Em (Server and client) .It +.Fn tls_conn_servername +returns a string corresponding to the servername that the client connected to +.Ar ctx +requested by sending a TLS Server Name Indication extension. +.Em (Server) +.It .Fn tls_conn_version returns a string corresponding to a TLS version negotiated with the peer connected to |
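Review bot: the second new list entry in the @@ -301,6 +310,16 @@ hunk names `.Fn tls_config_set_keypair_mem`, but the function this patch adds to NAME and SYNOPSIS is `tls_config_add_keypair_mem`; the DESCRIPTION entry should read `.Fn tls_config_add_keypair_mem` so the manual page documents a function that actually exists. Both new entries would also benefit from one sentence on how an added keypair is chosen over the primary one, since "used as an alternative certificate for Server Name Indication" tells the reader that the keypair exists for SNI but not when the server selects it.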
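Review bot: the `tls_conn_servername` entry in the @@ -445,6 +464,12 @@ hunk does not say what is returned when the client did not send a Server Name Indication extension; a server that uses the value to pick a keypair or virtual host needs to know whether to expect NULL or an empty string, so the no-SNI return value should be stated explicitly. Because the value comes straight from the peer, a note that callers should treat it as untrusted input (validate it before using it as a lookup key, and never as a path) would also fit here. The sentence "the servername that the client connected to .Ar ctx requested by sending a TLS Server Name Indication extension" reads awkwardly because "connected to ctx" splits subject and verb; "the servername requested, via the TLS Server Name Indication extension, by the client connected to .Ar ctx" is clearer.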