+++ /dev/null
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, - manipulate allowed for the peer's certificate chain
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
- long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
-
- long SSL_set_max_cert_list(SSL *ssl, long size);
- long SSL_get_max_cert_list(SSL *ctx);
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's
-certificate chain for all SSL objects created from B<ctx> to be <size> bytes.
-The SSL objects inherit the setting valid for B<ctx> at the time
-L<SSL_new(3)|SSL_new(3)> is being called.
-
-SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>.
-
-SSL_set_max_cert_list() sets the maximum size allowed for the peer's
-certificate chain for B<ssl> to be <size> bytes. This setting stays valid
-until a new value is set.
-
-SSL_get_max_cert_list() returns the currently set maximum size for B<ssl>.
-
-=head1 NOTES
-
-During the handshake process, the peer may send a certificate chain.
-The TLS/SSL standard does not give any maximum size of the certificate chain.
-The OpenSSL library handles incoming data by a dynamically allocated buffer.
-In order to prevent this buffer from growing without bounds due to data
-received from a faulty or malicious peer, a maximum size for the certificate
-chain is set.
-
-The default value for the maximum certificate chain size is 100kB (30kB
-on the 16bit DOS platform). This should be sufficient for usual certificate
-chains (OpenSSL's default maximum chain length is 10, see
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates
-without special extensions have a typical size of 1-2kB).
-
-For special applications it can be necessary to extend the maximum certificate
-chain size allowed to be sent by the peer, see e.g. the work on
-"Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
-and "TLS Delegation Protocol" at http://www.ietf.org/ and
-http://www.globus.org/ .
-
-Under normal conditions it should never be necessary to set a value smaller
-than the default, as the buffer is handled dynamically and only uses the
-memory actually required by the data sent by the peer.
-
-If the maximum certificate chain size allowed is exceeded, the handshake will
-fail with a SSL_R_EXCESSIVE_MESSAGE_SIZE error.
-
-=head1 RETURN VALUES
-
-SSL_CTX_set_max_cert_list() and SSL_set_max_cert_list() return the previously
-set value.
-
-SSL_CTX_get_max_cert_list() and SSL_get_max_cert_list() return the currently
-set value.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
-
-=head1 HISTORY
-
-SSL*_set/get_max_cert_list() have been introduced in OpenSSL 0.9.7.
-
-=cut
projects / bcm963xx.git / blobdiff