=pod

=head1 NAME

SSL_CTX_set_tlsext_status_cb,
SSL_CTX_get_tlsext_status_cb,
SSL_CTX_set_tlsext_status_arg,
SSL_CTX_get_tlsext_status_arg,
SSL_CTX_set_tlsext_status_type,
SSL_CTX_get_tlsext_status_type,
SSL_set_tlsext_status_type,
SSL_get_tlsext_status_type,
SSL_get_tlsext_status_ocsp_resp,
SSL_set_tlsext_status_ocsp_resp
- OCSP Certificate Status Request functions

=head1 SYNOPSIS

 #include <openssl/tls1.h>

 long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));
 long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));

 long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 long SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg);

 long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
 long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);

 long SSL_set_tlsext_status_type(SSL *s, int type);
 long SSL_get_tlsext_status_type(SSL *s);

 long SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp);
 long SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int len);

=head1 DESCRIPTION

A client application may request that a server send back an OCSP status response
(also known as OCSP stapling). To do so the client should call the
SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
objects. Alternatively an application can call the SSL_set_tlsext_status_type()
function on an individual SSL object prior to the start of the handshake.
Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
should be passed in the B<type> argument. Calling
SSL_CTX_get_tlsext_status_type() will return the type B<TLSEXT_STATUSTYPE_ocsp>
previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set.

The client should additionally provide a callback function to decide what to do
with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb().
The callback function should determine whether the returned OCSP response is
acceptable or not. OpenSSL does not itself validate the stapled response: the
callback is responsible for parsing it, verifying the responder's signature,
checking that it covers the certificate actually presented by the server, and
checking that it is current. The callback will be passed as an argument the
value previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that
the callback will not be called in the event of a handshake where session
resumption occurs (because there are no Certificates exchanged in such a
handshake). The callback previously set via SSL_CTX_set_tlsext_status_cb() can
be retrieved by calling SSL_CTX_get_tlsext_status_cb(), and the argument by
calling SSL_CTX_get_tlsext_status_arg().

On the client side SSL_get_tlsext_status_type() can be used to determine whether
the client has previously called SSL_set_tlsext_status_type(). It will return
B<TLSEXT_STATUSTYPE_ocsp> if it has been called or -1 otherwise. On the server
side SSL_get_tlsext_status_type() can be used to determine whether the client
requested OCSP stapling. If the client requested it then this function will
return B<TLSEXT_STATUSTYPE_ocsp>, or -1 otherwise.

The response returned by the server can be obtained via a call to
SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
to the OCSP response data and the return value will be the length of that data.
The data is owned by the SSL object and must not be freed or modified by the
caller. Typically a callback would obtain an OCSP_RESPONSE object from this
data via a call to the d2i_OCSP_RESPONSE() function. If the server has not
provided any response data then B<*resp> will be NULL and the return value from
SSL_get_tlsext_status_ocsp_resp() will be -1; the callback is still invoked in
that case and must decide whether a missing response is acceptable.

A server application must also call the SSL_CTX_set_tlsext_status_cb() function
if it wants to be able to provide clients with OCSP Certificate Status
responses. Typically the server callback would obtain the server certificate
that is being sent back to the client via a call to SSL_get_certificate();
obtain the OCSP response to be sent back; and then set that response data by
calling SSL_set_tlsext_status_ocsp_resp().
The response data passed to SSL_set_tlsext_status_ocsp_resp() is the DER
encoded OCSP response: a pointer to it should be provided in the B<resp>
argument, and the length of that data should be in the B<len> argument. The SSL
object takes ownership of the buffer and releases it with OPENSSL_free(), so it
must have been allocated with OPENSSL_malloc() and must not be freed or reused
by the caller; any response previously set on the same SSL object is freed.
Returning B<SSL_TLSEXT_ERR_NOACK> from the server callback simply omits the
status response from the handshake, whereas B<SSL_TLSEXT_ERR_ALERT_FATAL>
aborts it with a fatal alert.

=head1 RETURN VALUES

The callback when used on the client side should return a negative value on
error (the handshake is aborted with an internal error alert); 0 if the
response is not acceptable (in which case the handshake will fail with a
bad_certificate_status_response alert) or a positive value if it is acceptable.

The callback when used on the server side should return with either
SSL_TLSEXT_ERR_OK (meaning that the OCSP response that has been set should be
returned), SSL_TLSEXT_ERR_NOACK (meaning that an OCSP response should not be
returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
occurred).

SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.

SSL_CTX_get_tlsext_status_type() returns the value previously set by
SSL_CTX_set_tlsext_status_type(), or -1 if not set.

SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
or -1 if there is no OCSP response data.

SSL_get_tlsext_status_type() returns B<TLSEXT_STATUSTYPE_ocsp> on the client
side if SSL_set_tlsext_status_type() was previously called, or on the server
side if the client requested OCSP stapling. Otherwise -1 is returned.

=head1 HISTORY

The SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type()
and SSL_CTX_set_tlsext_status_type() functions were added in OpenSSL 1.1.0.

=head1 COPYRIGHT

Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut