OLD | NEW |
1 | 1 |
2 Bundle of old SSLeay documentation files [OBSOLETE!] | 2 Bundle of old SSLeay documentation files [OBSOLETE!] |
3 | 3 |
4 *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** | 4 *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** |
5 | 5 |
6 OBSOLETE means that nothing in this document should be trusted. This | 6 OBSOLETE means that nothing in this document should be trusted. This |
7 document is provided mostly for historical purposes (it wasn't even up | 7 document is provided mostly for historical purposes (it wasn't even up |
8 to date at the time SSLeay 0.8.1 was released) and as inspiration. If | 8 to date at the time SSLeay 0.8.1 was released) and as inspiration. If |
9 you copy some snippet of code from this document, please _check_ that | 9 you copy some snippet of code from this document, please _check_ that |
10 it really is correct from all points of view. For example, you can | 10 it really is correct from all points of view. For example, you can |
11 check with the other documents in this directory tree, or by comparing | 11 check with the other documents in this directory tree, or by comparing |
12 with relevant parts of the include files. | 12 with relevant parts of the include files. |
13 | 13 |
14 People have done the mistake of trusting what's written here. Please | 14 People have done the mistake of trusting what's written here. Please |
15 don't do that. | 15 don't do that. |
16 | 16 |
17 *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** | 17 *** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! *** |
18 | 18 |
19 | 19 |
20 ==== readme ======================================================== | 20 ==== readme ======================================================== |
21 | 21 |
22 This is the old 0.6.6 docuementation. Most of the cipher stuff is still | 22 This is the old 0.6.6 docuementation. Most of the cipher stuff is still |
23 relevent but I'm working (very slowly) on new docuemtation. | 23 relevent but I'm working (very slowly) on new documentation. |
24 The current version can be found online at | 24 The current version can be found online at |
25 | 25 |
26 http://www.cryptsoft.com/ssleay/doc | 26 http://www.cryptsoft.com/ssleay/doc |
27 | 27 |
28 ==== API.doc ======================================================== | 28 ==== API.doc ======================================================== |
29 | 29 |
30 SSL - SSLv2/v3/v23 etc. | 30 SSL - SSLv2/v3/v23 etc. |
31 | 31 |
32 BIO - methods and how they plug together | 32 BIO - methods and how they plug together |
33 | 33 |
(...skipping 507 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
541 Ok, where to begin.... | 541 Ok, where to begin.... |
542 In the begining, when SSLeay was small (April 1995), there | 542 In the begining, when SSLeay was small (April 1995), there |
543 were but few applications, they did happily cohabit in | 543 were but few applications, they did happily cohabit in |
544 the one bin directory. Then over time, they did multiply and grow, | 544 the one bin directory. Then over time, they did multiply and grow, |
545 and they started to look like microsoft software; 500k to print 'hello world'. | 545 and they started to look like microsoft software; 500k to print 'hello world'. |
546 A new approach was needed. They were coalessed into one 'Monolithic' | 546 A new approach was needed. They were coalessed into one 'Monolithic' |
547 application, ssleay. This one program is composed of many programs that | 547 application, ssleay. This one program is composed of many programs that |
548 can all be compiled independantly. | 548 can all be compiled independantly. |
549 | 549 |
550 ssleay has 3 modes of operation. | 550 ssleay has 3 modes of operation. |
551 1) If the ssleay binaray has the name of one of its component programs, it | 551 1) If the ssleay binary has the name of one of its component programs, it |
552 executes that program and then exits. This can be achieve by using hard or | 552 executes that program and then exits. This can be achieved by using hard or |
553 symbolic links, or failing that, just renaming the binary. | 553 symbolic links, or failing that, just renaming the binary. |
554 2) If the first argument to ssleay is the name of one of the component | 554 2) If the first argument to ssleay is the name of one of the component |
555 programs, that program runs that program and then exits. | 555 programs, that program runs that program and then exits. |
556 3) If there are no arguments, ssleay enters a 'command' mode. Each line is | 556 3) If there are no arguments, ssleay enters a 'command' mode. Each line is |
557 interpreted as a program name plus arguments. After each 'program' is run, | 557 interpreted as a program name plus arguments. After each 'program' is run, |
558 ssleay returns to the comand line. | 558 ssleay returns to the comand line. |
559 | 559 |
560 dgst - message digests | 560 dgst - message digests |
561 enc - encryption and base64 encoding | 561 enc - encryption and base64 encoding |
562 | 562 |
(...skipping 615 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1178 - 'Method' is the BIO method. | 1178 - 'Method' is the BIO method. |
1179 - 'callback', when configured, is called before and after | 1179 - 'callback', when configured, is called before and after |
1180 each BIO method is called for that particular BIO. This | 1180 each BIO method is called for that particular BIO. This |
1181 is intended primarily for debugging and of informational feedback. | 1181 is intended primarily for debugging and of informational feedback. |
1182 - 'init' is 0 when the BIO can be used for operation. | 1182 - 'init' is 0 when the BIO can be used for operation. |
1183 Often, after a BIO is created, a number of operations may | 1183 Often, after a BIO is created, a number of operations may |
1184 need to be performed before it is available for use. An | 1184 need to be performed before it is available for use. An |
1185 example is for BIO_s_sock(). A socket needs to be | 1185 example is for BIO_s_sock(). A socket needs to be |
1186 assigned to the BIO before it can be used. | 1186 assigned to the BIO before it can be used. |
1187 - 'shutdown', this flag indicates if the underlying | 1187 - 'shutdown', this flag indicates if the underlying |
1188 » comunication primative being used should be closed/freed | 1188 » communication primitive being used should be closed/freed |
1189 when the BIO is closed. | 1189 when the BIO is closed. |
1190 - 'flags' is used to hold extra state. It is primarily used | 1190 - 'flags' is used to hold extra state. It is primarily used |
1191 to hold information about why a non-blocking operation | 1191 to hold information about why a non-blocking operation |
1192 failed and to record startup protocol information for the | 1192 failed and to record startup protocol information for the |
1193 SSL BIO. | 1193 SSL BIO. |
1194 - 'num' and 'ptr' are used to hold instance specific state | 1194 - 'num' and 'ptr' are used to hold instance specific state |
1195 like file descriptors or local data structures. | 1195 like file descriptors or local data structures. |
1196 - 'next_bio' is used by filter BIOs to hold the pointer of the | 1196 - 'next_bio' is used by filter BIOs to hold the pointer of the |
1197 next BIO in the chain. written data is sent to this BIO and | 1197 next BIO in the chain. written data is sent to this BIO and |
1198 data read is taken from it. | 1198 data read is taken from it. |
(...skipping 593 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1792 int BN_zero(BIGNUM *a) | 1792 int BN_zero(BIGNUM *a) |
1793 Set 'a' to hold the value zero. | 1793 Set 'a' to hold the value zero. |
1794 This is a=0. | 1794 This is a=0. |
1795 | 1795 |
1796 int BN_set_word(BIGNUM *a, unsigned long w); | 1796 int BN_set_word(BIGNUM *a, unsigned long w); |
1797 Set 'a' to hold the value of 'w'. 'w' is an unsigned long. | 1797 Set 'a' to hold the value of 'w'. 'w' is an unsigned long. |
1798 This is a=w. | 1798 This is a=w. |
1799 | 1799 |
1800 unsigned long BN_get_word(BIGNUM *a); | 1800 unsigned long BN_get_word(BIGNUM *a); |
1801 Returns 'a' in an unsigned long. Not remarkably, often 'a' will | 1801 Returns 'a' in an unsigned long. Not remarkably, often 'a' will |
1802 » be biger than a word, in which case 0xffffffffL is returned. | 1802 » be bigger than a word, in which case 0xffffffffL is returned. |
1803 | 1803 |
1804 Word Operations | 1804 Word Operations |
1805 These functions are much more efficient that the normal bignum arithmetic | 1805 These functions are much more efficient that the normal bignum arithmetic |
1806 operations. | 1806 operations. |
1807 | 1807 |
1808 BN_ULONG BN_mod_word(BIGNUM *a, unsigned long w); | 1808 BN_ULONG BN_mod_word(BIGNUM *a, unsigned long w); |
1809 Return the remainder of 'a' divided by 'w'. | 1809 Return the remainder of 'a' divided by 'w'. |
1810 This is return(a%w). | 1810 This is return(a%w). |
1811 | 1811 |
1812 int BN_add_word(BIGNUM *a, unsigned long w); | 1812 int BN_add_word(BIGNUM *a, unsigned long w); |
(...skipping 238 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2051 #define PEM_read_bio_PKCS7(bp,x,cb) | 2051 #define PEM_read_bio_PKCS7(bp,x,cb) |
2052 #define PEM_read_bio_DHparams(bp,x,cb) | 2052 #define PEM_read_bio_DHparams(bp,x,cb) |
2053 int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); | 2053 int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); |
2054 RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)()); | 2054 RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)()); |
2055 | 2055 |
2056 Now you will notice that macros like | 2056 Now you will notice that macros like |
2057 #define PEM_write_X509(fp,x) \ | 2057 #define PEM_write_X509(fp,x) \ |
2058 PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \ | 2058 PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \ |
2059 (char *)x, NULL,NULL,0,NULL) | 2059 (char *)x, NULL,NULL,0,NULL) |
2060 Don't do encryption normally. If you want to PEM encrypt your X509 structure, | 2060 Don't do encryption normally. If you want to PEM encrypt your X509 structure, |
2061 either just call PEM_ASN1_write directly or just define you own | 2061 either just call PEM_ASN1_write directly or just define your own |
2062 macro variant. As you can see, this macro just sets all encryption related | 2062 macro variant. As you can see, this macro just sets all encryption related |
2063 parameters to NULL. | 2063 parameters to NULL. |
2064 | 2064 |
2065 | 2065 |
2066 -------------------------- | 2066 -------------------------- |
2067 The SSL library. | 2067 The SSL library. |
2068 | 2068 |
2069 #define SSL_set_info_callback(ssl,cb) | 2069 #define SSL_set_info_callback(ssl,cb) |
2070 #define SSL_CTX_set_info_callback(ctx,cb) | 2070 #define SSL_CTX_set_info_callback(ctx,cb) |
2071 void callback(SSL *ssl,int location,int ret) | 2071 void callback(SSL *ssl,int location,int ret) |
(...skipping 3487 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5559 cached SSL_SESSIONS (which can be reused) and the certificate lookup | 5559 cached SSL_SESSIONS (which can be reused) and the certificate lookup |
5560 information. Each SSL structure needs to be associated with a SSL_CTX. | 5560 information. Each SSL structure needs to be associated with a SSL_CTX. |
5561 Normally only one SSL_CTX structure is needed per program. | 5561 Normally only one SSL_CTX structure is needed per program. |
5562 | 5562 |
5563 SSL_CTX *SSL_CTX_new(void ); | 5563 SSL_CTX *SSL_CTX_new(void ); |
5564 void SSL_CTX_free(SSL_CTX *); | 5564 void SSL_CTX_free(SSL_CTX *); |
5565 These 2 functions create and destroy SSL_CTX structures | 5565 These 2 functions create and destroy SSL_CTX structures |
5566 | 5566 |
5567 The SSL_CTX has a session_cache_mode which is by default, | 5567 The SSL_CTX has a session_cache_mode which is by default, |
5568 in SSL_SESS_CACHE_SERVER mode. What this means is that the library | 5568 in SSL_SESS_CACHE_SERVER mode. What this means is that the library |
5569 will automatically add new session-id's to the cache apon sucsessful | 5569 will automatically add new session-id's to the cache upon successful |
5570 SSL_accept() calls. | 5570 SSL_accept() calls. |
5571 If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added | 5571 If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added |
5572 to the cache. | 5572 to the cache. |
5573 SSL_set_session_cache_mode(ctx,mode) will set the 'mode' and | 5573 SSL_set_session_cache_mode(ctx,mode) will set the 'mode' and |
5574 SSL_get_session_cache_mode(ctx) will get the cache 'mode'. | 5574 SSL_get_session_cache_mode(ctx) will get the cache 'mode'. |
5575 The modes can be | 5575 The modes can be |
5576 SSL_SESS_CACHE_OFF - no caching | 5576 SSL_SESS_CACHE_OFF - no caching |
5577 SSL_SESS_CACHE_CLIENT - only SSL_connect() | 5577 SSL_SESS_CACHE_CLIENT - only SSL_connect() |
5578 SSL_SESS_CACHE_SERVER - only SSL_accept() | 5578 SSL_SESS_CACHE_SERVER - only SSL_accept() |
5579 SSL_SESS_NO_CACHE_BOTH - Either SSL_accept() or SSL_connect(). | 5579 SSL_SESS_NO_CACHE_BOTH - Either SSL_accept() or SSL_connect(). |
5580 If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are | 5580 If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are |
5581 not automatically removed each 255, SSL_connect()s or SSL_accept()s. | 5581 not automatically removed each 255, SSL_connect()s or SSL_accept()s. |
5582 | 5582 |
5583 By default, apon every 255 successful SSL_connect() or SSL_accept()s, | 5583 By default, upon every 255 successful SSL_connect() or SSL_accept()s, |
5584 the cache is flush. Please note that this could be expensive on | 5584 the cache is flush. Please note that this could be expensive on |
5585 a heavily loaded SSL server, in which case, turn this off and | 5585 a heavily loaded SSL server, in which case, turn this off and |
5586 clear the cache of old entries 'manually' (with one of the functions | 5586 clear the cache of old entries 'manually' (with one of the functions |
5587 listed below) every few hours. Perhaps I should up this number, it is hard | 5587 listed below) every few hours. Perhaps I should up this number, it is hard |
5588 to say. Remember, the '255' new calls is just a mechanims to get called | 5588 to say. Remember, the '255' new calls is just a mechanism to get called |
5589 every now and then, in theory at most 255 new session-id's will have been | 5589 every now and then, in theory at most 255 new session-id's will have been |
5590 added but if 100 are added every minute, you would still have | 5590 added but if 100 are added every minute, you would still have |
5591 500 in the cache before any would start being flushed (assuming a 3 minute | 5591 500 in the cache before any would start being flushed (assuming a 3 minute |
5592 timeout).. | 5592 timeout).. |
5593 | 5593 |
5594 int SSL_CTX_sess_hits(SSL_CTX *ctx); | 5594 int SSL_CTX_sess_hits(SSL_CTX *ctx); |
5595 int SSL_CTX_sess_misses(SSL_CTX *ctx); | 5595 int SSL_CTX_sess_misses(SSL_CTX *ctx); |
5596 int SSL_CTX_sess_timeouts(SSL_CTX *ctx); | 5596 int SSL_CTX_sess_timeouts(SSL_CTX *ctx); |
5597 These 3 functions return statistics about the SSL_CTX. These 3 are the | 5597 These 3 functions return statistics about the SSL_CTX. These 3 are the |
5598 number of session id reuses. hits is the number of reuses, misses are the | 5598 number of session id reuses. hits is the number of reuses, misses are the |
(...skipping 22 matching lines...) Expand all Loading... |
5621 SSL_SESSION *get_session_callback(unsigned char *sess_id,int sess_id_len, | 5621 SSL_SESSION *get_session_callback(unsigned char *sess_id,int sess_id_len, |
5622 int *copy); | 5622 int *copy); |
5623 | 5623 |
5624 The get_session_callback is intended to return null if no session id is found. | 5624 The get_session_callback is intended to return null if no session id is found. |
5625 The reference count on the SSL_SESSION in incremented by the SSL library, | 5625 The reference count on the SSL_SESSION in incremented by the SSL library, |
5626 if copy is 1. Otherwise, the reference count is not modified. | 5626 if copy is 1. Otherwise, the reference count is not modified. |
5627 | 5627 |
5628 void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and | 5628 void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and |
5629 int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback. | 5629 int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback. |
5630 | 5630 |
5631 These callbacks are basically indended to be used by processes to | 5631 These callbacks are basically intended to be used by processes to |
5632 send their session-id's to other processes. I currently have not implemented | 5632 send their session-id's to other processes. I currently have not implemented |
5633 non-blocking semantics for these callbacks, it is upto the appication | 5633 non-blocking semantics for these callbacks, it is upto the application |
5634 to make the callbacks effiecent if they require blocking (perhaps | 5634 to make the callbacks efficient if they require blocking (perhaps |
5635 by 'saving' them and then 'posting them' when control returns from | 5635 by 'saving' them and then 'posting them' when control returns from |
5636 the SSL_accept(). | 5636 the SSL_accept(). |
5637 | 5637 |
5638 LHASH *SSL_CTX_sessions(SSL_CTX *ctx) | 5638 LHASH *SSL_CTX_sessions(SSL_CTX *ctx) |
5639 This returns the session cache. The lhash strucutre can be accessed for | 5639 This returns the session cache. The lhash strucutre can be accessed for |
5640 statistics about the cache. | 5640 statistics about the cache. |
5641 | 5641 |
5642 void lh_stats(LHASH *lh, FILE *out); | 5642 void lh_stats(LHASH *lh, FILE *out); |
5643 void lh_node_stats(LHASH *lh, FILE *out); | 5643 void lh_node_stats(LHASH *lh, FILE *out); |
5644 void lh_node_usage_stats(LHASH *lh, FILE *out); | 5644 void lh_node_usage_stats(LHASH *lh, FILE *out); |
(...skipping 937 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6582 Some 'read-ahead' mode information. | 6582 Some 'read-ahead' mode information. |
6583 A previous session-id to re-use. | 6583 A previous session-id to re-use. |
6584 | 6584 |
6585 A connection is made by using SSL_connect or SSL_accept. | 6585 A connection is made by using SSL_connect or SSL_accept. |
6586 When non-blocking IO is being used, there are functions that can be used | 6586 When non-blocking IO is being used, there are functions that can be used |
6587 to determin where and why the SSL_connect or SSL_accept did not complete. | 6587 to determin where and why the SSL_connect or SSL_accept did not complete. |
6588 This information can be used to recall the functions when the 'error' | 6588 This information can be used to recall the functions when the 'error' |
6589 condition has dissapeared. | 6589 condition has dissapeared. |
6590 | 6590 |
6591 After the connection has been made, information can be retrived about the | 6591 After the connection has been made, information can be retrived about the |
6592 SSL session and the session-id values that have been decided apon. | 6592 SSL session and the session-id values that have been decided upon. |
6593 The 'peer' certificate can be retrieved. | 6593 The 'peer' certificate can be retrieved. |
6594 | 6594 |
6595 The session-id values include | 6595 The session-id values include |
6596 'start time' | 6596 'start time' |
6597 'timeout length' | 6597 'timeout length' |
6598 | 6598 |
6599 | 6599 |
6600 | 6600 |
6601 ==== stack.doc ======================================================== | 6601 ==== stack.doc ======================================================== |
6602 | 6602 |
(...skipping 418 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7021 | 7021 |
7022 If you specify a SSLv2 cipher, and the mode is SSLv23 and the server | 7022 If you specify a SSLv2 cipher, and the mode is SSLv23 and the server |
7023 can talk SSLv3, it will claim there is no cipher since you should be | 7023 can talk SSLv3, it will claim there is no cipher since you should be |
7024 using SSLv3. | 7024 using SSLv3. |
7025 | 7025 |
7026 When tracing debug stuff, remember BIO_s_socket() is different to | 7026 When tracing debug stuff, remember BIO_s_socket() is different to |
7027 BIO_s_connect(). | 7027 BIO_s_connect(). |
7028 | 7028 |
7029 BSD/OS assember is not working | 7029 BSD/OS assember is not working |
7030 | 7030 |
OLD | NEW |