@@ -120,11 +120,12 @@
- -alpn list
- List of protocols to offer during Application-Layer - Protocol Negotiation (ALPN). For example: h2, http/1.1, etc.
+ Protocol Negotiation (ALPN). For example: h2 and + http/1.1, but not h3 or quic.- -cadir dir
- Set the CA certificates path. The default directory is platform specific and can be set at compile time. This can be overridden via the SSL_CERT_DIR environment variable.
- -cafile filename
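Review bot: the rewritten -alpn text says "but not h3 or quic" without saying why, which leaves a reader unsure whether that is a bug to report or an inherent limit. Suggest giving the reason in the same sentence, for example "but not h3 or quic, since HTTP/3 runs over QUIC rather than TLS over TCP and cannot be negotiated on a tls::socket channel". Also, in the rendered output "...h3 or quic." runs straight into "-cadir dir"; check that the term separator the edit touched is still present in the source so the -cadir entry renders as its own item rather than as the tail of the -alpn paragraph.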
@@ -434,22 +435,23 @@ As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the -command, -password, and -validate_command options passed to either of tls::socket or tls::import. +If the callback generates an error, the bgerror command with be +invoked with the error information.
- -command callback
- - Invokes the specified callback script at - several points during the OpenSSL handshake. - Values returned from the callback are ignored. - Arguments appended to the script upon callback take one of the - following forms: + Invokes the specified callback script at several points + during the OpenSSL handshake and use. See below for the possible + arguments passed to the callback script. Values returned from the + callback are ignored.
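Review bot: typo in the added sentence, "the bgerror command with be invoked" should read "will be invoked". The same paragraph should also state what happens to the connection when a callback raises an error, since bgerror only reports it: for -validatecommand in particular the reader needs to know whether an erroring callback counts as a reject (return 0) or as an accept. In the -command description, "during the OpenSSL handshake and use" is vague; suggest "during the OpenSSL handshake and during later reads and writes on the channel", which matches the read, write and loop minor values documented below.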
@@ -517,24 +519,41 @@
@@ -477,11 +479,11 @@
handshake, alert, connect, accept
.- Possible values for minor are:
start, done, read, write, loop, exit
.- The message argument is a descriptive string which may be generated either by
+SSL_state_string_long()
or by -SSL_alert_desc_string_long()
, depending on context.SSL_alert_desc_string_long()
, depending on the context.- For alerts, the possible values for type are:
warning, fatal, and unknown
. For others,info
is used.
- -password callback
- Invokes the specified callback script when OpenSSL needs to - obtain a password. The callback should return the password as a string. - No arguments are appended to the script upon callback. + obtain a password. See below for the possible arguments passed to + the callback script. See below for valid return values. + +
+
+ ++ +
- + password rwflag size +
+- + Invoked when loading or storing a PEM certificate with encryption. + Where rwflag is 0 for reading/decryption or 1 for + writing/encryption (can prompt user to confirm) and + size is the max password length in bytes. + The callback should return the password as a string. +
- -validatecommand callback
- Invokes the specified callback script during handshake in - order to validate the provided value(s). + order to validate the provided value(s). See below for the possible + arguments passed to the callback script. To reject the value and abort connection, the callback should return 0. - To accept the value, it should return 1. To reject the value, but - continue the connection, it should return 2. + To accept the value and continue the connection, it should return 1. + To reject the value, but continue the connection, it should return 2.
@@ -545,10 +564,11 @@
- For servers, this form of callback is invoked when the client ALPN extension is received. Where protocol is the first -alpn specified protocol common to the both the client and server. If none, the first client specified protocol is used. + Called after hello and ALPN callbacks.
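Review bot: "If none, the first client specified protocol is used" means the server confirms a protocol it was never configured with whenever there is no overlap; if that is the intended behaviour, say explicitly that the application must check the negotiated protocol and close the connection itself, or consider making the no-overlap case a fatal handshake failure (the no_application_protocol alert a client would expect). Minor: "common to the both the client and server" should read "common to both the client and server". The added line "Called after hello and ALPN callbacks" sits under the ALPN form itself, where "after ... ALPN callbacks" cannot apply; state which callback form it describes and its ordering relative to the hello and alpn callbacks.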