@@ -120,11 +120,12 @@
-alpn list
List of protocols to offer during Application-Layer - Protocol Negotiation (ALPN). For example: h2, http/1.1, etc.
+ Protocol Negotiation (ALPN). For example: h2 and + http/1.1, but not h3 or quic.
-cadir dir
Set the CA certificates path. The default directory is platform specific and can be set at compile time. This can be overridden via the SSL_CERT_DIR environment variable.
-cafile filename
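Review bot: the added clause "but not h3 or quic" in the -alpn description states the exclusion without the reason, so readers may report it as a bug; say why, e.g. "h3 runs over QUIC (UDP), which this extension cannot offer because it layers TLS over Tcl TCP channels." It would also help to say what the server does with a protocol in this list that the peer did not offer, since that is the case an operator hits when copying an example list.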
@@ -434,22 +435,23 @@ As indicated above, individual channels can be given their own callbacks to handle intermediate processing by the OpenSSL library, using the -command, -password, and -validate_command options passed to either of tls::socket or tls::import. +If the callback generates an error, the bgerror command with be +invoked with the error information.

-command callback
- Invokes the specified callback script at - several points during the OpenSSL handshake. - Values returned from the callback are ignored. - Arguments appended to the script upon callback take one of the - following forms: + Invokes the specified callback script at several points + during the OpenSSL handshake and use. See below for the possible + arguments passed to the callback script. Values returned from the + callback are ignored.

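Review bot: typo in the added sentence, "the bgerror command with be invoked" should read "will be invoked". In the same paragraph the context line names the option -validate_command while a later hunk in this patch documents -validatecommand; check which spelling the code actually accepts and use it in both places. The added -command wording "during the OpenSSL handshake and use" is vague; "during the handshake and during subsequent reads and writes on the channel" says what "use" means. Finally, state what happens to the connection after bgerror fires (handshake aborted, or connection proceeds without the callback's result); callers need that to know whether a failing callback fails closed.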
@@ -477,11 +479,11 @@ handshake, alert, connect, accept.
  • Possible values for minor are: start, done, read, write, loop, exit.
  • The message argument is a descriptive string which may be generated either by SSL_state_string_long() or by - SSL_alert_desc_string_long(), depending on context.
  • + SSL_alert_desc_string_long(), depending on the context.
  • For alerts, the possible values for type are: warning, fatal, and unknown. For others, info is used.
  • @@ -517,24 +519,41 @@
    -password callback
    Invokes the specified callback script when OpenSSL needs to - obtain a password. The callback should return the password as a string. - No arguments are appended to the script upon callback. + obtain a password. See below for the possible arguments passed to + the callback script. See below for valid return values. + +
    +
    + +
    + +
    + password rwflag size +
    +
    + Invoked when loading or storing a PEM certificate with encryption. + Where rwflag is 0 for reading/decryption or 1 for + writing/encryption (can prompt user to confirm) and + size is the max password length in bytes. + The callback should return the password as a string. +

    -validatecommand callback
    Invokes the specified callback script during handshake in - order to validate the provided value(s). + order to validate the provided value(s). See below for the possible + arguments passed to the callback script. To reject the value and abort connection, the callback should return 0. - To accept the value, it should return 1. To reject the value, but - continue the connection, it should return 2. + To accept the value and continue the connection, it should return 1. + To reject the value, but continue the connection, it should return 2.

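Review bot: the -password callback text says it is "Invoked when loading or storing a PEM certificate with encryption", but the OpenSSL password callback is used for encrypted PEM private keys, not certificates; reword to "an encrypted PEM private key". The description also leaves open what happens when the returned string is longer than size (silently truncated, or an error?); a truncated passphrase shows up only as a decryption failure, so document the behavior or reject overlong returns. Minor: "(can prompt user to confirm)" is ambiguous; say that with rwflag 1 the callback may ask the user to enter the new passphrase twice, and spell out "reading/decryption (rwflag 0)" and "writing/encryption (rwflag 1)" as a two-item list in the page's own list style.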
    @@ -545,10 +564,11 @@
    For servers, this form of callback is invoked when the client ALPN extension is received. Where protocol is the first -alpn specified protocol common to the both the client and server. If none, the first client specified protocol is used. + Called after hello and ALPN callbacks.
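Review bot: the added sentence "Called after hello and ALPN callbacks." is dangling; say which callback form it qualifies and what "hello" refers to (the client hello / SNI callback?), and where this ordering matters for a script that wants to reject a protocol before the handshake continues. More importantly, the context line's fallback, "If none, the first client specified protocol is used", has the server report a protocol it was never configured for via -alpn, which defeats the purpose of the negotiation; RFC 7301 section 3.2 says a server supporting none of the client's protocols SHALL send a fatal no_application_protocol alert. Either change the behavior (fail the handshake, or do not acknowledge ALPN) or warn in the docs that the application must compare the reported protocol against its own -alpn list before trusting it. Also fix "common to the both the client and server" to "common to both the client and server".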