| field | value | date |
|---|---|---|
| author | Garrett D'Amore <garrett@damore.org> | 2018-01-11 14:58:09 -0800 |
| committer | Garrett D'Amore <garrett@damore.org> | 2018-01-16 08:45:11 -0800 |
| commit | bbf012364d9f1482b16c97b8bfd2fd07130446ca (patch) | |
| tree | 2cb45903b0d5aa756d44f27b39a99c318a99a9a2 /docs/nng_tls_config_ca_chain.adoc | |
| parent | 18229bbb69423d64d0a1b98bcf4bf3e24fba3aa4 (diff) | |
fixes #201 TLS configuration should support files for certificates and keys

This adds support for configuration of TLS websockets using the files
for keys, certificates, and CRLs. Significant changes to the websocket,
TLS, and HTTP layers were made here. We now expect TLS configuration to
be tied to the HTTP layer, and the HTTP code creates default configuration
objects based on the URL supplied. (HTTP dialers and listeners are now
created with a URL rather than a sockaddr, giving them access to the scheme
as well.)

We fixed several bugs affecting TLS validation, and added a test suite
that confirms that validation works as it should. We also fixed an orphaned
socket during HTTP negotiation, responsible for an occasional assertion
error if the HTTP handshake does not complete successfully. Finally, several
use-after-free races were closed.

TLS layer changes include reporting of handshake failures using newly
created "standard" error codes for peer authentication and cryptographic
failures.

The use of the '*' wildcard in URLs at bind time is no longer supported
for websocket at least.

Documentation updates for all this are in place as well.
Diffstat (limited to 'docs/nng_tls_config_ca_chain.adoc')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/nng_tls_config_ca_chain.adoc | 12 |

1 files changed, 6 insertions, 6 deletions
diff --git a/docs/nng_tls_config_ca_chain.adoc b/docs/nng_tls_config_ca_chain.adoc index 2888c032..dcf29a65 100644 --- a/docs/nng_tls_config_ca_chain.adoc +++ b/docs/nng_tls_config_ca_chain.adoc @@ -25,24 +25,23 @@ SYNOPSIS #include <nng/nng.h> int nng_tls_config_ca_cert(nni_tls_config *cfg, const char *chain, - const char *crl) + const char *crl); ----------- DESCRIPTION ----------- The `nng_tls_config_ca_chain()` function configures a certificate or -certificate chain to be used when validating peers using the configuragion +certificate chain to be used when validating peers using the configuration 'cfg'. -NOTE: This function *must* be called when the TLS authentication mode SYNOPSIS -`NNG_TLS_AUTH_MODE_REQUIRED` or `NNG_TLS_AUTH_MODE_OPTIONAL`. It will have -no effect if the authentication mode is `NNG_TLS_AUTH_MODE_NONE`. +NOTE: Certificates *must* be configured when using the authentication mode +`NNG_TLS_AUTH_MODE_REQUIRED`. TIP: This function may be called multiple times, to add additional chains to a configuration, without affecting those added previously. -The certificates located in 'chain' must be a NUL terminated C string in +The certificates located in 'chain' must be a zero-terminated C string in https://tools.ietf.org/html/rfc7468[PEM] format. Multiple certificates may appear concatenated together, with the leaf certificate listed first. together. @@ -68,6 +67,7 @@ SEE ALSO <<nng_strerror#,nng_strerror(3)>>, <<nng_tls_config_alloc#,nng_tls_config_alloc(3)>>, <<nng_tls_config_auth_mode#,nng_tls_config_auth_mode(3)>>, +<<nng_tls_config_ca_file#,nng_tls_config_ca_file(3)>>, <<nng#,nng(7)>> |
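Review bot: the SYNOPSIS in the first hunk still declares `int nng_tls_config_ca_cert(nni_tls_config *cfg, const char *chain, const char *crl);` while the DESCRIPTION and the file name document `nng_tls_config_ca_chain()`, so the hunk fixes the missing semicolon but leaves the function-name mismatch and an `nni_`-prefixed type on a page where every other identifier uses `nng_`; suggest `int nng_tls_config_ca_chain(nng_tls_config *cfg, const char *chain, const char *crl);`. The rewritten NOTE now only covers `NNG_TLS_AUTH_MODE_REQUIRED`, whereas the removed lines also stated the behaviour under `NNG_TLS_AUTH_MODE_OPTIONAL` and `NNG_TLS_AUTH_MODE_NONE`; one sentence saying what a configured chain does in those two modes would keep that information. The unchanged context line `together.` after `with the leaf certificate listed first.` reads as a leftover fragment and could be dropped in the same change.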
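Review bot: the second hunk adds `<<nng_tls_config_ca_file#,nng_tls_config_ca_file(3)>>` to SEE ALSO in alphabetical position, but nothing in the DESCRIPTION mentions that a file-based alternative exists; since this commit introduces loading certificates and CRLs from files, a one-line pointer in the body (for example "To load the chain and CRL from a file, use `nng_tls_config_ca_file()`") would make the new cross-reference discoverable from the text rather than only from the list at the end.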
