diff options
| author | Garrett D'Amore <garrett@damore.org> | 2024-11-23 14:29:07 -0800 |
|---|---|---|
| committer | Garrett D'Amore <garrett@damore.org> | 2024-11-23 14:45:46 -0800 |
| commit | 9bbb1340c37a4a3b3a8477b058077a38d77230f7 (patch) | |
| tree | 36fbe2e7475b701bd335530f2b20bb03bf241049 /docs | |
| parent | b4ef0f3b1f365beb76a7c1bc1b6ae455cb58dfbc (diff) | |
| download | nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.tar.gz nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.tar.bz2 nng-9bbb1340c37a4a3b3a8477b058077a38d77230f7.zip | |
tls: add a mutual authentication test
Also, make it clearer that TLS keys and certificates can only
be set once on a configuration. (mbedTLS makes this confusing!)
This mutual test is only fully validated on mbed, because wolfSSL
seems to not properly validate this in many configurations.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/man/nng_tls_config_own_cert.3tls.adoc | 8 | ||||
| -rw-r--r-- | docs/ref/migrate/nng1.md | 7 | ||||
| -rw-r--r-- | docs/ref/xref.md | 2 |
3 files changed, 12 insertions, 5 deletions
diff --git a/docs/man/nng_tls_config_own_cert.3tls.adoc b/docs/man/nng_tls_config_own_cert.3tls.adoc index 66027305..814bc94c 100644 --- a/docs/man/nng_tls_config_own_cert.3tls.adoc +++ b/docs/man/nng_tls_config_own_cert.3tls.adoc @@ -18,7 +18,6 @@ nng_tls_config_own_cert - configure own certificate and key [source, c] ---- #include <nng/nng.h> -#include <nng/supplemental/tls/tls.h> int nng_tls_config_own_cert(nng_tls_config *cfg, const char *cert, const char *key, const char *pass); @@ -38,10 +37,9 @@ have it, and will have to in order to validate this certificate anyway). The _key_ may be encrypted with a password, in which can be supplied in _pass_. The value `NULL` should be supplied for _pass_ if the key is not encrypted. -On servers, it is possible to call this function multiple times for the -same configuration. -This can be useful for specifying different parameters -to be used for different cryptographic algorithms. +This cannot be called more than once for a given TLS configuration. +(Earlier versions of NNG allowed this, but it was never used, brittle, +and the source of confusion.) The certificate located in _cert_ and _key_ must be NUL (`\0`) terminated C strings containing diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md index 2b305b75..cb7bc539 100644 --- a/docs/ref/migrate/nng1.md +++ b/docs/ref/migrate/nng1.md @@ -60,6 +60,13 @@ Support for very old TLS versions 1.0 and 1.1 is removed. Further, the `NNG_TLS_1_0` and `NNG_TLS_1_1` constants are also removed. Applications should use `NNG_TLS_1_2` or even `NNG_TLS_1_3` instead. +## Only One TLS Key/Cert Per Configuration + +The ability to configure multiple keys and certificates for a given TLS configuration object is removed. +(The [`nng_tls_config_own_cert`] will return [`NNG_EBUSY`] if it has already been called for the configuration.) +The intended purpose was to support alternative cryptographic algorithms, but this is not necessary, was never +used, and was error prone. + ## Support for Local Addresses in Dial URLs Removed NNG 1.x had an undocumented ability to specify the local address to bind diff --git a/docs/ref/xref.md b/docs/ref/xref.md index d36f96e8..5e030bed 100644 --- a/docs/ref/xref.md +++ b/docs/ref/xref.md @@ -98,6 +98,8 @@ [`nng_recv`]: /TODO.md [`nng_listener_get_url`]: /TODO.md [`nng_dialer_get_url`]: /TODO.md +[`nng_tls_config`]: /TODO.md +[`nng_tls_config_own_cert`]: /TODO.md <!-- Macros --> |