SourceVu will show references to mbedtls_ssl_conf_own_cert() from the following samples and libraries:
Symbols ![]()
loading...
Files ![]()
loading...
mbedtls_ssl_conf_own_cert() function
Set own certificate chain and private key
Syntax
int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
mbedtls_x509_crt *own_cert,
mbedtls_pk_context *pk_key );
Implemented in ![]()
ssl_tls.c:7266
Return value
0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
Notes
own_cert should contain in order from the bottom up your certificate chain. The top certificate (self-signed) can be omitted. On server, this function can be called multiple times to provision more than one cert/key pair (eg one ECDSA, one RSA with SHA-256, one RSA with SHA-1). An adequate certificate will be selected according to the client's advertised capabilities. In case mutliple certificates are adequate, preference is given to the one set by the first call to this function, then second, etc. On client, only the first call has any effect. That is, only one client certificate can be provisioned. The server's preferences in its CertficateRequest message will be ignored and our only cert will be sent regardless of whether it matches those preferences - the server can then decide what it wants to do with it. The provided \p pk_key needs to match the public key in the first certificate in \p own_cert, or all handshakes using that certificate will fail. It is your responsibility to ensure that; this function will not perform any check. You may use mbedtls_pk_check_pair() in order to perform this check yourself, but be aware that this function can be computationally expensive on some key types.
Related Functions
Found 22 other functions taking a ![]()
mbedtls_ssl_config
argument:
Function
Description
Initialize an SSL configuration context Just makes the context ready for mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
Load reasonnable default SSL configuration values. (You need to call mbedtls_ssl_config_init() first.)
Free an SSL configuration context
Set the data required to verify peer certificate
Set up an SSL context for use \warning The conf structure will be accessed during the session. It must not be modified or freed as long as the session is active. \warning This function must be called exactly once per context. Calling mbedtls_ssl_setup again is not supported, even if no session is active.
Set the random number generator callback
Set the certificate verification mode Default: NONE on server, REQUIRED on client MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked (default on server) (insecure on client) MBEDTLS_SSL_VERIFY_OPTIONAL: peer certificate is checked, however the handshake continues even if verification failed; mbedtls_ssl_get_verify_result() can be called after the handshake is complete. MBEDTLS_SSL_VERIFY_REQUIRED: peer *must* present a valid certificate, handshake is aborted if verification failed. (default on client)
Set the current endpoint type
Set the transport type (TLS or DTLS). Default: TLS
Set the timeout period for mbedtls_ssl_read() (Default: no timeout.)
Set the session cache callbacks (server-side only) If not set, no session resuming is done (except if session tickets are enabled too). The session cache has the responsibility to check for stale entries based on timeout. See RFC 5246 for recommendations. Warning: session.peer_cert is cleared by the SSL/TLS layer on connection shutdown, so do not cache the pointer! Either set it to NULL or make a full copy of the certificate. The get callback is called once during the initial handshake to enable session resuming. The get function has the following parameters: (void *parameter, mbedtls_ssl_session *session) If a valid entry is found, it should fill the master of the session object with the cached values and return 0, return 1 otherwise. Optionally peer_cert can be set as well if it is properly present in cache entry. The set callback is called once during the initial handshake to enable session resuming after the entire handshake has been finished. The set function has the following parameters: (void *parameter, const mbedtls_ssl_session *session). The function should create a cache entry for future retrieval based on the data in the session structure and should keep in mind that the mbedtls_ssl_session object presented (and all its referenced data) is cleared by the SSL/TLS layer when the connection is terminated. It is recommended to add metadata to determine if an entry is still valid in the future. Return 0 if successfully cached, return 1 otherwise.
Set the list of allowed ciphersuites and the preference order. First in the list has the highest preference. (Overrides all version-specific lists) The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config. Note: The server uses its own preferences over the preference of the client unless MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol. (Only useful on the server side) The ciphersuites array is not copied, and must remain valid for the lifetime of the ssl_config.
Set the X.509 security profile used for verification
Set the allowed curves in order of preference. (Default: all defined curves.) On server: this only affects selection of the ECDHE curve; the curves used for ECDH and ECDSA are determined by the list of available certificates instead. On client: this affects the list of curves offered for any use. The server can override our preference order. Both sides: limits the set of curves accepted for use in ECDHE and in the peer's end-entity certificate.
Set the allowed hashes for signatures during the handshake. (Default: all available hashes except MD5.)
Set the maximum supported version sent from the client side and/or accepted at the server side (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
Set the minimum accepted SSL/TLS protocol version (Default: TLS 1.0)
Whether to send a list of acceptable CAs in CertificateRequest messages. (Default: do send)
Prevent or allow legacy renegotiation. (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to be established even if the peer does not support secure renegotiation, but does not allow renegotiation to take place if not secure. (Interoperable and secure option) MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations with non-upgraded peers. Allowing legacy renegotiation makes the connection vulnerable to specific man in the middle attacks. (See RFC 5746) (Most interoperable and least secure option) MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections if peer does not support secure renegotiation. Results in interoperability issues with non-upgraded peers that do not support renegotiation altogether. (Most secure option, interoperability issues)
Set the verification callback (Optional). If set, the verify callback is called for each certificate in the chain. For implementation information, please see \c mbedtls_x509_crt_verify()
Set the debug callback The callback has the following argument: void * opaque context for the callback int debug level const char * file name int line number const char * message