| Allegro CL version 9.0 Unrevised from 8.2 to 9.0. 8.2 version |
Arguments: &key method certificate key certificate-password method verify max-depth ca-file ca-directory ciphers crl-check crl-file prefer-server-cipher-order
This function was added by a patch (to versions 8.2 and 9.0) released in April, 2014. You must have updated (with sys:update-allegro or related technique) to use this function.
This function creates and returns an SSL context object (an instance
of the class excl::ssl-context
) suitable for use as
the value of the context keyword argument
to make-ssl-client-stream.
The context has values for all relevant arguments. For the arguments method, ciphers, verify, max-depth, and prefer-server-cipher-order, specifying a value in a call to make-ssl-client-stream which is also passed a context object as the value of the context argument causes the associated argument value to be local to that connection (i.e. the specified argument value overrides the value in the context object). The value for the arguments certificate, key, ca-file, ca-directory, certificate-password, crl-file, and crl-check cannot be overridden when a context is provided. It is an error to supply a context and values for any of those arguments.
The keyword arguments are:
:tlsv1+
) this argument allows control over the
SSL protocol handshake process. Supported SSL protocols are SSLv2,
SSLv3, TLSv1, TLSv1.1, and TLSv1.2 from oldest to newest. The method
keyword argument can be:
:sslv2
,
:sslv3
, :tlsv1
,
:tlsv1.1
, and
:tlsv1.2
. This provide the ability to specify
precisely which ssl methods one wants to allow, helping to mitigate
downgrade attacks to weaker methods (anything before tlsv1).
:tlsv1+
: support TLSv1,
TLSv1.1, and
TLSv1.2. This is the default.
:sslv3+
: support SSLv3, TLSv1,
TLSv1.1, and
TLSv1.2.
:sslv23
: the server will handle SSLv2, SSLv3, and
TLSv1. The highest protocol version that is common between the client
and server will be selected. This method allows for best
compatibility. This option is out of date but supported for backward
compatibility.
:sslv2
: the server will only handle SSLv2. This
option is not recommended as SSLv2 has known security issues (such as
susceptibility to man In the middle attacks).
:sslv3
: the server will only handle SSLv3. This
option is not recommended as SSLv3 has known security issues (such as
susceptibility to man In the middle attacks).
:tlsv1
: the server will only handle TLSv1.
nil
) this argument names a file which
contains one or more PEM-encoded certificates. The first (or only)
certificate in the file will be used to identify the client (in the
case of make-ssl-client-stream). Optionally,
subsequent entries in the file may be used to supply intermediate CA
certificates (also known as a certificate chain).
nil
) this argument is a string or pathname
naming a file containing the private RSA key corresponding the the
public key in the certificate. The file must be in PEM format. The key
can be stored in an encrypted form which requires a pass phrase to
read, but in that case the certificate-password must also be
specified. If the key is stored in the certificate file, then you
needn't specify the key argument.
nil
) this argument, if specified, should
be a string. If the private key stored with the certificate inside the
file named by the certificate argument is encrypted, then this value
is used as the key to decrypt it.
:optional
) this argument can
be nil
, :optional
, or
:required
. Due to the way OpenSSL is implemented,
the behavior of peer verification differs for servers and
clients; here is the behavior for clients:
:verify nil
means that no automatic verification
will occur on the server-supplied certificate. Manual verification can
be done using get-ssl-peer-certificate and
get-ssl-verify-result.
:verify :optional
means that the server's
certificate (if supplied) will be automatically verified during SSL
handshake. If verification fails, an error will be generated during
SSL handshake. This is the default for client streams.
:verify :required
means that the server's
certificate will be automatically verified during SSL handshake. If
the server does not supply a certificate or if verification of the
supplied certificate fails, an error will be generated during SSL
handshake.
nil
) this argument specifies the name of a
directory containing a series of trusted Intermediate CA or Root CA
certificate files that will be used during peer certificate
verification. Each file in the directory should contain one
certificate. The files should be named based on the hash value of the
certificate subject name. If more than one certificate with the same
hash value exists, the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the ordering of the
extension number, regardless of other properties of the
certificates. Use the c_rehash (available via standard OpenSSL
distributions) utility to create the necessary links.
nil
) this argument controls certificate
revocation list (CRL) checking. Its value may
be nil
(the default) for no CRL
checking, t
for CRL checking of the peer's
certificate (if provided by the peer), or :all
for
CRL checking of all components of the peer's supplied certificate
chain. If this argument is non-nil
, the
verify argument must also be
non-nil
. If you enable CRL checking, you must
supply a proper PEM-encoded CRL, even if it contains zero
revocations. If you do not supply a CRL, peer verification will never
succeed.
nil
or
not supplied, defaults to the value of
the ca-file argument. It is
acceptable for CRL to be included amongst other PEM-encoded
certificates.
See socket.htm for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.
Copyright (c) 1998-2019, Franz Inc. Oakland, CA., USA. All rights reserved.
This page was not revised from the 8.2 page.
Created 2012.5.30.
| Allegro CL version 9.0 Unrevised from 8.2 to 9.0. 8.2 version |