ossl-guide-tls-client-block.7 - OpenGrok cross reference for /freebsd/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7

Lines Matching full:we
33 .\" If the F register is >0, we'll generate index entries on stderr for
75 For example, this can happen if we have sent our request, but we are still
96 The first step is to create an \fBSSL_CTX\fR object for our client. We use the
97 \&\fBSSL_CTX_new\fR\|(3) function for this purpose. We could alternatively use
98 \&\fBSSL_CTX_new_ex\fR\|(3) if we want to associate the \fBSSL_CTX\fR with a particular
100 \&\fBOSSL_LIB_CTX\fR). We pass as an argument the return value of the function
108 \&     * Create an SSL_CTX which we can use to create SSL objects from. We
109 \&     * want an SSL_CTX for creating clients so we use TLS_client_method()
119 Since we are writing a client we must ensure that we verify the server's
120 certificate. We do this by calling the \fBSSL_CTX_set_verify\fR\|(3) function and
138 default store so we call \fBSSL_CTX_set_default_verify_paths\fR\|(3).
148 We would also like to restrict the TLS versions that we are willing to accept to
150 avoided where possible. We can do that using
156 \&     * avoided if possible. We require a minimum TLS version of TLSv1.2.
164 That is all the setup that we need to do for the \fBSSL_CTX\fR, so next we need to
167 case we would expect to reuse the \fBSSL_CTX\fR that we already created each time.
173 function and passing the \fBSSL_CTX\fR we created as an argument.
247 \&     * we can connect to.
251 \&         * Create a TCP socket. We could equally use non\-OpenSSL calls such
253 \&         * functions. But for portability reasons and also so that we get
254 \&         * errors on the OpenSSL stack in the event of a failure we use
268 \&        /* We have a connected socket so break out of the loop */
272 \&    /* Free the address information resources we allocated earlier */
285 sockets \- which is exactly what we want for this example.
287 Once the socket has been created and connected we need to associate it with a
313 Finally we associate the \fBSSL\fR object we created earlier with the \fBBIO\fR using
327 purposes and we need to set the hostname for each one.
334 one we want to connect to. Without this information we may get a handshake
335 failure, or we may get connected to the "default" server which may not be the
336 one we were expecting.
338 To set the SNI hostname data we call the \fBSSL_set_tlsext_host_name\fR\|(3) function
343 \&     * Tell the server during the handshake which hostname we are attempting
355 Secondly, we need to tell OpenSSL what hostname we expect to see in the
358 we do not verify that the hostname in the certificate is what we expect it to be
360 itself. We do this via the \fBSSL_set1_host\fR\|(3) function:
364 \&     * Ensure we check during certificate verification that the server has
365 \&     * supplied a certificate for the hostname that we were expecting.
375 All of the above steps must happen before we attempt to perform the handshake
379 Before we can start sending or receiving application data over a TLS connection
380 the TLS handshake must be performed. We can do this explicitly via the
388 \&         * If the failure is due to a verification error we can get more
399 value of 1 is considered a success. For a simple blocking client we only need
401 indicates that we have failed to connect to the server.
405 signed by a CA in our trusted certificate store. We can use the
409 cause). Otherwise we use the \fBX509_verify_cert_error_string\fR\|(3) function to get
413 Once the handshake is complete we are able to send and receive application data.
415 application level protocol. In this example we are using HTTP 1.0 which is a
420 To send data to the server we use the \fBSSL_write_ex\fR\|(3) function and to receive
421 data from the server we use the \fBSSL_read_ex\fR\|(3) function. In HTTP 1.0 the
423 we are connecting to. For simplicity, we write the HTTP request in three
424 chunks. First we write the start of the request. Secondly we write the hostname
425 we are sending the request to. Finally we send the end of the request.
448 If it is successful then we can proceed to waiting for a response from the
456 \&     * Get up to sizeof(buf) bytes of the response. We keep reading until the
462 \&        * that it is NUL terminated so we use fwrite() to write the exact
463 \&        * number of bytes that we read. The data could be non\-printable or
465 \&        * we\*(Aqre going to print it to stdout anyway.
469 \&    /* In case the response didn\*(Aqt finish with a newline we add one now */
473 We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don't know
474 exactly how much data we are going to receive back so we enter a loop reading
475 blocks of data from the server and printing each block that we receive to the
484 in a 0 return value from \fBSSL_read_ex\fR\|(3) and we need to use the function
489 \&     * Check whether we finished the while loop above normally or as the
491 \&     * code we received from the SSL_read_ex() call. It must be 0 in order
504 If \fBSSL_get_error\fR\|(3) returns \fBSSL_ERROR_ZERO_RETURN\fR then we know that the
508 Once we have finished reading data from the server then we are ready to close
509 the connection down. We do this via the \fBSSL_shutdown\fR\|(3) function which has
511 the server saying that we have finished writing data:
515 \&     * The peer already shutdown gracefully (we know this because of the
516 \&     * SSL_ERROR_ZERO_RETURN above). We should do the same back.
522 \&         * because that means "we\*(Aqve sent a close_notify and we\*(Aqre waiting
523 \&         * for one back". But we already know we got one from the peer
533 precisely a return value of 1 means that we have sent a "close_notify" alert to
534 the server, and that we have also received one back. A return value of 0 means
535 that we have sent a "close_notify" alert to the server, but we have not yet
538 received. However in this case we already know that the server has sent us a
539 "close_notify" because of the SSL_ERROR_ZERO_RETURN that we received from the
540 call to \fBSSL_read_ex\fR\|(3). So this scenario should never happen in practice. We
544 Before the application exits we have to clean up some memory that we allocated.
545 If we are exiting due to an error we might also want to display further
553 \&     * If something bad happened then we will dump the contents of the
561 \&     * Free the resources we allocated. We do not free the BIO object here
563 \&     * via SSL_set_bio(). The BIO will be freed when we free the SSL object.
570 To display errors we make use of the \fBERR_print_errors_fp\fR\|(3) function which
574 We need to free up the \fBSSL\fR object that we created for the connection via the
575 \&\fBSSL_free\fR\|(3) function. Also, since we are not going to be creating any more
576 TLS connections we must also free up the \fBSSL_CTX\fR via a call to
625 The "unable to get local issuer certificate" we saw in the example above means
626 that we have been unable to find the issuer of the server's certificate (or one