diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 5a1e7fc08c..2020d3168f 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -720,20 +720,22 @@ void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
  * \brief Set the data required to verify peer certificate
  *
  * \param ssl SSL context
- * \param ca_chain trusted CA chain
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
  * \param ca_crl trusted CA CRLs
  * \param peer_cn expected peer CommonName (or NULL)
- *
- * \note TODO: add two more parameters: depth and crl
  */
 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
 x509_crl *ca_crl, const char *peer_cn );
 
 /**
- * \brief Set own certificate and private key
+ * \brief Set own certificate chain and private key
+ *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
  *
  * \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
  * \param rsa_key own private RSA key
  */
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
@@ -747,8 +749,12 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
  * of the callback parameters, with the only change being
  * that the rsa_context * is a void * in the callbacks)
  *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
+ *
  * \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
  * \param rsa_key alternate implementation private RSA key
  * \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
  * \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6e047dcc06..0d7a4180f7 100644
--- a/programs/ssl/ssl_client2.c
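Review bot: The new ca_chain wording on ssl_set_ca_chain still does not spell out the consequence of "fully trusted": every certificate placed in ca_chain acts as a trust anchor, so I would extend that \param with `Every certificate in ca_chain is a trust anchor; intermediates must not be placed here, they belong in own_cert.` The peer_cn line likewise leaves the NULL case to the reader — if NULL disables the CommonName comparison, as the verification path appears to, the comment should say so, since a caller passing NULL accepts any certificate that chains to ca_chain. The "IN order from the bottom up" note on ssl_set_own_cert, repeated verbatim in the second hunk for the alternate-implementation variant, is ambiguous about which end is "bottom"; `own_cert must start with the end-entity (leaf) certificate, each next link pointing at its issuer; the self-signed root may be omitted.` removes the doubt. The declarations these comments document continue outside the hunks.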
+++ b/programs/ssl/ssl_client2.c
@@ -127,9 +127,12 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags )
 
 #if defined(POLARSSL_FS_IO)
 #define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
 " key_file=%%s default: \"\" (pre-loaded)\n"
 #else
 #define USAGE_IO \
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f6cf4870af..cc94e5ca7d 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -184,9 +184,12 @@ int my_ciphersuites[] =
 
 #if defined(POLARSSL_FS_IO)
 #define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
 " key_file=%%s default: \"\" (pre-loaded)\n"
 #else
 #define USAGE_IO \
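Review bot: The crt_file help text "in bottom to top order, top may be omitted" in the new USAGE_IO lines is as ambiguous as the header comment it mirrors; `"    crt_file=%%s         Your own cert and chain, leaf certificate first then its issuers (root may be omitted)\n" \` names the order without the bottom/top metaphor. The ca_file and ca_path lines should also state what "fully trust" means operationally: everything loaded from there becomes a trust anchor, so intermediates belong in crt_file, not in ca_file or ca_path. The identical strings appear again in the ssl_server2.c hunk, so both copies need the same wording; that duplication between the two programs is pre-existing, and it is exactly why the two help texts tend to drift apart.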