This is the cl+ssl Reference Manual, generated automatically by Declt version 4.0 beta 2 "William Riker" on Sun Dec 08 16:39:47 2024 GMT+0.
cl+ssl/cl+ssl.asd
cl+ssl/src/package.lisp
cl+ssl/src/reload.lisp
cl+ssl/src/ffi.lisp
cl+ssl/src/bio.lisp
cl+ssl/src/conditions.lisp
cl+ssl/src/ssl-funcall.lisp
cl+ssl/src/init.lisp
cl+ssl/src/ffi-buffer-all.lisp
cl+ssl/src/ffi-buffer.lisp
cl+ssl/src/ffi-buffer-clisp.lisp
cl+ssl/src/streams.lisp
cl+ssl/src/x509.lisp
cl+ssl/src/random.lisp
cl+ssl/src/context.lisp
cl+ssl/src/verify-hostname.lisp
cl+ssl/config/src/config.lisp
The main system appears first, followed by any subsystem dependency.
cl+ssl
Common Lisp interface to OpenSSL.
Eric Marsden, Jochen Schmidt, David Lichteblau
MIT
cl+ssl/config
(system).
cffi
(system).
trivial-gray-streams
(system).
flexi-streams
(system).
bordeaux-threads
(system).
trivial-garbage
(system).
uiop
(system).
usocket
(system).
alexandria
(system).
trivial-features
(system).
sb-posix
(system), for feature :sbcl.
sb-bsd-sockets
(system), for feature (:and :sbcl :win32).
src
(module).
cl+ssl/config
Eric Marsden, Jochen Schmidt, David Lichteblau
MIT
cffi
(system).
src
(module).
Modules are listed depth-first from the system components tree.
cl+ssl/src
cl+ssl
(system).
package.lisp
(file).
reload.lisp
(file).
ffi.lisp
(file).
bio.lisp
(file).
conditions.lisp
(file).
ssl-funcall.lisp
(file).
init.lisp
(file).
ffi-buffer-all.lisp
(file).
ffi-buffer.lisp
(file).
ffi-buffer-clisp.lisp
(file).
streams.lisp
(file).
x509.lisp
(file).
random.lisp
(file).
context.lisp
(file).
verify-hostname.lisp
(file).
cl+ssl/config/src
cl+ssl/config
(system).
config.lisp
(file).
Files are sorted by type and then listed depth-first from the systems components trees.
cl+ssl/cl+ssl.asd
cl+ssl/src/package.lisp
cl+ssl/src/reload.lisp
cl+ssl/src/ffi.lisp
cl+ssl/src/bio.lisp
cl+ssl/src/conditions.lisp
cl+ssl/src/ssl-funcall.lisp
cl+ssl/src/init.lisp
cl+ssl/src/ffi-buffer-all.lisp
cl+ssl/src/ffi-buffer.lisp
cl+ssl/src/ffi-buffer-clisp.lisp
cl+ssl/src/streams.lisp
cl+ssl/src/x509.lisp
cl+ssl/src/random.lisp
cl+ssl/src/context.lisp
cl+ssl/src/verify-hostname.lisp
cl+ssl/config/src/config.lisp
cl+ssl/src/reload.lisp
package.lisp
(file).
src
(module).
detect-custom-openssl-installations-if-macos
(function).
detect-macos-custom-openssl-installations
(function).
cl+ssl/src/ffi.lisp
reload.lisp
(file).
src
(module).
+ssl-op-no-sslv2+
(constant).
+ssl-op-no-sslv3+
(constant).
+ssl-op-no-tlsv1+
(constant).
+ssl-op-no-tlsv1-1+
(constant).
+ssl-op-no-tlsv1-2+
(constant).
+ssl-sess-cache-both+
(constant).
+ssl-sess-cache-client+
(constant).
+ssl-sess-cache-no-auto-clear+
(constant).
+ssl-sess-cache-no-internal+
(constant).
+ssl-sess-cache-no-internal-lookup+
(constant).
+ssl-sess-cache-no-internal-store+
(constant).
+ssl-sess-cache-off+
(constant).
+ssl-sess-cache-server+
(constant).
+ssl-verify-client-once+
(constant).
+ssl-verify-fail-if-no-peer-cert+
(constant).
+ssl-verify-none+
(constant).
+ssl-verify-peer+
(constant).
ssl-ctx-free
(function).
x509-free
(function).
*cl+ssl-crypto-foreign-function-names*
(special variable).
*cl+ssl-ssl-foreign-function-names*
(special variable).
*late-bound-foreign-function-pointers*
(special variable).
+crypto-lock+
(constant).
+crypto-read+
(constant).
+crypto-unlock+
(constant).
+crypto-write+
(constant).
+dtls1-2-version+
(constant).
+dtls1-version+
(constant).
+err_lib_none+
(constant).
+err_r_fatal+
(constant).
+err_r_internal_error+
(constant).
+gen-dirname+
(constant).
+gen-dns+
(constant).
+gen-ediparty+
(constant).
+gen-email+
(constant).
+gen-ipadd+
(constant).
+gen-othername+
(constant).
+gen-rid+
(constant).
+gen-uri+
(constant).
+gen-x400+
(constant).
+nid-commonname+
(constant).
+nid-subject-alt-name+
(constant).
+openssl-version-patch-characters+
(special variable).
+openssl-version-status-strings+
(special variable).
+rsa_f4+
(constant).
+ssl-ctrl-options+
(constant).
+ssl-ctrl-set-max-proto-version+
(constant).
+ssl-ctrl-set-min-proto-version+
(constant).
+ssl-filetype-asn1+
(constant).
+ssl-filetype-default+
(constant).
+ssl-filetype-pem+
(constant).
+ssl-op-all+
(constant).
+ssl-op-ignore-unexpected-eof+
(constant).
+ssl3-version+
(constant).
+ssl_ctrl_mode+
(constant).
+ssl_ctrl_set_sess_cache_mode+
(constant).
+ssl_mode_accept_moving_write_buffer+
(constant).
+tls1-1-version+
(constant).
+tls1-2-version+
(constant).
+tls1-3-version+
(constant).
+tls1-version+
(constant).
+v-asn1-bmpstring+
(constant).
+v-asn1-iastring+
(constant).
+v-asn1-octet-string+
(constant).
+v-asn1-printablestring+
(constant).
+v-asn1-teletexstring+
(constant).
+v-asn1-universalstring+
(constant).
+v-asn1-utf8string+
(constant).
+x509-v-ok+
(constant).
asn1-string-data
(function).
asn1-string-length
(function).
asn1-string-type
(function).
asn1-time-check
(function).
asn1-utctime-check
(function).
asn1_string_st-tclass
(class).
bio-clear-flags
(function).
bio-free
(function).
bio-meth-new
(function).
bio-new
(function).
bio-new-index
(function).
bio-new-socket
(function).
bio-set-create
(function).
bio-set-ctrl
(function).
bio-set-destroy
(function).
bio-set-fd
(function).
bio-set-flags
(function).
bio-set-gets
(function).
bio-set-init
(function).
bio-set-puts
(function).
bio-set-read
(function).
bio-set-write
(function).
bio-test-flags
(function).
close-socket
(function).
compat-openssl-version
(function).
compat-ssl-get1-peer-certificate
(function).
crypto-num-locks
(function).
crypto-set-id-callback
(function).
crypto-set-locking-callback
(function).
d2i-x509
(function).
defcfun-late-bound
(macro).
defcfun-versioned
(macro).
define-crypto-function
(macro).
define-crypto-function-ex
(macro).
define-ssl-function
(macro).
define-ssl-function-ex
(macro).
encode-openssl-version
(function).
encode-openssl-version-impl
(function).
err-add-error-data
(macro).
err-add-error-txt
(function).
err-error-string
(function).
err-get-error
(function).
err-get-next-error-library
(function).
err-new
(function).
err-print-errors
(function).
err-put-error
(function).
err-set-debug
(function).
err-set-error
(macro).
evp-get-digest-by-name
(function).
evp-md-get-size
(function).
evp-md-size
(function).
general-name-tclass
(class).
general-names-free
(function).
libresslp
(function).
openssl-add-all-digests
(function).
openssl-is-at-least
(function).
openssl-is-not-even
(function).
openssl-sk-num
(function).
openssl-sk-value
(function).
openssl-version-num
(function).
openssl-version-patch
(type).
openssl-version-status
(type).
openssl-version-status-p
(function).
pem-read-x509
(function).
pem-write-x509
(function).
rand-bytes
(function).
rand-seed
(function).
rsa-free
(function).
rsa-generate-key
(function).
sk-general-name-num
(function).
sk-general-name-value
(function).
sk-num
(function).
sk-value
(function).
ssl-accept
(function).
ssl-connect
(function).
ssl-ctrl
(function).
ssl-ctx-ctrl
(function).
ssl-ctx-load-verify-locations
(function).
ssl-ctx-new
(function).
ssl-ctx-set-cipher-list
(function).
ssl-ctx-set-ciphersuites
(function).
ssl-ctx-set-client-ca-list
(function).
ssl-ctx-set-default-passwd-cb
(function).
ssl-ctx-set-default-verify-dir
(function).
ssl-ctx-set-default-verify-file
(function).
ssl-ctx-set-default-verify-paths
(function).
ssl-ctx-set-max-proto-version
(function).
ssl-ctx-set-min-proto-version
(function).
ssl-ctx-set-options
(function).
ssl-ctx-set-session-cache-mode
(function).
ssl-ctx-set-tmp-rsa-callback
(function).
ssl-ctx-set-verify
(function).
ssl-ctx-set-verify-depth
(function).
ssl-ctx-use-certificate-chain-file
(function).
ssl-ctx-use-privatekey-file
(function).
ssl-ctx-use-rsa-privatekey-file
(function).
ssl-eay
(function).
ssl-free
(function).
ssl-get-error
(function).
ssl-get-fd
(function).
ssl-get-peer-certificate
(function).
ssl-get-verify-result
(function).
ssl-get-version
(function).
ssl-get0-alpn-selected
(function).
ssl-get1-peer-certificate
(function).
ssl-library-init
(function).
ssl-load-client-ca-file
(function).
ssl-load-error-strings
(function).
ssl-new
(function).
ssl-read
(function).
ssl-set-accept-state
(function).
ssl-set-alpn-protos
(function).
ssl-set-bio
(function).
ssl-set-cipher-list
(function).
ssl-set-ciphersuites
(function).
ssl-set-connect-state
(function).
ssl-set-fd
(function).
ssl-set-tlsext-host-name
(function).
ssl-shutdown
(function).
ssl-tlsv1-1-client-method
(function).
ssl-tlsv1-1-method
(function).
ssl-tlsv1-1-server-method
(function).
ssl-tlsv1-2-client-method
(function).
ssl-tlsv1-2-method
(function).
ssl-tlsv1-2-server-method
(function).
ssl-tlsv1-client-method
(function).
ssl-tlsv1-method
(function).
ssl-tlsv1-server-method
(function).
ssl-use-certificate-file
(function).
ssl-use-privatekey-file
(function).
ssl-use-rsa-privatekey-file
(function).
ssl-v23-client-method
(function).
ssl-v23-method
(function).
ssl-v23-server-method
(function).
ssl-v3-client-method
(function).
ssl-v3-method
(function).
ssl-v3-server-method
(function).
ssl-write
(function).
tls-method
(function).
x509-digest
(function).
x509-get-ext-d2i
(function).
x509-get-issuer-name
(function).
x509-get-subject-name
(function).
x509-get0-not-after
(function).
x509-get0-not-before
(function).
x509-name-entry-get-data
(function).
x509-name-get-entry
(function).
x509-name-get-index-by-nid
(function).
x509-name-oneline
(function).
x509-store-ctx-get-error
(function).
cl+ssl/src/bio.lisp
ffi.lisp
(file).
src
(module).
*bio-blockp*
(special variable).
*bio-is-opaque*
(special variable).
*bio-lisp-method*
(special variable).
*bio-socket*
(special variable).
*file-name*
(special variable).
*lib-num-for-errors*
(special variable).
*lisp-bio-type*
(special variable).
+bio-type-socket+
(constant).
+bio_ctrl_eof+
(constant).
+bio_ctrl_flush+
(constant).
+bio_flags_in_eof+
(constant).
+bio_flags_io_special+
(constant).
+bio_flags_read+
(constant).
+bio_flags_rws+
(constant).
+bio_flags_should_retry+
(constant).
+bio_flags_write+
(constant).
+bio_type_descriptor+
(constant).
+bio_type_source_sink+
(constant).
bio-clear-flags-slots
(function).
bio-init
(function).
bio-method-tclass
(class).
bio-new-lisp
(function).
bio-set-flags-slots
(function).
bio-tclass
(class).
bio-test-flags-slots
(function).
clear-retry-flags
(function).
compat-bio-clear-flags
(function).
compat-bio-set-flags
(function).
compat-bio-test-flags
(function).
lisp-bio-type
(function).
make-bio-lisp-method
(function).
make-bio-lisp-method-opaque
(function).
make-bio-lisp-method-slots
(function).
put-to-openssl-error-queue
(function).
set-retry-read
(function).
with-bio-input-from-string
(macro).
with-bio-output-to-string
(macro).
cl+ssl/src/conditions.lisp
bio.lisp
(file).
src
(module).
ssl-error-code
(reader method).
ssl-error-initialize
(condition).
ssl-error-stream
(reader method).
ssl-error-verify
(condition).
*ssl-verify-error-alist*
(special variable).
+ssl-error-none+
(constant).
+ssl-error-ssl+
(constant).
+ssl-error-syscall+
(constant).
+ssl-error-want-connect+
(constant).
+ssl-error-want-read+
(constant).
+ssl-error-want-write+
(constant).
+ssl-error-want-x509-lookup+
(constant).
+ssl-error-zero-return+
(constant).
asn1-error
(condition).
cl+ssl-error
(condition).
collect-verify-error
(function).
collecting-verify-error
(macro).
collecting-verify-error-impl
(function).
err-print-errors-to-string
(function).
format-ssl-error-queue
(function).
invalid-asn1-string
(condition).
printed-queue
(reader method).
read-ssl-error-queue
(function).
server-certificate-missing
(condition).
ssl-error
(condition).
ssl-error-call
(condition).
ssl-error-handle
(reader method).
ssl-error-none
(condition).
ssl-error-queue
(reader method).
ssl-error-reason
(reader method).
ssl-error-ret
(reader method).
ssl-error-ssl
(condition).
ssl-error-ssl-verify-error
(reader method).
(setf ssl-error-ssl-verify-error)
(writer method).
ssl-error-syscall
(condition).
ssl-error-want-connect
(condition).
ssl-error-want-read
(condition).
ssl-error-want-something
(condition).
ssl-error-want-write
(condition).
ssl-error-want-x509-lookup
(condition).
ssl-error-zero-return
(condition).
ssl-error/handle
(condition).
ssl-signal-error
(function).
ssl-verify-error-code
(function).
ssl-verify-error-keyword
(function).
cl+ssl/src/ssl-funcall.lisp
conditions.lisp
(file).
src
(module).
ensure-ssl-funcall
(function).
input-wait
(function).
nonblocking-ssl-funcall
(function).
output-wait
(function).
seconds-until-deadline
(function).
cl+ssl/src/init.lisp
ssl-funcall.lisp
(file).
src
(module).
ensure-initialized
(function).
reload
(function).
use-certificate-chain-file
(function).
with-pem-password
(macro).
*global-lock*
(special variable).
*locks*
(special variable).
*pem-password*
(special variable).
*ssl-check-verify-p*
(special variable).
*ssl-global-context*
(special variable).
*ssl-global-method*
(special variable).
*thread-counter*
(special variable).
*threads*
(special variable).
*tmp-rsa-key-1024*
(special variable).
*tmp-rsa-key-2048*
(special variable).
*tmp-rsa-key-512*
(special variable).
default-ssl-method
(function).
init-prng
(function).
initialize
(function).
ssl-initialized-p
(function).
cl+ssl/src/ffi-buffer-all.lisp
cl+ssl/src/ffi-buffer.lisp
(:not :clisp)
ffi-buffer-all.lisp
(file).
src
(module).
b/s-replace
(function).
(setf buffer-elt)
(setf expander).
buffer-elt
(function).
buffer-length
(function).
make-buffer
(function).
s/b-replace
(function).
set-buffer-elt
(function).
with-pointer-to-vector-data
(macro).
cl+ssl/src/ffi-buffer-clisp.lisp
:clisp
ffi-buffer.lisp
(file).
ffi-buffer-all.lisp
(file).
src
(module).
cl+ssl/src/streams.lisp
ffi-buffer-clisp.lisp
(file).
ffi-buffer.lisp
(file).
ffi-buffer-all.lisp
(file).
src
(module).
*default-buffer-size*
(special variable).
*default-cipher-list*
(special variable).
*default-unwrap-stream-p*
(special variable).
*make-ssl-client-stream-verify-default*
(special variable).
close
(method).
get-selected-alpn-protocol
(function).
initialize-instance
(method).
make-ssl-client-stream
(function).
make-ssl-server-stream
(function).
open-stream-p
(method).
print-object
(method).
ssl-check-verify-p
(function).
(setf ssl-check-verify-p)
(function).
ssl-load-global-verify-locations
(function).
ssl-set-global-default-verify-paths
(function).
ssl-stream-x509-certificate
(function).
stream-element-type
(method).
stream-fd
(generic function).
stream-finish-output
(method).
stream-force-output
(method).
stream-listen
(method).
stream-read-byte
(method).
stream-read-sequence
(method).
stream-write-byte
(method).
stream-write-sequence
(method).
handle-external-format
(function).
install-handle-and-bio
(function).
install-key-and-cert
(function).
install-nonblock-flag
(function).
make-alpn-proto-string
(function).
maybe-verify-client-stream
(function).
ssl-close-callback
(reader method).
(setf ssl-close-callback)
(writer method).
ssl-server-stream
(class).
ssl-stream
(class).
ssl-stream-certificate
(reader method).
(setf ssl-stream-certificate)
(writer method).
ssl-stream-deadline
(reader method).
(setf ssl-stream-deadline)
(writer method).
ssl-stream-handle
(method).
ssl-stream-handle
(reader method).
(setf ssl-stream-handle)
(writer method).
ssl-stream-input-buffer
(reader method).
(setf ssl-stream-input-buffer)
(writer method).
ssl-stream-key
(reader method).
(setf ssl-stream-key)
(writer method).
ssl-stream-output-buffer
(reader method).
(setf ssl-stream-output-buffer)
(writer method).
ssl-stream-output-pointer
(reader method).
(setf ssl-stream-output-pointer)
(writer method).
ssl-stream-peeked-byte
(reader method).
(setf ssl-stream-peeked-byte)
(writer method).
ssl-stream-socket
(reader method).
(setf ssl-stream-socket)
(writer method).
ssl-verify-init
(function).
while
(macro).
with-new-ssl
(macro).
x509-certificate-names
(function).
cl+ssl/src/x509.lisp
streams.lisp
(file).
src
(module).
certificate-fingerprint
(function).
certificate-not-after-time
(function).
certificate-not-before-time
(function).
certificate-subject-common-names
(function).
decode-certificate
(generic function).
decode-certificate-from-file
(function).
asn1-iastring-char-p
(function).
asn1-iastring-p
(function).
asn1-printable-char-p
(function).
asn1-printable-string-p
(function).
asn1-string-bytes-vector
(function).
asn1-teletex-char-p
(function).
asn1-teletex-string-p
(function).
cert-format-from-path
(function).
certificate-alt-names
(function).
certificate-dns-alt-names
(function).
certificate-pem
(function).
copy-bytes-to-lisp-vector
(function).
decode-asn1-string
(generic function).
decode-asn1-time
(function).
slurp-stream
(function).
try-get-asn1-string-data
(function).
x509-cert-from-pem
(function).
cl+ssl/src/random.lisp
x509.lisp
(file).
src
(module).
random-bytes
(function).
cl+ssl/src/context.lisp
random.lisp
(file).
src
(module).
make-context
(function).
with-global-context
(macro).
add-verify-locations
(function).
call-with-global-context
(function).
ssl-ctx-set-verify-location
(function).
validate-verify-location
(function).
verify-location-not-found-error
(condition).
cl+ssl/src/verify-hostname.lisp
context.lisp
(file).
src
(module).
verify-hostname
(function).
case-insensitive-match
(function).
check-single-wildcard
(function).
check-two-labels-after-wildcard
(function).
check-wildcard-in-leftmost-label
(function).
hostname-verification-error
(condition).
maybe-try-match-wildcard
(function).
remove-trailing-dot
(function).
try-match-hostname
(function).
try-match-hostnames
(function).
try-match-wildcard
(function).
unable-to-decode-common-name
(condition).
unable-to-match-altnames
(condition).
unable-to-match-common-name
(condition).
validate-and-parse-wildcard-identifier
(function).
wildcard-not-in-a-label
(function).
cl+ssl/config/src/config.lisp
src
(module).
define-libcrypto-path
(macro).
define-libssl-path
(macro).
*libcrypto-override*
(special variable).
*libssl-override*
(special variable).
Packages are listed by definition order.
cl+ssl/config
By default cl+ssl searches for OpenSSL shared libraries
in platform-dependent default locations.
To explicitly specify what to load, use the cl+ssl/config
module before loading cl+ssl:
(ql:quickload "cl+ssl/config")
(cl+ssl/config:define-libssl-path "/opt/local/lib/libssl.dylib")
(cl+ssl/config:define-libcrypto-path "/opt/local/lib/libcrypto.dylib")
(ql:quickload "cl+ssl")
The PATH parameter of those two macros is not evaluated.
This is dictated by CFFI. So either use a literal
or compute it at macro-expansion time.
You may need to rebuild cl+ssl for the changed paths to take effect. This depends on CFFI and the FFI implementation of your Lisp.
common-lisp.
define-libcrypto-path
(macro).
define-libssl-path
(macro).
*libcrypto-override*
(special variable).
*libssl-override*
(special variable).
cl+ssl
common-lisp.
trivial-gray-streams.
*default-buffer-size*
(special variable).
*default-cipher-list*
(special variable).
*default-unwrap-stream-p*
(special variable).
*make-ssl-client-stream-verify-default*
(special variable).
+ssl-op-no-sslv2+
(constant).
+ssl-op-no-sslv3+
(constant).
+ssl-op-no-tlsv1+
(constant).
+ssl-op-no-tlsv1-1+
(constant).
+ssl-op-no-tlsv1-2+
(constant).
+ssl-sess-cache-both+
(constant).
+ssl-sess-cache-client+
(constant).
+ssl-sess-cache-no-auto-clear+
(constant).
+ssl-sess-cache-no-internal+
(constant).
+ssl-sess-cache-no-internal-lookup+
(constant).
+ssl-sess-cache-no-internal-store+
(constant).
+ssl-sess-cache-off+
(constant).
+ssl-sess-cache-server+
(constant).
+ssl-verify-client-once+
(constant).
+ssl-verify-fail-if-no-peer-cert+
(constant).
+ssl-verify-none+
(constant).
+ssl-verify-peer+
(constant).
certificate-fingerprint
(function).
certificate-not-after-time
(function).
certificate-not-before-time
(function).
certificate-subject-common-names
(function).
decode-certificate
(generic function).
decode-certificate-from-file
(function).
ensure-initialized
(function).
get-selected-alpn-protocol
(function).
make-context
(function).
make-ssl-client-stream
(function).
make-ssl-server-stream
(function).
random-bytes
(function).
reload
(function).
ssl-check-verify-p
(function).
(setf ssl-check-verify-p)
(function).
ssl-ctx-free
(function).
ssl-error-code
(generic reader).
ssl-error-initialize
(condition).
ssl-error-stream
(generic reader).
ssl-error-verify
(condition).
ssl-load-global-verify-locations
(function).
ssl-set-global-default-verify-paths
(function).
ssl-stream-x509-certificate
(function).
stream-fd
(generic function).
use-certificate-chain-file
(function).
verify-hostname
(function).
with-global-context
(macro).
with-pem-password
(macro).
x509-free
(function).
*bio-blockp*
(special variable).
*bio-is-opaque*
(special variable).
*bio-lisp-method*
(special variable).
*bio-socket*
(special variable).
*cl+ssl-crypto-foreign-function-names*
(special variable).
*cl+ssl-ssl-foreign-function-names*
(special variable).
*file-name*
(special variable).
*global-lock*
(special variable).
*late-bound-foreign-function-pointers*
(special variable).
*lib-num-for-errors*
(special variable).
*lisp-bio-type*
(special variable).
*locks*
(special variable).
*pem-password*
(special variable).
*ssl-check-verify-p*
(special variable).
*ssl-global-context*
(special variable).
*ssl-global-method*
(special variable).
*ssl-verify-error-alist*
(special variable).
*thread-counter*
(special variable).
*threads*
(special variable).
*tmp-rsa-key-1024*
(special variable).
*tmp-rsa-key-2048*
(special variable).
*tmp-rsa-key-512*
(special variable).
+bio-type-socket+
(constant).
+bio_ctrl_eof+
(constant).
+bio_ctrl_flush+
(constant).
+bio_flags_in_eof+
(constant).
+bio_flags_io_special+
(constant).
+bio_flags_read+
(constant).
+bio_flags_rws+
(constant).
+bio_flags_should_retry+
(constant).
+bio_flags_write+
(constant).
+bio_type_descriptor+
(constant).
+bio_type_source_sink+
(constant).
+crypto-lock+
(constant).
+crypto-read+
(constant).
+crypto-unlock+
(constant).
+crypto-write+
(constant).
+dtls1-2-version+
(constant).
+dtls1-version+
(constant).
+err_lib_none+
(constant).
+err_r_fatal+
(constant).
+err_r_internal_error+
(constant).
+gen-dirname+
(constant).
+gen-dns+
(constant).
+gen-ediparty+
(constant).
+gen-email+
(constant).
+gen-ipadd+
(constant).
+gen-othername+
(constant).
+gen-rid+
(constant).
+gen-uri+
(constant).
+gen-x400+
(constant).
+nid-commonname+
(constant).
+nid-subject-alt-name+
(constant).
+openssl-version-patch-characters+
(special variable).
+openssl-version-status-strings+
(special variable).
+rsa_f4+
(constant).
+ssl-ctrl-options+
(constant).
+ssl-ctrl-set-max-proto-version+
(constant).
+ssl-ctrl-set-min-proto-version+
(constant).
+ssl-error-none+
(constant).
+ssl-error-ssl+
(constant).
+ssl-error-syscall+
(constant).
+ssl-error-want-connect+
(constant).
+ssl-error-want-read+
(constant).
+ssl-error-want-write+
(constant).
+ssl-error-want-x509-lookup+
(constant).
+ssl-error-zero-return+
(constant).
+ssl-filetype-asn1+
(constant).
+ssl-filetype-default+
(constant).
+ssl-filetype-pem+
(constant).
+ssl-op-all+
(constant).
+ssl-op-ignore-unexpected-eof+
(constant).
+ssl3-version+
(constant).
+ssl_ctrl_mode+
(constant).
+ssl_ctrl_set_sess_cache_mode+
(constant).
+ssl_mode_accept_moving_write_buffer+
(constant).
+tls1-1-version+
(constant).
+tls1-2-version+
(constant).
+tls1-3-version+
(constant).
+tls1-version+
(constant).
+v-asn1-bmpstring+
(constant).
+v-asn1-iastring+
(constant).
+v-asn1-octet-string+
(constant).
+v-asn1-printablestring+
(constant).
+v-asn1-teletexstring+
(constant).
+v-asn1-universalstring+
(constant).
+v-asn1-utf8string+
(constant).
+x509-v-ok+
(constant).
add-verify-locations
(function).
asn1-error
(condition).
asn1-iastring-char-p
(function).
asn1-iastring-p
(function).
asn1-printable-char-p
(function).
asn1-printable-string-p
(function).
asn1-string-bytes-vector
(function).
asn1-string-data
(function).
asn1-string-length
(function).
asn1-string-type
(function).
asn1-teletex-char-p
(function).
asn1-teletex-string-p
(function).
asn1-time-check
(function).
asn1-utctime-check
(function).
asn1_string_st-tclass
(class).
b/s-replace
(function).
bio-clear-flags
(function).
bio-clear-flags-slots
(function).
bio-free
(function).
bio-init
(function).
bio-meth-new
(function).
bio-method-tclass
(class).
bio-new
(function).
bio-new-index
(function).
bio-new-lisp
(function).
bio-new-socket
(function).
bio-set-create
(function).
bio-set-ctrl
(function).
bio-set-destroy
(function).
bio-set-fd
(function).
bio-set-flags
(function).
bio-set-flags-slots
(function).
bio-set-gets
(function).
bio-set-init
(function).
bio-set-puts
(function).
bio-set-read
(function).
bio-set-write
(function).
bio-tclass
(class).
bio-test-flags
(function).
bio-test-flags-slots
(function).
(setf buffer-elt)
(setf expander).
buffer-elt
(function).
buffer-length
(function).
call-with-global-context
(function).
case-insensitive-match
(function).
cert-format-from-path
(function).
certificate-alt-names
(function).
certificate-dns-alt-names
(function).
certificate-pem
(function).
check-single-wildcard
(function).
check-two-labels-after-wildcard
(function).
check-wildcard-in-leftmost-label
(function).
cl+ssl-error
(condition).
clear-retry-flags
(function).
close-socket
(function).
collect-verify-error
(function).
collecting-verify-error
(macro).
collecting-verify-error-impl
(function).
compat-bio-clear-flags
(function).
compat-bio-set-flags
(function).
compat-bio-test-flags
(function).
compat-openssl-version
(function).
compat-ssl-get1-peer-certificate
(function).
copy-bytes-to-lisp-vector
(function).
crypto-num-locks
(function).
crypto-set-id-callback
(function).
crypto-set-locking-callback
(function).
d2i-x509
(function).
decode-asn1-string
(generic function).
decode-asn1-time
(function).
default-ssl-method
(function).
defcfun-late-bound
(macro).
defcfun-versioned
(macro).
define-crypto-function
(macro).
define-crypto-function-ex
(macro).
define-ssl-function
(macro).
define-ssl-function-ex
(macro).
detect-custom-openssl-installations-if-macos
(function).
detect-macos-custom-openssl-installations
(function).
encode-openssl-version
(function).
encode-openssl-version-impl
(function).
ensure-ssl-funcall
(function).
err-add-error-data
(macro).
err-add-error-txt
(function).
err-error-string
(function).
err-get-error
(function).
err-get-next-error-library
(function).
err-new
(function).
err-print-errors
(function).
err-print-errors-to-string
(function).
err-put-error
(function).
err-set-debug
(function).
err-set-error
(macro).
evp-get-digest-by-name
(function).
evp-md-get-size
(function).
evp-md-size
(function).
format-ssl-error-queue
(function).
general-name-tclass
(class).
general-names-free
(function).
handle-external-format
(function).
hostname-verification-error
(condition).
init-prng
(function).
initialize
(function).
input-wait
(function).
install-handle-and-bio
(function).
install-key-and-cert
(function).
install-nonblock-flag
(function).
invalid-asn1-string
(condition).
libresslp
(function).
lisp-bio-type
(function).
make-alpn-proto-string
(function).
make-bio-lisp-method
(function).
make-bio-lisp-method-opaque
(function).
make-bio-lisp-method-slots
(function).
make-buffer
(function).
maybe-try-match-wildcard
(function).
maybe-verify-client-stream
(function).
nonblocking-ssl-funcall
(function).
openssl-add-all-digests
(function).
openssl-is-at-least
(function).
openssl-is-not-even
(function).
openssl-sk-num
(function).
openssl-sk-value
(function).
openssl-version-num
(function).
openssl-version-patch
(type).
openssl-version-status
(type).
openssl-version-status-p
(function).
output-wait
(function).
pem-read-x509
(function).
pem-write-x509
(function).
printed-queue
(generic reader).
put-to-openssl-error-queue
(function).
rand-bytes
(function).
rand-seed
(function).
read-ssl-error-queue
(function).
remove-trailing-dot
(function).
rsa-free
(function).
rsa-generate-key
(function).
s/b-replace
(function).
seconds-until-deadline
(function).
server-certificate-missing
(condition).
set-buffer-elt
(function).
set-retry-read
(function).
sk-general-name-num
(function).
sk-general-name-value
(function).
sk-num
(function).
sk-value
(function).
slurp-stream
(function).
ssl-accept
(function).
ssl-close-callback
(generic reader).
(setf ssl-close-callback)
(generic writer).
ssl-connect
(function).
ssl-ctrl
(function).
ssl-ctx-ctrl
(function).
ssl-ctx-load-verify-locations
(function).
ssl-ctx-new
(function).
ssl-ctx-set-cipher-list
(function).
ssl-ctx-set-ciphersuites
(function).
ssl-ctx-set-client-ca-list
(function).
ssl-ctx-set-default-passwd-cb
(function).
ssl-ctx-set-default-verify-dir
(function).
ssl-ctx-set-default-verify-file
(function).
ssl-ctx-set-default-verify-paths
(function).
ssl-ctx-set-max-proto-version
(function).
ssl-ctx-set-min-proto-version
(function).
ssl-ctx-set-options
(function).
ssl-ctx-set-session-cache-mode
(function).
ssl-ctx-set-tmp-rsa-callback
(function).
ssl-ctx-set-verify
(function).
ssl-ctx-set-verify-depth
(function).
ssl-ctx-set-verify-location
(function).
ssl-ctx-use-certificate-chain-file
(function).
ssl-ctx-use-privatekey-file
(function).
ssl-ctx-use-rsa-privatekey-file
(function).
ssl-eay
(function).
ssl-error
(condition).
ssl-error-call
(condition).
ssl-error-handle
(generic reader).
ssl-error-none
(condition).
ssl-error-queue
(generic reader).
ssl-error-reason
(generic reader).
ssl-error-ret
(generic reader).
ssl-error-ssl
(condition).
ssl-error-ssl-verify-error
(generic reader).
(setf ssl-error-ssl-verify-error)
(generic writer).
ssl-error-syscall
(condition).
ssl-error-want-connect
(condition).
ssl-error-want-read
(condition).
ssl-error-want-something
(condition).
ssl-error-want-write
(condition).
ssl-error-want-x509-lookup
(condition).
ssl-error-zero-return
(condition).
ssl-error/handle
(condition).
ssl-free
(function).
ssl-get-error
(function).
ssl-get-fd
(function).
ssl-get-peer-certificate
(function).
ssl-get-verify-result
(function).
ssl-get-version
(function).
ssl-get0-alpn-selected
(function).
ssl-get1-peer-certificate
(function).
ssl-initialized-p
(function).
ssl-library-init
(function).
ssl-load-client-ca-file
(function).
ssl-load-error-strings
(function).
ssl-new
(function).
ssl-read
(function).
ssl-server-stream
(class).
ssl-set-accept-state
(function).
ssl-set-alpn-protos
(function).
ssl-set-bio
(function).
ssl-set-cipher-list
(function).
ssl-set-ciphersuites
(function).
ssl-set-connect-state
(function).
ssl-set-fd
(function).
ssl-set-tlsext-host-name
(function).
ssl-shutdown
(function).
ssl-signal-error
(function).
ssl-stream
(class).
ssl-stream-certificate
(generic reader).
(setf ssl-stream-certificate)
(generic writer).
ssl-stream-deadline
(generic reader).
(setf ssl-stream-deadline)
(generic writer).
ssl-stream-handle
(generic function).
(setf ssl-stream-handle)
(generic writer).
ssl-stream-input-buffer
(generic reader).
(setf ssl-stream-input-buffer)
(generic writer).
ssl-stream-key
(generic reader).
(setf ssl-stream-key)
(generic writer).
ssl-stream-output-buffer
(generic reader).
(setf ssl-stream-output-buffer)
(generic writer).
ssl-stream-output-pointer
(generic reader).
(setf ssl-stream-output-pointer)
(generic writer).
ssl-stream-peeked-byte
(generic reader).
(setf ssl-stream-peeked-byte)
(generic writer).
ssl-stream-socket
(generic reader).
(setf ssl-stream-socket)
(generic writer).
ssl-tlsv1-1-client-method
(function).
ssl-tlsv1-1-method
(function).
ssl-tlsv1-1-server-method
(function).
ssl-tlsv1-2-client-method
(function).
ssl-tlsv1-2-method
(function).
ssl-tlsv1-2-server-method
(function).
ssl-tlsv1-client-method
(function).
ssl-tlsv1-method
(function).
ssl-tlsv1-server-method
(function).
ssl-use-certificate-file
(function).
ssl-use-privatekey-file
(function).
ssl-use-rsa-privatekey-file
(function).
ssl-v23-client-method
(function).
ssl-v23-method
(function).
ssl-v23-server-method
(function).
ssl-v3-client-method
(function).
ssl-v3-method
(function).
ssl-v3-server-method
(function).
ssl-verify-error-code
(function).
ssl-verify-error-keyword
(function).
ssl-verify-init
(function).
ssl-write
(function).
tls-method
(function).
try-get-asn1-string-data
(function).
try-match-hostname
(function).
try-match-hostnames
(function).
try-match-wildcard
(function).
unable-to-decode-common-name
(condition).
unable-to-match-altnames
(condition).
unable-to-match-common-name
(condition).
validate-and-parse-wildcard-identifier
(function).
validate-verify-location
(function).
verify-location-not-found-error
(condition).
while
(macro).
wildcard-not-in-a-label
(function).
with-bio-input-from-string
(macro).
with-bio-output-to-string
(macro).
with-new-ssl
(macro).
with-pointer-to-vector-data
(macro).
x509-cert-from-pem
(function).
x509-certificate-names
(function).
x509-digest
(function).
x509-get-ext-d2i
(function).
x509-get-issuer-name
(function).
x509-get-subject-name
(function).
x509-get0-not-after
(function).
x509-get0-not-before
(function).
x509-name-entry-get-data
(function).
x509-name-get-entry
(function).
x509-name-get-index-by-nid
(function).
x509-name-oneline
(function).
x509-store-ctx-get-error
(function).
Definitions are sorted by export status, category, package, and then by lexicographic order.
Enable both +SSL-SESS-CACHE-CLIENT+ and +SSL-SESS-CACHE-SERVER+ at the same time.
Client sessions are added to the session cache.
As there is no reliable way for the OpenSSL library to know whether a session should be reused
or which session to choose (due to the abstract BIO layer the SSL engine does not have details
about the connection), the application must select the session to be reused by using the
SSL-SET-SESSION function. This option is not activated by default.
Normally the session cache is checked for expired sessions every 255 connections using the SSL-CTX-FLUSH-SESSIONS function. Since this may lead to a delay which cannot be controlled, the automatic flushing may be disabled and SSL-CTX-FLUSH-SESSIONS can be called explicitly by the application.
Enable both +SSL-SESS-CACHE-NO-INTERNAL-LOOKUP+ and +SSL-SESS-CACHE-NO-INTERNAL-STORE+ at the same time.
By setting this flag, session-resume operations in an SSL/TLS server will not automatically look up sessions in the internal cache, even if sessions are automatically stored there. If external session caching callbacks are in use, this flag guarantees that all lookups are directed to the external cache. As automatic lookup only applies for SSL/TLS servers, the flag has no effect on clients.
Depending on the presence of +SSL-SESS-CACHE-CLIENT+ and/or +SSL-SESS-CACHE-SERVER+, sessions negotiated in an SSL/TLS handshake may be cached for possible reuse. Normally a new session is added to the internal cache as well as any external session caching (callback) that is configured for the SSL_CTX. This flag will prevent sessions being stored in the internal cache (though the application can add them manually using SSL-CTX-ADD-SESSION). Note: in any SSL/TLS servers where external caching is configured, any successful session lookups in the external cache (ie. for session-resume requests) would normally be copied into the local cache before processing continues - this flag prevents these additions to the internal cache as well.
No session caching for client or server takes place.
Server sessions are added to the session cache.
When a client proposes a session to be reused, the server looks for the corresponding session
in (first) the internal session cache (unless +SSL-SESS-CACHE-NO-INTERNAL-LOOKUP+ is set), then
(second) in the external cache if available. If the session is found, the server will try to
reuse the session. This is the default.
The default size for input and output buffers of SSL-STREAM objects
Default value for UNWRAP-STREAM-P function parameter.
If true (the default), cl+ssl will try to extract file descriptor
from the given TCP Lisp stream and tell OpenSSL to use a socket BIO
based on that file descriptor;
otherwise use a Lisp BIO wrapping the TCP Lisp stream.
Helps to mitigate the change in default behaviour of
MAKE-SSL-CLIENT-STREAM - previously it worked as if :VERIFY NIL
but then :VERIFY :REQUIRED became the default on non-Windows platforms.
Change this variable if you want the previous behaviour.
Define the path where libcrypto resides to be PATH (not evaluated). This macro should be used before loading CL+SSL.
Define the path where libssl resides to be PATH (not evaluated). This macro should be used before loading CL+SSL.
Executes the BODY with *SSL-GLOBAL-CONTEXT* bound to the SSL-CTX.
If AUTO-FREE-P is true the context is freed using SSL-CTX-FREE before exit.
Return the fingerprint of CERTIFICATE as a byte-vector. ALGORITHM is a string designator for the digest algorithm to use (it defaults to SHA-1).
Returns a universal-time representing the time after which the CERTIFICATE is not valid. Signals an ERROR if the CERTIFICATE does not have a properly formatted time.
Returns a universal-time representing the time before which the CERTIFICATE is not valid. Signals an ERROR if the CERTIFICATE does not have a properly formatted time.
In most cases you do *not* need to call this function, because it
is called automatically by all other functions. The only reason to
call it explicitly is to supply the RAND-SEED parameter. In this case
do it before calling any other functions.
Keyword arguments:
METHOD - just leave the default value.
RAND-SEED - an octet sequence to initialize OpenSSL random
number generator. On many platforms, including Linux and
Windows, it may be left NIL (default), because OpenSSL
initializes the random number generator from OS specific
service. But, for example, on Solaris it may be necessary
to supply this value. The minimum length required by OpenSSL
is 128 bits.
See http://www.openssl.org/support/faq.html#USER1 for details.
Hint: do not use Common Lisp RANDOM function to generate the RAND-SEED, because the function usually returns predictable values.
A wrapper around SSL_get0_alpn_selected.
Returns the ALPN protocol selected by server, or NIL if none was selected.
SSL-STREAM is the client ssl stream returned by make-ssl-client-stream.
Creates a new SSL_CTX using SSL_CTX_new and initializes it according to
the specified parameters.
After you’re done using the context, don’t forget to free it using SSL-CTX-FREE.
Exceptions:
SSL-ERROR-INITIALIZE. When underlying SSL_CTX_new fails.
Keyword arguments:
METHOD. Specifies which SSL/TLS method to use.
If not specified then TLS_method is used on OpenSSL
versions supporting it (on legacy versions SSLv23_method is used).
DISABLED-PROTOCOLS. List of +SSL-OP-NO-* constants. Denotes
disabled SSL/TLS versions. When METHOD not specified
defaults to (LIST +SSL-OP-NO-SSLV2+ +SSL-OP-NO-SSLV3+)
OPTIONS. SSL context options list. Defaults to (list +SSL-OP-ALL+)
SESSION-CACHE-MODE. Enable/Disable session caching.
Defaults to +SSL-SESS-CACHE-SERVER+
VERIFY-LOCATION. Location(s) to load CA from.
Possible values:
:DEFAULT - SSL_CTX_set_default_verify_paths will be called.
:DEFAULT-FILE - SSL_CTX_set_default_verify_file will be called. Requires OpenSSL >= 1.1.0.
:DEFAULT-DIR - SSL_CTX_set_default_verify_dir will be called. Requires OpenSSL >= 1.1.0.
A STRING or a PATHNAME - will be passed to SSL_CTX_load_verify_locations
as the file or dir argument depending on whether it is really
a file or a dir. Must exist on the file system and be readable.
A LIST - each value assumed to be either a STRING or a PATHNAME and
will be passed to SSL_CTX_load_verify_locations as described above.
VERIFY-DEPTH. Sets the maximum depth for the certificate chain verification
that shall be allowed for context. Defaults to 100.
VERIFY-MODE. The mode parameter to SSL_CTX_set_verify.
Defaults to +VERIFY-PEER+
VERIFY-CALLBACK. The verify_callback parameter to SSL_CTX_set_verify.
Please note: if specified, must be a CFFI callback i.e. defined as
(DEFCALLBACK :INT ((OK :INT) (X509-STORE-CTX :POINTER)) .. ). The second
argument OpenSSL passes is the X509_STORE_CTX of the verification in progress,
not an SSL_CTX.
CIPHER-LIST. If specified, must be a string to pass to SSL_CTX_set_cipher_list.
An ERROR is signalled if SSL_CTX_set_cipher_list fails.
PEM-PASSWORD-CALLBACK. Sets the default password callback called when
loading/storing a PEM certificate with encryption.
Please note: this must be CFFI callback i.e. defined as
(CFFI:DEFCALLBACK :INT ((BUF :POINTER) (SIZE :INT) (RWFLAG :INT) (UNUSED :POINTER)) .. ).
Defaults to PEM-PASSWORD-CALLBACK which simply uses password
provided by WITH-PEM-PASSWORD.
Performs TLS/SSL handshake over the specified SOCKET using
the SSL_connect OpenSSL function and returns a Lisp stream that
uses OpenSSL library to encrypt the output data when sending
it to the socket and to decrypt the input received.
Uses a global SSL_CTX instance, which can be overridden
by WITH-GLOBAL-CONTEXT. (The global SSL_CTX is
passed as a parameter to an internal call of SSL_new.)
SOCKET - represents the socket to be wrapped into an SSL stream.
Can be either a Lisp stream (of an implementation-dependent type) for that
socket, or an integer file descriptor of that socket. If that’s a
stream, it will be closed automatically when the SSL stream
is closed. Also, on CCL, (CCL:STREAM-DEADLINE SOCKET) will be used
as a deadline for ’socket BIO’ mode.
See README.md / Usage / Timeouts and Deadlines for more information.
If that’s a file descriptor, it is not closed automatically
(you can use CLOSE-CALLBACK to arrange for that).
UNWRAP-STREAM-P - if true, (STREAM-FD SOCKET) will be attempted
to extract the file descriptor. Otherwise the SOCKET
is left as is. Either way, if we end up with an integer
file descriptor, a socket BIO is used; if we end up with a
stream, a Lisp BIO is used. This parameter defaults to
*DEFAULT-UNWRAP-STREAM-P* which is initialized to true.
See README.md / Usage for more information on BIO types.
HOSTNAME if specified, will be sent by client during TLS negotiation,
according to the Server Name Indication (SNI) extension to the TLS.
If we connect to a server handling multiple domain names,
this extension enables such server to choose certificate for the
right domain. Also the HOSTNAME is used for hostname verification
(if verification is enabled by VERIFY).
CLOSE-CALLBACK - a function to be called when the created
ssl stream is CL:CLOSE’ed. The only argument is this ssl stream.
EXTERNAL-FORMAT - if NIL (the default), a plain (UNSIGNED-BYTE 8)
ssl stream is returned. With a non-NIL external-format, a flexi-stream
capable of character I/O will be returned instead, with the specified
value as its initial external format.
VERIFY can be specified either as NIL if no check should be performed,
:OPTIONAL to verify the server’s certificate if server presents one or
:REQUIRED to verify the server’s certificate and fail if an invalid
or no certificate was presented. Defaults to
*MAKE-SSL-CLIENT-STREAM-VERIFY-DEFAULT* which is initialized
to :REQUIRED
The verification includes verifying the HOSTNAME against the server
certificate, using the VERIFY-HOSTNAME function.
An error is signalled in case of the certificate or hostname
verification failure.
Note, the VERIFY logic expects that the global
SSL_CTX object does not have the SSL_VERIFY_PEER
flag enabled - the default for the cl+ssl’s global SSL_CTX.
If the current global SSL_CTX object has SSL_VERIFY_PEER enabled,
the SSL_Connect will perform certificate (but not hostname)
verification on its own, and an error will be signalled for a
bad certificate even with :VERIFY NIL.
ALPN-PROTOCOLS, if specified, should be a list of alpn protocol names,
such as "h2", that will be offered to the server. The protocol
selected by the server can be retrieved with
GET-SELECTED-ALPN-PROTOCOL.
CERTIFICATE is the path to a file containing a PEM-encoded certificate.
Note, if one certificate will be used for multiple TLS connections,
it’s better to load it into a common SSL_CTX (context) object rather
than reading it for every new connection.
KEY is the path to a PEM-encoded private key file of that certificate.
PASSWORD - the password to use for decryption of the KEY (if encrypted).
CIPHER-LIST - If not NIL, must be a string to pass to SSL_set_cipher_list.
An ERROR is signalled if SSL_set_cipher_list fails.
Defaults to *DEFAULT-CIPHER-LIST* which is initialized to NIL.
METHOD - usually you want to leave the default value. It is used
to compute the parameter for the OpenSSL function SSL_CTX_new when
creating the global SSL_CTX object for cl+ssl. This parameter only has
effect on the first call, when the global SSL_CTX is not yet created.
The default value is TLS_method on OpenSSL >= 1.1.0 and SSLv23_method
for older OpenSSL versions.
BUFFER-SIZE - default value for both the INPUT-BUFFER-SIZE and
OUTPUT-BUFFER-SIZE parameters. In turn defaults to the
*DEFAULT-BUFFER-SIZE* special variable.
INPUT-BUFFER-SIZE - size of the input buffer of the ssl stream.
Defaults to the BUFFER-SIZE parameter.
OUTPUT-BUFFER-SIZE - size of the output buffer of the ssl stream.
Defaults to the BUFFER-SIZE parameter.
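The following is an added example and not cl+ssl's own code. It ties together MAKE-CONTEXT, WITH-GLOBAL-CONTEXT, MAKE-SSL-CLIENT-STREAM, GET-SELECTED-ALPN-PROTOCOL and the certificate accessors documented above: it opens a TLS 1.2+ client connection, requires chain and host name verification, optionally pins the server certificate by SHA-256 fingerprint and warns when the certificate is close to expiry. Function and constant names are taken from the docstrings in this manual (ssl-stream-x509-certificate, certificate-fingerprint, certificate-not-after-time, x509-free and the +ssl-op-no-*+ constants are assumed to be exported under those names; check them against your cl+ssl version). HOST, PORT and EXPECTED-SHA256 are placeholders supplied by the caller; usocket is a cl+ssl dependency.

```lisp
;; Added example; this is not cl+ssl's own code.

(defun check-peer-certificate (tls expected-sha256 &key (min-days-left 14))
  "Return the SHA-256 fingerprint of the peer certificate of TLS.
Signal an error when EXPECTED-SHA256 (a byte vector) is given and does
not match; warn when the certificate expires within MIN-DAYS-LEFT days."
  (let ((cert (cl+ssl:ssl-stream-x509-certificate tls)))
    (unless cert
      (error "peer presented no certificate"))
    ;; The certificate object is ours to release once we are done with it.
    (unwind-protect
         (let ((fingerprint (cl+ssl:certificate-fingerprint cert :sha256))
               (not-after (cl+ssl:certificate-not-after-time cert)))
           (when (and expected-sha256
                      (not (equalp fingerprint expected-sha256)))
             (error "certificate pin mismatch, got ~{~(~2,'0x~)~}"
                    (coerce fingerprint 'list)))
           (when (< not-after (+ (get-universal-time)
                                 (* min-days-left 24 60 60)))
             (warn "peer certificate expires within ~D days" min-days-left))
           fingerprint)
      (cl+ssl:x509-free cert))))

(defun open-verified-tls-stream (host &key (port 443)
                                           expected-sha256
                                           (alpn '("h2" "http/1.1")))
  "Return (values tls-stream selected-alpn-protocol) for HOST:PORT."
  (let ((ctx (cl+ssl:make-context
              ;; Refuse SSLv2, SSLv3, TLS 1.0 and TLS 1.1 handshakes.
              :disabled-protocols (list cl+ssl:+ssl-op-no-sslv2+
                                        cl+ssl:+ssl-op-no-sslv3+
                                        cl+ssl:+ssl-op-no-tlsv1+
                                        cl+ssl:+ssl-op-no-tlsv1-1+)
              ;; Trust the operating system's CA store.
              :verify-location :default
              ;; Real chains are a handful of certificates deep, not 100.
              :verify-depth 8)))
    ;; SSL_new takes its own reference to the SSL_CTX, so freeing the
    ;; context when this body exits does not invalidate the stream.
    (cl+ssl:with-global-context (ctx :auto-free-p t)
      (let* ((socket (usocket:socket-connect host port
                                             :element-type '(unsigned-byte 8)))
             (tls (handler-case
                      (cl+ssl:make-ssl-client-stream
                       (usocket:socket-stream socket)
                       :hostname host     ; sent as SNI, checked against the cert
                       :verify :required  ; chain and host name must both verify
                       :alpn-protocols alpn
                       ;; Also release the usocket object when the stream closes.
                       :close-callback (lambda (s)
                                         (declare (ignore s))
                                         (usocket:socket-close socket)))
                    (error (e)
                      ;; Handshake or verification failed: drop the TCP socket.
                      (usocket:socket-close socket)
                      (error e)))))
        (handler-case
            (check-peer-certificate tls expected-sha256)
          (error (e)
            (close tls :abort t)
            (error e)))
        (values tls (cl+ssl:get-selected-alpn-protocol tls))))))
```

Because MAKE-CONTEXT defaults VERIFY-MODE to peer verification, OpenSSL checks the chain during SSL_connect and cl+ssl then checks the host name; that matches the note above about SSL_VERIFY_PEER on the global SSL_CTX. The returned stream is a binary stream; pass :EXTERNAL-FORMAT to MAKE-SSL-CLIENT-STREAM if character I/O is wanted. The pin is compared with EQUALP on byte vectors, so a pin copied from a hex string must be decoded to bytes first.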
Performs server-side TLS handshake over the specified SOCKET using
the SSL_accept OpenSSL function and returns a Lisp stream that
uses OpenSSL library to encrypt the output data when sending
it to the socket and to decrypt the input received.
Uses a global SSL_CTX instance, which can be overridden
by WITH-GLOBAL-CONTEXT. (The global SSL_CTX is
passed as a parameter to an internal call of SSL_new.)
All parameters have the same meaning as documented
for MAKE-SSL-CLIENT-STREAM.
Generates COUNT cryptographically strong pseudo-random bytes. Returns the bytes as a SIMPLE-ARRAY with ELEMENT-TYPE ’(UNSIGNED-BYTE 8). Signals an ERROR in case of problems; for example, when the OpenSSL random number generator has not been seeded with enough randomness to ensure an unpredictable byte sequence.
If you save your application as a Lisp image,
call this function when that image is loaded,
to perform the necessary CL+SSL re-initialization
(unless your Lisp implementation automatically
re-loads foreign libraries and preserves their
memory across image reloads).
This should work fine if the location and version of the
OpenSSL shared libraries have not changed.
If they have changed, you may get errors, as users report:
https://github.com/cl-plus-ssl/cl-plus-ssl/issues/167
DEPRECATED. Use the (MAKE-SSL-CLIENT-STREAM .. :VERIFY ?) to enable/disable verification.
Also, MAKE-CONTEXT has :VERIFY-MODE option.
Return true if SSL connections will error if the certificate doesn’t verify.
DEPRECATED. Use the (MAKE-SSL-CLIENT-STREAM .. :VERIFY ?) to enable/disable verification.
Also, MAKE-CONTEXT has :VERIFY-MODE option.
If CHECK-VERIFY-P is true, signal connection errors if the server certificate doesn’t verify.
PATHNAMES is a list of pathnames to PEM files containing server and CA certificates.
Install these certificates to use for verifying on all SSL connections.
After RELOAD, you need to call this again.
Load the system default verification certificates. After RELOAD, you need to call this again.
Applies OpenSSL function SSL_CTX_use_certificate_chain_file
to the cl+ssl’s global SSL_CTX object and the specified
CERTIFICATE-CHAIN-FILE.
OpenSSL requires the certificates in the file to be sorted
starting with the subject’s certificate (actual client or
server certificate), followed by intermediate CA certificates
if applicable, and ending at the highest level (root) CA.
Note: the RELOAD function clears the global context and in particular the loaded certificate chain.
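The following is an added example and not cl+ssl's own code. It shows the server side of the API documented above: MAKE-CONTEXT with a server-side session cache (see the +SSL-SESS-CACHE-SERVER+ description earlier), WITH-GLOBAL-CONTEXT, and MAKE-SSL-SERVER-STREAM with a PEM certificate and an encrypted private key supplied per connection. PORT, CERT-FILE, KEY-FILE and KEY-PASSWORD are placeholders; the +ssl-verify-none+, +ssl-sess-cache-server+ and +ssl-op-no-*+ constant names are assumed from this manual and should be checked against your cl+ssl version.

```lisp
;; Added example; this is not cl+ssl's own code.
(defun serve-tls-echo-once (port cert-file key-file &optional key-password)
  "Accept one TLS client on 127.0.0.1:PORT, echo one line back, return it."
  (let ((ctx (cl+ssl:make-context
              ;; TLS 1.2+ only, as on the client side.
              :disabled-protocols (list cl+ssl:+ssl-op-no-sslv2+
                                        cl+ssl:+ssl-op-no-sslv3+
                                        cl+ssl:+ssl-op-no-tlsv1+
                                        cl+ssl:+ssl-op-no-tlsv1-1+)
              ;; Plain server-side TLS: do not request client certificates.
              ;; For mutual TLS use +ssl-verify-peer+ together with
              ;; +ssl-verify-fail-if-no-peer-cert+ and a VERIFY-LOCATION.
              :verify-mode cl+ssl:+ssl-verify-none+
              ;; Cache server sessions so that clients can resume.
              :session-cache-mode cl+ssl:+ssl-sess-cache-server+)))
    (cl+ssl:with-global-context (ctx :auto-free-p t)
      (let ((listener (usocket:socket-listen "127.0.0.1" port
                                             :reuse-address t
                                             :element-type '(unsigned-byte 8))))
        (unwind-protect
             (let* ((client (usocket:socket-accept
                             listener :element-type '(unsigned-byte 8)))
                    (tls (cl+ssl:make-ssl-server-stream
                          (usocket:socket-stream client)
                          ;; SSL_use_certificate_file installs a single
                          ;; certificate. If intermediates must be sent,
                          ;; load the whole chain into the shared SSL_CTX
                          ;; (the SSL_CTX_use_certificate_chain_file wrapper
                          ;; described above) instead of doing it per connection.
                          :certificate cert-file
                          :key key-file
                          :password key-password
                          :external-format '(:utf-8 :eol-style :lf))))
               (unwind-protect
                    (let ((line (read-line tls nil nil)))
                      (when line
                        (write-line line tls)
                        (finish-output tls))
                      line)
                 ;; Per the docstring above, closing the TLS stream also
                 ;; closes the underlying Lisp socket stream.
                 (close tls)))
          (usocket:socket-close listener))))))
```

A quick check from another terminal is `openssl s_client -connect 127.0.0.1:PORT`, typing one line after the handshake. Loading the key for every connection is the simple form the docstring documents; for a busy server, load certificate and key once into the context instead, as the note on CERTIFICATE above recommends.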
Verifies the HOSTNAME against the specified
CERT. Implemented for all OpenSSL versions,
using custom Lisp code (without relying on the functions
provided by newer OpenSSL versions, like X509_check_host or SSL_set1_host).
Signals an error in case of verification failure.
Otherwise returns true.
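The following is an added example and not cl+ssl's matcher (whose helpers, TRY-MATCH-WILDCARD, VALIDATE-AND-PARSE-WILDCARD-IDENTIFIER and WILDCARD-NOT-IN-A-LABEL, are listed above). It shows the rules a host name verifier has to enforce, in the conservative form of RFC 6125: comparison is case-insensitive; a wildcard is accepted only as the whole leftmost label of an identifier that has at least two further labels; and it matches exactly one label, never a dot, an IP address literal or an IDNA "xn--" label. All names and sample inputs are constructed for illustration.

```lisp
;; Added example; not cl+ssl's own host name matcher.

(defun split-labels (name)
  "Split NAME on dots; an empty label marks a malformed name."
  (let ((labels '()) (start 0))
    (loop for pos = (position #\. name :start start)
          do (push (subseq name start pos) labels)
          while pos
          do (setf start (1+ pos)))
    (nreverse labels)))

(defun well-formed-labels-p (labels)
  (and labels (notany (lambda (l) (zerop (length l))) labels)))

(defun wildcard-identifier-p (labels)
  "True when LABELS form an acceptable wildcard identifier such as
*.example.com (but not *.com, w*.example.com or a.*.example.com)."
  (and (>= (length labels) 3)
       (string= (first labels) "*")
       (notany (lambda (l) (find #\* l)) (rest labels))))

(defun numeric-labels-p (labels)
  "True for a dotted-decimal IPv4 literal, which a wildcard must not match."
  (every (lambda (l) (every #'digit-char-p l)) labels))

(defun hostname-matches-p (hostname identifier)
  "Return T if HOSTNAME (the name the client intended to reach) is covered
by IDENTIFIER (a dNSName SAN or common name taken from the certificate)."
  (let ((host (split-labels (string-downcase hostname)))
        (ident (split-labels (string-downcase identifier))))
    (cond
      ((not (and (well-formed-labels-p host) (well-formed-labels-p ident)))
       nil)
      ;; Exact, case-insensitive match.
      ((equal host ident) t)
      ;; Wildcard: same number of labels, '*' stands for one non-numeric,
      ;; non-A-label leftmost label, and the remaining labels are equal.
      ((and (wildcard-identifier-p ident)
            (= (length host) (length ident))
            (not (numeric-labels-p host))
            (not (eql 0 (search "xn--" (first host))))
            (equal (rest host) (rest ident)))
       t)
      (t nil))))

(defun certificate-covers-hostname-p (hostname identifiers)
  "True when any of IDENTIFIERS matches HOSTNAME. IDENTIFIERS should be
the dNSName SANs, falling back to the CN only when the certificate
carries no subjectAltName extension."
  (some (lambda (id) (hostname-matches-p hostname id)) identifiers))
```

With these rules, "WWW.Example.COM" matches "www.example.com" and "www.example.com" matches "*.example.com", while "a.b.example.com", "example.com" and "xn--80ak6aa92e.example.com" do not match "*.example.com", and "www.example.com" does not match the partial wildcard "w*.example.com". The SAN-before-CN preference in the last function is what the UNABLE-TO-MATCH-ALTNAMES and UNABLE-TO-MATCH-COMMON-NAME conditions listed above correspond to.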
The BYTES must be created by CFFI:MAKE-SHAREABLE-BYTE-VECTOR (because we are going to pass them to CFFI:WITH-POINTER-TO-VECTOR-DATA)
The STREAM’s file descriptor as an integer,
if known / implemented for the current lisp.
Otherwise the STREAM itself. The result of this function can be
passed to MAKE-SSL-CLIENT-STREAM and MAKE-SSL-SERVER-STREAM.
:reason
This slot is read-only.
This condition is signalled on SSL connection when a peer certificate doesn’t verify.
The SSL stream whose peer certificate didn’t verify.
:stream
This slot is read-only.
The peer certificate verification error code
(as returned by functions like SSL_get_verify_result or X509_STORE_CTX_get_error).
:error-code
This slot is read-only.
The callback registered with SSL_CTX_set_default_passwd_cb will use this value.
DEPRECATED.
Use the (MAKE-SSL-CLIENT-STREAM .. :VERIFY ?) to enable/disable verification.
MAKE-CONTEXT also allows to enable/disable verification.
Evaluate BODY with BIO bound to a SSL BIO structure that reads from a Common Lisp STRING.
Evaluate BODY with BIO bound to a SSL BIO structure that writes to a Common Lisp string. The string is returned.
buffer-elt
(function).
set-buffer-elt
(function).
Builds a version number to compare with the version returned by OpenSSL.
The integer representation of the OpenSSL version has bit fields
for major, minor, fix, patch and status values.
Versions before OpenSSL 3 have user-readable representations
for all those fields. For example, 0.9.6b beta 3. Here
0 - major, 9 - minor, 6 - fix, b - patch, beta 3 - status.
https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_VERSION_NUMBER.html
Since OpenSSL 3, the third number in the user-readable representation
is the patch. The fix and status fields are not used and have 0 in the corresponding
bit fields.
https://www.openssl.org/docs/man3.0/man3/OPENSSL_VERSION_NUMBER.html
https://www.openssl.org/policies/general/versioning-policy.html
As usual with OpenSSL docs, if the above links disappear because those OpenSSL versions are out of maintenance, use the Wayback Machine.
Note: the _really_ old formats (<= 0.9.4) are not supported.
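The following is an added example and not the encoder cl+ssl uses internally. It packs the OPENSSL_VERSION_NUMBER bit fields described above (MNNFFPPS: 4 bits major, 8 minor, 8 fix, 8 patch, 4 status), unpacks them again, reads the version of the loaded libcrypto through CFFI, and compares it against a requirement with the status nibble masked off, so that a feature check does not depend on whether the library reports a release, beta or development status there. The function names are invented for this example.

```lisp
;; Added example; not cl+ssl's own version handling.

(defun encode-openssl-version (major minor &key (fix 0) (patch 0) (status 0))
  "Return the integer OpenSSL reports for MAJOR.MINOR.FIX patch PATCH.
For OpenSSL 3 pass the third component as :PATCH and leave FIX at 0."
  (assert (<= 0 major #xf))
  (assert (<= 0 minor #xff))
  (assert (<= 0 fix #xff))
  (assert (<= 0 patch #xff))
  (assert (<= 0 status #xf))
  (logior (ash major 28) (ash minor 20) (ash fix 12) (ash patch 4) status))

(defun decode-openssl-version (n)
  "Return (values major minor fix patch status) for a packed version N."
  (values (ldb (byte 4 28) n)
          (ldb (byte 8 20) n)
          (ldb (byte 8 12) n)
          (ldb (byte 8 4) n)
          (ldb (byte 4 0) n)))

(defun running-openssl-version ()
  "Ask the loaded libcrypto for its packed version. OpenSSL_version_num
exists since 1.1.0; older releases export SSLeay instead."
  (let ((fn (or (cffi:foreign-symbol-pointer "OpenSSL_version_num")
                (cffi:foreign-symbol-pointer "SSLeay"))))
    (unless fn
      (error "no OpenSSL version function found; is libcrypto loaded?"))
    (cffi:foreign-funcall-pointer fn () :unsigned-long)))

(defun openssl-at-least-p (major minor &key (fix 0) (patch 0)
                                            (actual (running-openssl-version)))
  "True when ACTUAL is at least MAJOR.MINOR(.FIX).PATCH. The status nibble
is ignored so release, beta and dev builds compare by number only."
  (>= (logand actual (lognot #xf))
      (encode-openssl-version major minor :fix fix :patch patch)))
```

`(encode-openssl-version 0 9 :fix 6 :patch 2 :status 3)` gives #x00906023, the 0.9.6b beta 3 value from the man page linked above (patch letter b is 2, beta 3 is status 3), and `(encode-openssl-version 3 0 :patch 2)` gives #x30000020 for 3.0.2 in the OpenSSL 3 layout. `(openssl-at-least-p 1 1)` is the kind of check behind the "TLS_method on OpenSSL >= 1.1.0" fallback mentioned in MAKE-CONTEXT's docstring.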
STREAM-DESIGNATOR is the same as CL:FORMAT accepts: T, NIL, or a stream.
QUEUE-DESIGNATOR is either a list of error codes (as returned
by READ-SSL-ERROR-QUEUE) or an SSL-ERROR condition.
Convert list of protocol names to the wire-format byte string.
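The following is an added example and not cl+ssl's encoder. It builds and parses the ALPN protocol list in the TLS wire format (RFC 7301): each name is a one-byte length followed by the name's bytes, the entries are concatenated, and there is no overall length prefix. That is the layout SSL_set_alpn_protos expects, and the result is copied into a CFFI shareable vector as the note below about CFFI:MAKE-SHAREABLE-BYTE-VECTOR requires. flexi-streams is a cl+ssl dependency; the function names are invented for this example.

```lisp
;; Added example; not cl+ssl's own ALPN code.

(defun alpn-protocols-to-wire (protocols)
  "Return a CFFI shareable (unsigned-byte 8) vector encoding PROTOCOLS."
  (let ((out (make-array 0 :element-type '(unsigned-byte 8)
                           :adjustable t :fill-pointer 0)))
    (dolist (name protocols)
      (let ((octets (flexi-streams:string-to-octets name :external-format :utf-8)))
        ;; ProtocolName is <1..2^8-1> bytes; anything else would corrupt the
        ;; length-prefixed framing, so refuse it instead of truncating.
        (unless (<= 1 (length octets) 255)
          (error "ALPN protocol name ~S must be 1..255 bytes" name))
        (vector-push-extend (length octets) out)
        (loop for b across octets do (vector-push-extend b out))))
    ;; Copy into a vector that WITH-POINTER-TO-VECTOR-DATA may pin.
    (let ((wire (cffi:make-shareable-byte-vector (length out))))
      (replace wire out)
      wire)))

(defun alpn-protocols-from-wire (wire)
  "Decode WIRE back into a list of names, rejecting truncated or empty
entries so a malformed list from a peer cannot be misread."
  (let ((pos 0) (names '()))
    (loop while (< pos (length wire))
          do (let* ((len (aref wire pos))
                    (end (+ pos 1 len)))
               (when (or (zerop len) (> end (length wire)))
                 (error "malformed ALPN list at offset ~D" pos))
               (push (flexi-streams:octets-to-string
                      wire :start (1+ pos) :end end :external-format :utf-8)
                     names)
               (setf pos end)))
    (nreverse names)))
```

`(alpn-protocols-to-wire '("h2" "http/1.1"))` yields the bytes 2 104 50 8 104 116 116 112 47 49 46 49, and `alpn-protocols-from-wire` turns them back into ("h2" "http/1.1"); a list whose last length byte overruns the buffer signals an error rather than silently yielding a shorter name.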
Returns a sequence containing the STREAM bytes; the sequence is created by CFFI:MAKE-SHAREABLE-BYTE-VECTOR, therefore it can safely be passed to CFFI:WITH-POINTER-TO-VECTOR-DATA.
RET is the return value of the failed SYSCALL (like SSL_read, SSL_connect,
SSL_shutdown, etc. - most of them designate failure by returning
RET <= 0, although SSL_shutdown fails with RET < 0).
ERROR-CODE is the return value of SSL_get_error - an explanation of the failure.
DEPRECATED.
Use the (MAKE-SSL-CLIENT-STREAM .. :VERIFY ?) to enable/disable verification.
Use (MAKE-CONTEXT ... :VERIFY-LOCATION ? :VERIFY-DEPTH ?) to control the verification depth and locations.
MAKE-CONTEXT also allows to enable/disable verification.
ASN.1 syntax error
ASN.1 string parsing/validation error
SSL server didn’t present a certificate
A failure in the SSL library occurred.
The TLS/SSL I/O operation completed. This result code is returned if and only if ret > 0.
A failure in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error.
Some I/O error occurred. The OpenSSL error queue may contain more
information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0),
ret can be used to find out more about the error: If ret == 0, an EOF was observed that
violates the protocol. If ret == -1, the underlying BIO reported an I/O error (for socket
I/O on Unix systems, consult errno for details).
The operation did not complete; the same TLS/SSL I/O function should be
called again later. The underlying BIO was not connected yet to the peer
and the call would block in connect()/accept(). The SSL
function should be called again when the connection is established. These
messages can only appear with a BIO_s_connect() or
BIO_s_accept() BIO, respectively. In order to find out, when
the connection has been successfully established, on many platforms
select() or poll() for writing on the socket file
descriptor can be used.
The operation did not complete; the same TLS/SSL I/O function should be called again later. If, by then, the underlying BIO has data available for reading (if the result code is SSL_ERROR_WANT_READ) or allows writing data (SSL_ERROR_WANT_WRITE), then some TLS/SSL protocol progress will take place, i.e. at least part of an TLS/SSL record will be read or written. Note that the retry may again lead to a SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition. There is no fixed upper limit for the number of iterations that may be necessary until progress becomes visible at application protocol level.
The operation did not complete; the same TLS/SSL I/O function should be called again later. If, by then, the underlying BIO has data available for reading (if the result code is SSL_ERROR_WANT_READ) or allows writing data (SSL_ERROR_WANT_WRITE), then some TLS/SSL protocol progress will take place, i.e. at least part of an TLS/SSL record will be read or written. Note that the retry may again lead to a SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition. There is no fixed upper limit for the number of iterations that may be necessary until progress becomes visible at application protocol level.
The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again. The TLS/SSL I/O function should be called again later. Details depend on the application.
The TLS/SSL connection has been closed. If the protocol version is SSL 3.0
or TLS 1.0, this result code is returned only if a closure alert has
occurred in the protocol, i.e. if the connection has been closed cleanly.
Note that in this case SSL_ERROR_ZERO_RETURN
does not necessarily indicate that the underlying transport has been
closed.
Base condition for lisp wrappers of SSL_get_error return values.
Unable to find verify locations
:location
Structure of the ssl-stream class:
Direct superclasses: fundamental-binary-input-stream, fundamental-binary-output-stream, trivial-gray-stream-mixin.
Direct methods: close, initialize-instance, open-stream-p, print-object, ssl-close-callback and (setf ssl-close-callback), ssl-stream-deadline and (setf ssl-stream-deadline), ssl-stream-handle and (setf ssl-stream-handle), ssl-stream-input-buffer and (setf ssl-stream-input-buffer), ssl-stream-output-buffer and (setf ssl-stream-output-buffer), ssl-stream-output-pointer and (setf ssl-stream-output-pointer), ssl-stream-peeked-byte and (setf ssl-stream-peeked-byte), ssl-stream-socket and (setf ssl-stream-socket), stream-element-type, stream-finish-output, stream-force-output, stream-listen, stream-read-byte, stream-read-sequence, stream-write-byte, stream-write-sequence.
Slot initargs: :socket, :close-callback, :deadline.