Added more notes / comments on own_cert, trust_ca purposes

commit: 1f9d02dc90c6c69ff34ce7250a5c8b47de28b850 [log] [tgz]
author: Paul Bakker <p.j.bakker@polarssl.org> Tue Nov 20 10:30:55 2012 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Nov 20 10:30:55 2012 +0100
tree: f8e29a943f73fb749c22cad053b048abf32a3e38
parent: e44ec108bea03837fa72714ca33e6dc557c1189b [diff]
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 5a1e7fc..2020d31 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h

@@ -720,20 +720,22 @@
  * \brief          Set the data required to verify peer certificate
  *
  * \param ssl      SSL context
- * \param ca_chain trusted CA chain
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
  * \param ca_crl   trusted CA CRLs
  * \param peer_cn  expected peer CommonName (or NULL)
- *
- * \note           TODO: add two more parameters: depth and crl
  */
 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
                        x509_crl *ca_crl, const char *peer_cn );
 
 /**
- * \brief          Set own certificate and private key
+ * \brief          Set own certificate chain and private key
+ *
+ *                 Note: own_cert should contain IN order from the bottom
+ *                 up your certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
  *
  * \param ssl      SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
  * \param rsa_key  own private RSA key
  */
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
@@ -747,8 +749,12 @@
  *                 of the callback parameters, with the only change being
  *                 that the rsa_context * is a void * in the callbacks)
  *
+ *                 Note: own_cert should contain IN order from the bottom
+ *                 up your certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
  * \param ssl      SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
  * \param rsa_key  alternate implementation private RSA key
  * \param rsa_decrypt_func  alternate implementation of \c rsa_pkcs1_decrypt()
  * \param rsa_sign_func     alternate implementation of \c rsa_pkcs1_sign()

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6e047dc..0d7a418 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -127,9 +127,12 @@
 
 #if defined(POLARSSL_FS_IO)
 #define USAGE_IO \
-    "    ca_file=%%s          default: \"\" (pre-loaded)\n" \
-    "    ca_path=%%s          default: \"\" (pre-loaded) (overrides ca_file)\n" \
-    "    crt_file=%%s         default: \"\" (pre-loaded)\n" \
+    "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
+    "                        default: \"\" (pre-loaded)\n" \
+    "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
+    "                        default: \"\" (pre-loaded) (overrides ca_file)\n" \
+    "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+    "                        default: \"\" (pre-loaded)\n" \
     "    key_file=%%s         default: \"\" (pre-loaded)\n"
 #else
 #define USAGE_IO \

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f6cf487..cc94e5c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c

@@ -184,9 +184,12 @@
 
 #if defined(POLARSSL_FS_IO)
 #define USAGE_IO \
-    "    ca_file=%%s          default: \"\" (pre-loaded)\n" \
-    "    ca_path=%%s          default: \"\" (pre-loaded) (overrides ca_file)\n" \
-    "    crt_file=%%s         default: \"\" (pre-loaded)\n" \
+    "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
+    "                        default: \"\" (pre-loaded)\n" \
+    "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
+    "                        default: \"\" (pre-loaded) (overrides ca_file)\n" \
+    "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+    "                        default: \"\" (pre-loaded)\n" \
     "    key_file=%%s         default: \"\" (pre-loaded)\n"
 #else
 #define USAGE_IO \
commit	1f9d02dc90c6c69ff34ce7250a5c8b47de28b850	[log] [tgz]
author	Paul Bakker <p.j.bakker@polarssl.org>	Tue Nov 20 10:30:55 2012 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Nov 20 10:30:55 2012 +0100
tree	f8e29a943f73fb749c22cad053b048abf32a3e38
parent	e44ec108bea03837fa72714ca33e6dc557c1189b [diff]