NAME
CONF_modules_load_file,
CONF_modules_load,
X509_get_default_cert_area —
OpenSSL configuration
functions
SYNOPSIS
#include
<openssl/conf.h>
int
CONF_modules_load_file(const char
*filename, const char *appname,
unsigned long flags);
int
CONF_modules_load(const CONF
*cnf, const char *appname,
unsigned long flags);
#include
<openssl/x509.h>
const char *
X509_get_default_cert_area(void);
DESCRIPTION
The functionCONF_modules_load_file()
configures OpenSSL using the file filename in
openssl.cnf(5) format and the application name
appname. If filename is
NULL, the standard OpenSSL configuration file
/etc/ssl/openssl.cnf is used. If
appname is NULL, the standard
OpenSSL application name "openssl_conf" is used. The behaviour can
be customized using flags.
See the EXAMPLES section for additional functions that may need to be called. Calling configuration functions in the right order for the intended effect can be tricky because many configuration functions internally call each other.
CONF_modules_load()
is identical to CONF_modules_load_file() except it
reads configuration information from cnf.
The following flags are currently recognized:
CONF_MFLAGS_IGNORE_ERRORS- Ignore errors returned by individual configuration modules. By default, the first module error is considered fatal and no further modules are loaded.
CONF_MFLAGS_SILENT- Do not add any error information. By default, all module errors add error information to the error queue.
CONF_MFLAGS_NO_DSO- Disable loading of configuration modules from DSOs.
CONF_MFLAGS_IGNORE_MISSING_FILE- Let
CONF_modules_load_file() ignore missing configuration files. By default, a missing configuration file returns an error. - CONF_MFLAGS_DEFAULT_SECTION
- If appname is not
NULLbut does not exist, fall back to the default section "openssl_conf".
By using
CONF_modules_load_file()
with appropriate flags, an application can customise application
configuration to best suit its needs. In some cases the use of a
configuration file is optional and its absence is not an error: in this case
CONF_MFLAGS_IGNORE_MISSING_FILE would be set.
Errors during configuration may also be handled differently by different applications. For example in some cases an error may simply print out a warning message and the application may continue. In other cases an application might consider a configuration file error fatal and exit immediately.
Applications can use the
CONF_modules_load()
function if they wish to load a configuration file themselves and have finer
control over how errors are treated.
RETURN VALUES
CONF_modules_load_file() and
CONF_modules_load() return 1 for success and zero or
a negative value for failure. If module errors are not ignored, the return
code will reflect the return value of the failing module (this will always
be zero or negative).
X509_get_default_cert_area() returns a
pointer to the constant string "/etc/ssl".
FILES
- /etc/ssl
- standard configuration directory
- /etc/ssl/openssl.cnf
- standard configuration file
EXAMPLES
Load a configuration file and print out any errors and exit (missing file considered fatal):
if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
fprintf(stderr, "FATAL: error loading configuration file\n");
ERR_print_errors_fp(stderr);
exit(1);
}
Load default configuration file using the section indicated by "myapp", tolerate missing files, but exit on other errors:
if (CONF_modules_load_file(NULL, "myapp",
CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
fprintf(stderr, "FATAL: error loading configuration file\n");
ERR_print_errors_fp(stderr);
exit(1);
}
Load custom configuration file and section instead of the standard one, only print warnings on error, missing configuration file ignored:
OPENSSL_no_config();
ENGINE_load_builtin_engines();
OPENSSL_load_builtin_modules();
if (CONF_modules_load_file("/something/app.cnf", "myapp",
CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
fprintf(stderr, "WARNING: error loading configuration file\n");
ERR_print_errors_fp(stderr);
}
In the previous example, the call to OPENSSL_no_config(3) is required first to suppress automatic loading of the standard configuration file, and the calls to ENGINE_load_builtin_engines(3) and OPENSSL_load_builtin_modules(3) are needed so that the configuration of builtin modules and engines is also loaded in addition to the configuration of "myapp".
Load and parse configuration file manually, custom error handling:
FILE *fp;
CONF *cnf = NULL;
long eline;
fp = fopen("/somepath/app.cnf", "r");
if (fp == NULL) {
fprintf(stderr, "Error opening configuration file\n");
/* Other missing configuration file behaviour */
} else {
cnf = NCONF_new(NULL);
if (NCONF_load_fp(cnf, fp, &eline) == 0) {
fprintf(stderr, "Error on line %ld of configuration file\n",
eline);
ERR_print_errors_fp(stderr);
/* Other malformed configuration file behaviour */
} else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
fprintf(stderr, "Error configuring application\n");
ERR_print_errors_fp(stderr);
/* Other configuration error behaviour */
}
fclose(fp);
NCONF_free(cnf);
}
SEE ALSO
CONF_modules_free(3), ENGINE_load_builtin_engines(3), ERR(3), OPENSSL_config(3), OPENSSL_load_builtin_modules(3)
HISTORY
X509_get_default_cert_area() first
appeared in SSLeay 0.4.1 and has been available since
OpenBSD 2.4.
CONF_modules_load_file() and
CONF_modules_load() first appeared in OpenSSL 0.9.7
and have been available since OpenBSD 3.2.