[SMO-SFO-ICO-PE-046-GU-

Transcription

1 Presentation This module contains all the SSL definitions. See also the SSL Security Guidance Introduction The package SSL is a static library which implements an API to use the dynamic SSL library. It must be linked with the application. It is composed of two API header files ( <SSL_.h>, <X509_.h>) and a library "SSL _.lib" compiled with the three compilers (GCC, RVD and SDT) supported by the Telium SDK. The package provides all the services to monitor the SSL client facility : SSL connection (simple or double authentication). SSL configuration profile monitoring X509 certificate management //... Developers shall read the [SMO-SFO-ICO-PE-046-GU- EN_PackSSL_SecurityGuidance_UserGuide.pdf] which describes best practises for implementing SSL/TLS enabled applications, according to the requirements of the POS Terminal Security Program (PTS). Be careful, do not forget to load the dynamic SSL library (3620xxxx.LDF/SGN) in your terminal. Each function makes a reset with EXIT_DLL_SSL_NOT_INITIALIZED value if the dynamic SSL library is not loaded in the terminal. Certificates A certificate is a digitally signed statement from an entity certifying that information about an other entity are true. A certificate is an information set, signed by an issuer entity. The signature algorithms are based on asymmetric key cryptography (generally RSA). The issuer entity signs by enciphering the information set with its private key (known only by itself). The other entities can verified the signature by deciphering the information set with the public key of the issuer. SSL uses the certificate principle to operate the authentication of the entities (client and server). These certificates are coded according to the X509 standard. This standard defines what information can contain a certificate, and describes the data format how to write it down. All X.509 certificates contain the following data, in addition to the signature: Version: This identifies which version of the X509 standard is used to code the certificate. It affects mainly what information can be stored in the certificate. Serial Number: This identifies the certificate. It is given by the issuer entity. It serves to distinguish the certificate from the other ones issued by the same issuer entity. This information is used for example when the certificate is revoked ; in this case, its serial number is placed in a Certificate Revocation List (CRL). Signature Algorithm Identifier: This identifies the algorithm used by the issuer entity to sign the certificate. Issuer Name: The name of the issuer entity. Normally, it corresponds to a Certification Authority (CA). Using this certificate implies trusting the entity that issued the certificate.

2 Validity Period: A certificate is valid only for a limited period of time. This period is described by a start date and an end date. The validity period is the expected period that the entities can rely on the information of the certificate. This period is chosen by the issuer. It depends on the strength of the signature algorithm, or mainly the willing of issuer to sell its certificates. Subject Name: The name of the entity whose the certificate identifies. Subject Public Key Information: This is the public key of the subject entity. This information identifies also the cryptographic algorithm associated to the key. The names of the issuer entity and of the subject entity are coded according to the X500 standard. They are intended to be unique across the Internet. A X500 name is composed of fields, for example : "CN=EFT30, OU=DSEC, O=Ingenico France, C=FR" refer respectively to the subject's Common Name, Organisational Unit, Company and Country). There are two ways to generate a certificate: SSL 1. You can create one yourself using special tools (for example those provided with OpenSSL) 2. You can ask a Certification Authority (CA) to get one directly or generate a request (named CSR for Certification Signature Request) and ask the CA for its signature. SSL stands for Secure Socket Layer. The protocol's name is now officially TLS but SSL is still the better known name. SSL was designed to permit applications and servers to exchange sensitive information and prevent programs that could access the network traffic from reading the sensitive data. SSL uses the notion of client and server. Its operational scheme does not require the client and the server to share a secrete key. SSL uses asymmetric encryption algorithms to secure the transaction. These algorithms uses pair of keys (public and private). The public key is freely available and known for anybody. The private key is only known by the entity (the client or the server). These keys have to main properties : 1. Data encrypted by the public key can only decrypted by the private key. As the public is freely known, anybody can transfer secured data to the entity owner of the private key. 2. Data encrypted by the private key can be only decrypted by using the public key. This property is used for authentication. Only the entity owner of the private key is able to generate a message which can be decrypted with the public key. In the SSL scheme, the client contacts the server and sends the first SSL message. This message starts the SSL negotiation : an encryption algorithm is chosen and a secured key is generated to the current connection. After the success of this negotiation, the two entities can exchange secured data at will. The SSL negotiation (named SSL Handshake) involves an authentication process. At least, the server is authenticated by the client (case of simple authentication). The server can also request the client to be authenticated (case of mutual authentication). The SSL authentication scheme is based on the use of certificates.

3 Below is the description of the message sequence to operate the SSL handshake.

4 SSL Message Sequence Diagram

5 Profiles Management The SSL library defines the notion of profile. A profile is a data set which contains all the configuration useful to perform a connection SSL. The library allows to have several profiles. All the profiles are stored in a file in flash.

6 Profiles Management Illustration A profile is identified by a name. This name must be unique for all the profiles in the terminal. A profile contains the list of the enciphering algorithms supported, and the export mode mask. It contains also a list of CA certificates file names. And optionally, a key file name and a client certificate file name (case of mutual authentication). It contains also extra information about the last connection (result, IP address...). Capabilities The SSL library supports the following cipher suites : Cipher Suite Key Exchange Cipher Hash NULL_WITH_NULL_NULL NULL NULL NULL RSA_WITH_NULL_MD5 RSA NULL MD5 RSA_WITH_NULL_SHA RSA NULL SHA RSA_EXPORT_WITH_RC4_40_MD5 RSA_EXPORT RC4_40 MD5 RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5 RSA_WITH_RC4_128_SHA RSA RC4_128 SHA RSA_EXPORT_WITH_RC2_CBC_40_MD5 RSA_EXPORT RC2_CBC_40 MD5 RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_EXPORT DES40_CBC SHA RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CB C SHA DH_DSS_EXPORT_WITH_DES40_CBC_SHA DH_DSS_EXPORT DES40_CBC SHA DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CB C DH_RSA_EXPORT_WITH_DES40_CBC_SHA DH_RSA_EXPORT DES40_CBC DHE_DSS_EXPORT_WITH_DES40_CBC_SH A DHE_DSS_EXPOR T DES40_CBC SHA SHA SHA DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SH A DHE_DSS DHE_RSA_EXPOR T 3DES_EDE_CB C DES40_CBC SHA SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CB C SHA DH_anon_EXPORT_WITH_RC4_40_MD5 DH_anon_EXPORT RC4_40 MD5 DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5 DH_anon_EXPORT_WITH_DES40_CBC_SHA DH_anon DES40_CBC SHA DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CB SHA

7 C RSA_WITH_AES_128_CBC_SHA RSA AES_128_CBC SHA DH_DSS_WITH_AES_128_CBC_SHA DH_DSS AES_128_CBC SHA DH_RSA_WITH_AES_128_CBC_SHA DH_RSA AES_128_CBC SHA DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS AES_128_CBC SHA DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA AES_128_CBC SHA DH_anon_WITH_AES_128_CBC_SHA DH_anon AES_128_CBC SHA RSA_WITH_AES_256_CBC_SHA RSA AES_256_CBC SHA DH_DSS_WITH_AES_256_CBC_SHA DH_DSS AES_256_CBC SHA DH_RSA_WITH_AES_256_CBC_SHA DH_RSA AES_256_CBC SHA DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS AES_256_CBC SHA DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA AES_256_CBC SHA DH_anon_WITH_AES_256_CBC_SHA DH_anon AES_256_CBC SHA The maximum size of RSA keys for a certificate verification is 4096 bits (public key). The maximum size for the RSA private keys is 2048 bits. The SHA-2 hash algorithm is supported but only for certificate verification. The SSL library does not support this algorithm in cipher suites. Presentation Error codes returned by SSL API functions. Defines #define SSL_EOK 0 No error. #define SSL_EAGAIN -6 Resource temporarily unavailable. #define SSL_EINVAL -26 Invalid Argument. #define SSL_ENOBUFS -39 Out of Resources. #define SSL_ENOENT -41 No such file or directory. #define SSL_ENOMEM -44 Cannot allocate memory. #define SSL_ENOTCONN -50 socket not connected #define SSL_ESSL -500

8 SSL error. #define SSL_EBADFORMAT -501 Define Documentation #define SSL_EOK 0 No error. #define SSL_EAGAIN -6 Resource temporarily unavailable. #define SSL_EINVAL -26 Invalid Argument. #define SSL_ENOBUFS -39 Out of Resources. #define SSL_ENOENT -41 No such file or directory. #define SSL_ENOMEM -44 Cannot allocate memory. #define SSL_ENOTCONN -50 socket not connected #define SSL_ESSL -500 SSL error. #define SSL_EBADFORMAT -501 bad certificate file or ca file format // RSA function error code #define SSL_RSA_EOK 0 /*!< No error*/ #define SSL_RSA_ENOK -1 /*!< RSA error*/ #define SSL_RSA_ENOKEY -2 /*!< Internal Rsa key not yet generated*/ #define SSL_RSA_EEXIST -3 /*!< File exist*/ // Profile function error code #define SSL_PROFILE_EOK 0 /*!< No error*/ #define SSL_PROFILE_EEXIST -1 /*!< Profile already exist*/ #define SSL_PROFILE_ENEXIST -2 /*!< Profile does not exist*/ #define SSL_PROFILE_ETOOMANY -3 /*!< Too many profile are loaded*/ #define SSL_PROFILE_ENOMEM -4 /*!< Allocation error*/ #define SSL_PROFILE_ELOADED -5 /*!< Profile already loaded*/ #define SSL_PROFILE_ENLOADED -6 /*!< Profile not loaded*/ #define SSL_PROFILE_ECAEXIST -7 /*!< ca already exist*/ #define SSL_PROFILE_ECANEXIST -8 /*!< ca does not exist in the profile*/ #define SSL_PROFILE_ECATOOMANY -9 /*!< Too many ca in the profile*/

9 #define SSL_PROFILE_EPARAM -10 /*!< A parameter is wrong*/ #define SSL_PROFILE_ENOCERT -11 /*!< There is no certificate*/ // Error code return by SSL_ProfileGetLastError function // SSL connection error code #define SSL_PROFILE_OK 0 /*!< SSL connection OK */ #define SSL_PROFILE_TCP_CONNECT_FAILED -1 /*!< TCP connection failed */ #define SSL_PROFILE_TCP_CONNECT_TIMEOUT -2 /*!< TCP connection timeout */ #define SSL_PROFILE_TCP_ADDR_NOT_AVAILABLE -3 /*!< TCP address is not reachable */ #define SSL_PROFILE_SSL_HANDSHAKE_FAILURE -4 /*!< SSL handshake failure */ #define SSL_PROFILE_DNS_FAILURE -5 /*!< DNS tranlation failure */ #define SSL_PROFILE_DOMAIN_NAME_FAILURE -6 /*!< Domain name check failure */ #define SSL_PROFILE_SSL_HANDSHAKE_TIMEOUT -7 /*!< SSL handshake timeout */ // Certificate verification error code #define SSL_PROFILE_UNABLE_TO_GET_ISSUER_CERT 2 /*! < Unable to get issuer */ #define SSL_PROFILE_UNABLE_TO_GET_CRL 3 /*!< Unable to get certificate revocation list */ #define SSL_PROFILE_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 /*!< Unable to decrypt certificate signature */ #define SSL_PROFILE_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 /*!< Unable to decrypt certificate revocation list signature */ #define SSL_PROFILE_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 /*!< Unable to decode issuer public key */ #define SSL_PROFILE_CERT_SIGNATURE_FAILURE 7 /*!< Certificate signature verification failure */ #define SSL_PROFILE_CRL_SIGNATURE_FAILURE 8 /*!< Certificate revocation list signature verification failure */ #define SSL_PROFILE_CERT_NOT_YET_VALID 9 /*!< Certificate is not yet valid */ #define SSL_PROFILE_CERT_HAS_EXPIRED 10 /*!< Certificate has expired */ #define SSL_PROFILE_CRL_NOT_YET_VALID 11 /*!< Certificate revocation list is not yet valid*/ #define SSL_PROFILE_CRL_HAS_EXPIRED 12 /*!< Certificate revocation list has expired */ #define SSL_PROFILE_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 /*!< Error in a validity date of certificate */ #define SSL_PROFILE_ERROR_IN_CERT_NOT_AFTER_FIELD 14 /*!< Error in a validity date of certificate*/ #define SSL_PROFILE_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 /*!< Error in a update date of certificate revocation list */ #define SSL_PROFILE_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 /*!< Error in a update date of certificate revocation list */

10 #define SSL_PROFILE_OUT_OF_MEM 17 /*!< Out of memory */ #define SSL_PROFILE_DEPTH_ZERO_SELF_SIGNED_CERT 18 /*!< Certificate is self signed */ #define SSL_PROFILE_SELF_SIGNED_CERT_IN_CHAIN 19 /*!< Certificate is self signed */ #define SSL_PROFILE_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 /*!< Unable to get issuer */ #define SSL_PROFILE_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 /*!< Unable to verify leaf signature */ #define SSL_PROFILE_CERT_CHAIN_TOO_LONG 22 /*!< Certificate chain is too long */ #define SSL_PROFILE_CERT_REVOKED 23 /*!< Certificate is revoked */ #define SSL_PROFILE_INVALID_CA 24 /*!< Invalid CA */ #define SSL_PROFILE_PATH_LENGTH_EXCEEDED 25 /*!< Path length too long */ #define SSL_PROFILE_INVALID_PURPOSE 26 /*!< Invalid purpose of certificate */ #define SSL_PROFILE_CERT_UNTRUSTED 27 /*!< Untrusted certificate */ #define SSL_PROFILE_CERT_REJECTED 28 /*!< Rejected certificate */ #define SSL_PROFILE_SUBJECT_ISSUER_MISMATCH 29 /*!< Certificate subject mismatch */ #define SSL_PROFILE_AKID_SKID_MISMATCH 30 /*!< AKID SKID mismatch */ #define SSL_PROFILE_AKID_ISSUER_SERIAL_MISMATCH 31 /*!< AKID issuer serial mismatch*/ #define SSL_PROFILE_KEYUSAGE_NO_CERTSIGN 32 /*!< Invalid purpose of certificate */ #define SSL_PROFILE_UNABLE_TO_GET_CRL_ISSUER 33 /*!< Unable to get certificate revocation list issuer */ #define SSL_PROFILE_UNHANDLED_CRITICAL_EXTENSION 34 /*!< Unhandled critical extension */ #define SSL_PROFILE_KEYUSAGE_NO_CRL_SIGN 35 /*!< Issuer can't sign a certificate revocation list */ #define SSL_PROFILE_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /*!< Unhandled critical extension in certificate revocation list */ /** \cond avoid dox documentation */ // SSL Handshake error code #define SSL_PROFILE_E_APP_DATA_IN_HANDSHAKE 100 #define SSL_PROFILE_E_BAD_ALERT_RECORD 101 #define SSL_PROFILE_E_BAD_AUTHENTICATION_TYPE 102 #define SSL_PROFILE_E_BAD_CHANGE_CIPHER_SPEC 103 #define SSL_PROFILE_E_BAD_CHECKSUM 104 #define SSL_PROFILE_E_BAD_HELLO_REQUEST 105

11 #define SSL_PROFILE_E_BAD_DATA_RETURNED_BY_CALLBACK 106 #define SSL_PROFILE_E_BAD_DECOMPRESSION 107 #define SSL_PROFILE_E_BAD_DH_G_LENGTH 108 #define SSL_PROFILE_E_BAD_DH_PUB_KEY_LENGTH 109 #define SSL_PROFILE_E_BAD_DH_P_LENGTH 110 #define SSL_PROFILE_E_BAD_DIGEST_LENGTH 111 #define SSL_PROFILE_E_BAD_DSA_SIGNATURE 112 #define SSL_PROFILE_E_BAD_MAC_DECODE 113 #define SSL_PROFILE_E_BAD_MESSAGE_TYPE 114 #define SSL_PROFILE_E_BAD_PACKET_LENGTH 115 #define SSL_PROFILE_E_BAD_PROTOCOL_VERSION_NUMBER 116 #define SSL_PROFILE_E_BAD_RESPONSE_ARGUMENT 117 #define SSL_PROFILE_E_BAD_RSA_DECRYPT 118 #define SSL_PROFILE_E_BAD_RSA_ENCRYPT 119 #define SSL_PROFILE_E_BAD_RSA_E_LENGTH 120 #define SSL_PROFILE_E_BAD_RSA_MODULUS_LENGTH 121 #define SSL_PROFILE_E_BAD_RSA_SIGNATURE 122 #define SSL_PROFILE_E_BAD_SIGNATURE 123 #define SSL_PROFILE_E_BAD_SSL_FILETYPE 124 #define SSL_PROFILE_E_BAD_SSL_SESSION_ID_LENGTH 125 #define SSL_PROFILE_E_BAD_STATE 126 #define SSL_PROFILE_E_BAD_WRITE_RETRY 127 #define SSL_PROFILE_E_BIO_NOT_SET 128 #define SSL_PROFILE_E_BLOCK_CIPHER_PAD_IS_WRONG 129 #define SSL_PROFILE_E_BN_LIB 130 #define SSL_PROFILE_E_CA_DN_LENGTH_MISMATCH 131 #define SSL_PROFILE_E_CA_DN_TOO_LONG 132 #define SSL_PROFILE_E_CCS_RECEIVED_EARLY 133 #define SSL_PROFILE_E_CERTIFICATE_VERIFY_FAILED 134 #define SSL_PROFILE_E_CERT_LENGTH_MISMATCH 135 #define SSL_PROFILE_E_CHALLENGE_IS_DIFFERENT 136 #define SSL_PROFILE_E_CIPHER_CODE_WRONG_LENGTH 137 #define SSL_PROFILE_E_CIPHER_OR_HASH_UNAVAILABLE 138 #define SSL_PROFILE_E_CIPHER_TABLE_SRC_ERROR 139 #define SSL_PROFILE_E_COMPRESSED_LENGTH_TOO_LONG 140 #define SSL_PROFILE_E_COMPRESSION_FAILURE 141 #define SSL_PROFILE_E_COMPRESSION_LIBRARY_ERROR 142 #define SSL_PROFILE_E_CONNECTION_ID_IS_DIFFERENT 143 #define SSL_PROFILE_E_CONNECTION_TYPE_NOT_SET 144

12 #define SSL_PROFILE_E_DATA_BETWEEN_CCS_AND_FINISHED 145 #define SSL_PROFILE_E_DATA_LENGTH_TOO_LONG 146 #define SSL_PROFILE_E_DECRYPTION_FAILED 147 #define SSL_PROFILE_E_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_PROFILE_E_DIGEST_CHECK_FAILED 149 #define SSL_PROFILE_E_ENCRYPTED_LENGTH_TOO_LONG 150 #define SSL_PROFILE_E_ERROR_IN_RECEIVED_CIPHER_LIST 151 #define SSL_PROFILE_E_EXCESSIVE_MESSAGE_SIZE 152 #define SSL_PROFILE_E_EXTRA_DATA_IN_MESSAGE 153 #define SSL_PROFILE_E_GOT_A_FIN_BEFORE_A_CCS 154 #define SSL_PROFILE_E_HTTPS_PROXY_REQUEST 155 #define SSL_PROFILE_E_HTTP_REQUEST 156 #define SSL_PROFILE_E_INTERNAL_ERROR 157 #define SSL_PROFILE_E_INVALID_CHALLENGE_LENGTH 158 #define SSL_PROFILE_E_LENGTH_MISMATCH 159 #define SSL_PROFILE_E_LENGTH_TOO_SHORT 160 #define SSL_PROFILE_E_LIBRARY_HAS_NO_CIPHERS 161 #define SSL_PROFILE_E_MISSING_DH_DSA_CERT 162 #define SSL_PROFILE_E_MISSING_DH_KEY 163 #define SSL_PROFILE_E_MISSING_DH_RSA_CERT 164 #define SSL_PROFILE_E_MISSING_DSA_SIGNING_CERT 165 #define SSL_PROFILE_E_MISSING_EXPORT_TMP_DH_KEY 166 #define SSL_PROFILE_E_MISSING_EXPORT_TMP_RSA_KEY 167 #define SSL_PROFILE_E_MISSING_RSA_CERTIFICATE 168 #define SSL_PROFILE_E_MISSING_RSA_ENCRYPTING_CERT 169 #define SSL_PROFILE_E_MISSING_RSA_SIGNING_CERT 170 #define SSL_PROFILE_E_MISSING_TMP_DH_KEY 171 #define SSL_PROFILE_E_MISSING_TMP_RSA_KEY 172 #define SSL_PROFILE_E_MISSING_TMP_RSA_PKEY 173 #define SSL_PROFILE_E_MISSING_VERIFY_MESSAGE 174 #define SSL_PROFILE_E_NON_SSLV2_INITIAL_PACKET 175 #define SSL_PROFILE_E_NO_CERTIFICATES_RETURNED 176 #define SSL_PROFILE_E_NO_CERTIFICATE_ASSIGNED 177 #define SSL_PROFILE_E_NO_CERTIFICATE_RETURNED 178 #define SSL_PROFILE_E_NO_CERTIFICATE_SET 179 #define SSL_PROFILE_E_NO_CERTIFICATE_SPECIFIED 180 #define SSL_PROFILE_E_NO_CIPHERS_AVAILABLE 181 #define SSL_PROFILE_E_NO_CIPHERS_PASSED 182 #define SSL_PROFILE_E_NO_CIPHERS_SPECIFIED 183 #define SSL_PROFILE_E_NO_CIPHER_LIST 184 #define SSL_PROFILE_E_NO_CIPHER_MATCH 185 #define SSL_PROFILE_E_NO_CLIENT_CERT_RECEIVED 186 #define SSL_PROFILE_E_NO_COMPRESSION_SPECIFIED 187

13 #define SSL_PROFILE_E_NO_METHOD_SPECIFIED 188 #define SSL_PROFILE_E_NO_PRIVATEKEY 189 #define SSL_PROFILE_E_NO_PRIVATE_KEY_ASSIGNED 190 #define SSL_PROFILE_E_NO_PROTOCOLS_AVAILABLE 191 #define SSL_PROFILE_E_NO_PUBLICKEY 192 #define SSL_PROFILE_E_NO_SHARED_CIPHER 193 #define SSL_PROFILE_E_NO_VERIFY_CALLBACK 194 #define SSL_PROFILE_E_NULL_SSL_CTX 195 #define SSL_PROFILE_E_NULL_SSL_METHOD_PASSED 196 #define SSL_PROFILE_E_OLD_SESSION_CIPHER_NOT_RETURNED 197 #define SSL_PROFILE_E_PACKET_LENGTH_TOO_LONG 198 #define SSL_PROFILE_E_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 #define SSL_PROFILE_E_PEER_ERROR 200 #define SSL_PROFILE_E_PEER_ERROR_CERTIFICATE 201 #define SSL_PROFILE_E_PEER_ERROR_NO_CERTIFICATE 202 #define SSL_PROFILE_E_PEER_ERROR_NO_CIPHER 203 #define SSL_PROFILE_E_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 #define SSL_PROFILE_E_PRE_MAC_LENGTH_TOO_LONG 205 #define SSL_PROFILE_E_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 #define SSL_PROFILE_E_PROTOCOL_IS_SHUTDOWN 207 #define SSL_PROFILE_E_PUBLIC_KEY_ENCRYPT_ERROR 208 #define SSL_PROFILE_E_PUBLIC_KEY_IS_NOT_RSA 209 #define SSL_PROFILE_E_PUBLIC_KEY_NOT_RSA 210 #define SSL_PROFILE_E_READ_BIO_NOT_SET 211 #define SSL_PROFILE_E_READ_WRONG_PACKET_TYPE 212 #define SSL_PROFILE_E_RECORD_LENGTH_MISMATCH 213 #define SSL_PROFILE_E_RECORD_TOO_LARGE 214 #define SSL_PROFILE_E_REQUIRED_CIPHER_MISSING 215 #define SSL_PROFILE_E_REUSE_CERT_LENGTH_NOT_ZERO 216 #define SSL_PROFILE_E_REUSE_CERT_TYPE_NOT_ZERO 217 #define SSL_PROFILE_E_REUSE_CIPHER_LIST_NOT_ZERO 218 #define SSL_PROFILE_E_SHORT_READ 219 #define SSL_PROFILE_E_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_PROFILE_E_SSL23_DOING_SESSION_ID_REUSE 221 #define SSL_PROFILE_E_SSL3_SESSION_ID_TOO_SHORT 222

14 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 #define SSL_PROFILE_E_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_PROFILE_E_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_PROFILE_E_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_PROFILE_E_SSL_HANDSHAKE_FAILURE 229 #define SSL_PROFILE_E_SSL_LIBRARY_HAS_NO_CIPHERS 230 #define SSL_PROFILE_E_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_PROFILE_E_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_PROFILE_E_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 #define SSL_PROFILE_E_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 #define SSL_PROFILE_E_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 #define SSL_PROFILE_E_UNABLE_TO_DECODE_DH_CERTS 236 #define SSL_PROFILE_E_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 #define SSL_PROFILE_E_UNABLE_TO_FIND_DH_PARAMETERS 238 #define SSL_PROFILE_E_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 #define SSL_PROFILE_E_UNABLE_TO_FIND_SSL_METHOD 240 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 #define SSL_PROFILE_E_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 #define SSL_PROFILE_E_UNEXPECTED_MESSAGE 244 #define SSL_PROFILE_E_UNEXPECTED_RECORD 245 #define SSL_PROFILE_E_UNKNOWN_ALERT_TYPE 246 #define SSL_PROFILE_E_UNKNOWN_CERTIFICATE_TYPE 247 #define SSL_PROFILE_E_UNKNOWN_CIPHER_RETURNED 248 #define SSL_PROFILE_E_UNKNOWN_CIPHER_TYPE 249 #define SSL_PROFILE_E_UNKNOWN_KEY_EXCHANGE_TYPE 250 #define SSL_PROFILE_E_UNKNOWN_PKEY_TYPE 251 #define SSL_PROFILE_E_UNKNOWN_PROTOCOL 252

15 #define SSL_PROFILE_E_UNKNOWN_REMOTE_ERROR_TYPE 253 #define SSL_PROFILE_E_UNKNOWN_SSL_VERSION 254 #define SSL_PROFILE_E_UNKNOWN_STATE 255 #define SSL_PROFILE_E_UNSUPPORTED_CIPHER 256 #define SSL_PROFILE_E_UNSUPPORTED_COMPRESSION_ALGORITHM 257 #define SSL_PROFILE_E_UNSUPPORTED_PROTOCOL 258 #define SSL_PROFILE_E_UNSUPPORTED_SSL_VERSION 259 #define SSL_PROFILE_E_WRITE_BIO_NOT_SET 260 #define SSL_PROFILE_E_WRONG_CIPHER_RETURNED 261 #define SSL_PROFILE_E_WRONG_MESSAGE_TYPE 262 #define SSL_PROFILE_E_WRONG_NUMBER_OF_KEY_BITS 263 #define SSL_PROFILE_E_WRONG_SIGNATURE_LENGTH 264 #define SSL_PROFILE_E_WRONG_SIGNATURE_SIZE 265 #define SSL_PROFILE_E_WRONG_SSL_VERSION 266 #define SSL_PROFILE_E_WRONG_VERSION_NUMBER 267 #define SSL_PROFILE_E_X509_LIB 268 #define SSL_PROFILE_E_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_PROFILE_E_PATH_TOO_LONG 270 #define SSL_PROFILE_E_BAD_LENGTH 271 #define SSL_PROFILE_E_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 #define SSL_PROFILE_E_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 #define SSL_PROFILE_E_LIBRARY_BUG 274 #define SSL_PROFILE_E_UNINITIALIZED 276 #define SSL_PROFILE_E_SESSION_ID_CONTEXT_UNINITIALIZED 277 #define SSL_PROFILE_E_INVALID_PURPOSE 278 #define SSL_PROFILE_E_INVALID_TRUST 279 #define SSL_PROFILE_E_INVALID_COMMAND 280 #define SSL_PROFILE_E_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_PROFILE_E_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_PROFILE_E_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_PROFILE_E_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_PROFILE_E_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030 #define SSL_PROFILE_E_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_PROFILE_E_SSLV3_ALERT_NO_CERTIFICATE 1041 #define SSL_PROFILE_E_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_PROFILE_E_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_REVOKED 1044

16 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 #define SSL_PROFILE_E_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046 #define SSL_PROFILE_E_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_PROFILE_E_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_PROFILE_E_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_PROFILE_E_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_PROFILE_E_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_PROFILE_E_TLSV1_ALERT_EXPORT_RESTRICTION 1060 #define SSL_PROFILE_E_TLSV1_ALERT_PROTOCOL_VERSION 1070 #define SSL_PROFILE_E_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_PROFILE_E_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_PROFILE_E_TLSV1_ALERT_USER_CANCELLED 1090 #define SSL_PROFILE_E_UNSUPPORTED_OPTION 1091 #define SSL_PROFILE_E_ERROR_GENERATING_TMP_RSA_KEY 1092 #define SSL_PROFILE_E_RECORD_TOO_SMALL 1093 #define SSL_PROFILE_E_TLSV1_ALERT_NO_RENEGOTIATION 1100 #define SSL_PROFILE_E_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109 #define SSL_PROFILE_E_ILLEGAL_PADDING 1110 #define SSL_PROFILE_E_MESSAGE_TOO_LONG 1111 #define SSL_PROFILE_E_KEY_ARG_TOO_LONG 1112 #define SSL_PROFILE_E_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_PROFILE_E_SSL2_CONNECTION_ID_TOO_LONG 1114 /** \endcond */

17