luasec/doc/context.md

Functions

context.create

ctxt = context.create(method)

Creates a new context. Can fail, in which case it returns nil, followed by an error.

context.locations

success, error = context.locations(ctxt, [cafile], [capath])

Set the location of either the CA certificate file, or the directory which contains said file(s).

context.loadcert

success, error = context.loadcert(ctxt, filename)

Load a certificate from a file into this context.

context.loadkey

success, error = context.loadkey(ctxt, filename)
success, error = context.loadkey(ctxt, filename, string)
success, error = context.loadkey(ctxt, filename, function() -> string)

Loads a private key from a PEM-format file. The third argument can be either a string, or a function returning a string producing the password for the key.

context.checkkey

success = context.checkkey(ctxt)

Returns true if the certificate loaded matches the key loaded.

context.setcipher

success, error = context.setcipher(ctxt, cipherlist)

Sets the ciphers used when negotiation. For the format of the string cipherlist, see the openssl documentation, and in particular the openssl ciphers command line tool.

context.setdepth

success = context.setdepth(ctxt)

Set the maximum verification depth for checking certificate chains.

context.setdhparam

context.setdhparam(ctxt, function(isExport, keyLength) -> params)

Sets a callback to obtain Diffie-Hellman parameters on this context. Once these parameters are required, the callback gets called with a flag (isExport) indicating whether export-level security is used, and a key length (keyLength). It is then expected to produce a string containg parameters.

For the format of the parameters string, see the openssl documentation.

context.setcurve

success, error = context.setcurve(ctxt, curve)

Set the curve to use for Elliptic Curve cryptography.

The curve can be one of:

• secp112r1
• secp112r2
• secp128r1
• secp128r2
• secp160k1
• secp160r1
• secp160r2
• secp192k1
• secp224k1
• secp224r1
• secp256k1
• secp384r1
• secp521r1
• sect113r1
• sect113r2
• sect131r1
• sect131r2
• sect163k1
• sect163r1
• sect163r2
• sect193r1
• sect193r2
• sect233k1
• sect233r1
• sect239k1
• sect283k1
• sect283r1
• sect409k1
• sect409r1
• sect571k1
• sect571r1
• prime192v1
• prime192v2
• prime192v3
• prime239v1
• prime239v2
• prime239v3
• prime256v1

context.setverify

success, error = context.setverify(ctxt, options...)

Sets verification options for this context.

The following options are valid:

• none
• peer
• client_once
• fail_if_no_peer_cert

context.setoptions

success, error = context.setoptions(ctxt, options...)

Set generic context options for this context.

The following options are valid:

• all
• allow_unsafe_legacy_renegotiation
• cipher_server_preference
• cisco_anyconnect
• cookie_exchange
• cryptopro_tlsext_bug
• dont_insert_empty_fragments
• ephemeral_rsa
• legacy_server_connect
• microsoft_big_sslv3_buffer
• microsoft_sess_id_bug
• msie_sslv2_rsa_padding
• netscape_ca_dn_bug
• netscape_challenge_bug
• netscape_demo_cipher_change_bug
• netscape_reuse_cipher_change_bug
• no_compression
• no_query_mtu
• no_session_resumption_on_renegotiation
• no_sslv2
• no_sslv3
• no_ticket
• no_tlsv1
• no_tlsv1_1
• no_tlsv1_2
• pkcs1_check_1
• pkcs1_check_2
• single_dh_use
• single_ecdh_use
• ssleay_080_client_dh_bug
• sslref2_reuse_cert_type_bug
• tls_block_padding_bug
• tls_d5_bug
• tls_rollback_bug

context.setmode

success = context.setmode(ctxt, mode)

Set the mode for this context.

Mode can be one of:

• client
• server

Methods

ctxt:setverifyext

success, error = ctxt:setverifyext(flags...)

Set which extra verification steps to use.

The following flags are valid:

• lsec_continue: Continue with verification errors
• lsec_ignore_purpose: Ignore this certificate's purpose (like server/client)
• crl_check: Check Certification Revocation Lists
• crl_check_chain: Check CRLs for the entire chain