make-ssl-client-stream

Arguments: socket &key method certificate key certificate-password method verify max-depth ca-file ca-directory

The keyword arguments other than method were added in an update release in March 2007. The arguments of this function are now the same as the arguments to make-ssl-server-stream.

The method keyword argument was added in a 7.0 update but was inadvertantly not documented. The documentation was changed in a doc update released in September, 2006.

This function is not available in all versions. Generally, you must have an Enterprise license to use this function. Also, you must have the OpenSSL libraries installed for this facility to work. Note that shared library versions of the OpenSSL libraries (required by Allegro CL) are not available on all platforms. The SSL functionality is in the ssl module. To ensure it is loaded, evaluate (require :ssl). Calling this function automatically loads the module.

This function creates and returns a new SSL client socket stream that communicates using SSL via the given socket. Once this function is called and an SSL socket stream is returned, no I/O calls should be done directly to socket. Note that closing the SSL socket stream will result in the original socket file descriptor being closed as well. Therefore, the idiomatic way to establish an SSL client socket stream is:

  ;; SOCK is already a socket:
  (setf sock (make-ssl-client-stream sock ...))

Unless ssl-do-handshake is called, the secure connection isn't negotiated until the first byte is sent through the SSL socket stream to the underlying stream (and this will usually occur when the first force-output is done to the SSL socket stream). Calling ssl-do-handshake causes the secure connection to be negotiated immediately.

When that first write is done a negotiation process is begun that involves reads and writes. This negotiation process will not occur if the SSL socket on the other end of the connection is not sitting waiting for data to arrive. Thus if you create two connected sockets in a single Lisp process, and make one the client and the other the server, and then write to the client side the Lisp will hang since the server side socket isn't being read. You can make this work if you use the Lisp multiprocessing facility (see multiprocessing.htm) to cause the server socket to be read at the same time that the write to the client socket is being done.

The method keyword argument can be :sslv23 (the default) or :tlsv1. :sslv23 means that the client will negotiate either SSL version 2 or SSL version 3 with the server. The highest version that is common between the client and server will be selected. If you get unexpected disconnects after creating a secure stream using make-ssl-client-stream, you may need to use :tlsv1.

Use :tlsv1 when dealing with a server that speaks only TLS.

The keyword arguments other than method

make-ssl-client-stream's keyword arguments are the same as make-ssl-server-stream's. The remaining keyword arguments to make-ssl-client-stream are:

• certificate names a file which contains one or more PEM-encoded certificates. The first (or only) certificate in the file will be used to identify the client (in the case of make-ssl-client-stream) or server (in the case of make-ssl-server-stream). Optionally, subsequent entries in the file may be used to supply intermediate CA certificates (also known as a certificate chain).
• The key argument is a string or pathname naming a file containing the private RSA key corresponding the the public key in the certificate. The file must be in PEM format. The key can be stored in an encrypted form which requires a pass phrase to read, but in that case the certificate-password must also be specified. If the key is stored in the certificate file, then you needn't specify the key argument.
• The certificate-password argument, if specified, should be a string. If the private key stored with the certificate inside the file named by the certificate argument is encrypted, then this value is used as the key to decrypt it.
• verify can be nil, :optional, or :required. Due to the way OpenSSL is implemented, the behavior of peer verification differs for clients and servers. Here we describe the behavior for clients. See make-ssl-server-stream for a discussion of the server behavior.
  • :verify nil means that no automatic verification will occur on the server-supplied certificate. Manual verification can be done using get-ssl-peer-certificate and get-ssl-verify-result.
  • :verify :optional means that the server's certificate (if supplied) will be automatically verified during SSL handshake. If verification fails, an error will be generated during SSL handshake.
  • :verify :required means that the server's certificate will be automatically verified during SSL handshake. If the server does not supply a certificate or if verification of the supplied certificate fails, an error will be generated during SSL handshake.
• maxdepth must be an integer (which defaults to 10) which indicates the maximum allowable depth of the certificate verification chain. If the chain exceeds this depth, an error will be generated during SSL handshake.
• ca-file specifies the name of a file containing a series of trusted PEM-encoded Intermediate CA or Root CA certificates that will be used during peer certificate verification. A file containing certificates of well-known root CAs can be found in [acl directory]/examples/ssl/ca-bundle.crt.
• ca-directory specifies the name of a directory containing a series of trusted Intermediate CA or Root CA certificate files that will be used during peer certificate verification. Each file in the directory should contain one certificate. The files should be named based on the hash value of the certificate subject name. If more than one certificate with the same hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash (available via standard OpenSSL distributions) utility to create the necessary links.

See make-ssl-server-stream. See also socket.htm for information on sockets. For information on Secure Sockets, see the section Secure Socket Layer (SSL) in that document.

Copyright (c) 1998-2008, Franz Inc. Oakland, CA., USA. All rights reserved.
Documentation for Allegro CL version 8.0. This page was not revised from the 7.0 page.
Created 2005.12.9.