| | 1 | =pod |
| | 2 | |
| | 3 | =head1 NAME |
| | 4 | |
| | 5 | SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure |
| | 6 | |
| | 7 | =head1 SYNOPSIS |
| | 8 | |
| | 9 | #include <openssl/ssl.h> |
| | 10 | |
| | 11 | void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, |
| | 12 | int (*callback)(X509_STORE_CTX *, void *), |
| | 13 | void *arg); |
| | 14 | |
| | 15 | =head1 DESCRIPTION |
| | 16 | |
| | 17 | SSL_CTX_set_cert_verify_callback() sets the verification callback function for |
| | 18 | I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at |
| | 19 | the time when L<SSL_new(3)> is called. |
| | 20 | |
| | 21 | =head1 NOTES |
| | 22 | |
| | 23 | Whenever a certificate is verified during a SSL/TLS handshake, a verification |
| | 24 | function is called. If the application does not explicitly specify a |
| | 25 | verification callback function, the built-in verification function is used. |
| | 26 | If a verification callback I<callback> is specified via |
| | 27 | SSL_CTX_set_cert_verify_callback(), the supplied callback function is called |
| | 28 | instead. By setting I<callback> to NULL, the default behaviour is restored. |
| | 29 | |
| | 30 | When the verification must be performed, I<callback> will be called with |
| | 31 | the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The |
| | 32 | argument I<arg> is specified by the application when setting I<callback>. |
| | 33 | |
| | 34 | I<callback> should return 1 to indicate verification success and 0 to |
| | 35 | indicate verification failure. If SSL_VERIFY_PEER is set and I<callback> |
| | 36 | returns 0, the handshake will fail. As the verification procedure may |
| | 37 | allow the connection to continue in the case of failure (by always |
| | 38 | returning 1) the verification result must be set in any case using the |
| | 39 | B<error> member of I<x509_store_ctx> so that the calling application |
| | 40 | will be informed about the detailed result of the verification procedure! |
| | 41 | |
| | 42 | Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> |
| | 43 | function set using L<SSL_CTX_set_verify(3)>. |
| | 44 | |
| | 45 | =head1 RETURN VALUES |
| | 46 | |
| | 47 | SSL_CTX_set_cert_verify_callback() does not return a value. |
| | 48 | |
| | 49 | =head1 WARNINGS |
| | 50 | |
| | 51 | Do not mix the verification callback described in this function with the |
| | 52 | B<verify_callback> function called during the verification process. The |
| | 53 | latter is set using the L<SSL_CTX_set_verify(3)> |
| | 54 | family of functions. |
| | 55 | |
| | 56 | Providing a complete verification procedure including certificate purpose |
| | 57 | settings etc is a complex task. The built-in procedure is quite powerful |
| | 58 | and in most cases it should be sufficient to modify its behaviour using |
| | 59 | the B<verify_callback> function. |
| | 60 | |
| | 61 | =head1 BUGS |
| | 62 | |
| | 63 | SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. |
| | 64 | |
| | 65 | =head1 SEE ALSO |
| | 66 | |
| | 67 | L<ssl(7)>, L<SSL_CTX_set_verify(3)>, |
| | 68 | L<SSL_get_verify_result(3)>, |
| | 69 | L<SSL_CTX_load_verify_locations(3)> |
| | 70 | |
| | 71 | =head1 COPYRIGHT |
| | 72 | |
| | 73 | Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. |
| | 74 | |
| | 75 | Licensed under the Apache License 2.0 (the "License"). You may not use |
| | 76 | this file except in compliance with the License. You can obtain a copy |
| | 77 | in the file LICENSE in the source distribution or at |
| | 78 | L<https://www.openssl.org/source/license.html>. |
| | 79 | |
| | 80 | =cut |
projects / thirdparty / openssl.git / blame_incremental