=pod

=head1 NAME

SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*callback)(X509_STORE_CTX *, void *),
                                       void *arg);

=head1 DESCRIPTION

SSL_CTX_set_cert_verify_callback() sets the verification callback function for
I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
the time when L<SSL_new(3)> is called.

=head1 NOTES

Whenever a certificate is verified during an SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback I<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting I<callback> to NULL, the default behaviour is restored.

When the verification must be performed, I<callback> will be called with
the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument I<arg> is specified by the application when setting I<callback>.

I<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and I<callback>
returns 0, the handshake will fail. As the verification procedure may
allow the connection to continue in the case of failure (by always
returning 1), the verification result must be set in any case using the
B<error> member of I<x509_store_ctx> so that the calling application
will be informed about the detailed result of the verification procedure!

Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
function set using L<SSL_CTX_set_verify(3)>.

=head1 RETURN VALUES

SSL_CTX_set_cert_verify_callback() does not return a value.

=head1 WARNINGS

Do not mix the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)>
family of functions.

Providing a complete verification procedure including certificate purpose
settings etc. is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.

=head1 BUGS

SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.

=head1 SEE ALSO

L<ssl(7)>, L<SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)>

=head1 COPYRIGHT

Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut