5 SSL_get_ex_data_X509_STORE_CTX_idx,
6 SSL_CTX_set_verify, SSL_set_verify,
7 SSL_CTX_set_verify_depth, SSL_set_verify_depth,
9 SSL_verify_client_post_handshake,
10 SSL_set_post_handshake_auth,
11 SSL_CTX_set_post_handshake_auth
12 - set various SSL/TLS parameters for peer certificate verification
16 #include <openssl/ssl.h>
18 typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
20 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback);
21 void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback);
22 SSL_get_ex_data_X509_STORE_CTX_idx(void);
24 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
25 void SSL_set_verify_depth(SSL *ssl, int depth);
27 int SSL_verify_client_post_handshake(SSL *ssl);
28 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
29 void SSL_set_post_handshake_auth(SSL *ssl, int val);
33 SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and
34 specifies the B<verify_callback> function to be used. If no callback function
35 shall be specified, the NULL pointer can be used for B<verify_callback>.
37 SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and
38 specifies the B<verify_callback> function to be used. If no callback function
39 shall be specified, the NULL pointer can be used for B<verify_callback>. In
40 this case last B<verify_callback> set specifically for this B<ssl> remains. If
41 no special B<callback> was set before, the default callback for the underlying
42 B<ctx> is used, that was valid at the time B<ssl> was created with
43 L<SSL_new(3)>. Within the callback function,
44 B<SSL_get_ex_data_X509_STORE_CTX_idx> can be called to get the data index
45 of the current SSL object that is doing the verification.
47 In client mode B<verify_callback> may also call the L<SSL_set_retry_verify(3)>
48 function on the B<SSL> object set in the I<x509_store_ctx> ex data (see
49 L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>) and return 1.
50 This would be typically done in case the certificate verification was not yet
52 This makes the handshake suspend and return control to the calling application
53 with B<SSL_ERROR_WANT_RETRY_VERIFY>.
54 The application can for instance fetch further certificates or cert status
55 information needed for the verification.
56 Calling L<SSL_connect(3)> again resumes the connection attempt by retrying the
57 server certificate verification step.
58 This process may even be repeated if need be.
59 Note that the handshake may still be aborted if a subsequent invocation of the
60 callback (e.g., at a lower depth, or for a separate error condition) returns 0.
62 SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
63 verification that shall be allowed for B<ctx>.
65 SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
66 verification that shall be allowed for B<ssl>.
68 SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the
69 Post-Handshake Authentication extension to be added to the ClientHello such that
70 post-handshake authentication can be requested by the server. If B<val> is 0
71 then the extension is not sent, otherwise it is. By default the extension is not
72 sent. A certificate callback will need to be set via
73 SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization.
75 SSL_verify_client_post_handshake() causes a CertificateRequest message to be
76 sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must
77 be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional.
81 The verification of certificates can be controlled by a set of logically
88 B<Server mode:> the server will not send a client certificate request to the
89 client, so the client will not send a certificate.
91 B<Client mode:> if not using an anonymous cipher (by default disabled), the
92 server will send a certificate which will be checked. The result of the
93 certificate verification process can be checked after the TLS/SSL handshake
94 using the L<SSL_get_verify_result(3)> function.
95 The handshake will be continued regardless of the verification result.
99 B<Server mode:> the server sends a client certificate request to the client.
100 The certificate returned (if any) is checked. If the verification process
101 fails, the TLS/SSL handshake is
102 immediately terminated with an alert message containing the reason for
103 the verification failure.
104 The behaviour can be controlled by the additional
105 SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and
106 SSL_VERIFY_POST_HANDSHAKE flags.
108 B<Client mode:> the server certificate is verified. If the verification process
109 fails, the TLS/SSL handshake is
110 immediately terminated with an alert message containing the reason for
111 the verification failure. If no server certificate is sent, because an
112 anonymous cipher is used, SSL_VERIFY_PEER is ignored.
114 =item SSL_VERIFY_FAIL_IF_NO_PEER_CERT
116 B<Server mode:> if the client did not return a certificate, the TLS/SSL
117 handshake is immediately terminated with a "handshake failure" alert.
118 This flag must be used together with SSL_VERIFY_PEER.
120 B<Client mode:> ignored (see BUGS)
122 =item SSL_VERIFY_CLIENT_ONCE
124 B<Server mode:> only request a client certificate once during the
125 connection. Do not ask for a client certificate again during
126 renegotiation or post-authentication if a certificate was requested
127 during the initial handshake. This flag must be used together with
130 B<Client mode:> ignored (see BUGS)
132 =item SSL_VERIFY_POST_HANDSHAKE
134 B<Server mode:> the server will not send a client certificate request
135 during the initial handshake, but will send the request via
136 SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL
137 to be configured for post-handshake peer verification before the
138 handshake occurs. This flag must be used together with
139 SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections.
141 B<Client mode:> ignored (see BUGS)
145 If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set.
147 If verification flags are not modified explicitly by C<SSL_CTX_set_verify()>
148 or C<SSL_set_verify()>, the default value will be SSL_VERIFY_NONE.
150 The actual verification procedure is performed either using the built-in
151 verification procedure or using another application provided verification
153 L<SSL_CTX_set_cert_verify_callback(3)>.
154 The following descriptions apply in the case of the built-in procedure. An
155 application provided procedure also has access to the verify depth information
156 and the verify_callback() function, but the way this information is used
159 SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the
160 number of certificates between the end-entity and trust-anchor certificates.
162 end-entity nor the trust-anchor certificates count against B<depth>. If the
163 certificate chain needed to reach a trusted issuer is longer than B<depth+2>,
164 X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
165 The depth count is "level 0:peer certificate", "level 1: CA certificate",
166 "level 2: higher level CA certificate", and so on. Setting the maximum
167 depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
169 The default depth limit is 100,
170 allowing for the peer certificate, at most 100 intermediate CA certificates and
171 a final trust anchor certificate.
173 The B<verify_callback> function is used to control the behaviour when the
174 SSL_VERIFY_PEER flag is set. It must be supplied by the application and
175 receives two arguments: B<preverify_ok> indicates, whether the verification of
176 the certificate in question was passed (preverify_ok=1) or not
177 (preverify_ok=0). B<x509_ctx> is a pointer to the complete context used
178 for the certificate chain verification.
180 The certificate chain is checked starting with the deepest nesting level
181 (the root CA certificate) and worked upward to the peer's certificate.
182 At each level signatures and issuer attributes are checked. Whenever
183 a verification error is found, the error number is stored in B<x509_ctx>
184 and B<verify_callback> is called with B<preverify_ok>=0. By applying
185 X509_CTX_store_* functions B<verify_callback> can locate the certificate
186 in question and perform additional steps (see EXAMPLES). If no error is
187 found for a certificate, B<verify_callback> is called with B<preverify_ok>=1
188 before advancing to the next level.
190 The return value of B<verify_callback> controls the strategy of the further
191 verification process. If B<verify_callback> returns 0, the verification
192 process is immediately stopped with "verification failed" state. If
193 SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
194 the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
195 the verification process is continued. If B<verify_callback> always returns
196 1, the TLS/SSL handshake will not be terminated with respect to verification
197 failures and the connection will be established. The calling process can
198 however retrieve the error code of the last verification error using
199 L<SSL_get_verify_result(3)> or by maintaining its
200 own error storage managed by B<verify_callback>.
202 If no B<verify_callback> is specified, the default callback will be used.
203 Its return value is identical to B<preverify_ok>, so that any verification
204 failure will lead to a termination of the TLS/SSL handshake with an
205 alert message, if SSL_VERIFY_PEER is set.
207 After calling SSL_set_post_handshake_auth(), the client will need to add a
208 certificate or certificate callback to its configuration before it can
209 successfully authenticate. This must be called before SSL_connect().
211 SSL_verify_client_post_handshake() requires that verify flags have been
212 previously set, and that a client sent the post-handshake authentication
213 extension. When the client returns a certificate the verify callback will be
214 invoked. A write operation must take place for the Certificate Request to be
215 sent to the client, this can be done with SSL_do_handshake() or SSL_write_ex().
216 Only one certificate request may be outstanding at any time.
218 When post-handshake authentication occurs, a refreshed NewSessionTicket
219 message is sent to the client.
221 Post-handshake authentication cannot be used with QUIC.
222 SSL_set_post_handshake_auth() has no effect if called on a QUIC SSL object.
226 In client mode, it is not checked whether the SSL_VERIFY_PEER flag
227 is set, but whether any flags other than SSL_VERIFY_NONE are set. This can
228 lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as
233 The SSL*_set_verify*() functions do not provide diagnostic information.
235 The SSL_verify_client_post_handshake() function returns 1 if the request
236 succeeded, and 0 if the request failed. The error stack can be examined
237 to determine the failure reason.
241 The following code sequence realizes an example B<verify_callback> function
242 that will always continue the TLS/SSL handshake regardless of verification
243 failure, if wished. The callback realizes a verification depth limit with
244 more informational output.
246 All verification errors are printed; information about the certificate chain
247 is printed on request.
248 The example is realized for a server that does allow but not require client
251 The example makes use of the ex_data technique to store application data
252 into/retrieve application data from the SSL structure
253 (see L<CRYPTO_get_ex_new_index(3)>,
254 L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
265 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
273 err_cert = X509_STORE_CTX_get_current_cert(ctx);
274 err = X509_STORE_CTX_get_error(ctx);
275 depth = X509_STORE_CTX_get_error_depth(ctx);
278 * Retrieve the pointer to the SSL of the connection currently treated
279 * and the application specific data stored into the SSL object.
281 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
282 mydata = SSL_get_ex_data(ssl, mydata_index);
284 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
287 * Catch a too long certificate chain. The depth limit set using
288 * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
289 * that whenever the "depth>verify_depth" condition is met, we
290 * have violated the limit and want to log this error condition.
291 * We must do it here, because the CHAIN_TOO_LONG error would not
292 * be found explicitly; only errors introduced by cutting off the
293 * additional certificates would be logged.
295 if (depth > mydata->verify_depth) {
297 err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
298 X509_STORE_CTX_set_error(ctx, err);
301 printf("verify error:num=%d:%s:depth=%d:%s\n", err,
302 X509_verify_cert_error_string(err), depth, buf);
303 } else if (mydata->verbose_mode) {
304 printf("depth=%d:%s\n", depth, buf);
308 * At this point, err contains the last verification error. We can use
309 * it for something special
311 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
312 X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
313 printf("issuer= %s\n", buf);
316 if (mydata->always_continue)
326 mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
329 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
333 * Let the verify_callback catch the verify_depth error so that we get
334 * an appropriate error in the logfile.
336 SSL_CTX_set_verify_depth(verify_depth + 1);
339 * Set up the SSL specific data into "mydata" and store it into th SSL
342 mydata.verify_depth = verify_depth; ...
343 SSL_set_ex_data(ssl, mydata_index, &mydata);
346 SSL_accept(ssl); /* check of success left out for clarity */
347 if (peer = SSL_get_peer_certificate(ssl)) {
348 if (SSL_get_verify_result(ssl) == X509_V_OK) {
349 /* The client sent a certificate which verified OK */
355 L<ssl(7)>, L<SSL_new(3)>,
356 L<SSL_CTX_get_verify_mode(3)>,
357 L<SSL_get_verify_result(3)>,
358 L<SSL_CTX_load_verify_locations(3)>,
359 L<SSL_get_peer_certificate(3)>,
360 L<SSL_CTX_set_cert_verify_callback(3)>,
361 L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
362 L<SSL_CTX_set_client_cert_cb(3)>,
363 L<CRYPTO_get_ex_new_index(3)>
367 The SSL_VERIFY_POST_HANDSHAKE option, and the SSL_verify_client_post_handshake()
368 and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1.
372 Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
374 Licensed under the Apache License 2.0 (the "License"). You may not use
375 this file except in compliance with the License. You can obtain a copy
376 in the file LICENSE in the source distribution or at
377 L<https://www.openssl.org/source/license.html>.