]>
Commit | Line | Data |
---|---|---|
553615f5 RL |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
9e183d22 | 5 | SSL_get_ex_data_X509_STORE_CTX_idx, |
121677b4 RS |
6 | SSL_CTX_set_verify, SSL_set_verify, |
7 | SSL_CTX_set_verify_depth, SSL_set_verify_depth, | |
9d75dce3 TS |
8 | SSL_verify_cb, |
9 | SSL_verify_client_post_handshake, | |
e97be718 MC |
10 | SSL_set_post_handshake_auth, |
11 | SSL_CTX_set_post_handshake_auth | |
121677b4 | 12 | - set peer certificate verification parameters |
553615f5 RL |
13 | |
14 | =head1 SYNOPSIS | |
15 | ||
16 | #include <openssl/ssl.h> | |
17 | ||
89a01e69 BB |
18 | typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); |
19 | ||
3adc41dd | 20 | void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback); |
9d75dce3 | 21 | void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback); |
9e183d22 RS |
22 | SSL_get_ex_data_X509_STORE_CTX_idx(void); |
23 | ||
aebb9aac | 24 | void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); |
9d75dce3 TS |
25 | void SSL_set_verify_depth(SSL *ssl, int depth); |
26 | ||
27 | int SSL_verify_client_post_handshake(SSL *ssl); | |
e97be718 | 28 | void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); |
32097b33 | 29 | void SSL_set_post_handshake_auth(SSL *ssl, int val); |
553615f5 | 30 | |
553615f5 RL |
31 | =head1 DESCRIPTION |
32 | ||
33 | SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and | |
34 | specifies the B<verify_callback> function to be used. If no callback function | |
35 | shall be specified, the NULL pointer can be used for B<verify_callback>. | |
36 | ||
37 | SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and | |
38 | specifies the B<verify_callback> function to be used. If no callback function | |
39 | shall be specified, the NULL pointer can be used for B<verify_callback>. In | |
40 | this case last B<verify_callback> set specifically for this B<ssl> remains. If | |
41 | no special B<callback> was set before, the default callback for the underlying | |
477fd459 | 42 | B<ctx> is used, that was valid at the time B<ssl> was created with |
9e183d22 RS |
43 | L<SSL_new(3)>. Within the callback function, |
44 | B<SSL_get_ex_data_X509_STORE_CTX_idx> can be called to get the data index | |
45 | of the current SSL object that is doing the verification. | |
553615f5 RL |
46 | |
47 | SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain | |
800b5dac | 48 | verification that shall be allowed for B<ctx>. |
553615f5 RL |
49 | |
50 | SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain | |
800b5dac | 51 | verification that shall be allowed for B<ssl>. |
553615f5 | 52 | |
e97be718 MC |
53 | SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the |
54 | Post-Handshake Authentication extension to be added to the ClientHello such that | |
55 | post-handshake authentication can be requested by the server. If B<val> is 0 | |
56 | then the extension is not sent, otherwise it is. By default the extension is not | |
57 | sent. A certificate callback will need to be set via | |
58 | SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization. | |
9d75dce3 | 59 | |
658e4879 | 60 | SSL_verify_client_post_handshake() causes a CertificateRequest message to be |
9d75dce3 | 61 | sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must |
658e4879 | 62 | be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional. |
9d75dce3 | 63 | |
553615f5 RL |
64 | =head1 NOTES |
65 | ||
66 | The verification of certificates can be controlled by a set of logically | |
67 | or'ed B<mode> flags: | |
68 | ||
69 | =over 4 | |
70 | ||
71 | =item SSL_VERIFY_NONE | |
72 | ||
73 | B<Server mode:> the server will not send a client certificate request to the | |
74 | client, so the client will not send a certificate. | |
75 | ||
76 | B<Client mode:> if not using an anonymous cipher (by default disabled), the | |
77 | server will send a certificate which will be checked. The result of the | |
78 | certificate verification process can be checked after the TLS/SSL handshake | |
9b86974e | 79 | using the L<SSL_get_verify_result(3)> function. |
553615f5 RL |
80 | The handshake will be continued regardless of the verification result. |
81 | ||
82 | =item SSL_VERIFY_PEER | |
83 | ||
84 | B<Server mode:> the server sends a client certificate request to the client. | |
85 | The certificate returned (if any) is checked. If the verification process | |
c4068186 | 86 | fails, the TLS/SSL handshake is |
553615f5 RL |
87 | immediately terminated with an alert message containing the reason for |
88 | the verification failure. | |
89 | The behaviour can be controlled by the additional | |
9d75dce3 TS |
90 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and |
91 | SSL_VERIFY_POST_HANDSHAKE flags. | |
553615f5 RL |
92 | |
93 | B<Client mode:> the server certificate is verified. If the verification process | |
c4068186 | 94 | fails, the TLS/SSL handshake is |
553615f5 RL |
95 | immediately terminated with an alert message containing the reason for |
96 | the verification failure. If no server certificate is sent, because an | |
97 | anonymous cipher is used, SSL_VERIFY_PEER is ignored. | |
98 | ||
99 | =item SSL_VERIFY_FAIL_IF_NO_PEER_CERT | |
100 | ||
101 | B<Server mode:> if the client did not return a certificate, the TLS/SSL | |
102 | handshake is immediately terminated with a "handshake failure" alert. | |
103 | This flag must be used together with SSL_VERIFY_PEER. | |
104 | ||
105 | B<Client mode:> ignored | |
106 | ||
107 | =item SSL_VERIFY_CLIENT_ONCE | |
108 | ||
9d75dce3 TS |
109 | B<Server mode:> only request a client certificate once during the |
110 | connection. Do not ask for a client certificate again during | |
111 | renegotiation or post-authentication if a certificate was requested | |
112 | during the initial handshake. This flag must be used together with | |
113 | SSL_VERIFY_PEER. | |
114 | ||
115 | B<Client mode:> ignored | |
116 | ||
117 | =item SSL_VERIFY_POST_HANDSHAKE | |
118 | ||
119 | B<Server mode:> the server will not send a client certificate request | |
120 | during the initial handshake, but will send the request via | |
121 | SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL | |
122 | to be configured for post-handshake peer verification before the | |
123 | handshake occurs. This flag must be used together with | |
124 | SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections. | |
553615f5 RL |
125 | |
126 | B<Client mode:> ignored | |
127 | ||
128 | =back | |
129 | ||
c636c1c4 | 130 | If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set. |
553615f5 | 131 | |
c4068186 LJ |
132 | The actual verification procedure is performed either using the built-in |
133 | verification procedure or using another application provided verification | |
134 | function set with | |
9b86974e | 135 | L<SSL_CTX_set_cert_verify_callback(3)>. |
c4068186 LJ |
136 | The following descriptions apply in the case of the built-in procedure. An |
137 | application provided procedure also has access to the verify depth information | |
138 | and the verify_callback() function, but the way this information is used | |
139 | may be different. | |
140 | ||
800b5dac TA |
141 | SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the |
142 | number of certificates between the end-entity and trust-anchor certificates. | |
143 | Neither the | |
144 | end-entity nor the trust-anchor certificates count against B<depth>. If the | |
145 | certificate chain needed to reach a trusted issuer is longer than B<depth+2>, | |
146 | X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. | |
553615f5 RL |
147 | The depth count is "level 0:peer certificate", "level 1: CA certificate", |
148 | "level 2: higher level CA certificate", and so on. Setting the maximum | |
800b5dac TA |
149 | depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the |
150 | trust-anchor). | |
151 | The default depth limit is 100, | |
152 | allowing for the peer certificate, at most 100 intermediate CA certificates and | |
153 | a final trust anchor certificate. | |
553615f5 RL |
154 | |
155 | The B<verify_callback> function is used to control the behaviour when the | |
156 | SSL_VERIFY_PEER flag is set. It must be supplied by the application and | |
157 | receives two arguments: B<preverify_ok> indicates, whether the verification of | |
158 | the certificate in question was passed (preverify_ok=1) or not | |
159 | (preverify_ok=0). B<x509_ctx> is a pointer to the complete context used | |
160 | for the certificate chain verification. | |
161 | ||
162 | The certificate chain is checked starting with the deepest nesting level | |
163 | (the root CA certificate) and worked upward to the peer's certificate. | |
164 | At each level signatures and issuer attributes are checked. Whenever | |
165 | a verification error is found, the error number is stored in B<x509_ctx> | |
166 | and B<verify_callback> is called with B<preverify_ok>=0. By applying | |
167 | X509_CTX_store_* functions B<verify_callback> can locate the certificate | |
168 | in question and perform additional steps (see EXAMPLES). If no error is | |
169 | found for a certificate, B<verify_callback> is called with B<preverify_ok>=1 | |
170 | before advancing to the next level. | |
171 | ||
172 | The return value of B<verify_callback> controls the strategy of the further | |
173 | verification process. If B<verify_callback> returns 0, the verification | |
174 | process is immediately stopped with "verification failed" state. If | |
175 | SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and | |
176 | the TLS/SSL handshake is terminated. If B<verify_callback> returns 1, | |
177 | the verification process is continued. If B<verify_callback> always returns | |
9d19fbc4 LJ |
178 | 1, the TLS/SSL handshake will not be terminated with respect to verification |
179 | failures and the connection will be established. The calling process can | |
180 | however retrieve the error code of the last verification error using | |
9b86974e | 181 | L<SSL_get_verify_result(3)> or by maintaining its |
553615f5 RL |
182 | own error storage managed by B<verify_callback>. |
183 | ||
184 | If no B<verify_callback> is specified, the default callback will be used. | |
185 | Its return value is identical to B<preverify_ok>, so that any verification | |
186 | failure will lead to a termination of the TLS/SSL handshake with an | |
187 | alert message, if SSL_VERIFY_PEER is set. | |
188 | ||
9d75dce3 | 189 | After calling SSL_force_post_handshake_auth(), the client will need to add a |
658e4879 TS |
190 | certificate or certificate callback to its configuration before it can |
191 | successfully authenticate. This must be called before SSL_connect(). | |
9d75dce3 TS |
192 | |
193 | SSL_verify_client_post_handshake() requires that verify flags have been | |
194 | previously set, and that a client sent the post-handshake authentication | |
195 | extension. When the client returns a certificate the verify callback will be | |
196 | invoked. A write operation must take place for the Certificate Request to be | |
197 | sent to the client, this can be done with SSL_do_handshake() or SSL_write_ex(). | |
198 | Only one certificate request may be outstanding at any time. | |
199 | ||
658e4879 | 200 | When post-handshake authentication occurs, a refreshed NewSessionTicket |
9d75dce3 TS |
201 | message is sent to the client. |
202 | ||
c8e2f98c MC |
203 | =head1 BUGS |
204 | ||
205 | In client mode, it is not checked whether the SSL_VERIFY_PEER flag | |
206 | is set, but whether any flags are set. This can lead to | |
207 | unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as | |
208 | required. | |
209 | ||
553615f5 RL |
210 | =head1 RETURN VALUES |
211 | ||
212 | The SSL*_set_verify*() functions do not provide diagnostic information. | |
213 | ||
9d75dce3 TS |
214 | The SSL_verify_client_post_handshake() function returns 1 if the request |
215 | succeeded, and 0 if the request failed. The error stack can be examined | |
216 | to determine the failure reason. | |
217 | ||
553615f5 RL |
218 | =head1 EXAMPLES |
219 | ||
220 | The following code sequence realizes an example B<verify_callback> function | |
221 | that will always continue the TLS/SSL handshake regardless of verification | |
222 | failure, if wished. The callback realizes a verification depth limit with | |
223 | more informational output. | |
224 | ||
2b4ffc65 SS |
225 | All verification errors are printed; information about the certificate chain |
226 | is printed on request. | |
553615f5 RL |
227 | The example is realized for a server that does allow but not require client |
228 | certificates. | |
229 | ||
b5a6f0a9 LJ |
230 | The example makes use of the ex_data technique to store application data |
231 | into/retrieve application data from the SSL structure | |
9e183d22 | 232 | (see L<CRYPTO_get_ex_new_index(3)>, |
9b86974e | 233 | L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). |
b5a6f0a9 | 234 | |
553615f5 | 235 | ... |
b5a6f0a9 LJ |
236 | typedef struct { |
237 | int verbose_mode; | |
238 | int verify_depth; | |
239 | int always_continue; | |
240 | } mydata_t; | |
241 | int mydata_index; | |
2947af32 | 242 | |
553615f5 RL |
243 | ... |
244 | static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) | |
245 | { | |
2947af32 BB |
246 | char buf[256]; |
247 | X509 *err_cert; | |
248 | int err, depth; | |
249 | SSL *ssl; | |
250 | mydata_t *mydata; | |
251 | ||
252 | err_cert = X509_STORE_CTX_get_current_cert(ctx); | |
253 | err = X509_STORE_CTX_get_error(ctx); | |
254 | depth = X509_STORE_CTX_get_error_depth(ctx); | |
255 | ||
256 | /* | |
257 | * Retrieve the pointer to the SSL of the connection currently treated | |
258 | * and the application specific data stored into the SSL object. | |
259 | */ | |
260 | ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); | |
261 | mydata = SSL_get_ex_data(ssl, mydata_index); | |
262 | ||
263 | X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); | |
264 | ||
265 | /* | |
266 | * Catch a too long certificate chain. The depth limit set using | |
267 | * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so | |
268 | * that whenever the "depth>verify_depth" condition is met, we | |
269 | * have violated the limit and want to log this error condition. | |
270 | * We must do it here, because the CHAIN_TOO_LONG error would not | |
271 | * be found explicitly; only errors introduced by cutting off the | |
272 | * additional certificates would be logged. | |
273 | */ | |
274 | if (depth > mydata->verify_depth) { | |
275 | preverify_ok = 0; | |
276 | err = X509_V_ERR_CERT_CHAIN_TOO_LONG; | |
277 | X509_STORE_CTX_set_error(ctx, err); | |
278 | } | |
279 | if (!preverify_ok) { | |
280 | printf("verify error:num=%d:%s:depth=%d:%s\n", err, | |
281 | X509_verify_cert_error_string(err), depth, buf); | |
282 | } else if (mydata->verbose_mode) { | |
283 | printf("depth=%d:%s\n", depth, buf); | |
284 | } | |
285 | ||
286 | /* | |
287 | * At this point, err contains the last verification error. We can use | |
288 | * it for something special | |
289 | */ | |
290 | if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { | |
291 | X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); | |
292 | printf("issuer= %s\n", buf); | |
293 | } | |
294 | ||
295 | if (mydata->always_continue) | |
296 | return 1; | |
297 | else | |
298 | return preverify_ok; | |
553615f5 | 299 | } |
b5a6f0a9 LJ |
300 | ... |
301 | ||
302 | mydata_t mydata; | |
303 | ||
304 | ... | |
305 | mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); | |
306 | ||
553615f5 | 307 | ... |
2947af32 | 308 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, |
553615f5 RL |
309 | verify_callback); |
310 | ||
311 | /* | |
312 | * Let the verify_callback catch the verify_depth error so that we get | |
313 | * an appropriate error in the logfile. | |
314 | */ | |
315 | SSL_CTX_set_verify_depth(verify_depth + 1); | |
b5a6f0a9 LJ |
316 | |
317 | /* | |
318 | * Set up the SSL specific data into "mydata" and store it into th SSL | |
319 | * structure. | |
320 | */ | |
321 | mydata.verify_depth = verify_depth; ... | |
322 | SSL_set_ex_data(ssl, mydata_index, &mydata); | |
dccd20d1 | 323 | |
553615f5 | 324 | ... |
1bc74519 | 325 | SSL_accept(ssl); /* check of success left out for clarity */ |
2947af32 BB |
326 | if (peer = SSL_get_peer_certificate(ssl)) { |
327 | if (SSL_get_verify_result(ssl) == X509_V_OK) { | |
328 | /* The client sent a certificate which verified OK */ | |
329 | } | |
553615f5 RL |
330 | } |
331 | ||
332 | =head1 SEE ALSO | |
333 | ||
b97fdb57 | 334 | L<ssl(7)>, L<SSL_new(3)>, |
9b86974e RS |
335 | L<SSL_CTX_get_verify_mode(3)>, |
336 | L<SSL_get_verify_result(3)>, | |
337 | L<SSL_CTX_load_verify_locations(3)>, | |
338 | L<SSL_get_peer_certificate(3)>, | |
339 | L<SSL_CTX_set_cert_verify_callback(3)>, | |
340 | L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>, | |
9d75dce3 | 341 | L<SSL_CTX_set_client_cert_cb(3)>, |
9e183d22 | 342 | L<CRYPTO_get_ex_new_index(3)> |
553615f5 | 343 | |
9d75dce3 TS |
344 | =head1 HISTORY |
345 | ||
346 | The SSL_VERIFY_POST_HANDSHAKE option, and the SSL_verify_client_post_handshake() | |
32097b33 | 347 | and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. |
9d75dce3 | 348 | |
e2f92610 RS |
349 | =head1 COPYRIGHT |
350 | ||
6738bf14 | 351 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
352 | |
353 | Licensed under the OpenSSL license (the "License"). You may not use | |
354 | this file except in compliance with the License. You can obtain a copy | |
355 | in the file LICENSE in the source distribution or at | |
356 | L<https://www.openssl.org/source/license.html>. | |
357 | ||
358 | =cut |