From: David Benjamin
Date: Mon, 20 Oct 2025 21:38:14 +0000 (-0400)
Subject: doc: Discuss calling X509_verify_cert in cert_verify_callback
X-Git-Tag: 3.3-PRE-CLANG-FORMAT-WEBKIT~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f16f9708fe7ac7f241427cd843bc16c4cf3ff349;p=thirdparty%2Fopenssl.git

doc: Discuss calling X509_verify_cert in cert_verify_callback

Using SSL_CTX_set_cert_verify_callback but still calling X509_verify_cert is useful if applications want to dynamically configure the X509_STORE_CTX, or postprocess the result, in a way that does not quite fit the somewhat unpredictable behavior of the SSL_CTX_set_verify callback. (In my experience, applications rarely realize it is called multiple times. It's also too late at that point to reconfigure the X509_STORE_CTX as verification has already started.)

There is one note in the docs that the callback needs to stash the verify result with X509_STORE_CTX_set_error, but it is not immediately obvious that X509_verify_cert will do so, or that it is the built-in behavior. Add a paragraph discussing this.

Reviewed-by: Tim Hudson
Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28960)

(cherry picked from commit 069181d7f39beaae22bfa67bcba3c5fe93acafd4)
---

diff --git a/doc/man3/SSL_CTX_set_cert_verify_callback.pod b/doc/man3/SSL_CTX_set_cert_verify_callback.pod
index be59a548cbd..9e8b524a7df 100644
--- a/doc/man3/SSL_CTX_set_cert_verify_callback.pod
+++ b/doc/man3/SSL_CTX_set_cert_verify_callback.pod
@@ -63,6 +63,11 @@ on resumption, even though no chain is presented int that case. Moreover, the calling application will be informed about the detailed result of the verification procedure and may elect to base further decisions on it. +I may call L to run the built-in verification +function. This may be useful if application wishes to dynamically reconfigure +I before verification, or postprocess the result. In this case, +L will set the B member as described above. + Within I, I has access to the I function set using L.
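Review bot: the added sentence "This may be useful if application wishes to dynamically reconfigure I before verification" is missing an article and should read "if the application wishes". Two smaller points in the same hunk: the unchanged context line "even though no chain is presented int that case" carries a pre-existing typo (int -> in) that could be fixed while this paragraph is being edited, and since the new text tells the reader that X509_verify_cert stores the verify result for them, it would be worth adding one clause saying the callback should also propagate X509_verify_cert's return value as its own return value, so the handshake outcome and the stored error agree when the built-in verification fails.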