SSL_CTX_set_cert_verify_callback.pod 3.4 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192
  1. =pod
  2. =head1 NAME
  3. SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
  4. =head1 SYNOPSIS
  5. #include <openssl/ssl.h>
  6. void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
  7. int (*callback)(X509_STORE_CTX *, void *),
  8. void *arg);
  9. =head1 DESCRIPTION
  10. SSL_CTX_set_cert_verify_callback() sets the verification callback function for
  11. I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
  12. the time when L<SSL_new(3)> is called.
  13. =head1 NOTES
  14. Whenever a certificate is verified during a SSL/TLS handshake, a verification
  15. function is called. If the application does not explicitly specify a
  16. verification callback function, the built-in verification function is used.
  17. If a verification callback I<callback> is specified via
  18. SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
  19. instead. By setting I<callback> to NULL, the default behaviour is restored.
  20. When the verification must be performed, I<callback> will be called with
  21. the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
  22. argument I<arg> is specified by the application when setting I<callback>.
  23. I<callback> should return 1 to indicate verification success and 0 to
  24. indicate verification failure. If SSL_VERIFY_PEER is set and I<callback>
  25. returns 0, the handshake will fail.
  26. In client mode I<callback> may also return -1,
  27. typically on failure verifying the server certificate.
  28. This makes the handshake suspend and return control to the calling application
  29. with B<SSL_ERROR_WANT_RETRY_VERIFY>.
  30. The app can for instance fetch further certificates or cert status information
  31. needed for the verification.
  32. Calling L<SSL_connect(3)> again resumes the connection attempt
  33. by retrying the server certificate verification step.
  34. This process may even be repeated if need be.
  35. As the verification procedure may
  36. allow the connection to continue in the case of failure (by always
  37. returning 1) the verification result must be set in any case using the
  38. B<error> member of I<x509_store_ctx> so that the calling application
  39. will be informed about the detailed result of the verification procedure!
  40. Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
  41. function set using L<SSL_CTX_set_verify(3)>.
  42. =head1 RETURN VALUES
  43. SSL_CTX_set_cert_verify_callback() does not return a value.
  44. =head1 WARNINGS
  45. Do not mix the verification callback described in this function with the
  46. B<verify_callback> function called during the verification process. The
  47. latter is set using the L<SSL_CTX_set_verify(3)>
  48. family of functions.
  49. Providing a complete verification procedure including certificate purpose
  50. settings etc is a complex task. The built-in procedure is quite powerful
  51. and in most cases it should be sufficient to modify its behaviour using
  52. the B<verify_callback> function.
  53. =head1 BUGS
  54. SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
  55. =head1 SEE ALSO
  56. L<ssl(7)>, L<SSL_CTX_set_verify(3)>,
  57. L<SSL_get_verify_result(3)>,
  58. L<SSL_CTX_load_verify_locations(3)>
  59. =head1 COPYRIGHT
  60. Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
  61. Licensed under the Apache License 2.0 (the "License"). You may not use
  62. this file except in compliance with the License. You can obtain a copy
  63. in the file LICENSE in the source distribution or at
  64. L<https://www.openssl.org/source/license.html>.
  65. =cut