SSL_CTX_set_verify.pod (72613) | SSL_CTX_set_verify.pod (89837) |
---|---|
1=pod 2 3=head1 NAME 4 5SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters 6 7=head1 SYNOPSIS 8 --- 45 unchanged lines hidden (view full) --- 54certificate verification process can be checked after the TLS/SSL handshake 55using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function. 56The handshake will be continued regardless of the verification result. 57 58=item SSL_VERIFY_PEER 59 60B<Server mode:> the server sends a client certificate request to the client. 61The certificate returned (if any) is checked. If the verification process | 1=pod 2 3=head1 NAME 4 5SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters 6 7=head1 SYNOPSIS 8 --- 45 unchanged lines hidden (view full) --- 54certificate verification process can be checked after the TLS/SSL handshake 55using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function. 56The handshake will be continued regardless of the verification result. 57 58=item SSL_VERIFY_PEER 59 60B<Server mode:> the server sends a client certificate request to the client. 61The certificate returned (if any) is checked. If the verification process |
62fails as indicated by B<verify_callback>, the TLS/SSL handshake is | 62fails, the TLS/SSL handshake is |
63immediately terminated with an alert message containing the reason for 64the verification failure. 65The behaviour can be controlled by the additional 66SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. 67 68B<Client mode:> the server certificate is verified. If the verification process | 63immediately terminated with an alert message containing the reason for 64the verification failure. 65The behaviour can be controlled by the additional 66SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. 67 68B<Client mode:> the server certificate is verified. If the verification process |
69fails as indicated by B<verify_callback>, the TLS/SSL handshake is | 69fails, the TLS/SSL handshake is |
70immediately terminated with an alert message containing the reason for 71the verification failure. If no server certificate is sent, because an 72anonymous cipher is used, SSL_VERIFY_PEER is ignored. 73 74=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT 75 76B<Server mode:> if the client did not return a certificate, the TLS/SSL 77handshake is immediately terminated with a "handshake failure" alert. --- 9 unchanged lines hidden (view full) --- 87 88B<Client mode:> ignored 89 90=back 91 92Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be 93set at any time. 94 | 70immediately terminated with an alert message containing the reason for 71the verification failure. If no server certificate is sent, because an 72anonymous cipher is used, SSL_VERIFY_PEER is ignored. 73 74=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT 75 76B<Server mode:> if the client did not return a certificate, the TLS/SSL 77handshake is immediately terminated with a "handshake failure" alert. --- 9 unchanged lines hidden (view full) --- 87 88B<Client mode:> ignored 89 90=back 91 92Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be 93set at any time. 94 |
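Review bot: at old lines 62 and 69, dropping "as indicated by B<verify_callback>" leaves "If the verification process fails" without saying what determines the outcome, so a reader of the SSL_VERIFY_PEER entry no longer learns that the result is reported through verify_callback(). Since the same patch adds a paragraph explaining that the result comes from either the built-in procedure or a function installed with SSL_CTX_set_cert_verify_callback(), suggest "If the verification process (see below) fails, the TLS/SSL handshake is" in both =item entries so they point at the text that now defines what a failure means.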
95The actual verification procedure is performed either using the built-in 96verification procedure or using another application provided verification 97function set with 98L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>. 99The following descriptions apply in the case of the built-in procedure. An 100application provided procedure also has access to the verify depth information 101and the verify_callback() function, but the way this information is used 102may be different. 103 |
|
95SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up 96to which depth certificates in a chain are used during the verification 97procedure. If the certificate chain is longer than allowed, the certificates 98above the limit are ignored. Error messages are generated as if these 99certificates would not be present, most likely a 100X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. 101The depth count is "level 0:peer certificate", "level 1: CA certificate", 102"level 2: higher level CA certificate", and so on. Setting the maximum --- 170 unchanged lines hidden (view full) --- 273 274=head1 SEE ALSO 275 276L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, 277L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>, 278L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, 279L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>, 280L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>, | 104SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up 105to which depth certificates in a chain are used during the verification 106procedure. If the certificate chain is longer than allowed, the certificates 107above the limit are ignored. Error messages are generated as if these 108certificates would not be present, most likely a 109X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. 110The depth count is "level 0:peer certificate", "level 1: CA certificate", 111"level 2: higher level CA certificate", and so on. Setting the maximum --- 170 unchanged lines hidden (view full) --- 282 283=head1 SEE ALSO 284 285L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, 286L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>, 287L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, 288L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>, 289L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>, |
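Review bot: in the new paragraph at new lines 95-102, "the way this information is used may be different" is too weak for a security-relevant statement: the paragraph itself says verification is done either by the built-in procedure or by an application-provided function, so when the latter is installed the depth limit from SSL_CTX_set_verify_depth() and the verify_callback() behaviour described below only take effect if that function applies them itself. Suggest saying so directly, e.g. "An application provided procedure receives the verify depth and the verify_callback() pointer, but it is responsible for honouring them; the built-in checks described below are not applied on its behalf." Also hyphenate "application-provided" in lines 96 and 100 to match "built-in" on line 95.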
290L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>, |
|
281L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>, 282L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)> 283 284=cut | 291L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>, 292L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)> 293 294=cut |