1.\" Automatically generated by Pod::Man version 1.15
| 1.\" Automatically generated by Pod::Man version 1.15
|
2.\" Mon Jan 13 19:34:40 2003
| 2.\" Mon Feb 3 10:02:22 2003
|
3.\"
4.\" Standard preamble:
5.\" ======================================================================
6.de Sh \" Subsection heading
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
14.de Sp \" Vertical space (when we can't use .PP)
15.if t .sp .5v
16.if n .sp
17..
18.de Ip \" List item
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
24.de Vb \" Begin verbatim text
25.ft CW
26.nf
27.ne \\$1
28..
29.de Ve \" End verbatim text
30.ft R
31
32.fi
33..
34.\" Set up some character translations and predefined strings. \*(-- will
35.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36.\" double quote, and \*(R" will give a right double quote. | will give a
37.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38.\" to do unbreakable dashes and therefore won't be available. \*(C` and
39.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
40.tr \(*W-|\(bv\*(Tr
41.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
42.ie n \{\
43. ds -- \(*W-
44. ds PI pi
45. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47. ds L" ""
48. ds R" ""
49. ds C` ""
50. ds C' ""
51'br\}
52.el\{\
53. ds -- \|\(em\|
54. ds PI \(*p
55. ds L" ``
56. ds R" ''
57'br\}
58.\"
59.\" If the F register is turned on, we'll generate index entries on stderr
60.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61.\" index entries marked with X<> in POD. Of course, you'll have to process
62.\" the output yourself in some meaningful fashion.
63.if \nF \{\
64. de IX
65. tm Index:\\$1\t\\n%\t"\\$2"
66..
67. nr % 0
68. rr F
69.\}
70.\"
71.\" For nroff, turn off justification. Always turn off hyphenation; it
72.\" makes way too many mistakes in technical documents.
73.hy 0
74.if n .na
75.\"
76.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77.\" Fear. Run. Save yourself. No user-serviceable parts.
78.bd B 3
79. \" fudge factors for nroff and troff
80.if n \{\
81. ds #H 0
82. ds #V .8m
83. ds #F .3m
84. ds #[ \f1
85. ds #] \fP
86.\}
87.if t \{\
88. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89. ds #V .6m
90. ds #F 0
91. ds #[ \&
92. ds #] \&
93.\}
94. \" simple accents for nroff and troff
95.if n \{\
96. ds ' \&
97. ds ` \&
98. ds ^ \&
99. ds , \&
100. ds ~ ~
101. ds /
102.\}
103.if t \{\
104. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
110.\}
111. \" troff and (daisy-wheel) nroff accents
112.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119.ds ae a\h'-(\w'a'u*4/10)'e
120.ds Ae A\h'-(\w'A'u*4/10)'E
121. \" corrections for vroff
122.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
124. \" for low resolution devices (crt and lpr)
125.if \n(.H>23 .if \n(.V>19 \
126\{\
127. ds : e
128. ds 8 ss
129. ds o a
130. ds d- d\h'-1'\(ga
131. ds D- D\h'-1'\(hy
132. ds th \o'bp'
133. ds Th \o'LP'
134. ds ae ae
135. ds Ae AE
136.\}
137.rm #[ #] #H #V #F C
138.\" ======================================================================
139.\"
140.IX Title "SSL_CTX_set_cert_verify_callback 3"
| 3.\"
4.\" Standard preamble:
5.\" ======================================================================
6.de Sh \" Subsection heading
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
14.de Sp \" Vertical space (when we can't use .PP)
15.if t .sp .5v
16.if n .sp
17..
18.de Ip \" List item
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
24.de Vb \" Begin verbatim text
25.ft CW
26.nf
27.ne \\$1
28..
29.de Ve \" End verbatim text
30.ft R
31
32.fi
33..
34.\" Set up some character translations and predefined strings. \*(-- will
35.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36.\" double quote, and \*(R" will give a right double quote. | will give a
37.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38.\" to do unbreakable dashes and therefore won't be available. \*(C` and
39.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
40.tr \(*W-|\(bv\*(Tr
41.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
42.ie n \{\
43. ds -- \(*W-
44. ds PI pi
45. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47. ds L" ""
48. ds R" ""
49. ds C` ""
50. ds C' ""
51'br\}
52.el\{\
53. ds -- \|\(em\|
54. ds PI \(*p
55. ds L" ``
56. ds R" ''
57'br\}
58.\"
59.\" If the F register is turned on, we'll generate index entries on stderr
60.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61.\" index entries marked with X<> in POD. Of course, you'll have to process
62.\" the output yourself in some meaningful fashion.
63.if \nF \{\
64. de IX
65. tm Index:\\$1\t\\n%\t"\\$2"
66..
67. nr % 0
68. rr F
69.\}
70.\"
71.\" For nroff, turn off justification. Always turn off hyphenation; it
72.\" makes way too many mistakes in technical documents.
73.hy 0
74.if n .na
75.\"
76.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77.\" Fear. Run. Save yourself. No user-serviceable parts.
78.bd B 3
79. \" fudge factors for nroff and troff
80.if n \{\
81. ds #H 0
82. ds #V .8m
83. ds #F .3m
84. ds #[ \f1
85. ds #] \fP
86.\}
87.if t \{\
88. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89. ds #V .6m
90. ds #F 0
91. ds #[ \&
92. ds #] \&
93.\}
94. \" simple accents for nroff and troff
95.if n \{\
96. ds ' \&
97. ds ` \&
98. ds ^ \&
99. ds , \&
100. ds ~ ~
101. ds /
102.\}
103.if t \{\
104. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
110.\}
111. \" troff and (daisy-wheel) nroff accents
112.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119.ds ae a\h'-(\w'a'u*4/10)'e
120.ds Ae A\h'-(\w'A'u*4/10)'E
121. \" corrections for vroff
122.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
124. \" for low resolution devices (crt and lpr)
125.if \n(.H>23 .if \n(.V>19 \
126\{\
127. ds : e
128. ds 8 ss
129. ds o a
130. ds d- d\h'-1'\(ga
131. ds D- D\h'-1'\(hy
132. ds th \o'bp'
133. ds Th \o'LP'
134. ds ae ae
135. ds Ae AE
136.\}
137.rm #[ #] #H #V #F C
138.\" ======================================================================
139.\"
140.IX Title "SSL_CTX_set_cert_verify_callback 3"
|
141.TH SSL_CTX_set_cert_verify_callback 3 "0.9.7" "2003-01-13" "OpenSSL"
| 141.TH SSL_CTX_set_cert_verify_callback 3 "0.9.7" "2003-02-03" "OpenSSL"
|
142.UC
143.SH "NAME"
144SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
145.SH "SYNOPSIS"
146.IX Header "SYNOPSIS"
147.Vb 1
148\& #include <openssl/ssl.h>
149.Ve
150.Vb 1
151\& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
152.Ve
153.SH "DESCRIPTION"
154.IX Header "DESCRIPTION"
155\&\fISSL_CTX_set_cert_verify_callback()\fR sets the verification callback function for
156\&\fIctx\fR. \s-1SSL\s0 objects that are created from \fIctx\fR inherit the setting valid at
157the time when SSL_new(3) is called.
158.SH "NOTES"
159.IX Header "NOTES"
160Whenever a certificate is verified during a \s-1SSL/TLS\s0 handshake, a verification
161function is called. If the application does not explicitly specify a
162verification callback function, the built-in verification function is used.
163If a verification callback \fIcallback\fR is specified via
164\&\fISSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
165instead. By setting \fIcallback\fR to \s-1NULL\s0, the default behaviour is restored.
166.PP
167When the verification must be performed, \fIcallback\fR will be called with
168the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
169argument \fIarg\fR is specified by the application when setting \fIcallback\fR.
170.PP
171\&\fIcallback\fR should return 1 to indicate verification success and 0 to
172indicate verification failure. If \s-1SSL_VERIFY_PEER\s0 is set and \fIcallback\fR
173returns 0, the handshake will fail. As the verification procedure may
174allow to continue the connection in case of failure (by always returning 1)
175the verification result must be set in any case using the \fBerror\fR
176member of \fIx509_store_ctx\fR so that the calling application will be informed
177about the detailed result of the verification procedure!
178.PP
179Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR
180function set using SSL_CTX_set_verify(3).
181.SH "WARNINGS"
182.IX Header "WARNINGS"
183Do not mix the verification callback described in this function with the
184\&\fBverify_callback\fR function called during the verification process. The
185latter is set using the SSL_CTX_set_verify(3)
186family of functions.
187.PP
188Providing a complete verification procedure including certificate purpose
189settings etc is a complex task. The built-in procedure is quite powerful
190and in most cases it should be sufficient to modify its behaviour using
191the \fBverify_callback\fR function.
192.SH "BUGS"
193.IX Header "BUGS"
194.SH "RETURN VALUES"
195.IX Header "RETURN VALUES"
196\&\fISSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information.
197.SH "SEE ALSO"
198.IX Header "SEE ALSO"
199ssl(3), SSL_CTX_set_verify(3),
200SSL_get_verify_result(3),
201SSL_CTX_load_verify_locations(3)
202.SH "HISTORY"
203.IX Header "HISTORY"
204Previous to OpenSSL 0.9.7, the \fIarg\fR argument to \fBSSL_CTX_set_cert_verify_callback\fR
205was ignored, and \fIcallback\fR was called simply as
206 int (*callback)(X509_STORE_CTX *)
207To compile software written for previous versions of OpenSSL, a dummy
208argument will have to be added to \fIcallback\fR.
| 142.UC
143.SH "NAME"
144SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
145.SH "SYNOPSIS"
146.IX Header "SYNOPSIS"
147.Vb 1
148\& #include <openssl/ssl.h>
149.Ve
150.Vb 1
151\& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
152.Ve
153.SH "DESCRIPTION"
154.IX Header "DESCRIPTION"
155\&\fISSL_CTX_set_cert_verify_callback()\fR sets the verification callback function for
156\&\fIctx\fR. \s-1SSL\s0 objects that are created from \fIctx\fR inherit the setting valid at
157the time when SSL_new(3) is called.
158.SH "NOTES"
159.IX Header "NOTES"
160Whenever a certificate is verified during a \s-1SSL/TLS\s0 handshake, a verification
161function is called. If the application does not explicitly specify a
162verification callback function, the built-in verification function is used.
163If a verification callback \fIcallback\fR is specified via
164\&\fISSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
165instead. By setting \fIcallback\fR to \s-1NULL\s0, the default behaviour is restored.
166.PP
167When the verification must be performed, \fIcallback\fR will be called with
168the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
169argument \fIarg\fR is specified by the application when setting \fIcallback\fR.
170.PP
171\&\fIcallback\fR should return 1 to indicate verification success and 0 to
172indicate verification failure. If \s-1SSL_VERIFY_PEER\s0 is set and \fIcallback\fR
173returns 0, the handshake will fail. As the verification procedure may
174allow to continue the connection in case of failure (by always returning 1)
175the verification result must be set in any case using the \fBerror\fR
176member of \fIx509_store_ctx\fR so that the calling application will be informed
177about the detailed result of the verification procedure!
178.PP
179Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR
180function set using SSL_CTX_set_verify(3).
181.SH "WARNINGS"
182.IX Header "WARNINGS"
183Do not mix the verification callback described in this function with the
184\&\fBverify_callback\fR function called during the verification process. The
185latter is set using the SSL_CTX_set_verify(3)
186family of functions.
187.PP
188Providing a complete verification procedure including certificate purpose
189settings etc is a complex task. The built-in procedure is quite powerful
190and in most cases it should be sufficient to modify its behaviour using
191the \fBverify_callback\fR function.
192.SH "BUGS"
193.IX Header "BUGS"
194.SH "RETURN VALUES"
195.IX Header "RETURN VALUES"
196\&\fISSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information.
197.SH "SEE ALSO"
198.IX Header "SEE ALSO"
199ssl(3), SSL_CTX_set_verify(3),
200SSL_get_verify_result(3),
201SSL_CTX_load_verify_locations(3)
202.SH "HISTORY"
203.IX Header "HISTORY"
204Previous to OpenSSL 0.9.7, the \fIarg\fR argument to \fBSSL_CTX_set_cert_verify_callback\fR
205was ignored, and \fIcallback\fR was called simply as
206 int (*callback)(X509_STORE_CTX *)
207To compile software written for previous versions of OpenSSL, a dummy
208argument will have to be added to \fIcallback\fR.
|