SSL_CTX_set_verify.3 (206048) SSL_CTX_set_verify.3 (215698)
1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.37
1.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
13.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v
15.if n .sp
16..
17.de Vb \" Begin verbatim text
18.ft CW
19.nf
20.ne \\$1
21..
22.de Ve \" End verbatim text
23.ft R
24.fi
25..
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
34.ie n \{\
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
43'br\}
44.el\{\
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
49'br\}
50.\"
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41'br\}
42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
47.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
55.if \nF \{\
51.ie \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
58..
59. nr % 0
60. rr F
61.\}
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
54..
55. nr % 0
56. rr F
57.\}
58.el \{\
59. de IX
60..
61.\}
62.\"
62.\"
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1

--- 48 unchanged lines hidden (view full) ---

124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "SSL_CTX_set_verify 3"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1

--- 48 unchanged lines hidden (view full) ---

119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "SSL_CTX_set_verify 3"
132.TH SSL_CTX_set_verify 3 "2010-03-24" "0.9.8n" "OpenSSL"
127.TH SSL_CTX_set_verify 3 "2010-11-16" "0.9.8p" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
133.SH "NAME"
134SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters
135.SH "SYNOPSIS"
136.IX Header "SYNOPSIS"
137.Vb 1
138\& #include <openssl/ssl.h>
132.SH "NAME"
133SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136.Vb 1
137\& #include <openssl/ssl.h>
139.Ve
140.PP
141.Vb 6
138\&
142\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
143\& int (*verify_callback)(int, X509_STORE_CTX *));
144\& void SSL_set_verify(SSL *s, int mode,
145\& int (*verify_callback)(int, X509_STORE_CTX *));
146\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
147\& void SSL_set_verify_depth(SSL *s, int depth);
139\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
140\& int (*verify_callback)(int, X509_STORE_CTX *));
141\& void SSL_set_verify(SSL *s, int mode,
142\& int (*verify_callback)(int, X509_STORE_CTX *));
143\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
144\& void SSL_set_verify_depth(SSL *s, int depth);
148.Ve
149.PP
150.Vb 1
145\&
151\& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
152.Ve
153.SH "DESCRIPTION"
154.IX Header "DESCRIPTION"
155\&\fISSL_CTX_set_verify()\fR sets the verification flags for \fBctx\fR to be \fBmode\fR and
156specifies the \fBverify_callback\fR function to be used. If no callback function
157shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR.
158.PP

--- 136 unchanged lines hidden (view full) ---

295The example is realized for a server that does allow but not require client
296certificates.
297.PP
298The example makes use of the ex_data technique to store application data
299into/retrieve application data from the \s-1SSL\s0 structure
300(see \fISSL_get_ex_new_index\fR\|(3),
301\&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)).
302.PP
146\& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
147.Ve
148.SH "DESCRIPTION"
149.IX Header "DESCRIPTION"
150\&\fISSL_CTX_set_verify()\fR sets the verification flags for \fBctx\fR to be \fBmode\fR and
151specifies the \fBverify_callback\fR function to be used. If no callback function
152shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR.
153.PP

--- 136 unchanged lines hidden (view full) ---

290The example is realized for a server that does allow but not require client
291certificates.
292.PP
293The example makes use of the ex_data technique to store application data
294into/retrieve application data from the \s-1SSL\s0 structure
295(see \fISSL_get_ex_new_index\fR\|(3),
296\&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)).
297.PP
303.Vb 15
298.Vb 10
304\& ...
305\& typedef struct {
306\& int verbose_mode;
307\& int verify_depth;
308\& int always_continue;
309\& } mydata_t;
310\& int mydata_index;
311\& ...
312\& static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
313\& {
314\& char buf[256];
315\& X509 *err_cert;
316\& int err, depth;
317\& SSL *ssl;
318\& mydata_t *mydata;
299\& ...
300\& typedef struct {
301\& int verbose_mode;
302\& int verify_depth;
303\& int always_continue;
304\& } mydata_t;
305\& int mydata_index;
306\& ...
307\& static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
308\& {
309\& char buf[256];
310\& X509 *err_cert;
311\& int err, depth;
312\& SSL *ssl;
313\& mydata_t *mydata;
319.Ve
320.PP
321.Vb 3
314\&
322\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
323\& err = X509_STORE_CTX_get_error(ctx);
324\& depth = X509_STORE_CTX_get_error_depth(ctx);
315\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
316\& err = X509_STORE_CTX_get_error(ctx);
317\& depth = X509_STORE_CTX_get_error_depth(ctx);
325.Ve
326.PP
327.Vb 6
318\&
328\& /*
329\& * Retrieve the pointer to the SSL of the connection currently treated
330\& * and the application specific data stored into the SSL object.
331\& */
332\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
333\& mydata = SSL_get_ex_data(ssl, mydata_index);
319\& /*
320\& * Retrieve the pointer to the SSL of the connection currently treated
321\& * and the application specific data stored into the SSL object.
322\& */
323\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
324\& mydata = SSL_get_ex_data(ssl, mydata_index);
334.Ve
335.PP
336.Vb 1
325\&
337\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
326\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
338.Ve
339.PP
340.Vb 22
327\&
341\& /*
342\& * Catch a too long certificate chain. The depth limit set using
343\& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
344\& * that whenever the "depth>verify_depth" condition is met, we
345\& * have violated the limit and want to log this error condition.
346\& * We must do it here, because the CHAIN_TOO_LONG error would not
347\& * be found explicitly; only errors introduced by cutting off the
348\& * additional certificates would be logged.
349\& */
328\& /*
329\& * Catch a too long certificate chain. The depth limit set using
330\& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
331\& * that whenever the "depth>verify_depth" condition is met, we
332\& * have violated the limit and want to log this error condition.
333\& * We must do it here, because the CHAIN_TOO_LONG error would not
334\& * be found explicitly; only errors introduced by cutting off the
335\& * additional certificates would be logged.
336\& */
350\& if (depth > mydata->verify_depth) {
337\& if (depth > mydata\->verify_depth) {
351\& preverify_ok = 0;
352\& err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
353\& X509_STORE_CTX_set_error(ctx, err);
354\& }
355\& if (!preverify_ok) {
356\& printf("verify error:num=%d:%s:depth=%d:%s\en", err,
357\& X509_verify_cert_error_string(err), depth, buf);
358\& }
338\& preverify_ok = 0;
339\& err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
340\& X509_STORE_CTX_set_error(ctx, err);
341\& }
342\& if (!preverify_ok) {
343\& printf("verify error:num=%d:%s:depth=%d:%s\en", err,
344\& X509_verify_cert_error_string(err), depth, buf);
345\& }
359\& else if (mydata->verbose_mode)
346\& else if (mydata\->verbose_mode)
360\& {
361\& printf("depth=%d:%s\en", depth, buf);
362\& }
347\& {
348\& printf("depth=%d:%s\en", depth, buf);
349\& }
363.Ve
364.PP
365.Vb 9
350\&
366\& /*
367\& * At this point, err contains the last verification error. We can use
368\& * it for something special
369\& */
370\& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
371\& {
351\& /*
352\& * At this point, err contains the last verification error. We can use
353\& * it for something special
354\& */
355\& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT))
356\& {
372\& X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
357\& X509_NAME_oneline(X509_get_issuer_name(ctx\->current_cert), buf, 256);
373\& printf("issuer= %s\en", buf);
374\& }
358\& printf("issuer= %s\en", buf);
359\& }
375.Ve
376.PP
377.Vb 6
378\& if (mydata->always_continue)
360\&
361\& if (mydata\->always_continue)
379\& return 1;
380\& else
381\& return preverify_ok;
382\& }
383\& ...
362\& return 1;
363\& else
364\& return preverify_ok;
365\& }
366\& ...
384.Ve
385.PP
386.Vb 1
367\&
387\& mydata_t mydata;
368\& mydata_t mydata;
388.Ve
389.PP
390.Vb 2
369\&
391\& ...
392\& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
370\& ...
371\& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
393.Ve
394.PP
395.Vb 3
372\&
396\& ...
397\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
398\& verify_callback);
373\& ...
374\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
375\& verify_callback);
399.Ve
400.PP
401.Vb 5
376\&
402\& /*
403\& * Let the verify_callback catch the verify_depth error so that we get
404\& * an appropriate error in the logfile.
405\& */
406\& SSL_CTX_set_verify_depth(verify_depth + 1);
377\& /*
378\& * Let the verify_callback catch the verify_depth error so that we get
379\& * an appropriate error in the logfile.
380\& */
381\& SSL_CTX_set_verify_depth(verify_depth + 1);
407.Ve
408.PP
409.Vb 6
382\&
410\& /*
411\& * Set up the SSL specific data into "mydata" and store it into th SSL
412\& * structure.
413\& */
414\& mydata.verify_depth = verify_depth; ...
415\& SSL_set_ex_data(ssl, mydata_index, &mydata);
383\& /*
384\& * Set up the SSL specific data into "mydata" and store it into th SSL
385\& * structure.
386\& */
387\& mydata.verify_depth = verify_depth; ...
388\& SSL_set_ex_data(ssl, mydata_index, &mydata);
416.Ve
417.PP
418.Vb 9
389\&
419\& ...
420\& SSL_accept(ssl); /* check of success left out for clarity */
421\& if (peer = SSL_get_peer_certificate(ssl))
422\& {
423\& if (SSL_get_verify_result(ssl) == X509_V_OK)
424\& {
425\& /* The client sent a certificate which verified OK */
426\& }

--- 12 unchanged lines hidden ---
390\& ...
391\& SSL_accept(ssl); /* check of success left out for clarity */
392\& if (peer = SSL_get_peer_certificate(ssl))
393\& {
394\& if (SSL_get_verify_result(ssl) == X509_V_OK)
395\& {
396\& /* The client sent a certificate which verified OK */
397\& }

--- 12 unchanged lines hidden ---