=pod

=head1 NAME

SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);

=head1 DESCRIPTION

SSL_CTX_set_cert_verify_callback() sets the verification callback function for
I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
the time when L<SSL_new(3)|SSL_new(3)> is called.

=head1 NOTES

Whenever a certificate is verified during an SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback I<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting I<callback> to NULL, the default behaviour is restored.

When the verification must be performed, I<callback> will be called with
the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument I<arg> is specified by the application when setting I<callback>.

I<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and I<callback>
returns 0, the handshake will fail.
As the verification procedure may
allow the connection to continue in case of failure (by always returning 1),
the verification result must be set in any case using the B<error>
member of I<x509_store_ctx>, so that the calling application will be informed
about the detailed result of the verification procedure (it is reported by
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>).

Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.

=head1 WARNINGS

Do not mix the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
family of functions.

Providing a complete verification procedure including certificate purpose
settings etc. is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.

=head1 BUGS

=head1 RETURN VALUES

SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>

=head1 HISTORY

Prior to OpenSSL 0.9.7, the I<arg> argument to B<SSL_CTX_set_cert_verify_callback>
was ignored, and I<callback> was called simply as

 int (*callback)(X509_STORE_CTX *)

To compile software written for previous versions of OpenSSL, a dummy
argument will have to be added to I<callback>.

=cut