SSL_CTX_set_cert_verify_callback.pod revision 89837
=pod

=head1 NAME

SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
                                       char *arg);
 int (*callback)();

=head1 DESCRIPTION

SSL_CTX_set_cert_verify_callback() sets the verification callback function for
B<ctx>. SSL objects that are created from B<ctx> inherit the setting valid at
the time L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored.

=head1 NOTES

Whenever a certificate is verified during an SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback B<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting B<callback> to NULL, the default behaviour is restored.

When the verification must be performed, B<callback> will be called with
the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg>
that can be specified when setting B<callback> are currently ignored.

B<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and B<callback>
returns 0, the handshake will fail. As the verification procedure may
allow the connection to continue in case of failure (by always returning 1),
the verification result must be set in any case using the B<error>
member of B<x509_store_ctx>, so that the calling application will be informed
about the detailed result of the verification procedure!

Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.

=head1 WARNINGS

Do not mix the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
family of functions.

Providing a complete verification procedure including certificate purpose
settings etc. is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.

=head1 BUGS

It is possible to specify arguments to be passed to the verification callback.
Currently, however, they are not passed but ignored.

The B<callback> function is not specified via a prototype, so that no
type checking takes place.

=head1 RETURN VALUES

SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>

=cut