SSL_CTX_set_cert_verify_callback.pod revision 89837
=pod

=head1 NAME

SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
                                       char *arg);
 int (*callback)();

=head1 DESCRIPTION

SSL_CTX_set_cert_verify_callback() sets the verification callback function for
B<ctx>. SSL objects that are created from B<ctx> inherit the setting valid at
the time L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored.

=head1 NOTES

Whenever a certificate is verified during an SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback B<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting B<callback> to NULL, the default behaviour is restored.

When the verification must be performed, B<callback> will be called with
the argument callback(X509_STORE_CTX *x509_store_ctx). The argument B<arg>
that can be specified when setting B<callback> is currently ignored.

B<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and B<callback>
returns 0, the handshake will fail. Because B<callback> replaces the built-in
procedure entirely, the peer certificate receives no checking beyond what
B<callback> itself performs: a callback that always returns 1 accepts any
certificate. A verification procedure may deliberately allow the connection
to continue despite a failure (by returning 1 anyway); in that case, and in
every other case, the verification result must be set using the B<error>
member of B<x509_store_ctx>, so that the calling application is informed
about the detailed result of the verification procedure through
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>.

Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.

=head1 WARNINGS

Do not confuse the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
family of functions.

Providing a complete verification procedure including certificate purpose
settings etc. is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.
56141296Sdas

=head1 BUGS

It is possible to specify arguments to be passed to the verification callback.
Currently, however, they are not passed but ignored.

The B<callback> function is not specified via a prototype, so that no
type checking takes place.

=head1 RETURN VALUES

SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.

=head1 SEE ALSO

L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>

=cut
