SSL_CTX_set_cert_verify_callback.pod revision 89837
189837Skris=pod 289837Skris 389837Skris=head1 NAME 489837Skris 589837SkrisSSL_CTX_set_cert_verify_callback - set peer certificate verification procedure 689837Skris 789837Skris=head1 SYNOPSIS 889837Skris 989837Skris #include <openssl/ssl.h> 1089837Skris 1189837Skris void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(), 1289837Skris char *arg); 1389837Skris int (*callback)(); 1489837Skris 1589837Skris=head1 DESCRIPTION 1689837Skris 1789837SkrisSSL_CTX_set_cert_verify_callback() sets the verification callback function for 1889837SkrisB<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at 1989837Skristhe time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored. 2089837Skris 2189837Skris=head1 NOTES 2289837Skris 2389837SkrisWhenever a certificate is verified during a SSL/TLS handshake, a verification 2489837Skrisfunction is called. If the application does not explicitly specify a 2589837Skrisverification callback function, the built-in verification function is used. 2689837SkrisIf a verification callback B<callback> is specified via 2789837SkrisSSL_CTX_set_cert_verify_callback(), the supplied callback function is called 2889837Skrisinstead. By setting B<callback> to NULL, the default behaviour is restored. 2989837Skris 3089837SkrisWhen the verification must be performed, B<callback> will be called with 3189837Skristhe argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg> 3289837Skristhat can be specified when setting B<callback> are currently ignored. 3389837Skris 3489837SkrisB<callback> should return 1 to indicate verification success and 0 to 3589837Skrisindicate verification failure. If SSL_VERIFY_PEER is set and B<callback> 3689837Skrisreturns 0, the handshake will fail. As the verification procedure may 3789837Skrisallow to continue the connection in case of failure (by always returning 1) 3889837Skristhe verification result must be set in any case using the B<error> 3989837Skrismember of B<x509_store_ctx>, so that the calling application will be informed 4089837Skrisabout the detailed result of the verification procedure! 4189837Skris 4289837SkrisWithin B<x509_store_ctx>, B<callback> has access to the B<verify_callback> 4389837Skrisfunction set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>. 4489837Skris 4589837Skris=head1 WARNINGS 4689837Skris 4789837SkrisDo not mix the verification callback described in this function with the 4889837SkrisB<verify_callback> function called during the verification process. The 4989837Skrislatter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> 5089837Skrisfamily of functions. 5189837Skris 5289837SkrisProviding a complete verification procedure including certificate purpose 5389837Skrissettings etc is a complex task. The built-in procedure is quite powerful 5489837Skrisand in most cases it should be sufficient to modify its behaviour using 5589837Skristhe B<verify_callback> function. 5689837Skris 5789837Skris=head1 BUGS 5889837Skris 5989837SkrisIt is possible to specify arguments to be passed to the verification callback. 6089837SkrisCurrently they are however not passed but ignored. 6189837Skris 6289837SkrisThe B<callback> function is not specified via a prototype, so that no 6389837Skristype checking takes place. 6489837Skris 6589837Skris=head1 RETURN VALUES 6689837Skris 6789837SkrisSSL_CTX_set_cert_verify_callback() does not provide diagnostic information. 6889837Skris 6989837Skris=head1 SEE ALSO 7089837Skris 7189837SkrisL<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, 7289837SkrisL<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, 7389837SkrisL<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> 7489837Skris 7589837Skris=cut 76