1=pod 2 3=head1 NAME 4 5SSL_get_ex_data_X509_STORE_CTX_idx, 6SSL_CTX_set_verify, SSL_set_verify, 7SSL_CTX_set_verify_depth, SSL_set_verify_depth, 8SSL_verify_cb, 9SSL_verify_client_post_handshake, 10SSL_set_post_handshake_auth, 11SSL_CTX_set_post_handshake_auth 12- set various SSL/TLS parameters for peer certificate verification 13 14=head1 SYNOPSIS 15 16 #include <openssl/ssl.h> 17 18 typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); 19 20 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback); 21 void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback); 22 SSL_get_ex_data_X509_STORE_CTX_idx(void); 23 24 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); 25 void SSL_set_verify_depth(SSL *ssl, int depth); 26 27 int SSL_verify_client_post_handshake(SSL *ssl); 28 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); 29 void SSL_set_post_handshake_auth(SSL *ssl, int val); 30 31=head1 DESCRIPTION 32 33SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and 34specifies the B<verify_callback> function to be used. If no callback function 35shall be specified, the NULL pointer can be used for B<verify_callback>. 36 37SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and 38specifies the B<verify_callback> function to be used. If no callback function 39shall be specified, the NULL pointer can be used for B<verify_callback>. In 40this case last B<verify_callback> set specifically for this B<ssl> remains. If 41no special B<callback> was set before, the default callback for the underlying 42B<ctx> is used, that was valid at the time B<ssl> was created with 43L<SSL_new(3)>. Within the callback function, 44B<SSL_get_ex_data_X509_STORE_CTX_idx> can be called to get the data index 45of the current SSL object that is doing the verification. 46 47In client mode B<verify_callback> may also call the L<SSL_set_retry_verify(3)> 48function on the B<SSL> object set in the I<x509_store_ctx> ex data (see 49L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>) and return 1. 50This would be typically done in case the certificate verification was not yet 51able to succeed. 52This makes the handshake suspend and return control to the calling application 53with B<SSL_ERROR_WANT_RETRY_VERIFY>. 54The application can for instance fetch further certificates or cert status 55information needed for the verification. 56Calling L<SSL_connect(3)> again resumes the connection attempt by retrying the 57server certificate verification step. 58This process may even be repeated if need be. 59Note that the handshake may still be aborted if a subsequent invocation of the 60callback (e.g., at a lower depth, or for a separate error condition) returns 0. 61 62SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain 63verification that shall be allowed for B<ctx>. 64 65SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain 66verification that shall be allowed for B<ssl>. 67 68SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the 69Post-Handshake Authentication extension to be added to the ClientHello such that 70post-handshake authentication can be requested by the server. If B<val> is 0 71then the extension is not sent, otherwise it is. By default the extension is not 72sent. A certificate callback will need to be set via 73SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization. 74 75SSL_verify_client_post_handshake() causes a CertificateRequest message to be 76sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must 77be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional. 78 79=head1 NOTES 80 81The verification of certificates can be controlled by a set of logically 82or'ed B<mode> flags: 83 84=over 4 85 86=item SSL_VERIFY_NONE 87 88B<Server mode:> the server will not send a client certificate request to the 89client, so the client will not send a certificate. 90 91B<Client mode:> if not using an anonymous cipher (by default disabled), the 92server will send a certificate which will be checked. The result of the 93certificate verification process can be checked after the TLS/SSL handshake 94using the L<SSL_get_verify_result(3)> function. 95The handshake will be continued regardless of the verification result. 96 97=item SSL_VERIFY_PEER 98 99B<Server mode:> the server sends a client certificate request to the client. 100The certificate returned (if any) is checked. If the verification process 101fails, the TLS/SSL handshake is 102immediately terminated with an alert message containing the reason for 103the verification failure. 104The behaviour can be controlled by the additional 105SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and 106SSL_VERIFY_POST_HANDSHAKE flags. 107 108B<Client mode:> the server certificate is verified. If the verification process 109fails, the TLS/SSL handshake is 110immediately terminated with an alert message containing the reason for 111the verification failure. If no server certificate is sent, because an 112anonymous cipher is used, SSL_VERIFY_PEER is ignored. 113 114=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT 115 116B<Server mode:> if the client did not return a certificate, the TLS/SSL 117handshake is immediately terminated with a "handshake failure" alert. 118This flag must be used together with SSL_VERIFY_PEER. 119 120B<Client mode:> ignored (see BUGS) 121 122=item SSL_VERIFY_CLIENT_ONCE 123 124B<Server mode:> only request a client certificate once during the 125connection. Do not ask for a client certificate again during 126renegotiation or post-authentication if a certificate was requested 127during the initial handshake. This flag must be used together with 128SSL_VERIFY_PEER. 129 130B<Client mode:> ignored (see BUGS) 131 132=item SSL_VERIFY_POST_HANDSHAKE 133 134B<Server mode:> the server will not send a client certificate request 135during the initial handshake, but will send the request via 136SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL 137to be configured for post-handshake peer verification before the 138handshake occurs. This flag must be used together with 139SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections. 140 141B<Client mode:> ignored (see BUGS) 142 143=back 144 145If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set. 146 147If verification flags are not modified explicitly by C<SSL_CTX_set_verify()> 148or C<SSL_set_verify()>, the default value will be SSL_VERIFY_NONE. 149 150The actual verification procedure is performed either using the built-in 151verification procedure or using another application provided verification 152function set with 153L<SSL_CTX_set_cert_verify_callback(3)>. 154The following descriptions apply in the case of the built-in procedure. An 155application provided procedure also has access to the verify depth information 156and the verify_callback() function, but the way this information is used 157may be different. 158 159SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the 160number of certificates between the end-entity and trust-anchor certificates. 161Neither the 162end-entity nor the trust-anchor certificates count against B<depth>. If the 163certificate chain needed to reach a trusted issuer is longer than B<depth+2>, 164X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. 165The depth count is "level 0:peer certificate", "level 1: CA certificate", 166"level 2: higher level CA certificate", and so on. Setting the maximum 167depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the 168trust-anchor). 169The default depth limit is 100, 170allowing for the peer certificate, at most 100 intermediate CA certificates and 171a final trust anchor certificate. 172 173The B<verify_callback> function is used to control the behaviour when the 174SSL_VERIFY_PEER flag is set. It must be supplied by the application and 175receives two arguments: B<preverify_ok> indicates, whether the verification of 176the certificate in question was passed (preverify_ok=1) or not 177(preverify_ok=0). B<x509_ctx> is a pointer to the complete context used 178for the certificate chain verification. 179 180The certificate chain is checked starting with the deepest nesting level 181(the root CA certificate) and worked upward to the peer's certificate. 182At each level signatures and issuer attributes are checked. Whenever 183a verification error is found, the error number is stored in B<x509_ctx> 184and B<verify_callback> is called with B<preverify_ok>=0. By applying 185X509_CTX_store_* functions B<verify_callback> can locate the certificate 186in question and perform additional steps (see EXAMPLES). If no error is 187found for a certificate, B<verify_callback> is called with B<preverify_ok>=1 188before advancing to the next level. 189 190The return value of B<verify_callback> controls the strategy of the further 191verification process. If B<verify_callback> returns 0, the verification 192process is immediately stopped with "verification failed" state. If 193SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and 194the TLS/SSL handshake is terminated. If B<verify_callback> returns 1, 195the verification process is continued. If B<verify_callback> always returns 1961, the TLS/SSL handshake will not be terminated with respect to verification 197failures and the connection will be established. The calling process can 198however retrieve the error code of the last verification error using 199L<SSL_get_verify_result(3)> or by maintaining its 200own error storage managed by B<verify_callback>. 201 202If no B<verify_callback> is specified, the default callback will be used. 203Its return value is identical to B<preverify_ok>, so that any verification 204failure will lead to a termination of the TLS/SSL handshake with an 205alert message, if SSL_VERIFY_PEER is set. 206 207After calling SSL_set_post_handshake_auth(), the client will need to add a 208certificate or certificate callback to its configuration before it can 209successfully authenticate. This must be called before SSL_connect(). 210 211SSL_verify_client_post_handshake() requires that verify flags have been 212previously set, and that a client sent the post-handshake authentication 213extension. When the client returns a certificate the verify callback will be 214invoked. A write operation must take place for the Certificate Request to be 215sent to the client, this can be done with SSL_do_handshake() or SSL_write_ex(). 216Only one certificate request may be outstanding at any time. 217 218When post-handshake authentication occurs, a refreshed NewSessionTicket 219message is sent to the client. 220 221=head1 BUGS 222 223In client mode, it is not checked whether the SSL_VERIFY_PEER flag 224is set, but whether any flags other than SSL_VERIFY_NONE are set. This can 225lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as 226required. 227 228=head1 RETURN VALUES 229 230The SSL*_set_verify*() functions do not provide diagnostic information. 231 232The SSL_verify_client_post_handshake() function returns 1 if the request 233succeeded, and 0 if the request failed. The error stack can be examined 234to determine the failure reason. 235 236=head1 EXAMPLES 237 238The following code sequence realizes an example B<verify_callback> function 239that will always continue the TLS/SSL handshake regardless of verification 240failure, if wished. The callback realizes a verification depth limit with 241more informational output. 242 243All verification errors are printed; information about the certificate chain 244is printed on request. 245The example is realized for a server that does allow but not require client 246certificates. 247 248The example makes use of the ex_data technique to store application data 249into/retrieve application data from the SSL structure 250(see L<CRYPTO_get_ex_new_index(3)>, 251L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). 252 253 ... 254 typedef struct { 255 int verbose_mode; 256 int verify_depth; 257 int always_continue; 258 } mydata_t; 259 int mydata_index; 260 261 ... 262 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) 263 { 264 char buf[256]; 265 X509 *err_cert; 266 int err, depth; 267 SSL *ssl; 268 mydata_t *mydata; 269 270 err_cert = X509_STORE_CTX_get_current_cert(ctx); 271 err = X509_STORE_CTX_get_error(ctx); 272 depth = X509_STORE_CTX_get_error_depth(ctx); 273 274 /* 275 * Retrieve the pointer to the SSL of the connection currently treated 276 * and the application specific data stored into the SSL object. 277 */ 278 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); 279 mydata = SSL_get_ex_data(ssl, mydata_index); 280 281 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); 282 283 /* 284 * Catch a too long certificate chain. The depth limit set using 285 * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so 286 * that whenever the "depth>verify_depth" condition is met, we 287 * have violated the limit and want to log this error condition. 288 * We must do it here, because the CHAIN_TOO_LONG error would not 289 * be found explicitly; only errors introduced by cutting off the 290 * additional certificates would be logged. 291 */ 292 if (depth > mydata->verify_depth) { 293 preverify_ok = 0; 294 err = X509_V_ERR_CERT_CHAIN_TOO_LONG; 295 X509_STORE_CTX_set_error(ctx, err); 296 } 297 if (!preverify_ok) { 298 printf("verify error:num=%d:%s:depth=%d:%s\n", err, 299 X509_verify_cert_error_string(err), depth, buf); 300 } else if (mydata->verbose_mode) { 301 printf("depth=%d:%s\n", depth, buf); 302 } 303 304 /* 305 * At this point, err contains the last verification error. We can use 306 * it for something special 307 */ 308 if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { 309 X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); 310 printf("issuer= %s\n", buf); 311 } 312 313 if (mydata->always_continue) 314 return 1; 315 else 316 return preverify_ok; 317 } 318 ... 319 320 mydata_t mydata; 321 322 ... 323 mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); 324 325 ... 326 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 327 verify_callback); 328 329 /* 330 * Let the verify_callback catch the verify_depth error so that we get 331 * an appropriate error in the logfile. 332 */ 333 SSL_CTX_set_verify_depth(verify_depth + 1); 334 335 /* 336 * Set up the SSL specific data into "mydata" and store it into th SSL 337 * structure. 338 */ 339 mydata.verify_depth = verify_depth; ... 340 SSL_set_ex_data(ssl, mydata_index, &mydata); 341 342 ... 343 SSL_accept(ssl); /* check of success left out for clarity */ 344 if (peer = SSL_get_peer_certificate(ssl)) { 345 if (SSL_get_verify_result(ssl) == X509_V_OK) { 346 /* The client sent a certificate which verified OK */ 347 } 348 } 349 350=head1 SEE ALSO 351 352L<ssl(7)>, L<SSL_new(3)>, 353L<SSL_CTX_get_verify_mode(3)>, 354L<SSL_get_verify_result(3)>, 355L<SSL_CTX_load_verify_locations(3)>, 356L<SSL_get_peer_certificate(3)>, 357L<SSL_CTX_set_cert_verify_callback(3)>, 358L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>, 359L<SSL_CTX_set_client_cert_cb(3)>, 360L<CRYPTO_get_ex_new_index(3)> 361 362=head1 HISTORY 363 364The SSL_VERIFY_POST_HANDSHAKE option, and the SSL_verify_client_post_handshake() 365and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. 366 367=head1 COPYRIGHT 368 369Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. 370 371Licensed under the Apache License 2.0 (the "License"). You may not use 372this file except in compliance with the License. You can obtain a copy 373in the file LICENSE in the source distribution or at 374L<https://www.openssl.org/source/license.html>. 375 376=cut 377