1=pod 2 3=head1 NAME 4 5SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure 6 7=head1 SYNOPSIS 8 9 #include <openssl/ssl.h> 10 11 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg); 12 13=head1 DESCRIPTION 14 15SSL_CTX_set_cert_verify_callback() sets the verification callback function for 16I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at 17the time when L<SSL_new(3)|SSL_new(3)> is called. 18 19=head1 NOTES 20 21Whenever a certificate is verified during a SSL/TLS handshake, a verification 22function is called. If the application does not explicitly specify a 23verification callback function, the built-in verification function is used. 24If a verification callback I<callback> is specified via 25SSL_CTX_set_cert_verify_callback(), the supplied callback function is called 26instead. By setting I<callback> to NULL, the default behaviour is restored. 27 28When the verification must be performed, I<callback> will be called with 29the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The 30argument I<arg> is specified by the application when setting I<callback>. 31 32I<callback> should return 1 to indicate verification success and 0 to 33indicate verification failure. If SSL_VERIFY_PEER is set and I<callback> 34returns 0, the handshake will fail. As the verification procedure may 35allow to continue the connection in case of failure (by always returning 1) 36the verification result must be set in any case using the B<error> 37member of I<x509_store_ctx> so that the calling application will be informed 38about the detailed result of the verification procedure! 39 40Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> 41function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>. 42 43=head1 WARNINGS 44 45Do not mix the verification callback described in this function with the 46B<verify_callback> function called during the verification process. The 47latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> 48family of functions. 49 50Providing a complete verification procedure including certificate purpose 51settings etc is a complex task. The built-in procedure is quite powerful 52and in most cases it should be sufficient to modify its behaviour using 53the B<verify_callback> function. 54 55=head1 BUGS 56 57=head1 RETURN VALUES 58 59SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. 60 61=head1 SEE ALSO 62 63L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, 64L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, 65L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> 66 67=head1 HISTORY 68 69Previous to OpenSSL 0.9.7, the I<arg> argument to B<SSL_CTX_set_cert_verify_callback> 70was ignored, and I<callback> was called simply as 71 int (*callback)(X509_STORE_CTX *) 72To compile software written for previous versions of OpenSSL, a dummy 73argument will have to be added to I<callback>. 74 75=cut 76