SSL_CTX_set_cert_verify_callback 3 2003-07-24 0.9.9-dev OpenSSL

NAME

SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

LIBRARY

libcrypto, -lcrypto

SYNOPSIS


 #include 


 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);

DESCRIPTION

_S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_) sets the verification callback function for _c_t_x. SSL objects that are created from _c_t_x inherit the setting valid at the time when _S_S_L___n_e_w(3) is called.

NOTES

Whenever a certificate is verified during a SSL/TLS handshake, a verification function is called. If the application does not explicitly specify a verification callback function, the built-in verification function is used. If a verification callback _c_a_l_l_b_a_c_k is specified via _S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_), the supplied callback function is called instead. By setting _c_a_l_l_b_a_c_k to NULL, the default behaviour is restored.

When the verification must be performed, _c_a_l_l_b_a_c_k will be called with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument _a_r_g is specified by the application when setting _c_a_l_l_b_a_c_k.

_c_a_l_l_b_a_c_k should return 1 to indicate verification success and 0 to indicate verification failure. If SSL_VERIFY_PEER is set and _c_a_l_l_b_a_c_k returns 0, the handshake will fail. As the verification procedure may allow to continue the connection in case of failure (by always returning 1) the verification result must be set in any case using the eerrrroorr member of _x_5_0_9___s_t_o_r_e___c_t_x so that the calling application will be informed about the detailed result of the verification procedure!

Within _x_5_0_9___s_t_o_r_e___c_t_x, _c_a_l_l_b_a_c_k has access to the _v_e_r_i_f_y___c_a_l_l_b_a_c_k function set using _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3).

WARNINGS

Do not mix the verification callback described in this function with the vveerriiffyy__ccaallllbbaacckk function called during the verification process. The latter is set using the _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3) family of functions.

Providing a complete verification procedure including certificate purpose settings etc is a complex task. The built-in procedure is quite powerful and in most cases it should be sufficient to modify its behaviour using the vveerriiffyy__ccaallllbbaacckk function.

BUGS

RETURN VALUES

_S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_) does not provide diagnostic information.

SEE ALSO

_s_s_l(3), _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3), _S_S_L___g_e_t___v_e_r_i_f_y___r_e_s_u_l_t(3), _S_S_L___C_T_X___l_o_a_d___v_e_r_i_f_y___l_o_c_a_t_i_o_n_s(3)

HISTORY

Previous to OpenSSL 0.9.7, the _a_r_g argument to SSSSLL__CCTTXX__sseett__cceerrtt__vveerriiffyy__ccaallllbbaacckk was ignored, and _c_a_l_l_b_a_c_k was called simply as int (*callback)(X509_STORE_CTX *) To compile software written for previous versions of OpenSSL, a dummy argument will have to be added to _c_a_l_l_b_a_c_k.