SSL_CTX_set_cert_verify_callback 3 2003-07-24 0.9.9-dev OpenSSL
NAME
SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
LIBRARY
libcrypto, -lcrypto
SYNOPSIS
#include
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
DESCRIPTION
_S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_) sets the verification callback function for
_c_t_x. SSL objects that are created from _c_t_x inherit the setting valid at
the time when _S_S_L___n_e_w(3) is called.
NOTES
Whenever a certificate is verified during a SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback _c_a_l_l_b_a_c_k is specified via
_S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_), the supplied callback function is called
instead. By setting _c_a_l_l_b_a_c_k to NULL, the default behaviour is restored.
When the verification must be performed, _c_a_l_l_b_a_c_k will be called with
the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument _a_r_g is specified by the application when setting _c_a_l_l_b_a_c_k.
_c_a_l_l_b_a_c_k should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and _c_a_l_l_b_a_c_k
returns 0, the handshake will fail. As the verification procedure may
allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the eerrrroorr
member of _x_5_0_9___s_t_o_r_e___c_t_x so that the calling application will be informed
about the detailed result of the verification procedure!
Within _x_5_0_9___s_t_o_r_e___c_t_x, _c_a_l_l_b_a_c_k has access to the _v_e_r_i_f_y___c_a_l_l_b_a_c_k
function set using _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3).
WARNINGS
Do not mix the verification callback described in this function with the
vveerriiffyy__ccaallllbbaacckk function called during the verification process. The
latter is set using the _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3)
family of functions.
Providing a complete verification procedure including certificate purpose
settings etc is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the vveerriiffyy__ccaallllbbaacckk function.
BUGS
RETURN VALUES
_S_S_L___C_T_X___s_e_t___c_e_r_t___v_e_r_i_f_y___c_a_l_l_b_a_c_k_(_) does not provide diagnostic information.
SEE ALSO
_s_s_l(3), _S_S_L___C_T_X___s_e_t___v_e_r_i_f_y(3),
_S_S_L___g_e_t___v_e_r_i_f_y___r_e_s_u_l_t(3),
_S_S_L___C_T_X___l_o_a_d___v_e_r_i_f_y___l_o_c_a_t_i_o_n_s(3)
HISTORY
Previous to OpenSSL 0.9.7, the _a_r_g argument to SSSSLL__CCTTXX__sseett__cceerrtt__vveerriiffyy__ccaallllbbaacckk
was ignored, and _c_a_l_l_b_a_c_k was called simply as
int (*callback)(X509_STORE_CTX *)
To compile software written for previous versions of OpenSSL, a dummy
argument will have to be added to _c_a_l_l_b_a_c_k.