SSL_CTX_set_cert_verify_callback(3)          OpenSSL          SSL_CTX_set_cert_verify_callback(3)

       SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure

        #include <openssl/ssl.h>

        void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);

       SSL_CTX_set_cert_verify_callback() sets the verification callback function
       for ctx. SSL objects that are created from ctx inherit the setting valid
       at the time when SSL_new(3) is called.

       Whenever a certificate is verified during an SSL/TLS handshake, a
       verification function is called. If the application does not explicitly
       specify a verification callback function, the built-in verification
       function is used. If a verification callback is specified via
       SSL_CTX_set_cert_verify_callback(), the supplied callback function is
       called instead. By setting callback to NULL, the default behaviour is

       When the verification must be performed, callback will be called with
       the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
       argument arg is specified by the application when setting callback.

       callback should return 1 to indicate verification success and 0 to
       indicate verification failure. If SSL_VERIFY_PEER is set and callback
       returns 0, the handshake will fail. As the verification procedure may
       allow the connection to continue in case of failure (by always returning
       1), the verification result must be set in any case using the error
       member of x509_store_ctx so that the calling application will be
       informed about the detailed result of the verification procedure!

       Within x509_store_ctx, callback has access to the verify_callback
       function set using SSL_CTX_set_verify(3).

       Do not mix the verification callback described in this function with
       the verify_callback function called during the verification process.
       The latter is set using the SSL_CTX_set_verify(3) family of functions.

       Providing a complete verification procedure including certificate
       purpose settings etc. is a complex task. The built-in procedure is quite
       powerful and in most cases it should be sufficient to modify its
       behaviour using the verify_callback function.

       SSL_CTX_set_cert_verify_callback() does not provide diagnostic informa-

       ssl(3), SSL_CTX_set_verify(3), SSL_get_verify_result(3),

       Previous to OpenSSL 0.9.7, the arg argument to
       SSL_CTX_set_cert_verify_callback was ignored, and callback was called
       simply as int (*callback)(X509_STORE_CTX *). To compile software written
       for previous versions of OpenSSL, a dummy argument will have to be added to

0.9.7d                            2002-02-28          SSL_CTX_set_cert_verify_callback(3)
