SSL_CTX_set_cert_verify_callback(3)    OpenSSL    SSL_CTX_set_cert_verify_callback(3)


NAME

       SSL_CTX_set_cert_verify_callback - set peer certificate
       verification procedure

LIBRARY

       libcrypto, -lcrypto

SYNOPSIS

        #include <openssl/ssl.h>

        void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
                                              char *arg);
        int (*callback)();

DESCRIPTION

       SSL_CTX_set_cert_verify_callback() sets the verification
       callback function for ctx. SSL objects that are created
       from ctx inherit the setting valid at the time SSL_new(3)
       is called. arg is currently ignored.

NOTES

       Whenever a certificate is verified during an SSL/TLS handshake,
       a verification function is called. If the application does not
       explicitly specify a verification callback function, the
       built-in verification function is used. If a verification
       callback function, callback, is specified via
       SSL_CTX_set_cert_verify_callback(), the supplied callback
       function is called instead. By setting callback to NULL,
       the default behaviour is restored.

       When verification must be performed, callback is called as
       callback(X509_STORE_CTX *x509_store_ctx). The argument arg
       that can be specified when setting callback is currently
       ignored.

       callback should return 1 to indicate verification success
       and 0 to indicate verification failure. If SSL_VERIFY_PEER
       is set and callback returns 0, the handshake will fail.
       Because the verification procedure may allow the connection
       to continue in case of failure (by always returning 1), the
       verification result must be set in any case using the
       error member of x509_store_ctx, so that the calling
       application is informed about the detailed result of the
       verification procedure.

       Within x509_store_ctx, callback has access to the
       verify_callback function set using SSL_CTX_set_verify(3).

WARNINGS

       Do not confuse the verification callback described in this
       manual page with the verify_callback function called during
       the verification process. The latter is set using the
       SSL_CTX_set_verify(3) family of functions.

       Providing a complete verification procedure, including
       certificate purpose settings etc., is a complex task. The
       built-in procedure is quite powerful and in most cases it
       should be sufficient to modify its behaviour using the
       verify_callback function.

BUGS

       It is possible to specify arguments to be passed to the
       verification callback.  Currently they are however not
       passed but ignored.

       The callback function is not specified via a prototype, so
       that no type checking takes place.

RETURN VALUES

       SSL_CTX_set_cert_verify_callback() does not provide
       diagnostic information.

SEE ALSO

       ssl(3), SSL_CTX_set_verify(3), SSL_get_verify_result(3),
       SSL_CTX_load_verify_locations(3)



2002-08-05                    SSL_CTX_set_cert_verify_callback(3)