=pod =head1 NAME X509_STORE_CTX_set_verify_cb - set verification callback =head1 SYNOPSIS #include void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); =head1 DESCRIPTION X509_STORE_CTX_set_verify_cb() sets the verification callback of B to B overwriting any existing callback. The verification callback can be used to customise the operation of certificate verification, either by overriding error conditions or logging errors for debugging purposes. However a verification callback is B essential and the default operation is often sufficient. The B parameter to the callback indicates the value the callback should return to retain the default behaviour. If it is zero then and error condition is indicated. If it is 1 then no error occurred. If the flag B is set then B is set to 2 to indicate the policy checking is complete. The B parameter to the callback is the B structure that is performing the verification operation. A callback can examine this structure and receive additional information about the error, for example by calling X509_STORE_CTX_get_current_cert(). Additional application data can be passed to the callback via the B mechanism. =head1 WARNING In general a verification callback should B unconditionally return 1 in all circumstances because this will allow verification to succeed no matter what the error. This effectively removes all security from the application because B certificate (including untrusted generated ones) will be accepted. =head1 NOTES The verification callback can be set and inherited from the parent structure performing the operation. In some cases (such as S/MIME verification) the B structure is created and destroyed internally and the only way to set a custom verification callback is by inheriting it from the associated B. =head1 RETURN VALUES X509_STORE_CTX_set_verify_cb() does not return a value. =head1 EXAMPLES Default callback operation: int verify_callback(int ok, X509_STORE_CTX *ctx) { return ok; } Simple example, suppose a certificate in the chain is expired and we wish to continue after this error: int verify_callback(int ok, X509_STORE_CTX *ctx) { /* Tolerate certificate expiration */ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) return 1; /* Otherwise don't override */ return ok; } More complex example, we don't wish to continue after B certificate has expired just one specific case: int verify_callback(int ok, X509_STORE_CTX *ctx) { int err = X509_STORE_CTX_get_error(ctx); X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); if (err == X509_V_ERR_CERT_HAS_EXPIRED) { if (check_is_acceptable_expired_cert(err_cert) return 1; } return ok; } Full featured logging callback. In this case the B is assumed to be a global logging B, an alternative would to store a BIO in B using B. int verify_callback(int ok, X509_STORE_CTX *ctx) { X509 *err_cert; int err,depth; err_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); depth = X509_STORE_CTX_get_error_depth(ctx); BIO_printf(bio_err,"depth=%d ",depth); if (err_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); } else BIO_puts(bio_err, "\n"); if (!ok) BIO_printf(bio_err,"verify error:num=%d:%s\n",err, X509_verify_cert_error_string(err)); switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: BIO_puts(bio_err,"issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(bio_err, ctx); break; } if (err == X509_V_OK && ok == 2) /* print out policies */ BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } =head1 SEE ALSO L L L =head1 HISTORY X509_STORE_CTX_set_verify_cb() is available in all versions of SSLeay and OpenSSL. =cut