X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=doc%2Fman3%2FX509_STORE_CTX_set_verify_cb.pod;h=fefe6a25a0fef942e5750cdc93931d2503807d22;hb=bf973d0697e61a44dc46d08b0421a08a8cb61887;hp=f8e5501bbc8220c99577f121c86bf6c2a5309934;hpb=2947af32a0ec6666efd5b287ac4609ba3a984f0d;p=openssl.git diff --git a/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/doc/man3/X509_STORE_CTX_set_verify_cb.pod index f8e5501bbc..fefe6a25a0 100644 --- a/doc/man3/X509_STORE_CTX_set_verify_cb.pod +++ b/doc/man3/X509_STORE_CTX_set_verify_cb.pod @@ -14,14 +14,16 @@ X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, -X509_STORE_CTX_verify_cb -- get and set verification callback +X509_STORE_CTX_verify_cb, +X509_STORE_CTX_print_verify_cb +- get and set X509_STORE_CTX components such as verification callback =head1 SYNOPSIS #include typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); + int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx); X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx); @@ -45,10 +47,10 @@ X509_STORE_CTX_set_verify_cb() sets the verification callback of B to B overwriting any existing callback. The verification callback can be used to customise the operation of certificate -verification, either by overriding error conditions or logging errors for +verification, for instance by overriding error conditions or logging errors for debugging purposes. -However a verification callback is B essential and the default operation +However, a verification callback is B essential and the default operation is often sufficient. The B parameter to the callback indicates the value the callback should @@ -63,6 +65,12 @@ structure and receive additional information about the error, for example by calling X509_STORE_CTX_get_current_cert(). Additional application data can be passed to the callback via the B mechanism. +X509_STORE_CTX_print_verify_cb() is a verification callback function that, +when a certificate verification has failed, adds an entry to the error queue +with code B and with diagnostic details, +including the most relevant fields of the target certificate that failed to +verify and, if appropriate, of the available untrusted and trusted certificates. + X509_STORE_CTX_get_verify_cb() returns the value of the current callback for the specific B. @@ -76,7 +84,7 @@ from the corresponding B, please see L for more information. -=head1 WARNING +=head1 WARNINGS In general a verification callback should B unconditionally return 1 in all circumstances because this will allow verification to succeed no matter @@ -122,6 +130,7 @@ expired just one specific case: { int err = X509_STORE_CTX_get_error(ctx); X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); + if (err == X509_V_ERR_CERT_HAS_EXPIRED) { if (check_is_acceptable_expired_cert(err_cert) return 1; @@ -191,18 +200,21 @@ L =head1 HISTORY +The X509_STORE_CTX_get_get_issuer(), X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(), X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(), X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(), X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls() -and X509_STORE_CTX_get_cleanup() were added in OpenSSL 1.1.0. +and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0. + +X509_STORE_CTX_print_verify_cb() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. -Licensed under the OpenSSL license (the "License"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at L.