5 SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
9 #include <openssl/ssl.h>
11 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
12 int (*callback)(X509_STORE_CTX *, void *),
17 SSL_CTX_set_cert_verify_callback() sets the verification callback function for
18 I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
19 the time when L<SSL_new(3)> is called.
23 When a peer certificate has been received during a SSL/TLS handshake,
24 a verification function is called regardless of the verification mode.
25 If the application does not explicitly specify a verification callback function,
26 the built-in verification function is used.
27 If a verification callback I<callback> is specified via
28 SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
29 instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg).
30 The argument I<arg> is specified by the application when setting I<callback>.
31 By setting I<callback> to NULL, the default behaviour is restored.
33 I<callback> should return 1 to indicate verification success
34 and 0 to indicate verification failure.
35 In server mode, a return value other than 1 leads to handshake failure.
36 In client mode, the behaviour is as follows.
37 A return value greater than 1 leads to handshake failure.
38 Other values are ignored if the verification mode is B<SSL_VERIFY_NONE>.
39 On return value 0 the handshake will fail.
41 In client mode I<callback> may also return -1,
42 typically on failure verifying the server certificate.
43 This makes the handshake suspend and return control to the calling application
44 with B<SSL_ERROR_WANT_RETRY_VERIFY>.
45 The app can for instance fetch further certificates or cert status information
46 needed for the verification.
47 Calling L<SSL_connect(3)> again resumes the connection attempt
48 by retrying the server certificate verification step.
49 This process may even be repeated if need be.
51 In any case a viable verification result value must be reflected
52 in the B<error> member of I<x509_store_ctx>,
53 which can be done using L<X509_STORE_CTX_set_error(3)>.
54 This is particularly important in case
55 the I<callback> allows the connection to continue (by returning 1).
56 Note that the verification status in the store context is a possibly durable
57 indication of the chain's validity!
58 This gets recorded in the SSL session (and thus also in session tickets)
59 and the validity of the originally presented chain is then visible
60 on resumption, even though no chain is presented int that case.
61 Moreover, the calling application will be informed about the detailed result of
62 the verification procedure and may elect to base further decisions on it.
64 Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
65 function set using L<SSL_CTX_set_verify(3)>.
69 SSL_CTX_set_cert_verify_callback() does not return a value.
73 Do not mix the verification callback described in this function with the
74 B<verify_callback> function called during the verification process. The
75 latter is set using the L<SSL_CTX_set_verify(3)>
78 Providing a complete verification procedure including certificate purpose
79 settings etc is a complex task. The built-in procedure is quite powerful
80 and in most cases it should be sufficient to modify its behaviour using
81 the B<verify_callback> function.
85 SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
89 L<ssl(7)>, L<SSL_CTX_set_verify(3)>,
90 L<X509_STORE_CTX_set_error(3)>,
91 L<SSL_get_verify_result(3)>,
92 L<SSL_CTX_load_verify_locations(3)>
96 Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
98 Licensed under the Apache License 2.0 (the "License"). You may not use
99 this file except in compliance with the License. You can obtain a copy
100 in the file LICENSE in the source distribution or at
101 L<https://www.openssl.org/source/license.html>.
projects / openssl.git / blob