| 1 | .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 |
| 2 | .\" |
| 3 | .\" Standard preamble: |
| 4 | .\" ======================================================================== |
| 5 | .de Sh \" Subsection heading |
| 6 | .br |
| 7 | .if t .Sp |
| 8 | .ne 5 |
| 9 | .PP |
| 10 | \fB\\$1\fR |
| 11 | .PP |
| 12 | .. |
| 13 | .de Sp \" Vertical space (when we can't use .PP) |
| 14 | .if t .sp .5v |
| 15 | .if n .sp |
| 16 | .. |
| 17 | .de Vb \" Begin verbatim text |
| 18 | .ft CW |
| 19 | .nf |
| 20 | .ne \\$1 |
| 21 | .. |
| 22 | .de Ve \" End verbatim text |
| 23 | .ft R |
| 24 | .fi |
| 25 | .. |
| 26 | .\" Set up some character translations and predefined strings. \*(-- will |
| 27 | .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
| 28 | .\" double quote, and \*(R" will give a right double quote. | will give a |
| 29 | .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to |
| 30 | .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' |
| 31 | .\" expand to `' in nroff, nothing in troff, for use with C<>. |
| 32 | .tr \(*W-|\(bv\*(Tr |
| 33 | .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
| 34 | .ie n \{\ |
| 35 | . ds -- \(*W- |
| 36 | . ds PI pi |
| 37 | . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
| 38 | . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
| 39 | . ds L" "" |
| 40 | . ds R" "" |
| 41 | . ds C` "" |
| 42 | . ds C' "" |
| 43 | 'br\} |
| 44 | .el\{\ |
| 45 | . ds -- \|\(em\| |
| 46 | . ds PI \(*p |
| 47 | . ds L" `` |
| 48 | . ds R" '' |
| 49 | 'br\} |
| 50 | .\" |
| 51 | .\" If the F register is turned on, we'll generate index entries on stderr for |
| 52 | .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index |
| 53 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
| 54 | .\" output yourself in some meaningful fashion. |
| 55 | .if \nF \{\ |
| 56 | . de IX |
| 57 | . tm Index:\\$1\t\\n%\t"\\$2" |
| 58 | .. |
| 59 | . nr % 0 |
| 60 | . rr F |
| 61 | .\} |
| 62 | .\" |
| 63 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| 64 | .\" way too many mistakes in technical documents. |
| 65 | .hy 0 |
| 66 | .if n .na |
| 67 | .\" |
| 68 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
| 69 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
| 70 | . \" fudge factors for nroff and troff |
| 71 | .if n \{\ |
| 72 | . ds #H 0 |
| 73 | . ds #V .8m |
| 74 | . ds #F .3m |
| 75 | . ds #[ \f1 |
| 76 | . ds #] \fP |
| 77 | .\} |
| 78 | .if t \{\ |
| 79 | . ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
| 80 | . ds #V .6m |
| 81 | . ds #F 0 |
| 82 | . ds #[ \& |
| 83 | . ds #] \& |
| 84 | .\} |
| 85 | . \" simple accents for nroff and troff |
| 86 | .if n \{\ |
| 87 | . ds ' \& |
| 88 | . ds ` \& |
| 89 | . ds ^ \& |
| 90 | . ds , \& |
| 91 | . ds ~ ~ |
| 92 | . ds / |
| 93 | .\} |
| 94 | .if t \{\ |
| 95 | . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
| 96 | . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
| 97 | . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
| 98 | . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
| 99 | . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
| 100 | . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
| 101 | .\} |
| 102 | . \" troff and (daisy-wheel) nroff accents |
| 103 | .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
| 104 | .ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
| 105 | .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
| 106 | .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
| 107 | .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
| 108 | .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
| 109 | .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
| 110 | .ds ae a\h'-(\w'a'u*4/10)'e |
| 111 | .ds Ae A\h'-(\w'A'u*4/10)'E |
| 112 | . \" corrections for vroff |
| 113 | .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
| 114 | .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
| 115 | . \" for low resolution devices (crt and lpr) |
| 116 | .if \n(.H>23 .if \n(.V>19 \ |
| 117 | \{\ |
| 118 | . ds : e |
| 119 | . ds 8 ss |
| 120 | . ds o a |
| 121 | . ds d- d\h'-1'\(ga |
| 122 | . ds D- D\h'-1'\(hy |
| 123 | . ds th \o'bp' |
| 124 | . ds Th \o'LP' |
| 125 | . ds ae ae |
| 126 | . ds Ae AE |
| 127 | .\} |
| 128 | .rm #[ #] #H #V #F C |
| 129 | .\" ======================================================================== |
| 130 | .\" |
| 131 | .IX Title "SSL_CTX_set_verify 3" |
| 132 | .TH SSL_CTX_set_verify 3 "2008-09-27" "0.9.8i" "OpenSSL" |
| 133 | .SH "NAME" |
| 134 | SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters |
| 135 | .SH "SYNOPSIS" |
| 136 | .IX Header "SYNOPSIS" |
| 137 | .Vb 1 |
| 138 | \& #include <openssl/ssl.h> |
| 139 | .Ve |
| 140 | .PP |
| 141 | .Vb 6 |
| 142 | \& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, |
| 143 | \& int (*verify_callback)(int, X509_STORE_CTX *)); |
| 144 | \& void SSL_set_verify(SSL *s, int mode, |
| 145 | \& int (*verify_callback)(int, X509_STORE_CTX *)); |
| 146 | \& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); |
| 147 | \& void SSL_set_verify_depth(SSL *s, int depth); |
| 148 | .Ve |
| 149 | .PP |
| 150 | .Vb 1 |
| 151 | \& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); |
| 152 | .Ve |
| 153 | .SH "DESCRIPTION" |
| 154 | .IX Header "DESCRIPTION" |
| 155 | \&\fISSL_CTX_set_verify()\fR sets the verification flags for \fBctx\fR to be \fBmode\fR and |
| 156 | specifies the \fBverify_callback\fR function to be used. If no callback function |
| 157 | shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR. |
| 158 | .PP |
| 159 | \&\fISSL_set_verify()\fR sets the verification flags for \fBssl\fR to be \fBmode\fR and |
| 160 | specifies the \fBverify_callback\fR function to be used. If no callback function |
| 161 | shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR. In |
| 162 | this case last \fBverify_callback\fR set specifically for this \fBssl\fR remains. If |
| 163 | no special \fBcallback\fR was set before, the default callback for the underlying |
| 164 | \&\fBctx\fR is used, that was valid at the the time \fBssl\fR was created with |
| 165 | \&\fISSL_new\fR\|(3). |
| 166 | .PP |
| 167 | \&\fISSL_CTX_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain |
| 168 | verification that shall be allowed for \fBctx\fR. (See the \s-1BUGS\s0 section.) |
| 169 | .PP |
| 170 | \&\fISSL_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain |
| 171 | verification that shall be allowed for \fBssl\fR. (See the \s-1BUGS\s0 section.) |
| 172 | .SH "NOTES" |
| 173 | .IX Header "NOTES" |
| 174 | The verification of certificates can be controlled by a set of logically |
| 175 | or'ed \fBmode\fR flags: |
| 176 | .IP "\s-1SSL_VERIFY_NONE\s0" 4 |
| 177 | .IX Item "SSL_VERIFY_NONE" |
| 178 | \&\fBServer mode:\fR the server will not send a client certificate request to the |
| 179 | client, so the client will not send a certificate. |
| 180 | .Sp |
| 181 | \&\fBClient mode:\fR if not using an anonymous cipher (by default disabled), the |
| 182 | server will send a certificate which will be checked. The result of the |
| 183 | certificate verification process can be checked after the \s-1TLS/SSL\s0 handshake |
| 184 | using the \fISSL_get_verify_result\fR\|(3) function. |
| 185 | The handshake will be continued regardless of the verification result. |
| 186 | .IP "\s-1SSL_VERIFY_PEER\s0" 4 |
| 187 | .IX Item "SSL_VERIFY_PEER" |
| 188 | \&\fBServer mode:\fR the server sends a client certificate request to the client. |
| 189 | The certificate returned (if any) is checked. If the verification process |
| 190 | fails, the \s-1TLS/SSL\s0 handshake is |
| 191 | immediately terminated with an alert message containing the reason for |
| 192 | the verification failure. |
| 193 | The behaviour can be controlled by the additional |
| 194 | \&\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0 and \s-1SSL_VERIFY_CLIENT_ONCE\s0 flags. |
| 195 | .Sp |
| 196 | \&\fBClient mode:\fR the server certificate is verified. If the verification process |
| 197 | fails, the \s-1TLS/SSL\s0 handshake is |
| 198 | immediately terminated with an alert message containing the reason for |
| 199 | the verification failure. If no server certificate is sent, because an |
| 200 | anonymous cipher is used, \s-1SSL_VERIFY_PEER\s0 is ignored. |
| 201 | .IP "\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0" 4 |
| 202 | .IX Item "SSL_VERIFY_FAIL_IF_NO_PEER_CERT" |
| 203 | \&\fBServer mode:\fR if the client did not return a certificate, the \s-1TLS/SSL\s0 |
| 204 | handshake is immediately terminated with a \*(L"handshake failure\*(R" alert. |
| 205 | This flag must be used together with \s-1SSL_VERIFY_PEER\s0. |
| 206 | .Sp |
| 207 | \&\fBClient mode:\fR ignored |
| 208 | .IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4 |
| 209 | .IX Item "SSL_VERIFY_CLIENT_ONCE" |
| 210 | \&\fBServer mode:\fR only request a client certificate on the initial \s-1TLS/SSL\s0 |
| 211 | handshake. Do not ask for a client certificate again in case of a |
| 212 | renegotiation. This flag must be used together with \s-1SSL_VERIFY_PEER\s0. |
| 213 | .Sp |
| 214 | \&\fBClient mode:\fR ignored |
| 215 | .PP |
| 216 | Exactly one of the \fBmode\fR flags \s-1SSL_VERIFY_NONE\s0 and \s-1SSL_VERIFY_PEER\s0 must be |
| 217 | set at any time. |
| 218 | .PP |
| 219 | The actual verification procedure is performed either using the built-in |
| 220 | verification procedure or using another application provided verification |
| 221 | function set with |
| 222 | \&\fISSL_CTX_set_cert_verify_callback\fR\|(3). |
| 223 | The following descriptions apply in the case of the built-in procedure. An |
| 224 | application provided procedure also has access to the verify depth information |
| 225 | and the \fIverify_callback()\fR function, but the way this information is used |
| 226 | may be different. |
| 227 | .PP |
| 228 | \&\fISSL_CTX_set_verify_depth()\fR and \fISSL_set_verify_depth()\fR set the limit up |
| 229 | to which depth certificates in a chain are used during the verification |
| 230 | procedure. If the certificate chain is longer than allowed, the certificates |
| 231 | above the limit are ignored. Error messages are generated as if these |
| 232 | certificates would not be present, most likely a |
| 233 | X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. |
| 234 | The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R", |
| 235 | \&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum |
| 236 | depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, |
| 237 | allowing for the peer certificate and additional 9 \s-1CA\s0 certificates. |
| 238 | .PP |
| 239 | The \fBverify_callback\fR function is used to control the behaviour when the |
| 240 | \&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and |
| 241 | receives two arguments: \fBpreverify_ok\fR indicates, whether the verification of |
| 242 | the certificate in question was passed (preverify_ok=1) or not |
| 243 | (preverify_ok=0). \fBx509_ctx\fR is a pointer to the complete context used |
| 244 | for the certificate chain verification. |
| 245 | .PP |
| 246 | The certificate chain is checked starting with the deepest nesting level |
| 247 | (the root \s-1CA\s0 certificate) and worked upward to the peer's certificate. |
| 248 | At each level signatures and issuer attributes are checked. Whenever |
| 249 | a verification error is found, the error number is stored in \fBx509_ctx\fR |
| 250 | and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying |
| 251 | X509_CTX_store_* functions \fBverify_callback\fR can locate the certificate |
| 252 | in question and perform additional steps (see \s-1EXAMPLES\s0). If no error is |
| 253 | found for a certificate, \fBverify_callback\fR is called with \fBpreverify_ok\fR=1 |
| 254 | before advancing to the next level. |
| 255 | .PP |
| 256 | The return value of \fBverify_callback\fR controls the strategy of the further |
| 257 | verification process. If \fBverify_callback\fR returns 0, the verification |
| 258 | process is immediately stopped with \*(L"verification failed\*(R" state. If |
| 259 | \&\s-1SSL_VERIFY_PEER\s0 is set, a verification failure alert is sent to the peer and |
| 260 | the \s-1TLS/SSL\s0 handshake is terminated. If \fBverify_callback\fR returns 1, |
| 261 | the verification process is continued. If \fBverify_callback\fR always returns |
| 262 | 1, the \s-1TLS/SSL\s0 handshake will not be terminated with respect to verification |
| 263 | failures and the connection will be established. The calling process can |
| 264 | however retrieve the error code of the last verification error using |
| 265 | \&\fISSL_get_verify_result\fR\|(3) or by maintaining its |
| 266 | own error storage managed by \fBverify_callback\fR. |
| 267 | .PP |
| 268 | If no \fBverify_callback\fR is specified, the default callback will be used. |
| 269 | Its return value is identical to \fBpreverify_ok\fR, so that any verification |
| 270 | failure will lead to a termination of the \s-1TLS/SSL\s0 handshake with an |
| 271 | alert message, if \s-1SSL_VERIFY_PEER\s0 is set. |
| 272 | .SH "BUGS" |
| 273 | .IX Header "BUGS" |
| 274 | In client mode, it is not checked whether the \s-1SSL_VERIFY_PEER\s0 flag |
| 275 | is set, but whether \s-1SSL_VERIFY_NONE\s0 is not set. This can lead to |
| 276 | unexpected behaviour, if the \s-1SSL_VERIFY_PEER\s0 and \s-1SSL_VERIFY_NONE\s0 are not |
| 277 | used as required (exactly one must be set at any time). |
| 278 | .PP |
| 279 | The certificate verification depth set with SSL[_CTX]\fI_verify_depth()\fR |
| 280 | stops the verification at a certain depth. The error message produced |
| 281 | will be that of an incomplete certificate chain and not |
| 282 | X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. |
| 283 | .SH "RETURN VALUES" |
| 284 | .IX Header "RETURN VALUES" |
| 285 | The SSL*_set_verify*() functions do not provide diagnostic information. |
| 286 | .SH "EXAMPLES" |
| 287 | .IX Header "EXAMPLES" |
| 288 | The following code sequence realizes an example \fBverify_callback\fR function |
| 289 | that will always continue the \s-1TLS/SSL\s0 handshake regardless of verification |
| 290 | failure, if wished. The callback realizes a verification depth limit with |
| 291 | more informational output. |
| 292 | .PP |
| 293 | All verification errors are printed, informations about the certificate chain |
| 294 | are printed on request. |
| 295 | The example is realized for a server that does allow but not require client |
| 296 | certificates. |
| 297 | .PP |
| 298 | The example makes use of the ex_data technique to store application data |
| 299 | into/retrieve application data from the \s-1SSL\s0 structure |
| 300 | (see \fISSL_get_ex_new_index\fR\|(3), |
| 301 | \&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)). |
| 302 | .PP |
| 303 | .Vb 15 |
| 304 | \& ... |
| 305 | \& typedef struct { |
| 306 | \& int verbose_mode; |
| 307 | \& int verify_depth; |
| 308 | \& int always_continue; |
| 309 | \& } mydata_t; |
| 310 | \& int mydata_index; |
| 311 | \& ... |
| 312 | \& static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) |
| 313 | \& { |
| 314 | \& char buf[256]; |
| 315 | \& X509 *err_cert; |
| 316 | \& int err, depth; |
| 317 | \& SSL *ssl; |
| 318 | \& mydata_t *mydata; |
| 319 | .Ve |
| 320 | .PP |
| 321 | .Vb 3 |
| 322 | \& err_cert = X509_STORE_CTX_get_current_cert(ctx); |
| 323 | \& err = X509_STORE_CTX_get_error(ctx); |
| 324 | \& depth = X509_STORE_CTX_get_error_depth(ctx); |
| 325 | .Ve |
| 326 | .PP |
| 327 | .Vb 6 |
| 328 | \& /* |
| 329 | \& * Retrieve the pointer to the SSL of the connection currently treated |
| 330 | \& * and the application specific data stored into the SSL object. |
| 331 | \& */ |
| 332 | \& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); |
| 333 | \& mydata = SSL_get_ex_data(ssl, mydata_index); |
| 334 | .Ve |
| 335 | .PP |
| 336 | .Vb 1 |
| 337 | \& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); |
| 338 | .Ve |
| 339 | .PP |
| 340 | .Vb 22 |
| 341 | \& /* |
| 342 | \& * Catch a too long certificate chain. The depth limit set using |
| 343 | \& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so |
| 344 | \& * that whenever the "depth>verify_depth" condition is met, we |
| 345 | \& * have violated the limit and want to log this error condition. |
| 346 | \& * We must do it here, because the CHAIN_TOO_LONG error would not |
| 347 | \& * be found explicitly; only errors introduced by cutting off the |
| 348 | \& * additional certificates would be logged. |
| 349 | \& */ |
| 350 | \& if (depth > mydata->verify_depth) { |
| 351 | \& preverify_ok = 0; |
| 352 | \& err = X509_V_ERR_CERT_CHAIN_TOO_LONG; |
| 353 | \& X509_STORE_CTX_set_error(ctx, err); |
| 354 | \& } |
| 355 | \& if (!preverify_ok) { |
| 356 | \& printf("verify error:num=%d:%s:depth=%d:%s\en", err, |
| 357 | \& X509_verify_cert_error_string(err), depth, buf); |
| 358 | \& } |
| 359 | \& else if (mydata->verbose_mode) |
| 360 | \& { |
| 361 | \& printf("depth=%d:%s\en", depth, buf); |
| 362 | \& } |
| 363 | .Ve |
| 364 | .PP |
| 365 | .Vb 9 |
| 366 | \& /* |
| 367 | \& * At this point, err contains the last verification error. We can use |
| 368 | \& * it for something special |
| 369 | \& */ |
| 370 | \& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) |
| 371 | \& { |
| 372 | \& X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); |
| 373 | \& printf("issuer= %s\en", buf); |
| 374 | \& } |
| 375 | .Ve |
| 376 | .PP |
| 377 | .Vb 6 |
| 378 | \& if (mydata->always_continue) |
| 379 | \& return 1; |
| 380 | \& else |
| 381 | \& return preverify_ok; |
| 382 | \& } |
| 383 | \& ... |
| 384 | .Ve |
| 385 | .PP |
| 386 | .Vb 1 |
| 387 | \& mydata_t mydata; |
| 388 | .Ve |
| 389 | .PP |
| 390 | .Vb 2 |
| 391 | \& ... |
| 392 | \& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); |
| 393 | .Ve |
| 394 | .PP |
| 395 | .Vb 3 |
| 396 | \& ... |
| 397 | \& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, |
| 398 | \& verify_callback); |
| 399 | .Ve |
| 400 | .PP |
| 401 | .Vb 5 |
| 402 | \& /* |
| 403 | \& * Let the verify_callback catch the verify_depth error so that we get |
| 404 | \& * an appropriate error in the logfile. |
| 405 | \& */ |
| 406 | \& SSL_CTX_set_verify_depth(verify_depth + 1); |
| 407 | .Ve |
| 408 | .PP |
| 409 | .Vb 6 |
| 410 | \& /* |
| 411 | \& * Set up the SSL specific data into "mydata" and store it into th SSL |
| 412 | \& * structure. |
| 413 | \& */ |
| 414 | \& mydata.verify_depth = verify_depth; ... |
| 415 | \& SSL_set_ex_data(ssl, mydata_index, &mydata); |
| 416 | .Ve |
| 417 | .PP |
| 418 | .Vb 9 |
| 419 | \& ... |
| 420 | \& SSL_accept(ssl); /* check of success left out for clarity */ |
| 421 | \& if (peer = SSL_get_peer_certificate(ssl)) |
| 422 | \& { |
| 423 | \& if (SSL_get_verify_result(ssl) == X509_V_OK) |
| 424 | \& { |
| 425 | \& /* The client sent a certificate which verified OK */ |
| 426 | \& } |
| 427 | \& } |
| 428 | .Ve |
| 429 | .SH "SEE ALSO" |
| 430 | .IX Header "SEE ALSO" |
| 431 | \&\fIssl\fR\|(3), \fISSL_new\fR\|(3), |
| 432 | \&\fISSL_CTX_get_verify_mode\fR\|(3), |
| 433 | \&\fISSL_get_verify_result\fR\|(3), |
| 434 | \&\fISSL_CTX_load_verify_locations\fR\|(3), |
| 435 | \&\fISSL_get_peer_certificate\fR\|(3), |
| 436 | \&\fISSL_CTX_set_cert_verify_callback\fR\|(3), |
| 437 | \&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3), |
| 438 | \&\fISSL_get_ex_new_index\fR\|(3) |