X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/blobdiff_plain/50b33f0fa41002e8f234c952724f58dc08561fa3..aac4ff6fc8edf615df596debe627e13df2f0945e:/secure/lib/libssl/man/SSL_CTX_set_verify.3 diff --git a/secure/lib/libssl/man/SSL_CTX_set_verify.3 b/secure/lib/libssl/man/SSL_CTX_set_verify.3 index 2db253fb9c..0b9b077478 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_verify.3 +++ b/secure/lib/libssl/man/SSL_CTX_set_verify.3 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.12 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== @@ -25,11 +25,11 @@ .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- +.\" double quote, and \*(R" will give a right double quote. | will give a +.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to +.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' +.\" expand to `' in nroff, nothing in troff, for use with C<>. +.tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- @@ -60,6 +60,11 @@ . rr F .\} .\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff @@ -124,25 +129,25 @@ .\" ======================================================================== .\" .IX Title "SSL_CTX_set_verify 3" -.TH SSL_CTX_set_verify 3 "2007-10-24" "0.9.8g" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh +.TH SSL_CTX_set_verify 3 "2008-09-06" "0.9.8h" "OpenSSL" .SH "NAME" SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include -\& +.Ve +.PP +.Vb 6 \& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, \& int (*verify_callback)(int, X509_STORE_CTX *)); \& void SSL_set_verify(SSL *s, int mode, \& int (*verify_callback)(int, X509_STORE_CTX *)); \& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); \& void SSL_set_verify_depth(SSL *s, int depth); -\& +.Ve +.PP +.Vb 1 \& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); .Ve .SH "DESCRIPTION" @@ -295,7 +300,7 @@ into/retrieve application data from the \s-1SSL\s0 structure (see \fISSL_get_ex_new_index\fR\|(3), \&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)). .PP -.Vb 10 +.Vb 15 \& ... \& typedef struct { \& int verbose_mode; @@ -311,20 +316,28 @@ into/retrieve application data from the \s-1SSL\s0 structure \& int err, depth; \& SSL *ssl; \& mydata_t *mydata; -\& +.Ve +.PP +.Vb 3 \& err_cert = X509_STORE_CTX_get_current_cert(ctx); \& err = X509_STORE_CTX_get_error(ctx); \& depth = X509_STORE_CTX_get_error_depth(ctx); -\& +.Ve +.PP +.Vb 6 \& /* \& * Retrieve the pointer to the SSL of the connection currently treated \& * and the application specific data stored into the SSL object. \& */ \& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); \& mydata = SSL_get_ex_data(ssl, mydata_index); -\& +.Ve +.PP +.Vb 1 \& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); -\& +.Ve +.PP +.Vb 22 \& /* \& * Catch a too long certificate chain. The depth limit set using \& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so @@ -334,7 +347,7 @@ into/retrieve application data from the \s-1SSL\s0 structure \& * be found explicitly; only errors introduced by cutting off the \& * additional certificates would be logged. \& */ -\& if (depth > mydata\->verify_depth) { +\& if (depth > mydata->verify_depth) { \& preverify_ok = 0; \& err = X509_V_ERR_CERT_CHAIN_TOO_LONG; \& X509_STORE_CTX_set_error(ctx, err); @@ -343,50 +356,66 @@ into/retrieve application data from the \s-1SSL\s0 structure \& printf("verify error:num=%d:%s:depth=%d:%s\en", err, \& X509_verify_cert_error_string(err), depth, buf); \& } -\& else if (mydata\->verbose_mode) +\& else if (mydata->verbose_mode) \& { \& printf("depth=%d:%s\en", depth, buf); \& } -\& +.Ve +.PP +.Vb 9 \& /* \& * At this point, err contains the last verification error. We can use \& * it for something special \& */ \& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) \& { -\& X509_NAME_oneline(X509_get_issuer_name(ctx\->current_cert), buf, 256); +\& X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); \& printf("issuer= %s\en", buf); \& } -\& -\& if (mydata\->always_continue) +.Ve +.PP +.Vb 6 +\& if (mydata->always_continue) \& return 1; \& else \& return preverify_ok; \& } \& ... -\& +.Ve +.PP +.Vb 1 \& mydata_t mydata; -\& +.Ve +.PP +.Vb 2 \& ... \& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); -\& +.Ve +.PP +.Vb 3 \& ... \& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, \& verify_callback); -\& +.Ve +.PP +.Vb 5 \& /* \& * Let the verify_callback catch the verify_depth error so that we get \& * an appropriate error in the logfile. \& */ \& SSL_CTX_set_verify_depth(verify_depth + 1); -\& +.Ve +.PP +.Vb 6 \& /* \& * Set up the SSL specific data into "mydata" and store it into th SSL \& * structure. \& */ \& mydata.verify_depth = verify_depth; ... \& SSL_set_ex_data(ssl, mydata_index, &mydata); -\& +.Ve +.PP +.Vb 9 \& ... \& SSL_accept(ssl); /* check of success left out for clarity */ \& if (peer = SSL_get_peer_certificate(ssl))