2 ''' $RCSfile$$Revision$$Date$
20 .ie \\n(.$>=3 .ne \\$3
36 ''' Set up \*(-- to give an unbreakable dash;
37 ''' string Tr holds user defined translation string.
38 ''' Bell System Logo is used as a dummy character.
44 .if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
45 .if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
48 ''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
49 ''' \*(L" and \*(R", except that they are used on ".xx" lines,
50 ''' such as .IP and .SH, which do an additional level of
51 ''' double-quote interpretation
80 .\" If the F register is turned on, we'll generate
81 .\" index entries on stderr for the following things:
86 .\" X<> Xref (embedded
87 .\" Of course, you have to process the output yourself
88 .\" in some meaningful fashion.
91 .tm Index:\\$1\t\\n%\t"\\$2"
96 .TH SSL_CTX_set_cert_verify_callback 3 "0.9.7d" "2/Sep/2004" "OpenSSL"
100 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
101 .de CQ \" put $1 in typewriter font
107 \\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
110 .\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
111 . \" AM - accent mark definitions
113 . \" fudge factors for nroff and troff
122 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
128 . \" simple accents for nroff and troff
141 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
142 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
143 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
144 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
145 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
146 . ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
147 . ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
148 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
149 . ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
151 . \" troff and (daisy-wheel) nroff accents
152 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
153 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
154 .ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
155 .ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
156 .ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
157 .ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
158 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
159 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
160 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
161 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
162 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
163 .ds ae a\h'-(\w'a'u*4/10)'e
164 .ds Ae A\h'-(\w'A'u*4/10)'E
165 .ds oe o\h'-(\w'o'u*4/10)'e
166 .ds Oe O\h'-(\w'O'u*4/10)'E
167 . \" corrections for vroff
168 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
169 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
170 . \" for low resolution devices (crt and lpr)
171 .if \n(.H>23 .if \n(.V>19 \
175 . ds v \h'-1'\o'\(aa\(ga'
191 SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
195 \& #include <openssl/ssl.h>
198 \& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg);
201 \fISSL_CTX_set_cert_verify_callback()\fR sets the verification callback function for
202 \fIctx\fR. SSL objects that are created from \fIctx\fR inherit the setting valid at
203 the time when SSL_new(3) is called.
205 Whenever a certificate is verified during an SSL/TLS handshake, a verification
206 function is called. If the application does not explicitly specify a
207 verification callback function, the built-in verification function is used.
208 If a verification callback \fIcallback\fR is specified via
209 \fISSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
210 instead. By setting \fIcallback\fR to NULL, the default behaviour is restored.
212 When the verification must be performed, \fIcallback\fR will be called with
213 the arguments \fIcallback\fR\|(X509_STORE_CTX *x509_store_ctx, void *arg). The
214 argument \fIarg\fR is specified by the application when setting \fIcallback\fR.
216 \fIcallback\fR should return 1 to indicate verification success and 0 to
217 indicate verification failure. If SSL_VERIFY_PEER is set and \fIcallback\fR
218 returns 0, the handshake will fail. Because the verification procedure may
219 allow the connection to continue in case of failure (by always returning 1),
220 the verification result must be set in any case using the \fBerror\fR
221 member of \fIx509_store_ctx\fR, so that the calling application is informed
222 about the detailed result of the verification procedure. A \fIcallback\fR that returns 1 without recording the failure in \fBerror\fR leaves the application, which reads the result with SSL_get_verify_result(3), unable to tell that the peer certificate did not verify.
224 Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR
225 function set using SSL_CTX_set_verify(3).
227 Do not mix the verification callback described in this function with the
228 \fBverify_callback\fR function called during the verification process. The
229 latter is set using the SSL_CTX_set_verify(3)
232 Providing a complete verification procedure, including certificate purpose
233 settings etc., is a complex task. The built-in procedure is quite powerful
234 and in most cases it should be sufficient to modify its behaviour using
235 the \fBverify_callback\fR function.
238 \fISSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information.
240 ssl(3), SSL_CTX_set_verify(3),
241 SSL_get_verify_result(3),
242 SSL_CTX_load_verify_locations(3)
244 Previous to OpenSSL 0.9.7, the \fIarg\fR argument to \fBSSL_CTX_set_cert_verify_callback\fR
245 was ignored, and \fIcallback\fR was called simply as
246 int (*callback)(X509_STORE_CTX *)
247 To compile software written for previous versions of OpenSSL, a dummy
248 argument will have to be added to \fIcallback\fR.
251 .IX Title "SSL_CTX_set_cert_verify_callback 3"
252 .IX Name "SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure"
256 .IX Header "SYNOPSIS"
258 .IX Header "DESCRIPTION"
262 .IX Header "WARNINGS"
266 .IX Header "RETURN VALUES"
268 .IX Header "SEE ALSO"