1=pod 2 3=head1 NAME 4 5SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure 6 7=head1 SYNOPSIS 8 9 #include <openssl/ssl.h> 10 11 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, 12 int (*callback)(X509_STORE_CTX *, void *), 13 void *arg); 14 15=head1 DESCRIPTION 16 17SSL_CTX_set_cert_verify_callback() sets the verification callback function for 18I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at 19the time when L<SSL_new(3)> is called. 20 21=head1 NOTES 22 23Whenever a certificate is verified during a SSL/TLS handshake, a verification 24function is called. If the application does not explicitly specify a 25verification callback function, the built-in verification function is used. 26If a verification callback I<callback> is specified via 27SSL_CTX_set_cert_verify_callback(), the supplied callback function is called 28instead. By setting I<callback> to NULL, the default behaviour is restored. 29 30When the verification must be performed, I<callback> will be called with 31the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The 32argument I<arg> is specified by the application when setting I<callback>. 33 34I<callback> should return 1 to indicate verification success and 0 to 35indicate verification failure. If SSL_VERIFY_PEER is set and I<callback> 36returns 0, the handshake will fail. As the verification procedure may 37allow the connection to continue in the case of failure (by always 38returning 1) the verification result must be set in any case using the 39B<error> member of I<x509_store_ctx> so that the calling application 40will be informed about the detailed result of the verification procedure! 41 42Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> 43function set using L<SSL_CTX_set_verify(3)>. 44 45=head1 RETURN VALUES 46 47SSL_CTX_set_cert_verify_callback() does not return a value. 48 49=head1 WARNINGS 50 51Do not mix the verification callback described in this function with the 52B<verify_callback> function called during the verification process. The 53latter is set using the L<SSL_CTX_set_verify(3)> 54family of functions. 55 56Providing a complete verification procedure including certificate purpose 57settings etc is a complex task. The built-in procedure is quite powerful 58and in most cases it should be sufficient to modify its behaviour using 59the B<verify_callback> function. 60 61=head1 BUGS 62 63SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. 64 65=head1 SEE ALSO 66 67L<ssl(7)>, L<SSL_CTX_set_verify(3)>, 68L<SSL_get_verify_result(3)>, 69L<SSL_CTX_load_verify_locations(3)> 70 71=head1 COPYRIGHT 72 73Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. 74 75Licensed under the OpenSSL license (the "License"). You may not use 76this file except in compliance with the License. You can obtain a copy 77in the file LICENSE in the source distribution or at 78L<https://www.openssl.org/source/license.html>. 79 80=cut 81