1=pod
2
3=head1 NAME
4
5SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
6
7=head1 SYNOPSIS
8
9 #include <openssl/ssl.h>
10
11 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
12                                       int (*callback)(X509_STORE_CTX *, void *),
13                                       void *arg);
14
15=head1 DESCRIPTION
16
17SSL_CTX_set_cert_verify_callback() sets the verification callback function for
18I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
19the time when L<SSL_new(3)> is called.
20
21=head1 NOTES
22
23When a peer certificate has been received during an SSL/TLS handshake,
24a verification function is called regardless of the verification mode.
25If the application does not explicitly specify a verification callback function,
26the built-in verification function is used.
27If a verification callback I<callback> is specified via
28SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
29instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg).
30The argument I<arg> is specified by the application when setting I<callback>.
31By setting I<callback> to NULL, the default behaviour is restored.
32
33I<callback> should return 1 to indicate verification success
34and 0 to indicate verification failure.
35In server mode, a return value of 0 leads to handshake failure.
36In client mode, the behaviour is as follows.
37All values, including 0, are ignored
38if the verification mode is B<SSL_VERIFY_NONE>.
39Otherwise, when the return value is less than or equal to 0, the handshake will
40fail.
41
42In client mode I<callback> may also call the L<SSL_set_retry_verify(3)>
43function on the B<SSL> object set in the I<x509_store_ctx> ex data (see
44L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>) and return 1. This would be
45typically done in case the certificate verification was not yet able
46to succeed. This makes the handshake suspend and return control to the
47calling application with B<SSL_ERROR_WANT_RETRY_VERIFY>. The app can for
48instance fetch further certificates or cert status information needed for
49the verification. Calling L<SSL_connect(3)> again resumes the connection
50attempt by retrying the server certificate verification step.
51This process may even be repeated if need be.
52
53In any case a viable verification result value must be reflected
54in the B<error> member of I<x509_store_ctx>,
55which can be done using L<X509_STORE_CTX_set_error(3)>.
56This is particularly important in case
57the I<callback> allows the connection to continue (by returning 1).
58Note that the verification status in the store context is a possibly durable
59indication of the chain's validity!
60This gets recorded in the SSL session (and thus also in session tickets)
61and the validity of the originally presented chain is then visible
62on resumption, even though no chain is presented int that case.
63Moreover, the calling application will be informed about the detailed result of
64the verification procedure and may elect to base further decisions on it.
65
66Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
67function set using L<SSL_CTX_set_verify(3)>.
68
69=head1 RETURN VALUES
70
71SSL_CTX_set_cert_verify_callback() does not return a value.
72
73=head1 WARNINGS
74
75Do not mix the verification callback described in this function with the
76B<verify_callback> function called during the verification process. The
77latter is set using the L<SSL_CTX_set_verify(3)>
78family of functions.
79
80Providing a complete verification procedure including certificate purpose
81settings etc is a complex task. The built-in procedure is quite powerful
82and in most cases it should be sufficient to modify its behaviour using
83the B<verify_callback> function.
84
85=head1 BUGS
86
87SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
88
89=head1 SEE ALSO
90
91L<ssl(7)>, L<SSL_CTX_set_verify(3)>,
92L<X509_STORE_CTX_set_error(3)>,
93L<SSL_get_verify_result(3)>,
94L<SSL_set_retry_verify(3)>,
95L<SSL_CTX_load_verify_locations(3)>
96
97=head1 COPYRIGHT
98
99Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
100
101Licensed under the Apache License 2.0 (the "License").  You may not use
102this file except in compliance with the License.  You can obtain a copy
103in the file LICENSE in the source distribution or at
104L<https://www.openssl.org/source/license.html>.
105
106=cut
107