xref: /openssl/doc/man3/SSL_CTX_set_verify.pod (revision 5d632274)
1=pod
2
3=head1 NAME
4
5SSL_get_ex_data_X509_STORE_CTX_idx,
6SSL_CTX_set_verify, SSL_set_verify,
7SSL_CTX_set_verify_depth, SSL_set_verify_depth,
8SSL_verify_cb,
9SSL_verify_client_post_handshake,
10SSL_set_post_handshake_auth,
11SSL_CTX_set_post_handshake_auth
12- set various SSL/TLS parameters for peer certificate verification
13
14=head1 SYNOPSIS
15
16 #include <openssl/ssl.h>
17
18 typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
19
20 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback);
21 void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback);
22 SSL_get_ex_data_X509_STORE_CTX_idx(void);
23
24 void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
25 void SSL_set_verify_depth(SSL *ssl, int depth);
26
27 int SSL_verify_client_post_handshake(SSL *ssl);
28 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
29 void SSL_set_post_handshake_auth(SSL *ssl, int val);
30
31=head1 DESCRIPTION
32
33SSL_CTX_set_verify() sets the verification flags for B<ctx> to be B<mode> and
34specifies the B<verify_callback> function to be used. If no callback function
35shall be specified, the NULL pointer can be used for B<verify_callback>. B<ctx> B<MUST NOT> be NULL.
36
37SSL_set_verify() sets the verification flags for B<ssl> to be B<mode> and
38specifies the B<verify_callback> function to be used. If no callback function
39shall be specified, the NULL pointer can be used for B<verify_callback>. In
40this case last B<verify_callback> set specifically for this B<ssl> remains. If
41no special B<callback> was set before, the default callback for the underlying
42B<ctx> is used, that was valid at the time B<ssl> was created with
43L<SSL_new(3)>. Within the callback function,
44B<SSL_get_ex_data_X509_STORE_CTX_idx> can be called to get the data index
45of the current SSL object that is doing the verification.
46
47In client mode B<verify_callback> may also call the L<SSL_set_retry_verify(3)>
48function on the B<SSL> object set in the I<x509_store_ctx> ex data (see
49L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>) and return 1.
50This would be typically done in case the certificate verification was not yet
51able to succeed.
52This makes the handshake suspend and return control to the calling application
53with B<SSL_ERROR_WANT_RETRY_VERIFY>.
54The application can for instance fetch further certificates or cert status
55information needed for the verification.
56Calling L<SSL_connect(3)> again resumes the connection attempt by retrying the
57server certificate verification step.
58This process may even be repeated if need be.
59Note that the handshake may still be aborted if a subsequent invocation of the
60callback (e.g., at a lower depth, or for a separate error condition) returns 0.
61
62SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
63verification that shall be allowed for B<ctx>.
64
65SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
66verification that shall be allowed for B<ssl>.
67
68SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the
69Post-Handshake Authentication extension to be added to the ClientHello such that
70post-handshake authentication can be requested by the server. If B<val> is 0
71then the extension is not sent, otherwise it is. By default the extension is not
72sent. A certificate callback will need to be set via
73SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization.
74
75SSL_verify_client_post_handshake() causes a CertificateRequest message to be
76sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must
77be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional.
78
79=head1 NOTES
80
81The verification of certificates can be controlled by a set of logically
82or'ed B<mode> flags:
83
84=over 4
85
86=item SSL_VERIFY_NONE
87
88B<Server mode:> the server will not send a client certificate request to the
89client, so the client will not send a certificate.
90
91B<Client mode:> if not using an anonymous cipher (by default disabled), the
92server will send a certificate which will be checked. The result of the
93certificate verification process can be checked after the TLS/SSL handshake
94using the L<SSL_get_verify_result(3)> function.
95The handshake will be continued regardless of the verification result.
96
97=item SSL_VERIFY_PEER
98
99B<Server mode:> the server sends a client certificate request to the client.
100The certificate returned (if any) is checked. If the verification process
101fails, the TLS/SSL handshake is
102immediately terminated with an alert message containing the reason for
103the verification failure.
104The behaviour can be controlled by the additional
105SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and
106SSL_VERIFY_POST_HANDSHAKE flags.
107
108B<Client mode:> the server certificate is verified. If the verification process
109fails, the TLS/SSL handshake is
110immediately terminated with an alert message containing the reason for
111the verification failure. If no server certificate is sent, because an
112anonymous cipher is used, SSL_VERIFY_PEER is ignored.
113
114=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT
115
116B<Server mode:> if the client did not return a certificate, the TLS/SSL
117handshake is immediately terminated with a "handshake failure" alert.
118This flag must be used together with SSL_VERIFY_PEER.
119
120B<Client mode:> ignored (see BUGS)
121
122=item SSL_VERIFY_CLIENT_ONCE
123
124B<Server mode:> only request a client certificate once during the
125connection. Do not ask for a client certificate again during
126renegotiation or post-authentication if a certificate was requested
127during the initial handshake. This flag must be used together with
128SSL_VERIFY_PEER.
129
130B<Client mode:> ignored (see BUGS)
131
132=item SSL_VERIFY_POST_HANDSHAKE
133
134B<Server mode:> the server will not send a client certificate request
135during the initial handshake, but will send the request via
136SSL_verify_client_post_handshake(). This allows the SSL_CTX or SSL
137to be configured for post-handshake peer verification before the
138handshake occurs. This flag must be used together with
139SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections.
140
141B<Client mode:> ignored (see BUGS)
142
143=back
144
145If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set.
146
147If verification flags are not modified explicitly by C<SSL_CTX_set_verify()>
148or C<SSL_set_verify()>, the default value will be SSL_VERIFY_NONE.
149
150The actual verification procedure is performed either using the built-in
151verification procedure or using another application provided verification
152function set with
153L<SSL_CTX_set_cert_verify_callback(3)>.
154The following descriptions apply in the case of the built-in procedure. An
155application provided procedure also has access to the verify depth information
156and the verify_callback() function, but the way this information is used
157may be different.
158
159SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set a limit on the
160number of certificates between the end-entity and trust-anchor certificates.
161Neither the
162end-entity nor the trust-anchor certificates count against B<depth>. If the
163certificate chain needed to reach a trusted issuer is longer than B<depth+2>,
164X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
165The depth count is "level 0:peer certificate", "level 1: CA certificate",
166"level 2: higher level CA certificate", and so on. Setting the maximum
167depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
168trust-anchor).
169The default depth limit is 100,
170allowing for the peer certificate, at most 100 intermediate CA certificates and
171a final trust anchor certificate.
172
173The B<verify_callback> function is used to control the behaviour when the
174SSL_VERIFY_PEER flag is set. It must be supplied by the application and
175receives two arguments: B<preverify_ok> indicates, whether the verification of
176the certificate in question was passed (preverify_ok=1) or not
177(preverify_ok=0). B<x509_ctx> is a pointer to the complete context used
178for the certificate chain verification.
179
180The certificate chain is checked starting with the deepest nesting level
181(the root CA certificate) and worked upward to the peer's certificate.
182At each level signatures and issuer attributes are checked. Whenever
183a verification error is found, the error number is stored in B<x509_ctx>
184and B<verify_callback> is called with B<preverify_ok>=0. By applying
185X509_CTX_store_* functions B<verify_callback> can locate the certificate
186in question and perform additional steps (see EXAMPLES). If no error is
187found for a certificate, B<verify_callback> is called with B<preverify_ok>=1
188before advancing to the next level.
189
190The return value of B<verify_callback> controls the strategy of the further
191verification process. If B<verify_callback> returns 0, the verification
192process is immediately stopped with "verification failed" state. If
193SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
194the TLS/SSL handshake is terminated. If B<verify_callback> returns 1,
195the verification process is continued. If B<verify_callback> always returns
1961, the TLS/SSL handshake will not be terminated with respect to verification
197failures and the connection will be established. The calling process can
198however retrieve the error code of the last verification error using
199L<SSL_get_verify_result(3)> or by maintaining its
200own error storage managed by B<verify_callback>.
201
202If no B<verify_callback> is specified, the default callback will be used.
203Its return value is identical to B<preverify_ok>, so that any verification
204failure will lead to a termination of the TLS/SSL handshake with an
205alert message, if SSL_VERIFY_PEER is set.
206
207After calling SSL_set_post_handshake_auth(), the client will need to add a
208certificate or certificate callback to its configuration before it can
209successfully authenticate. This must be called before SSL_connect().
210
211SSL_verify_client_post_handshake() requires that verify flags have been
212previously set, and that a client sent the post-handshake authentication
213extension. When the client returns a certificate the verify callback will be
214invoked. A write operation must take place for the Certificate Request to be
215sent to the client, this can be done with SSL_do_handshake() or SSL_write_ex().
216Only one certificate request may be outstanding at any time.
217
218When post-handshake authentication occurs, a refreshed NewSessionTicket
219message is sent to the client.
220
221Post-handshake authentication cannot be used with QUIC.
222SSL_set_post_handshake_auth() has no effect if called on a QUIC SSL object.
223
224=head1 BUGS
225
226In client mode, it is not checked whether the SSL_VERIFY_PEER flag
227is set, but whether any flags other than SSL_VERIFY_NONE are set. This can
228lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as
229required.
230
231=head1 RETURN VALUES
232
233The SSL*_set_verify*() functions do not provide diagnostic information.
234
235The SSL_verify_client_post_handshake() function returns 1 if the request
236succeeded, and 0 if the request failed. The error stack can be examined
237to determine the failure reason.
238
239=head1 EXAMPLES
240
241The following code sequence realizes an example B<verify_callback> function
242that will always continue the TLS/SSL handshake regardless of verification
243failure, if wished. The callback realizes a verification depth limit with
244more informational output.
245
246All verification errors are printed; information about the certificate chain
247is printed on request.
248The example is realized for a server that does allow but not require client
249certificates.
250
251The example makes use of the ex_data technique to store application data
252into/retrieve application data from the SSL structure
253(see L<CRYPTO_get_ex_new_index(3)>,
254L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
255
256 ...
257 typedef struct {
258   int verbose_mode;
259   int verify_depth;
260   int always_continue;
261 } mydata_t;
262 int mydata_index;
263
264 ...
265 static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
266 {
267     char    buf[256];
268     X509   *err_cert;
269     int     err, depth;
270     SSL    *ssl;
271     mydata_t *mydata;
272
273     err_cert = X509_STORE_CTX_get_current_cert(ctx);
274     err = X509_STORE_CTX_get_error(ctx);
275     depth = X509_STORE_CTX_get_error_depth(ctx);
276
277     /*
278      * Retrieve the pointer to the SSL of the connection currently treated
279      * and the application specific data stored into the SSL object.
280      */
281     ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
282     mydata = SSL_get_ex_data(ssl, mydata_index);
283
284     X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
285
286     /*
287      * Catch a too long certificate chain. The depth limit set using
288      * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
289      * that whenever the "depth>verify_depth" condition is met, we
290      * have violated the limit and want to log this error condition.
291      * We must do it here, because the CHAIN_TOO_LONG error would not
292      * be found explicitly; only errors introduced by cutting off the
293      * additional certificates would be logged.
294      */
295     if (depth > mydata->verify_depth) {
296         preverify_ok = 0;
297         err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
298         X509_STORE_CTX_set_error(ctx, err);
299     }
300     if (!preverify_ok) {
301         printf("verify error:num=%d:%s:depth=%d:%s\n", err,
302                X509_verify_cert_error_string(err), depth, buf);
303     } else if (mydata->verbose_mode) {
304         printf("depth=%d:%s\n", depth, buf);
305     }
306
307     /*
308      * At this point, err contains the last verification error. We can use
309      * it for something special
310      */
311     if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
312         X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
313         printf("issuer= %s\n", buf);
314     }
315
316     if (mydata->always_continue)
317         return 1;
318     else
319         return preverify_ok;
320 }
321 ...
322
323 mydata_t mydata;
324
325 ...
326 mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
327
328 ...
329 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
330                    verify_callback);
331
332 /*
333  * Let the verify_callback catch the verify_depth error so that we get
334  * an appropriate error in the logfile.
335  */
336 SSL_CTX_set_verify_depth(verify_depth + 1);
337
338 /*
339  * Set up the SSL specific data into "mydata" and store it into th SSL
340  * structure.
341  */
342 mydata.verify_depth = verify_depth; ...
343 SSL_set_ex_data(ssl, mydata_index, &mydata);
344
345 ...
346 SSL_accept(ssl);       /* check of success left out for clarity */
347 if (peer = SSL_get_peer_certificate(ssl)) {
348     if (SSL_get_verify_result(ssl) == X509_V_OK) {
349         /* The client sent a certificate which verified OK */
350     }
351 }
352
353=head1 SEE ALSO
354
355L<ssl(7)>, L<SSL_new(3)>,
356L<SSL_CTX_get_verify_mode(3)>,
357L<SSL_get_verify_result(3)>,
358L<SSL_CTX_load_verify_locations(3)>,
359L<SSL_get_peer_certificate(3)>,
360L<SSL_CTX_set_cert_verify_callback(3)>,
361L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
362L<SSL_CTX_set_client_cert_cb(3)>,
363L<CRYPTO_get_ex_new_index(3)>
364
365=head1 HISTORY
366
367The SSL_VERIFY_POST_HANDSHAKE option, and the SSL_verify_client_post_handshake()
368and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1.
369
370=head1 COPYRIGHT
371
372Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
373
374Licensed under the Apache License 2.0 (the "License").  You may not use
375this file except in compliance with the License.  You can obtain a copy
376in the file LICENSE in the source distribution or at
377L<https://www.openssl.org/source/license.html>.
378
379=cut
380