X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fssl%2FSSL_CTX_set_verify.pod;h=ca8d81b82c818d08f209c73a98ebd7def83ac257;hb=5a84b7fc2db33cdefc5a7b62f0169f2c08fb3d9b;hp=fc0b76118fd168ae43dcd4485e932838ccc2eaaa;hpb=b5a6f0a92d89ac586fc007ebe69ebc985551f366;p=oweals%2Fopenssl.git diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index fc0b76118f..ca8d81b82c 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result. B the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. B the server certificate is verified. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored. @@ -92,6 +92,15 @@ B ignored Exactly one of the B flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be set at any time. +The actual verification procedure is performed either using the built-in +verification procedure or using another application provided verification +function set with +L. +The following descriptions apply in the case of the built-in procedure. An +application provided procedure also has access to the verify depth information +and the verify_callback() function, but the way this information is used +may be different. + SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up to which depth certificates in a chain are used during the verification procedure. If the certificate chain is longer than allowed, the certificates @@ -126,9 +135,9 @@ process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If B returns 1, the verification process is continued. If B always returns -1, the TLS/SSL handshake will never be terminated because of this application -experiencing a verification failure. The calling process can however -retrieve the error code of the last verification error using +1, the TLS/SSL handshake will not be terminated with respect to verification +failures and the connection will be established. The calling process can +however retrieve the error code of the last verification error using L or by maintaining its own error storage managed by B. @@ -226,7 +235,7 @@ L). * At this point, err contains the last verification error. We can use * it for something special */ - if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); printf("issuer= %s\n", buf); @@ -278,6 +287,7 @@ L, L, L, L, +L, L, L