From: Lutz Jänicke Date: Thu, 23 Aug 2001 15:01:36 +0000 (+0000) Subject: As discussed recently on openssl-users. X-Git-Tag: OpenSSL_0_9_6c~134 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=187ebb98ad21bdd0edfd54bed4fd7df41f000df2;p=oweals%2Fopenssl.git As discussed recently on openssl-users. --- diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index fc0b76118f..5bb21ca535 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result. B the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. B the server certificate is verified. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored. @@ -92,6 +92,15 @@ B ignored Exactly one of the B flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be set at any time. +The actual verification procedure is performed either using the built-in +verification procedure or using another application provided verification +function set with +L. +The following descriptions apply in the case of the built-in procedure. An +application provided procedure also has access to the verify depth information +and the verify_callback() function, but the way this information is used +may be different. + SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up to which depth certificates in a chain are used during the verification procedure. If the certificate chain is longer than allowed, the certificates @@ -278,6 +287,7 @@ L, L, L, L, +L, L, L diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 8021bdcade..9fc24a37b8 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -299,7 +299,7 @@ protocol context defined in the B structure. =item void B(SSL_CTX *ctx, X509_STORE *cs); -=item void B(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg) +=item void B(SSL_CTX *ctx, int (*cb)(), char *arg) =item int B(SSL_CTX *ctx, char *str); @@ -663,6 +663,7 @@ L, L, L, L, +L, L, L, L,