OpenHarmony
Third Party Openssl
Commit c4068186
Written on Aug 23, 2001
Author: Lutz Jänicke
As discussed recently on openssl-users.
Parent: 0a93a680
Changes: 3
Showing 3 changed files with 89 additions and 3 deletions (+89, -3)
doc/ssl/SSL_CTX_set_cert_verify_callback.pod (+75, -0)
doc/ssl/SSL_CTX_set_verify.pod (+12, -2)
doc/ssl/ssl.pod (+2, -1)
doc/ssl/SSL_CTX_set_cert_verify_callback.pod
0 → 100644
=pod
=head1 NAME
SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
char *arg);
int (*callback)();
=head1 DESCRIPTION
SSL_CTX_set_cert_verify_callback() sets the verification callback function for
B<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at
the time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored.
=head1 NOTES
Whenever a certificate is verified during a SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback B<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting B<callback> to NULL, the default behaviour is restored.
When the verification must be performed, B<callback> will be called with
the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg>
that can be specified when setting B<callback> are currently ignored.
B<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and B<callback>
returns 0, the handshake will fail. As the verification procedure may
allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the B<error>
member of B<x509_store_ctx>, so that the calling application will be informed
about the detailed result of the verification procedure!
Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
=head1 WARNINGS
Do not mix the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
family of functions.
Providing a complete verification procedure including certificate purpose
settings etc is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.
=head1 BUGS
It is possible to specify arguments to be passed to the verification callback.
Currently they are however not passed but ignored.
The B<callback> function is not specified via a prototype, so that no
type checking takes place.
=head1 RETURN VALUES
SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
=cut
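Review bot: the SYNOPSIS declares the callback as `int (*callback)();` with an empty parameter list, while NOTES states it is invoked as `callback(X509_STORE_CTX *x509_store_ctx)`; declare it as `int (*callback)(X509_STORE_CTX *)` in the synopsis so that readers do not have to reach the BUGS section to learn the real signature. The sentence beginning "As the verification procedure may allow to continue the connection" is the security-critical one and should be more concrete: a callback that returns 1 for a peer it could not verify must first store an X509_V_ERR_* code in the B<error> member, otherwise the application's later call to L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> (listed under SEE ALSO) reports X509_V_OK for a peer that was never verified. Minor grammar: "SSL objects, that are created from B<ctx> inherit the setting valid at the time, L<SSL_new(3)|SSL_new(3)> is called" has two stray commas, "a SSL/TLS handshake" should be "an SSL/TLS handshake", "may allow to continue the connection" should be "may allow the connection to continue", and "etc is" needs a period after "etc".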
doc/ssl/SSL_CTX_set_verify.pod
@@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result.
B<Server mode:> the server sends a client certificate request to the client.
The certificate returned (if any) is checked. If the verification process
fails
as indicated by B<verify_callback>
, the TLS/SSL handshake is
fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure.
The behaviour can be controlled by the additional
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
B<Client mode:> the server certificate is verified. If the verification process
fails
as indicated by B<verify_callback>
, the TLS/SSL handshake is
fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure. If no server certificate is sent, because an
anonymous cipher is used, SSL_VERIFY_PEER is ignored.
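Review bot: dropping "as indicated by B<verify_callback>" from both the server-mode and client-mode paragraphs is right now that the outcome may come from an application-provided procedure rather than from B<verify_callback>, but both paragraphs now say only "If the verification process fails" without saying what decides failure, and the explanatory paragraph added later in this file sits after both of them. Add a short pointer in the first of the two, e.g. "fails (see L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>)", and note that "an alert message containing the reason for the verification failure" presupposes the failure reason was recorded in the X509_STORE_CTX, which is exactly the B<error> requirement the new manual page spells out.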
@@ -92,6 +92,15 @@ B<Client mode:> ignored
Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
set at any time.
The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification
function set with
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>.
The following descriptions apply in the case of the built-in procedure. An
application provided procedure also has access to the verify depth information
and the verify_callback() function, but the way this information is used
may be different.
SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up
to which depth certificates in a chain are used during the verification
procedure. If the certificate chain is longer than allowed, the certificates
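Review bot: "but the way this information is used may be different" leaves the reader unsure whether SSL_CTX_set_verify_depth() and B<verify_callback> have any effect at all under an application-provided procedure; state explicitly whether the depth limit is still enforced and whether B<verify_callback> is still invoked in that case, since a reader who sets a depth limit will otherwise assume it always applies. Style: "verify_callback()" in the added paragraph is written with parentheses while the rest of this page uses B<verify_callback>, and "application provided" should be hyphenated as "application-provided" in both places.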
@@ -278,6 +287,7 @@ L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>
doc/ssl/ssl.pod
@@ -299,7 +299,7 @@ protocol context defined in the B<SSL_CTX> structure.
=item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(
SSL_CTX *
), char *arg)
=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(), char *arg)
=item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
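Review bot: the item still names the function B<SSL_CTX_set_cert_verify_cb>, while the manual page added in this commit and the link added to this file's own link list both call it SSL_CTX_set_cert_verify_callback; the item should use the name documented in doc/ssl/SSL_CTX_set_cert_verify_callback.pod so that the two do not diverge. Replacing the incorrect `int (*cb)(SSL_CTX *)` with the unprototyped `int (*cb)()` removes a wrong type but leaves the reader with no type at all; since the new page states the callback is invoked with an X509_STORE_CTX *, `int (*cb)(X509_STORE_CTX *)` would be the more useful declaration here.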
@@ -663,6 +663,7 @@ L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>,
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,