1 files changed, 109 insertions, 0 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3
new file mode 100644
index 0000000000..b34d3a6003
--- /dev/null
+++ b/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3
@@ -0,0 +1,109 @@
+.Dd $Mdocdate: October 12 2014 $
+.Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set_cert_verify_callback
+.Nd set peer certificate verification procedure
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft void
+.Fo SSL_CTX_set_cert_verify_callback
+.Fa "SSL_CTX *ctx"
+.Fa "int (*callback)(X509_STORE_CTX *, void *)"
+.Fa "void *arg"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_set_cert_verify_callback
+sets the verification callback function for
+.Fa ctx .
+.Vt SSL
+objects that are created from
+.Fa ctx
+inherit the setting valid at the time when
+.Xr SSL_new 3
+is called.
+.Sh NOTES
+Whenever a certificate is verified during a SSL/TLS handshake,
+a verification function is called.
+If the application does not explicitly specify a verification callback
+function, the built-in verification function is used.
+If a verification callback
+.Fa callback
+is specified via
+.Fn SSL_CTX_set_cert_verify_callback ,
+the supplied callback function is called instead.
+By setting
+.Fa callback
+to
+.Dv NULL ,
+the default behaviour is restored.
+.Pp
+When the verification must be performed,
+.Fa callback
+will be called with the arguments
+.Fn callback "X509_STORE_CTX *x509_store_ctx" "void *arg" .
+The argument
+.Fa arg
+is specified by the application when setting
+.Fa callback .
+.Pp
+.Fa callback
+should return 1 to indicate verification success and 0 to indicate verification
+failure.
+If
+.Dv SSL_VERIFY_PEER
+is set and
+.Fa callback
+returns 0, the handshake will fail.
+As the verification procedure may allow the connection to continue in case of
+failure (by always returning 1) the verification result must be set in any case
+using the
+.Fa error
+member of
+.Fa x509_store_ctx
+so that the calling application will be informed about the detailed result of
+the verification procedure!
+.Pp
+Within
+.Fa x509_store_ctx ,
+.Fa callback
+has access to the
+.Fa verify_callback
+function set using
+.Xr SSL_CTX_set_verify 3 .
+.Sh WARNINGS
+Do not mix the verification callback described in this function with the
+.Fa verify_callback
+function called during the verification process.
+The latter is set using the
+.Xr SSL_CTX_set_verify 3
+family of functions.
+.Pp
+Providing a complete verification procedure including certificate purpose
+settings, etc., is a complex task.
+The built-in procedure is quite powerful and in most cases it should be
+sufficient to modify its behaviour using the
+.Fa verify_callback
+function.
+.Sh RETURN VALUES
+.Fn SSL_CTX_set_cert_verify_callback
+does not provide diagnostic information.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_load_verify_locations 3 ,
+.Xr SSL_CTX_set_verify 3 ,
+.Xr SSL_get_verify_result 3
+.Sh HISTORY
+Previous to OpenSSL 0.9.7, the
+.Fa arg
+argument to
+.Fn SSL_CTX_set_cert_verify_callback
+was ignored, and
+.Fa callback
+was called
+simply as
+.Ft int
+.Fn (*callback) "X509_STORE_CTX *" .
+To compile software written for previous versions of OpenSSL,
+a dummy argument will have to be added to
+.Fa callback .

diff --git a/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3 new file mode 100644 index 0000000000..b34d3a6003 --- /dev/null +++ b/src/lib/libssl/doc/SSL_CTX_set_cert_verify_callback.3
@@ -0,0 +1,109 @@
	1	.Dd $Mdocdate: October 12 2014 $
	2	.Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
	3	.Os
	4	.Sh NAME
	5	.Nm SSL_CTX_set_cert_verify_callback
	6	.Nd set peer certificate verification procedure
	7	.Sh SYNOPSIS
	8	.In openssl/ssl.h
	9	.Ft void
	10	.Fo SSL_CTX_set_cert_verify_callback
	11	.Fa "SSL_CTX *ctx"
	12	.Fa "int (callback)(X509_STORE_CTX , void *)"
	13	.Fa "void *arg"
	14	.Fc
	15	.Sh DESCRIPTION
	16	.Fn SSL_CTX_set_cert_verify_callback
	17	sets the verification callback function for
	18	.Fa ctx .
	19	.Vt SSL
	20	objects that are created from
	21	.Fa ctx
	22	inherit the setting valid at the time when
	23	.Xr SSL_new 3
	24	is called.
	25	.Sh NOTES
	26	Whenever a certificate is verified during a SSL/TLS handshake,
	27	a verification function is called.
	28	If the application does not explicitly specify a verification callback
	29	function, the built-in verification function is used.
	30	If a verification callback
	31	.Fa callback
	32	is specified via
	33	.Fn SSL_CTX_set_cert_verify_callback ,
	34	the supplied callback function is called instead.
	35	By setting
	36	.Fa callback
	37	to
	38	.Dv NULL ,
	39	the default behaviour is restored.
	40	.Pp
	41	When the verification must be performed,
	42	.Fa callback
	43	will be called with the arguments
	44	.Fn callback "X509_STORE_CTX x509_store_ctx" "void arg" .
	45	The argument
	46	.Fa arg
	47	is specified by the application when setting
	48	.Fa callback .
	49	.Pp
	50	.Fa callback
	51	should return 1 to indicate verification success and 0 to indicate verification
	52	failure.
	53	If
	54	.Dv SSL_VERIFY_PEER
	55	is set and
	56	.Fa callback
	57	returns 0, the handshake will fail.
	58	As the verification procedure may allow the connection to continue in case of
	59	failure (by always returning 1) the verification result must be set in any case
	60	using the
	61	.Fa error
	62	member of
	63	.Fa x509_store_ctx
	64	so that the calling application will be informed about the detailed result of
	65	the verification procedure!
	66	.Pp
	67	Within
	68	.Fa x509_store_ctx ,
	69	.Fa callback
	70	has access to the
	71	.Fa verify_callback
	72	function set using
	73	.Xr SSL_CTX_set_verify 3 .
	74	.Sh WARNINGS
	75	Do not mix the verification callback described in this function with the
	76	.Fa verify_callback
	77	function called during the verification process.
	78	The latter is set using the
	79	.Xr SSL_CTX_set_verify 3
	80	family of functions.
	81	.Pp
	82	Providing a complete verification procedure including certificate purpose
	83	settings, etc., is a complex task.
	84	The built-in procedure is quite powerful and in most cases it should be
	85	sufficient to modify its behaviour using the
	86	.Fa verify_callback
	87	function.
	88	.Sh RETURN VALUES
	89	.Fn SSL_CTX_set_cert_verify_callback
	90	does not provide diagnostic information.
	91	.Sh SEE ALSO
	92	.Xr ssl 3 ,
	93	.Xr SSL_CTX_load_verify_locations 3 ,
	94	.Xr SSL_CTX_set_verify 3 ,
	95	.Xr SSL_get_verify_result 3
	96	.Sh HISTORY
	97	Previous to OpenSSL 0.9.7, the
	98	.Fa arg
	99	argument to
	100	.Fn SSL_CTX_set_cert_verify_callback
	101	was ignored, and
	102	.Fa callback
	103	was called
	104	simply as
	105	.Ft int
	106	.Fn (callback) "X509_STORE_CTX " .
	107	To compile software written for previous versions of OpenSSL,
	108	a dummy argument will have to be added to
	109	.Fa callback .