Transmission Control Protocol/Internet Protocol

SSL_set_verify

The SSL_set_verify function indicates whether to verify the identity of the remote application or not when the Secure Sockets Layer (SSL) session is started.

Format

#include <openssl/ssl.h>
void SSL_set_verify(SSL *ssl, int mode,
                    int (*cb)(int ok, X509_STORE_CTX *ctx))

ssl
A pointer to a token returned on the SSL_new call.

mode
One or more of the following verify options:

SSL_VERIFY_NONE
Use this option if you do not want to verify the identity of the remote peer. This option must be used alone; no other options can be specified. Consider the following when using this option:
  • If the application is a server, the application will not request the certificate for the remote client application when the SSL session is started.
  • If the application is a client, the certificate for the remote server application will be validated; however, the SSL session will be started regardless of whether or not the certificate for the remote server application is valid. Issue the SSL_get_verify_result function to check whether or not the certificate for the server is valid.

SSL_VERIFY_PEER
Use this option to verify the identity of the remote peer when the SSL session is started. Consider the following when using this option:
  • If the application is a server, the application will request and verify the certificate for the remote client application when the SSL session is started. If the remote client application provides a certificate that is not valid, the SSL session fails.
  • If the application is a client, the certificate for the remote server application is validated. If the certificate for the remote server application is not valid, the SSL session fails.

SSL_VERIFY_FAIL_IF_NO_PEER_CERT
Use this option to request that the remote client application send its certificate when the SSL session is starting, and to end the SSL session if no certificate is provided. This option only has meaning if the SSL_VERIFY_PEER option is also set. Do not use this option when your application is the client.

SSL_VERIFY_CLIENT_ONCE
Use this option to verify the identity of the remote client application when the SSL session is first started. If the SSL session is renegotiated, the identity of the client application is not verified again. This option only has meaning if the SSL_VERIFY_PEER option is also set. Do not use this option when your application is the client.

cb
A pointer set to NULL.

Normal Return

None.

Error Return

None.

Programming Considerations

The default value for the verify mode is SSL_VERIFY_NONE when the CTX structure is created. You must issue the SSL_set_verify function or the SSL_CTX_set_verify function with the SSL_VERIFY_PEER option if you want to authenticate remote peers when SSL sessions are started.
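The following helper is an added example, not code from the TPF documentation or from OpenSSL: it encodes the option rules stated above, choosing the mode a client or server should pass and flagging combinations the text calls meaningless or that leave the peer unauthenticated. The flag values match those in <openssl/ssl.h>; the role enum and both function names are assumptions.

```c
#include <stdio.h>

/* Flag values identical to those in <openssl/ssl.h>, defined here only so
 * this policy helper compiles without the OpenSSL headers.  The real call
 * is SSL_set_verify(ssl, mode, NULL), as documented above. */
#ifndef SSL_VERIFY_NONE
#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE          0x04
#endif

enum ssl_role { SSL_ROLE_CLIENT = 0, SSL_ROLE_SERVER = 1 };

/* Mode an application should pass for its role (hypothetical helper).
 * A server that must authenticate clients also needs FAIL_IF_NO_PEER_CERT:
 * PEER alone only fails the session if a certificate is sent and invalid. */
int verify_mode_for(enum ssl_role role, int require_client_cert)
{
    int mode = SSL_VERIFY_PEER;
    if (role == SSL_ROLE_SERVER && require_client_cert)
        mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    return mode;
}

/* Check a mode against the rules stated for each option.  Returns 1 when
 * the peer will be authenticated, 0 otherwise; 'why' (may be NULL) gets
 * a short reason. */
int verify_mode_check(enum ssl_role role, int mode, char *why, size_t len)
{
    const int server_only = SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                            SSL_VERIFY_CLIENT_ONCE;
    const char *msg = NULL;

    if (mode & ~(SSL_VERIFY_PEER | server_only))
        msg = "unknown verify flag";
    else if ((mode & server_only) && !(mode & SSL_VERIFY_PEER))
        msg = "FAIL_IF_NO_PEER_CERT/CLIENT_ONCE require SSL_VERIFY_PEER";
    else if ((mode & server_only) && role == SSL_ROLE_CLIENT)
        msg = "FAIL_IF_NO_PEER_CERT/CLIENT_ONCE are server-side only";
    else if (mode == SSL_VERIFY_NONE)
        msg = role == SSL_ROLE_CLIENT
            ? "NONE: session starts even if the server cert is invalid; "
              "the client must call SSL_get_verify_result"
            : "NONE: server never requests the client certificate";

    if (why)
        snprintf(why, len, "%s", msg ? msg : "peer is authenticated");
    return msg == NULL;
}
```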

Examples

For sample SSL applications, go to http://www.ibm.com/tpf/pubs/tpfpubs.htm, click SSL for the TPF 4.1 System: An Online User's Guide, and click Examples from the left navigation bar.

Related Information