Transmission Control Protocol/Internet Protocol

SSL_get_verify_result

The SSL_get_verify_result function returns the result of the remote peer certificate validation.

Format

#include <openssl/ssl.h>
long SSL_get_verify_result(SSL *ssl);

ssl
A pointer to a token returned on the SSL_new call

Normal Return

Returns one of the following values:

X509_V_OK
The certificate was valid or no certificate was provided. Use the SSL_get_peer_certificate function to determine whether the certificate was provided or not.

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
Unable to find the certificate for one of the certificate authorities (CAs) in the signing hierarchy and that CA is not trusted by the local application.

X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
Unable to decrypt the signature of the certificate.

X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
The public key in the certificate could not be read.

X509_V_ERR_CERT_SIGNATURE_FAILURE
The signature of the certificate is not valid.

X509_V_ERR_CERT_NOT_YET_VALID
The certificate is not valid until a date in the future.

X509_V_ERR_CERT_HAS_EXPIRED
The certificate has expired.

X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
There is a format error in the notBefore field of the certificate.

X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
There is a format error in the notAfter field of the certificate.

X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The passed certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
A self-signed certificate exists in the certificate chain. The certificate chain could be built up using the untrusted certificates, but the root CA could not be found locally.

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
The issuer certificate of a locally looked up certificate could not be found. This normally means that the list of trusted certificates is not complete.

X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
No signatures could be verified because the certificate chain contains only one certificate, it is not self-signed, and the issuer is not trusted.

X509_V_ERR_INVALID_CA
A CA certificate is not valid because it is not a CA or its extensions are not consistent with the intended purpose.

X509_V_ERR_PATH_LENGTH_EXCEEDED
The basicConstraints pathlength parameter was exceeded.

X509_V_ERR_INVALID_PURPOSE
The certificate that was provided cannot be used for its intended purpose.

X509_V_ERR_CERT_UNTRUSTED
The root CA is not marked as trusted for its intended purpose.

X509_V_ERR_CERT_REJECTED
The root CA is marked to reject the purpose specified.

X509_V_ERR_SUBJECT_ISSUER_MISMATCH
The issuer certificate was rejected because its subject name did not match the issuer name of the current certificate.

X509_V_ERR_AKID_SKID_MISMATCH
The issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier of the current certificate.

X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
The issuer certificate was rejected because its issuer name and serial number were present and did not match the authority key identifier of the current certificate.

X509_V_ERR_KEYUSAGE_NO_CERTSIGN
The issuer certificate was rejected because its keyUsage extension does not permit certificate signing.

X509_V_ERR_CERT_REVOKED
The certificate was revoked by the issuer.

Error Return

None.

Programming Considerations

Client applications that have a verify mode of SSL_VERIFY_NONE must use the SSL_get_verify_result function to determine whether the certificate for the server application is valid or not.
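
The following is an added example, not code from the original page or from the TPF samples. It shows the post-handshake check a client with SSL_VERIFY_NONE needs, including the case where X509_V_OK is returned because no certificate was provided. Assumptions: classify_peer, peer_is_acceptable, the peer_status enum and the USE_OPENSSL build guard are hypothetical names for this example, and X509_verify_cert_error_string is the OpenSSL function of that name, assumed to be available.

```c
#include <stdio.h>
#ifdef USE_OPENSSL              /* build: cc -DUSE_OPENSSL ex.c -lssl -lcrypto */
#include <openssl/ssl.h>
#include <openssl/x509.h>
#else
#define X509_V_OK 0L            /* value from OpenSSL's x509_vfy.h */
#endif

/* Hypothetical names for this example. */
enum peer_status { PEER_TRUSTED, PEER_NO_CERT, PEER_CERT_INVALID };

/* X509_V_OK alone is not proof of a valid peer: it is also returned when
 * no certificate was provided, so certificate presence is tested first. */
enum peer_status classify_peer(int have_cert, long verify_result)
{
    if (!have_cert)
        return PEER_NO_CERT;
    if (verify_result != X509_V_OK)
        return PEER_CERT_INVALID;
    return PEER_TRUSTED;
}

#ifdef USE_OPENSSL
/* Call after the handshake completes. Returns 1 to continue, 0 to close. */
int peer_is_acceptable(SSL *ssl)
{
    X509 *cert = SSL_get_peer_certificate(ssl);
    long vr = SSL_get_verify_result(ssl);
    enum peer_status st = classify_peer(cert != NULL, vr);

    if (st == PEER_NO_CERT)
        fprintf(stderr, "peer sent no certificate\n");
    else if (st == PEER_CERT_INVALID)
        fprintf(stderr, "peer certificate rejected: %ld (%s)\n",
                vr, X509_verify_cert_error_string(vr));
    if (cert != NULL)
        X509_free(cert);   /* caller owns the returned reference */
    return st == PEER_TRUSTED;
}
#endif

int main(void)
{
    /* Constructed inputs; 10 stands in for any non-OK result code. */
    printf("%d %d %d\n", classify_peer(0, X509_V_OK),
           classify_peer(1, X509_V_OK), classify_peer(1, 10L));
    return 0;
}
```

A PEER_TRUSTED result covers certificate chain validation only; matching the certificate to the expected server name is a separate check.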

Examples

For sample SSL applications, go to http://www.ibm.com/tpf/pubs/tpfpubs.htm, click SSL for the TPF 4.1 System: An Online User's Guide, and click Examples from the left navigation bar.

Related Information