aboutsummaryrefslogtreecommitdiff
path: root/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
diff options
context:
space:
mode:
Diffstat (limited to 'secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3')
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.337
1 files changed, 20 insertions, 17 deletions
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
index 52dea0e935f2..f65fd87806df 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
@@ -1,5 +1,5 @@
.\" -*- mode: troff; coding: utf-8 -*-
-.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -52,10 +52,13 @@
. \}
.\}
.rr rF
+.\"
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_VERIFY 3ossl"
-.TH SSL_CTX_SET_VERIFY 3ossl 2025-09-30 3.5.4 OpenSSL
+.TH SSL_CTX_SET_VERIFY 3ossl 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -125,8 +128,8 @@ verification that shall be allowed for \fBctx\fR.
verification that shall be allowed for \fBssl\fR.
.PP
\&\fBSSL_CTX_set_post_handshake_auth()\fR and \fBSSL_set_post_handshake_auth()\fR enable the
-Post-Handshake Authentication extension to be added to the ClientHello such that
-post-handshake authentication can be requested by the server. If \fBval\fR is 0
+Post\-Handshake Authentication extension to be added to the ClientHello such that
+post\-handshake authentication can be requested by the server. If \fBval\fR is 0
then the extension is not sent, otherwise it is. By default the extension is not
sent. A certificate callback will need to be set via
\&\fBSSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization.
@@ -137,7 +140,7 @@ be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional.
.SH NOTES
.IX Header "NOTES"
The verification of certificates can be controlled by a set of logically
-or'ed \fBmode\fR flags:
+or\*(Aqed \fBmode\fR flags:
.IP SSL_VERIFY_NONE 4
.IX Item "SSL_VERIFY_NONE"
\&\fBServer mode:\fR the server will not send a client certificate request to the
@@ -175,7 +178,7 @@ This flag must be used together with SSL_VERIFY_PEER.
.IX Item "SSL_VERIFY_CLIENT_ONCE"
\&\fBServer mode:\fR only request a client certificate once during the
connection. Do not ask for a client certificate again during
-renegotiation or post-authentication if a certificate was requested
+renegotiation or post\-authentication if a certificate was requested
during the initial handshake. This flag must be used together with
SSL_VERIFY_PEER.
.Sp
@@ -185,7 +188,7 @@ SSL_VERIFY_PEER.
\&\fBServer mode:\fR the server will not send a client certificate request
during the initial handshake, but will send the request via
\&\fBSSL_verify_client_post_handshake()\fR. This allows the SSL_CTX or SSL
-to be configured for post-handshake peer verification before the
+to be configured for post\-handshake peer verification before the
handshake occurs. This flag must be used together with
SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre\-TLSv1.3 connections.
.Sp
@@ -196,25 +199,25 @@ If the \fBmode\fR is SSL_VERIFY_NONE none of the other flags may be set.
If verification flags are not modified explicitly by \f(CWSSL_CTX_set_verify()\fR
or \f(CWSSL_set_verify()\fR, the default value will be SSL_VERIFY_NONE.
.PP
-The actual verification procedure is performed either using the built-in
+The actual verification procedure is performed either using the built\-in
verification procedure or using another application provided verification
function set with
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3).
-The following descriptions apply in the case of the built-in procedure. An
+The following descriptions apply in the case of the built\-in procedure. An
application provided procedure also has access to the verify depth information
and the \fBverify_callback()\fR function, but the way this information is used
may be different.
.PP
\&\fBSSL_CTX_set_verify_depth()\fR and \fBSSL_set_verify_depth()\fR set a limit on the
-number of certificates between the end-entity and trust-anchor certificates.
+number of certificates between the end\-entity and trust\-anchor certificates.
Neither the
-end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the
+end\-entity nor the trust\-anchor certificates count against \fBdepth\fR. If the
certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR,
X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
The depth count is "level 0:peer certificate", "level 1: CA certificate",
"level 2: higher level CA certificate", and so on. Setting the maximum
-depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
-trust-anchor).
+depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end\-entity and 3 the
+trust\-anchor).
The default depth limit is 100,
allowing for the peer certificate, at most 100 intermediate CA certificates and
a final trust anchor certificate.
@@ -227,7 +230,7 @@ the certificate in question was passed (preverify_ok=1) or not
for the certificate chain verification.
.PP
The certificate chain is checked starting with the deepest nesting level
-(the root CA certificate) and worked upward to the peer's certificate.
+(the root CA certificate) and worked upward to the peer\*(Aqs certificate.
At each level signatures and issuer attributes are checked. Whenever
a verification error is found, the error number is stored in \fBx509_ctx\fR
and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying
@@ -258,16 +261,16 @@ certificate or certificate callback to its configuration before it can
successfully authenticate. This must be called before \fBSSL_connect()\fR.
.PP
\&\fBSSL_verify_client_post_handshake()\fR requires that verify flags have been
-previously set, and that a client sent the post-handshake authentication
+previously set, and that a client sent the post\-handshake authentication
extension. When the client returns a certificate the verify callback will be
invoked. A write operation must take place for the Certificate Request to be
sent to the client, this can be done with \fBSSL_do_handshake()\fR or \fBSSL_write_ex()\fR.
Only one certificate request may be outstanding at any time.
.PP
-When post-handshake authentication occurs, a refreshed NewSessionTicket
+When post\-handshake authentication occurs, a refreshed NewSessionTicket
message is sent to the client.
.PP
-Post-handshake authentication cannot be used with QUIC.
+Post\-handshake authentication cannot be used with QUIC.
\&\fBSSL_set_post_handshake_auth()\fR has no effect if called on a QUIC SSL object.
.SH BUGS
.IX Header "BUGS"
generated by cgit v1.2.3 (git 2.25.1) at 2026-04-23 11:15:32 +0000