David Benjamin 14ddbcee23 doc: Discuss calling X509_verify_cert in cert_verify_callback
Using SSL_CTX_set_cert_verify_callback but still calling
X509_verify_cert is useful if applications want to dynamically
configure the X509_STORE_CTX, or postprocess the result, in a way that
does not quite fit the somewhat unpredictable behavior of the
SSL_CTX_set_verify callback. (In my experience, applications rarely
realize it is called multiple times. It's also too late at that point to
reconfigure the X509_STORE_CTX as verification has already started.)

There is one note in the docs that the callback needs to stash the
verify result with X509_STORE_CTX_set_error, but it is not immediately
obvious that X509_verify_cert will do so, or that it is the built-in
behavior. Add a paragraph discussing this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28960)

(cherry picked from commit 069181d7f3)
2025-11-24 19:23:05 +01:00

OpenSSL Documentation

README.md This file

fingerprints.txt PGP fingerprints of authorised release signers

HOWTO/ A few how-to documents; not necessarily up-to-date

man1/ The openssl command-line tools; start with openssl.pod

man3/ The SSL library and the crypto library

man5/ File formats

man7/ Overviews; start with crypto.pod and ssl.pod, for example. Algorithm-specific EVP_PKEY documentation.

Formatted versions of the manpages (apps, ssl, crypto) can be found at https://docs.openssl.org/master/