"Fossies" - the Fresh Open Source Software Archive

Member "neon-0.31.2/doc/man/ne_ssl_set_verify.3" (20 Jun 2020, 4971 Bytes) of package /linux/www/neon-0.31.2.tar.gz:


Caution: As a special service "Fossies" has tried to format the requested manual source page into HTML format but links to other man pages may be missing or even erroneous. Alternatively you can here view or download the uninterpreted manual source code. A member file download can also be achieved by clicking within a package contents listing on the according byte size field. See also the latest Fossies "Diffs" side-by-side code changes report for "ne_ssl_set_verify.3": 0.31.1_vs_0.31.2.

NE_SSL_SET_VERIFY

NAME
SYNOPSIS
DESCRIPTION
RETURN VALUE
EXAMPLES
SEE ALSO
AUTHOR
COPYRIGHT

NAME

ne_ssl_set_verify − register an SSL certificate verification callback

SYNOPSIS

#include <ne_session.h>

typedef int ne_ssl_verify_fn(void *userdata, int failures, const ne_ssl_certificate *cert);

void ne_ssl_set_verify(ne_session *session, ne_ssl_verify_fn verify_fn, void *userdata);

DESCRIPTION

To enable manual SSL certificate verification, a callback can be registered using ne_ssl_set_verify. If such a callback is not registered, when a connection is established to an SSL server which does not present a certificate signed by a trusted CA (see ne_ssl_trust_cert), or if the certificate presented is invalid in some way, the connection will fail.

When the callback is invoked, the failures parameter gives a bitmask indicating in what way the automatic certificate verification failed. The value is equal to the bit−wise OR of one or more of the following constants (and is guaranteed to be non−zero):

NE_SSL_NOTYETVALID

The certificate is not yet valid.

NE_SSL_EXPIRED

The certificate has expired.

NE_SSL_IDMISMATCH

The hostname used for the session does not match the hostname to which the certificate was issued.

NE_SSL_UNTRUSTED

The Certificate Authority which signed the certificate is not trusted.

Note that if either of the NE_SSL_IDMISMATCH or NE_SSL_UNTRUSTED failures is given, the connection may have been intercepted by a third party, and must not be presumed to be “secure”.

The cert parameter passed to the callback represents the certificate which was presented by the server. If the server presented a chain of certificates, the chain can be accessed using ne_ssl_cert_signedby. The cert object given is not valid after the callback returns.

RETURN VALUE

The verification callback must return zero to indicate that the certificate should be trusted; and non−zero otherwise (in which case, the connection will fail).

EXAMPLES

The following code implements an example verification callback, using the dump_cert function from ne_ssl_cert_subject to display certification information. Notice that the hostname of the server used for the session is passed as the userdata parameter to the callback.

static int
my_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
{
const char *hostname = userdata;

dump_cert(cert);

puts("Certificate verification failed − the connection may have been "
"intercepted by a third party!");

if (failures & NE_SSL_IDMISMATCH) {
const char *id = ne_ssl_cert_identity(cert);
if (id)
printf("Server certificate was issued to '%s' not '%s'.\n",
id, hostname);
else
printf("The certificate was not issued for '%s'\n", hostname);
}

if (failures & NE_SSL_UNTRUSTED)
puts("The certificate is not signed by a trusted Certificate Authority.");

/* ... check for validity failures ... */

if (prompt_user())
return 1; /* fail verification */
else
return 0; /* trust the certificate anyway */
}

int
main(...)
{
ne_session *sess = ne_session_create("https", "some.host.name", 443);
ne_ssl_set_verify(sess, my_verify, "some.host.name");
...
}

SEE ALSO

ne_ssl_trust_cert, ne_ssl_readable_dname, ne_ssl_cert_subject

AUTHOR

Joe Orton <neon@lists.manyfish.co.uk>

Author.

COPYRIGHT