redhat man page for ne_ssl_set_verify

Redhat Man Pages All Man Pages Latest Topics Forum Categories

Query: ne_ssl_set_verify

OS: redhat

Section: 3

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

NE_SSL_SET_VERIFY(3)						neon API reference					      NE_SSL_SET_VERIFY(3)


NAME

       ne_ssl_set_verify - register an SSL certificate verification callback


SYNOPSIS

       #include <ne_session.h>

       typedef int (*ne_ssl_verify_fn) (void *userdata, int failures, const ne_ssl_certificate *cert);

       void ne_ssl_set_verify (ne_session *session, ne_ssl_verify_fn verify_fn, void *userdata);


DESCRIPTION

       To  enable manual SSL certificate verification, a callback can be registered using ne_ssl_set_verify. If such a callback is not registered,
       when a connection is established to an SSL server which does not present a certificate signed by a trusted CA (see  ne_ssl_load_ca(3)),	or
       if the certificate presented is invalid in some way, the connection will fail.

       When  the callback is invoked, the failures parameter gives a bitmask indicating in what way the automatic certificate verification failed.
       The value is equal to the bit-wise OR of one or more of the following constants (and is guaranteed to be non-zero):

       NE_SSL_NOTYETVALID
	      The certificate is not yet valid.

       NE_SSL_EXPIRED
	      The certificate has expired.

       NE_SSL_CNMISMATCH
	      The hostname used for the session does not match the hostname to which the certificate was issued: this could mean that the  connec-
	      tion has been intercepted.

       NE_SSL_UNKNOWNCA
	      The Certificate Authority which signed the certificate is not trusted.

       The  cert  parameter passed to the callback describes the certificate which was presented by the server, see ne_ssl_certificate(3) for more
       details. The certificate object given is only valid until the callback returns.


RETURN VALUE

       The verification callback must return zero to indicate that the certificate should be trusted; and non-zero otherwise (in which	case,  the
       connection will fail).


EXAMPLES

       Manual certificate verification:

       static int
       my_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
       {
	  /* leak the return values of ne_ssl_readable_dname for simplicity! */
	  printf("Issuer: %s
", ne_ssl_readable_dname(cert->issuer);
	  printf("Subject: %s
", ne_ssl_readable_dname(cert->subject);
	  if (failures & NE_SSL_CNMISMATCH) {
	     printf("Server certificate was issued to `%s'; "
		    "connection may have been intercepted!
",
		    cert->subject->commonName);
	  }
	  if (failures & NE_SSL_EXPIRED) {
	     printf("Server certificate expired on %s!", cert->until);
	  }
	  /* ... check for other failures ... */
	  if (prompt_user())
	     return 1; /* fail verification */
	  else
	     return 0; /* trust certificate */
       }

       int
       main(...)
       {
	   ne_session *sess = ne_session_create("https", "some.host.name", 443);
	   ne_ssl_set_verify(sess, my_verify, NULL);
	   ...
       }


SEE ALSO

       ne_ssl_certificate(3), ne_ssl_load_ca(3), ne_ssl_dname(3), ne_ssl_readable_dname(3)


AUTHOR

       Joe Orton <neon@webdav.org>.

neon 0.23.5							   8 October 2002					      NE_SSL_SET_VERIFY(3)
Related Man Pages
ne_ssl_set_verify(3) - redhat
ne_ssl_set_verify(3) - opensolaris
ne_ssl_cert_identity(3) - debian
ne_ssl_cert_signedby(3) - debian
ne_ssl_cert_issuer(3) - centos
Similar Topics in the Unix Linux Community
SSL certificate
Query: How to install commercial cert into AIX and use it for FTPS connection
WebLogic SSL enabling ignoring CA certificate
Finding SSL Cert Info