ne_ssl_set_verify(3) [redhat man page]

NE_SSL_SET_VERIFY(3)						neon API reference					      NE_SSL_SET_VERIFY(3)

NAME
       ne_ssl_set_verify - register an SSL certificate verification callback

SYNOPSIS
       #include <ne_session.h>

       typedef int (*ne_ssl_verify_fn) (void *userdata, int failures, const ne_ssl_certificate *cert);

       void ne_ssl_set_verify (ne_session *session, ne_ssl_verify_fn verify_fn, void *userdata);

DESCRIPTION
       To enable manual SSL certificate verification, a callback can be registered using ne_ssl_set_verify. If no callback is registered, the connection fails when the server presents a certificate which is not signed by a trusted CA (see ne_ssl_load_ca(3)), or which is invalid in some other way. With a callback registered, neon invokes it instead of failing outright, and the callback's return value decides whether the connection proceeds.

       When the callback is invoked, the failures parameter gives a bitmask indicating in what way the automatic certificate verification failed. The value is equal to the bit-wise OR of one or more of the following constants (and is guaranteed to be non-zero):

       NE_SSL_NOTYETVALID
              The certificate is not yet valid.

       NE_SSL_EXPIRED
              The certificate has expired.

       NE_SSL_CNMISMATCH
              The hostname used for the session does not match the hostname to which the certificate was issued: this could mean that the connection has been intercepted.

       NE_SSL_UNKNOWNCA
              The Certificate Authority which signed the certificate is not trusted.

       The cert parameter passed to the callback describes the certificate which was presented by the server; see ne_ssl_certificate(3) for more details. The certificate object given is only valid until the callback returns, so copy anything you need from it (a readable distinguished name, for example) before returning.

       Because the callback is only ever reached after automatic verification has failed, a callback which returns zero unconditionally, or which inspects only the bits it knows about and ignores the rest, disables certificate verification entirely and leaves the client open to interception. Later neon releases define further failure bits beyond the four listed here; a callback should treat any bit it does not explicitly recognise as fatal.

RETURN VALUE
       The verification callback must return zero to indicate that the certificate should be trusted, and non-zero otherwise (in which case the connection will fail).

EXAMPLES
       Manual certificate verification:

       #include <stdio.h>
       #include <ne_session.h>

       static int
       my_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
       {
          /* leak the return values of ne_ssl_readable_dname for simplicity! */
          printf("Issuer: %s\n", ne_ssl_readable_dname(cert->issuer));
          printf("Subject: %s\n", ne_ssl_readable_dname(cert->subject));

          if (failures & NE_SSL_CNMISMATCH) {
             printf("Server certificate was issued to `%s'; "
                    "connection may have been intercepted!\n",
                    cert->subject->commonName);
          }
          if (failures & NE_SSL_EXPIRED) {
             printf("Server certificate expired on %s!\n", cert->until);
          }
          /* ... check for other failures ... */

          /* prompt_user() stands for the application's own "continue anyway?"
           * prompt; it is not part of neon. A non-zero answer rejects the
           * certificate. */
          if (prompt_user())
             return 1; /* fail verification */
          else
             return 0; /* trust certificate */
       }

       int main(...)
       {
          ne_session *sess = ne_session_create("https", "some.host.name", 443);
          ne_ssl_set_verify(sess, my_verify, NULL);
          ...
       }

       This example is written against the neon 0.23 API, in which the certificate and distinguished-name structures were public. In later releases ne_ssl_certificate is opaque and the same information is obtained through accessor functions such as ne_ssl_cert_subject, ne_ssl_cert_issuer and ne_ssl_cert_identity (see ne_ssl_cert_identity(3) below).

SEE ALSO
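       The man page's example leaves the trust decision to an interactive prompt. As an added example, not part of this man page or of neon's own code, the following C program shows a fail-closed policy for such a callback: it pins a private-CA or self-signed server certificate by fingerprint, accepts it only when NE_SSL_UNKNOWNCA is the sole failure and the certificate's identity still matches the session hostname, and rejects any failure bit it does not recognise. The NE_SSL_* values (defined locally so the program builds and runs without neon), struct pin_policy, verify_policy, example_policy and the ne_ssl_cert_digest/NE_SSL_DIGESTLEN glue under HAVE_NEON are this example's own assumptions; the pinned digest is a constructed placeholder.

```c
/*
 * Added example (not from neon or the ne_ssl_set_verify man page): a
 * fail-closed verification policy for a ne_ssl_verify_fn that pins a
 * private-CA or self-signed server certificate by fingerprint.
 * The NE_SSL_* values are ASSUMED to mirror neon's ne_ssl.h and are
 * defined here so this file compiles and runs without neon installed.
 */
#include <stdio.h>
#include <string.h>

#define NE_SSL_NOTYETVALID 0x01   /* assumption: values as in ne_ssl.h */
#define NE_SSL_EXPIRED     0x02
#define NE_SSL_CNMISMATCH  0x04
#define NE_SSL_UNKNOWNCA   0x08

/* The only failure reasons this policy knows how to reason about. Any
 * other bit (for example one added by a newer neon) is treated as fatal. */
#define POLICY_KNOWN_BITS \
    (NE_SSL_NOTYETVALID | NE_SSL_EXPIRED | NE_SSL_CNMISMATCH | NE_SSL_UNKNOWNCA)

/* Hypothetical userdata to hand to ne_ssl_set_verify(). */
struct pin_policy {
    const char *expected_host;  /* hostname the session was created for */
    const char *pinned_digest;  /* expected certificate fingerprint, or NULL */
};

/*
 * Decide whether to trust a certificate that neon's automatic checks have
 * already rejected. Returns 0 to trust and 1 to fail, which is the
 * ne_ssl_verify_fn contract. cert_identity and cert_digest are what the
 * callback extracted from the certificate (via ne_ssl_cert_identity() and
 * ne_ssl_cert_digest() in real neon code).
 */
int verify_policy(const struct pin_policy *p, int failures,
                  const char *cert_identity, const char *cert_digest)
{
    if (failures == 0 || (failures & ~POLICY_KNOWN_BITS))
        return 1;               /* nothing to override, or an unknown reason */

    if (failures & (NE_SSL_NOTYETVALID | NE_SSL_EXPIRED))
        return 1;               /* never accept outside the validity period */

    if (failures & NE_SSL_CNMISMATCH)
        return 1;               /* wrong identity: possibly intercepted */

    /* Only NE_SSL_UNKNOWNCA remains. Accept solely on an exact fingerprint
     * match, and re-check the identity ourselves rather than relying on the
     * absence of NE_SSL_CNMISMATCH alone. */
    if (p->pinned_digest == NULL || cert_digest == NULL ||
        strcmp(p->pinned_digest, cert_digest) != 0)
        return 1;
    if (cert_identity == NULL || strcmp(cert_identity, p->expected_host) != 0)
        return 1;
    return 0;
}

/* Constructed sample policy; the digest is a placeholder, not a real pin. */
static const struct pin_policy example_policy = {
    "some.host.name",
    "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44"
};

#ifdef HAVE_NEON
/* Glue for a real neon build (not compiled here). ne_ssl_cert_digest() and
 * NE_SSL_DIGESTLEN are assumed from neon's ne_ssl.h. */
#include <ne_session.h>
#include <ne_ssl.h>

static int my_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
{
    char digest[NE_SSL_DIGESTLEN];
    if (ne_ssl_cert_digest(cert, digest) != 0)
        return 1;               /* cannot fingerprint it: fail closed */
    return verify_policy(userdata, failures, ne_ssl_cert_identity(cert), digest);
}
/* usage: ne_ssl_set_verify(sess, my_verify, (void *)&example_policy); */
#endif

int main(void)
{
    const char *pin = example_policy.pinned_digest;
    printf("unknown CA, pinned digest, right host -> %d\n",
           verify_policy(&example_policy, NE_SSL_UNKNOWNCA, "some.host.name", pin));
    printf("unknown CA, wrong digest              -> %d\n",
           verify_policy(&example_policy, NE_SSL_UNKNOWNCA, "some.host.name", "00:00"));
    printf("unknown CA + expired, pinned digest   -> %d\n",
           verify_policy(&example_policy, NE_SSL_UNKNOWNCA | NE_SSL_EXPIRED,
                         "some.host.name", pin));
    printf("unrecognised failure bit              -> %d\n",
           verify_policy(&example_policy, 0x40, "some.host.name", pin));
    return 0;
}
```

       Keeping the decision in a pure function separates what neon reports from what the application is willing to accept, and makes the policy testable without a TLS server. The pin here is on the leaf certificate only, so rotating the server certificate means updating the pin; that is the trade-off pinning makes against an untrusted CA.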
       ne_ssl_certificate(3), ne_ssl_load_ca(3), ne_ssl_dname(3), ne_ssl_readable_dname(3)

AUTHOR
       Joe Orton <neon@webdav.org>.

neon 0.23.5                                                   8 October 2002                                                   NE_SSL_SET_VERIFY(3)


NE_SSL_CERT_IDENTITY(3) 					neon API reference					   NE_SSL_CERT_IDENTITY(3)

NAME
       ne_ssl_cert_identity, ne_ssl_cert_signedby, ne_ssl_cert_issuer, ne_ssl_cert_subject - functions to access certificate properties

SYNOPSIS
       #include <ne_ssl.h>

       const char *ne_ssl_cert_identity(const ne_ssl_certificate *cert);

       const ne_ssl_certificate *ne_ssl_cert_signedby(const ne_ssl_certificate *cert);

       const ne_ssl_dname *ne_ssl_cert_subject(const ne_ssl_certificate *cert);

       const ne_ssl_dname *ne_ssl_cert_issuer(const ne_ssl_certificate *cert);

DESCRIPTION
       The function ne_ssl_cert_identity retrieves the "identity" of a certificate; for an SSL server certificate, this will be the hostname for which the certificate was issued. In PKI parlance, the identity is the common name attribute of the distinguished name of the certificate subject. (When neon matches the session hostname against a server certificate it also honours subjectAltName dNSName entries, so the common name is not the only name a certificate may carry.)

       The functions ne_ssl_cert_subject and ne_ssl_cert_issuer can be used to access the objects representing the distinguished name of the subject and of the issuer of a certificate, respectively.

       If a certificate object is part of a certificate chain, then ne_ssl_cert_signedby can be used to find the certificate which signed a particular certificate. For a self-signed certificate, or a certificate for which the full chain is not available, this function will return NULL. Walking the chain by calling ne_ssl_cert_signedby repeatedly therefore always terminates, either at the root or at the first missing link; a NULL returned for a certificate which is not self-signed means the chain is incomplete, not that the certificate is trusted.

RETURN VALUE
       ne_ssl_cert_issuer and ne_ssl_cert_subject are guaranteed to never return NULL. ne_ssl_cert_identity may return NULL if the certificate has no specific "identity". ne_ssl_cert_signedby may return NULL as covered above.

EXAMPLES
       The following function could be used to display information about a given certificate. The strings returned by ne_ssl_readable_dname are allocated and must be freed by the caller:

       #include <stdio.h>
       #include <stdlib.h>
       #include <ne_ssl.h>

       void dump_cert(const ne_ssl_certificate *cert)
       {
          const char *id = ne_ssl_cert_identity(cert);
          char *dn;

          if (id)
             printf("Certificate was issued for '%s'.\n", id);

          dn = ne_ssl_readable_dname(ne_ssl_cert_subject(cert));
          printf("Subject: %s\n", dn);
          free(dn);

          dn = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert));
          printf("Issuer: %s\n", dn);
          free(dn);
       }

SEE ALSO
       ne_ssl_cert_cmp, ne_ssl_readable_dname

AUTHOR
       Joe Orton <neon@lists.manyfish.co.uk>
           Author.

COPYRIGHT

neon 0.30.0                                                   31 July 2013                                                   NE_SSL_CERT_IDENTITY(3)