A foreign pointer of type
ssl-pointer
or
ssl-ctx-pointer
.
:server
or
:client
.
An integer, one of the symbols
:never
,
:always
,
:once
, or a list of keywords.
A foreign function.
The function
set-verification-mode
sets the verification mode for CTX according to arguments
ssl-side
and
mode
.
When
ssl-side
is
:server
,
mode
can be:
mode
is passed directly to
SSL_set_verify
or
SSL_CTX_set_verify
.
The server will not send a client certificate request to the client, so the client will not send a certificate.
The server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure.
Same as
:always
except that the client certificate is checked only on the initial TLS/SSL handshake, and not again in case of renegotiation.
The list contains (some of) the keywords
:verify-client-once
,
:verify-peer
and :
fail-if-no-peer-cert
. These keywords map to the corresponding C constants
VERIFY_CLIENT_ONCE
,
VERIFY_PEER
and
FAIL_IF_NO_PEER_CERT
respectively. See the manual entry for
SSL_CTX_set_verify
for the meaning of the constants.
When
ssl-side
is
:client
,
mode
can be:
mode
is passed directly as for
ssl-side
:server
.
If not using an anonymous cipher, the server will send a certificate which will be checked by the client. The handshake will be continued regardless of the verification result.
The server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent because an anonymous cipher is used, verification is ignored.
The list contains keywords as described above for
ssl-side
:server
.
If non-nil
callback
should be a symbol, function, string or foreign pointer designating a foreign function that is called to perform verification. The default value of
callback
is
nil
.