All Manuals > LispWorks® User Guide and Reference Manual > 32 The COMM Package

set-verification-mode Function

Summary

Sets the verification mode for ssl-ctx.

Package

comm

Signature

set-verification-mode ssl-ctx ssl-side mode &optional callback

Arguments
ssl-ctx
A foreign pointer of type ssl-pointer, ssl-ctx-pointer or ssl-context-ref.
ssl-side
:server or :client.
mode
An integer, one of the keywords :never, :always or :once (:once is valid only when ssl-side is :server), or a list of keywords.
callback
nil (the default), or a symbol, function, string or foreign pointer designating a foreign function.

Description

The function set-verification-mode sets the verification mode for ssl-ctx according to ssl-side and mode.

When ssl-side is :server, mode can be:

An integer
mode is passed directly to SSL_set_verify or SSL_CTX_set_verify.
:never
The server will not send a client certificate request to the client, so the client will not send a certificate.
:always
The server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. A client that sends no certificate at all is not rejected by this mode; to require a client certificate, use the list form with :verify-peer and :fail-if-no-peer-cert.
:once
Same as :always except that the client certificate is checked only on the initial TLS/SSL handshake, and not again in case of renegotiation.
A list
The list contains (some of) the keywords :verify-client-once, :verify-peer and :fail-if-no-peer-cert, which map to the OpenSSL constants SSL_VERIFY_CLIENT_ONCE, SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT respectively. See the manual entry for SSL_CTX_set_verify for the meaning of the constants. :fail-if-no-peer-cert and :verify-client-once modify the behaviour of :verify-peer and have no effect without it, so a list that is meant to require a client certificate must contain both :verify-peer and :fail-if-no-peer-cert.

When ssl-side is :client, mode can be:

An integer
mode is passed directly as for ssl-side :server.
:never
If not using an anonymous cipher, the server will send a certificate which will be checked by the client. The handshake will be continued regardless of the verification result, so the server is not authenticated and the client is open to impersonation; this mode should be confined to testing.
:always
The server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent because an anonymous cipher is used, verification is ignored.
A list
The list contains keywords as described above for ssl-side :server.

If non-nil, callback should be a symbol, function, string or foreign pointer designating a foreign function that is called to perform verification. It corresponds to the verify_callback argument of SSL_CTX_set_verify and is invoked for each certificate in the peer's chain with the result of OpenSSL's own check. The default value of callback is nil. A callback that unconditionally returns 1 accepts every certificate regardless of that result and so disables verification even when mode is :always.
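The following is an added example, not code from the LispWorks manual, showing the server-side and client-side modes above together with a verification callback. It assumes that the context is handed to the configure functions through the :ctx-configure-callback keyword of comm:open-tcp-stream or comm:start-up-server, that comm:ssl-ctx-load-verify-locations wraps OpenSSL's SSL_CTX_load_verify_locations, and that the OpenSSL library COMM has loaded exports X509_STORE_CTX_get_error and X509_STORE_CTX_get_error_depth; none of those names appear on this page. The helper verify-mode-integer and the constant names are also this example's own.

```lisp
;;; Added example; not code from the LispWorks manual.
;;; Assumptions (not on this page): the context reaches the configure
;;; functions via the :ctx-configure-callback keyword of
;;; comm:open-tcp-stream / comm:start-up-server, and
;;; comm:ssl-ctx-load-verify-locations wraps SSL_CTX_load_verify_locations.
;;; The X509_STORE_CTX accessors are declared here with FLI against the
;;; OpenSSL library that COMM has already loaded.

(in-package "CL-USER")

;;; SSL_VERIFY_* bit values from openssl/ssl.h. The integer form of MODE is
;;; handed straight to SSL_CTX_set_verify, so this is what the list form means.
(defconstant +ssl-verify-none+ 0)
(defconstant +ssl-verify-peer+ 1)
(defconstant +ssl-verify-fail-if-no-peer-cert+ 2)
(defconstant +ssl-verify-client-once+ 4)

(defun verify-mode-integer (keywords)
  "Translate the list form of MODE into the integer OpenSSL expects.
:fail-if-no-peer-cert and :verify-client-once only modify :verify-peer,
so a list using them without :verify-peer is almost certainly a mistake."
  (when (and (intersection '(:fail-if-no-peer-cert :verify-client-once) keywords)
             (not (member :verify-peer keywords)))
    (error "~S has no effect without :verify-peer" keywords))
  (reduce #'logior
          (mapcar (lambda (k)
                    (ecase k
                      (:verify-peer +ssl-verify-peer+)
                      (:fail-if-no-peer-cert +ssl-verify-fail-if-no-peer-cert+)
                      (:verify-client-once +ssl-verify-client-once+)))
                  keywords)
          :initial-value +ssl-verify-none+))

;;; OpenSSL accessors used by the callback to report what failed (assumed
;;; to be resolvable in the loaded OpenSSL library).
(fli:define-foreign-function (x509-store-ctx-get-error "X509_STORE_CTX_get_error")
    ((store-ctx :pointer))
  :result-type :int)
(fli:define-foreign-function (x509-store-ctx-get-error-depth "X509_STORE_CTX_get_error_depth")
    ((store-ctx :pointer))
  :result-type :int)

;;; The verify_callback of SSL_CTX_set_verify:
;;;   int cb(int preverify_ok, X509_STORE_CTX *ctx)
;;; OpenSSL calls it once per certificate in the chain. It logs failures and
;;; returns PREVERIFY-OK unchanged: returning 1 unconditionally would accept
;;; any certificate and silently turn :always into :never.
(fli:define-foreign-callable ("lisp_verify_callback" :result-type :int)
    ((preverify-ok :int)
     (store-ctx :pointer))
  (when (zerop preverify-ok)
    (format *error-output* "~&TLS verify failed: X509 error ~D at chain depth ~D~%"
            (x509-store-ctx-get-error store-ctx)
            (x509-store-ctx-get-error-depth store-ctx)))
  preverify-ok)

(defun configure-client-ctx (ctx)
  "Client side: the server certificate must chain to the CA bundle or the
handshake is aborted. :never would let the handshake succeed against any
server, so it has no place outside a test harness."
  ;; Assumed wrapper of SSL_CTX_load_verify_locations (CAfile, no CApath).
  (comm:ssl-ctx-load-verify-locations ctx "/etc/ssl/certs/ca-certificates.crt" nil)
  (comm:set-verification-mode ctx :client :always "lisp_verify_callback"))

(defun configure-server-ctx (ctx)
  "Server side: mutual TLS. :always alone checks the client certificate
only 'if any' is sent, so :fail-if-no-peer-cert is needed to require one.
The list is converted to its integer equivalent (7) to show that the two
forms are interchangeable; passing the list itself does the same. The
server's own certificate and key are loaded elsewhere."
  (let ((mode '(:verify-peer :fail-if-no-peer-cert :verify-client-once)))
    (comm:set-verification-mode ctx :server (verify-mode-integer mode)
                                "lisp_verify_callback")))
```

Install configure-client-ctx or configure-server-ctx as the context-configuration callback of the stream or server you create, and read the resulting setting back with get-verification-mode (see below) when debugging. The callback deliberately never widens what OpenSSL accepted: it only observes and logs, which is the safe pattern unless you are implementing your own pinning logic on top of the chain check.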

See also

get-verification-mode
25 TCP and UDP socket communication and SSL


LispWorks® User Guide and Reference Manual - 01 Dec 2021 19:30:26