SSL_get_verify_result.3ossl - Man Page

get result of peer certificate verification

Synopsis

 #include <openssl/ssl.h>

 long SSL_get_verify_result(const SSL *ssl);

Description

SSL_get_verify_result() returns the result of the verification of the X509 certificate presented by the peer, if any.

Notes

SSL_get_verify_result() can only return one error code while the verification of a certificate can fail because of many reasons at the same time. Only the last verification error that occurred during the processing is available from SSL_get_verify_result().

Sometimes there can be a sequence of errors leading to the verification failure as reported by SSL_get_verify_result(). To get the errors, it is necessary to setup a verify callback via SSL_CTX_set_verify(3) or SSL_set_verify(3) and retrieve the errors from the error stack there, because once SSL_connect(3) returns, these errors may no longer be available.

The verification result is part of the established session and is restored when a session is reused.

Bugs

If no peer certificate was presented, the returned result code is X509_V_OK. This is because no verification error occurred, it does however not indicate success. SSL_get_verify_result() is only useful in connection with SSL_get_peer_certificate(3).

Return Values

The following return values can currently occur:

X509_V_OK

The verification succeeded or no peer certificate was presented.

Any other value

Documented in openssl-verify(1).

See Also

ssl(7), SSL_set_verify_result(3), SSL_get_peer_certificate(3), openssl-verify(1)

Referenced By

ossl-guide-tls-client-block.7ossl(7), SSL_CTX_dane_enable.3ossl(3), SSL_CTX_set_cert_verify_callback.3ossl(3), SSL_CTX_set_ct_validation_callback.3ossl(3), SSL_CTX_set_verify.3ossl(3), SSL_get0_peer_rpk.3ossl(3), SSL_get_peer_certificate.3ossl(3), SSL_set1_host.3ossl(3), SSL_set_verify_result.3ossl(3), X509_check_host.3ossl(3).

2024-03-07 3.2.1 OpenSSL