SSL_set_retry_verify.3ossl - Man Page

indicate that certificate verification should be retried


 #include <openssl/ssl.h>

 int SSL_set_retry_verify(SSL *ssl);


SSL_set_retry_verify() should be called from the certificate verification callback on a client when the application wants to indicate that the handshake should be suspended and the control should be returned to the application. SSL_want_retry_verify(3) will return 1 as a consequence until the handshake is resumed again by the application, retrying the verification step.

Please refer to SSL_CTX_set_cert_verify_callback(3) for further details.


The effect of calling SSL_set_retry_verify() outside of the certificate verification callback on the client side is undefined.

Return Values

SSL_set_retry verify() returns 1 on success, 0 otherwise.


The following code snippet shows how to obtain the SSL object associated with the X509_STORE_CTX to call the SSL_set_retry_verify() function:

    int idx = SSL_get_ex_data_X509_STORE_CTX_idx();
    SSL *ssl;

    /* this should not happen but check anyway */
    if (idx < 0
        || (ssl = X509_STORE_CTX_get_ex_data(ctx, idx)) == NULL) 
        return 0;

    if (/* we need to retry verification callback */)
        return SSL_set_retry_verify(ssl);

    /* do normal processing of the verification callback */

See Also

ssl(7), SSL_connect(3), SSL_CTX_set_cert_verify_callback(3), SSL_want_retry_verify(3)


SSL_set_retry_verify() was added in OpenSSL 3.0.2 to replace backwards incompatible handling of a negative return value from the verification callback.

Referenced By

SSL_CTX_set_cert_verify_callback.3ossl(3), SSL_CTX_set_verify.3ossl(3), SSL_want.3ossl(3).

2024-02-09 3.2.1 OpenSSL