gtpc1m5x | Transmission Control Protocol/Internet Protocol |
The SSL_get_verify_result function returns the result of the
remote peer certificate validation.
Format
#include <openssl/ssl.h>
long SSL_get_verify_result(SSL *ssl);
- ssl
- A pointer to a token returned on the SSL_new call
Normal Return
Returns one of the following values:
- X509_V_OK
- The certificate was valid or no certificate was provided. Use the
SSL_get_peer_certificate function to determine whether the
certificate was provided or not.
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
- Unable to find the certificate for one of the certificate authorities
(CAs) in the signing hierarchy and that CA is not trusted by the local
application.
- X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
- Unable to decrypt the signature of the certificate.
- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
- The public key in the certificate could not be read.
- X509_V_ERR_CERT_SIGNATURE_FAILURE
- The signature of the certificate is not valid.
- X509_V_ERR_CERT_NOT_YET_VALID
- The certificate is not valid until a date in the future.
- X509_V_ERR_CERT_HAS_EXPIRED
- The certificate has expired.
- X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
- There is a format error in the notBefore field of the certificate.
- X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
- There is a format error in the notAfter field of the certificate.
- X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
- The passed certificate is self-signed and the same certificate cannot be
found in the list of trusted certificates.
- X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
- A self-signed certificate exists in the certificate chain. The
certificate chain could be built up using the untrusted certificates, but the
root CA could not be found locally.
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
- The issuer certificate of a locally looked up certificate could not be
found. This normally means that the list of trusted certificates is not
complete.
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- No signatures could be verified because the certificate chain contains
only one certificate, it is not self-signed, and the issuer is not
trusted.
- X509_V_ERR_INVALID_CA
- A CA certificate is not valid because it is not a CA or its extensions are
not consistent with the intended purpose.
- X509_V_ERR_PATH_LENGTH_EXCEEDED
- The basicConstraints pathlength parameter was exceeded.
- X509_V_ERR_INVALID_PURPOSE
- The certificate that was provided cannot be used for its intended
purpose.
- X509_V_ERR_CERT_UNTRUSTED
- The root CA is not marked as trusted for its intended purpose.
- X509_V_ERR_CERT_REJECTED
- The root CA is marked to reject the purpose specified.
- X509_V_ERR_SUBJECT_ISSUER_MISMATCH
- The issuer certificate was rejected because its subject name did not match
the issuer name of the current certificate.
- X509_V_ERR_AKID_SKID_MISMATCH
- The issuer certificate was rejected because its subject key identifier was
present and did not match the authority key identifier of the current
certificate.
- X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
- The issuer certificate was rejected because its issuer name and serial
number were present and did not match the authority key identifier of the
current certificate.
- X509_V_ERR_KEYUSAGE_NO_CERTSIGN
- The issuer certificate was rejected because its keyUsage extension does
not permit certificate signing.
- X509_V_ERR_CERT_REVOKED
- The certificate was revoked by the issuer.
Error Return
None.
Programming Considerations
Client applications that have a verify mode of SSL_VERIFY_NONE must use the
SSL_get_verify_result function to determine whether the certificate
for the server application is valid or not.
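The following added example (not part of the original documentation or the TPF sample applications) shows a fail-closed check that combines SSL_get_verify_result with SSL_get_peer_certificate, because X509_V_OK is also returned when no certificate was provided. The names decide_peer, check_server, the peer_decision values and the USE_OPENSSL build macro are hypothetical; the numeric fallbacks used for a stand-alone build are assumed to match the values in the OpenSSL x509_vfy.h header.

```c
#include <stdio.h>
#ifdef USE_OPENSSL  /* real build: add -DUSE_OPENSSL and link the SSL library */
#include <openssl/ssl.h>
#else               /* stand-alone build: assumed values, as in x509_vfy.h */
#define X509_V_OK 0
#define X509_V_ERR_CERT_NOT_YET_VALID 9
#define X509_V_ERR_CERT_HAS_EXPIRED 10
#define X509_V_ERR_CERT_REVOKED 23
#endif

/* Hypothetical outcome names for this example; not part of the SSL API. */
enum peer_decision { PEER_ACCEPT, PEER_NO_CERT, PEER_BAD_VALIDITY,
                     PEER_REVOKED, PEER_UNTRUSTED };

/* Fail-closed policy over the two facts that have to be combined. */
enum peer_decision decide_peer(int cert_present, long verify_result)
{
    if (!cert_present)  /* X509_V_OK is also returned when no cert was sent */
        return PEER_NO_CERT;
    switch (verify_result) {
    case X509_V_OK:
        return PEER_ACCEPT;
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_CERT_HAS_EXPIRED:
        return PEER_BAD_VALIDITY;
    case X509_V_ERR_CERT_REVOKED:
        return PEER_REVOKED;
    default:            /* every other code, known or not, is a rejection */
        return PEER_UNTRUSTED;
    }
}

#ifdef USE_OPENSSL
/* Call once the handshake has completed on an SSL_VERIFY_NONE client. */
enum peer_decision check_server(SSL *ssl)
{
    X509 *cert = SSL_get_peer_certificate(ssl);
    int present = (cert != NULL);
    if (cert != NULL)
        X509_free(cert);  /* release the reference returned above */
    return decide_peer(present, SSL_get_verify_result(ssl));
}
#endif

int main(void)
{
    /* Constructed inputs: no certificate, then an expired certificate. */
    printf("%d %d\n", decide_peer(0, X509_V_OK),
           decide_peer(1, X509_V_ERR_CERT_HAS_EXPIRED));
    return 0;
}
```

The client should close the session unless check_server returns PEER_ACCEPT; the other values exist only so that the reason can be logged.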
Examples
For sample SSL applications, go to http://www.ibm.com/tpf/pubs/tpfpubs.htm,
click SSL for the TPF 4.1 System: An Online User's
Guide, and click Examples from the left navigation
bar.
Related Information