This optional parameter specifies a Perl function that is called when verification of the peer certificate fails. It is passed the certificate (if present) and various other details about the failure. The peer certificate $cert is not always present: a policy OID mismatch, for example, is reported without a certificate, so the hook must cope with an undefined $cert.

Note: This parameter is currently available only for servers such as ServerRADSEC.
TLS_CertificateVerifyFailedHook is passed the following arguments:

$_[0]: $verify_error
    The OpenSSL store context verification error code (an X509_V_ERR_* value, for example 10 for X509_V_ERR_CERT_HAS_EXPIRED).
$_[1]: $x509_store_ctx
    The OpenSSL store context.
$_[2]: $cert
    The certificate currently being verified. May be undefined.
$_[3]: $subject_name
    The subject name of the certificate. Undefined when $cert is undefined.
$_[4]: $subject
    The certificate subject. Undefined when $cert is undefined.
$_[5]: $object
    The Stream object created for this connection.
TLS_CertificateVerifyFailedHook must return a single value. This value is used as an OpenSSL error code to set the verify result as follows:
- > 0: Non-zero error code. This becomes the new verification result code. Returning $verify_error unchanged keeps the original failure.
- 0: Changes the verification failure into verification success.
- < 0: The verification process is stopped immediately in the "verification failed" state.
- Undefined: Handled as the OpenSSL error X509_V_ERR_APPLICATION_VERIFICATION.
Here are examples of using TLS_CertificateVerifyFailedHook. The first, commented out, returns 0 for every failure and therefore accepts any certificate; the second turns only the expiry error into success and returns every other error code unchanged.

<ServerRADSEC>
...
# Accept all certificates (disables peer certificate verification entirely)
# TLS_CertificateVerifyFailedHook sub { return 0; }
# Allow expired certificates only: 10 is X509_V_ERR_CERT_HAS_EXPIRED.
# Any other verification error is returned unchanged and still fails.
TLS_CertificateVerifyFailedHook sub { \
    if ($_[0] == 10) { return 0; } else { return $_[0]; } }
</ServerRADSEC>
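The inline hook above tolerates an expired certificate from any peer, for any length of time, at any depth of the chain. A narrower hook is shown below as an added example (it is not part of the Radiator manual or of Radiator itself). It lives in its own file, loaded with Radiator's general file:"..." hook syntax, and turns the expiry failure into success only for a listed subject, only for the leaf certificate, and only within a grace period after notAfter; everything else keeps the original OpenSSL error. The allow-listed subject string and the grace period are constructed for the example, the one-line "/C=.../O=.../CN=..." form of $subject_name is an assumption, and the Net::SSLeay calls used to read notAfter and the error depth (X509_get_notAfter, P_ASN1_TIME_get_isotime, X509_STORE_CTX_get_error_depth) are assumed to be present in the installed Net::SSLeay, on which Radiator's TLS support is built.

```perl
# verifyfailed.pl: loaded from the Radiator configuration with
#   TLS_CertificateVerifyFailedHook file:"%D/verifyfailed.pl"
# Added example, not Radiator's own code. Accepts an expired peer certificate
# only when it is the leaf certificate, its subject is on an explicit allow
# list, and it expired less than a grace period ago. Every other failure keeps
# the original OpenSSL error, so nothing else is silently accepted.
sub {
    my ($verify_error, $x509_store_ctx, $cert, $subject_name, $subject, $object) = @_;

    # OpenSSL verify error code handled here (value from openssl/x509_vfy.h)
    my $X509_V_ERR_CERT_HAS_EXPIRED = 10;

    # Assumed site policy, not Radiator parameters: which peers may present an
    # expired certificate and for how long after notAfter. The subject string
    # is constructed for this example and assumes the usual one-line form.
    my $grace_seconds = 7 * 24 * 3600;
    my %allow_expired = map { $_ => 1 } (
        '/C=FI/O=Example Org/CN=radsec1.example.com',
    );

    # Some failures (for example a policy OID mismatch) arrive without a
    # certificate. There is nothing to inspect, so keep the failure.
    unless (defined $cert) {
        &main::log($main::LOG_WARNING,
            "TLS peer verification failed with error $verify_error and no certificate");
        return $verify_error;
    }

    # Only the expiry error is eligible for override. Unknown CA, bad
    # signature and every other code are returned unchanged and still fail.
    # Returning -1 here instead would stop verification immediately.
    if ($verify_error != $X509_V_ERR_CERT_HAS_EXPIRED) {
        &main::log($main::LOG_WARNING,
            "TLS peer verification failed for $subject_name: error $verify_error");
        return $verify_error;
    }

    require Net::SSLeay;
    require Time::Local;

    # The hook runs once per certificate in the chain. Never excuse an expired
    # intermediate or root (depth > 0); only the peer's own certificate
    # (depth 0) is a candidate. Assumption: this Net::SSLeay accessor exists.
    my $depth = Net::SSLeay::X509_STORE_CTX_get_error_depth($x509_store_ctx);
    return $verify_error if $depth != 0;

    # Expired, but not a peer we have agreed to tolerate: keep the failure.
    return $verify_error unless $allow_expired{$subject_name};

    # Read notAfter as an ISO 8601 string such as 2024-01-31T12:00:00Z.
    # Assumption: P_ASN1_TIME_get_isotime is available in this Net::SSLeay.
    my $not_after = Net::SSLeay::P_ASN1_TIME_get_isotime(
        Net::SSLeay::X509_get_notAfter($cert));
    my ($y, $mo, $d, $h, $mi, $s) =
        $not_after =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)/;
    unless (defined $y) {
        &main::log($main::LOG_ERR,
            "Could not parse notAfter '$not_after' for $subject_name");
        return $verify_error;
    }
    my $expired_at = Time::Local::timegm($s, $mi, $h, $d, $mo - 1, $y);
    my $overdue    = time() - $expired_at;

    if ($overdue > $grace_seconds) {
        &main::log($main::LOG_WARNING,
            "Certificate for $subject_name expired $overdue seconds ago, beyond the grace period");
        return $verify_error;
    }

    # Leaf certificate of an allowed peer, within the grace window: turn this
    # one failure into success, and log it so the override never goes unnoticed.
    &main::log($main::LOG_WARNING,
        "Accepting expired certificate for $subject_name ($overdue seconds past notAfter)");
    return 0;
}
```

The three decisions that matter for safety are visible in the order of the checks: the hook returns $verify_error unchanged for any error other than expiry, refuses to excuse anything above depth 0 so an expired intermediate CA cannot slip through, and logs every override at warning level so the temporary exception shows up in operations and can be removed once the peer has renewed its certificate.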
Note: This parameter weakens TLS peer authentication if it is not used carefully: a hook that returns 0 unconditionally accepts every certificate, and a hook that overrides an error for any certificate in the chain also excuses expired or otherwise invalid CA certificates. Use it only in special cases, return $verify_error unchanged for every failure the hook does not explicitly intend to accept, and log each override.