This optional parameter specifies a Perl function that is called
for custom verification of the peer certificate. It is passed the
certificate and various other details, and returns 0 for verification
success, a new verification result code or < 0 for a failure, or an
undefined value to continue Radiator's built-in certificate verification.
Note
This parameter is currently available only for servers such as
ServerRADSEC.
The function is passed the following arguments:
$_[0]: $hostname; for servers such as ServerRADSEC, this is the peer's IP address
$_[1]: $x509_store_ctx, the OpenSSL store context (you can pass this to Net::SSLeay::X509_STORE_CTX_get_current_cert)
$_[2]: $cert, the current certificate, result of Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx)
$_[3]: $subject_name, the certificate's subject name, result of Net::SSLeay::X509_get_subject_name($cert)
$_[4]: $subject, the certificate subject, result of Net::SSLeay::X509_NAME_oneline($subject_name)
$_[5]: $object, the Stream object created for this connection
<ServerRADSEC>
    ...
    # Accept immediately all certificates with O='OSC Demo Certificates'.
    # Returning undef (bare return) continues with the built-in verification.
    TLS_CertificateVerifyHook sub { my $subject = $_[4]; \
        my ($org) = $subject =~ /O=([^\/]*)/; \
        return unless defined $org && $org eq 'OSC Demo Certificates'; \
        return 0; }
</ServerRADSEC>
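
The hook's argument order and return values, exercised outside Radiator as an added example (not Radiator's own code): it matches the O attribute as a whole component of the one-line subject rather than anywhere in the string. The name verify_hook, the peer address and the sample subjects are constructed for illustration; the hook still works on the text form in $_[4], while $_[3] carries the parsed subject name for attribute-level access.

```perl
#!/usr/bin/perl
# Added example, not Radiator code. Runs stand-alone with core Perl only.
use strict;
use warnings;

my $ALLOWED_ORG = 'OSC Demo Certificates';    # value from the page's example

# Hook body following the documented contract: arguments arrive in @_,
# return 0 to accept, undef to continue with the built-in verification.
# verify_hook is a hypothetical name; in Radiator the sub is given inline.
sub verify_hook {
    my ($hostname, $x509_store_ctx, $cert, $subject_name, $subject, $object) = @_;
    return unless defined $subject;

    # X509_NAME_oneline output looks like /C=../O=../CN=..; split on '/' and
    # keep only components whose attribute type is exactly 'O'.
    my @orgs = map { /\AO=(.*)\z/s ? $1 : () } split m{/}, $subject;

    # Require exactly one O component and an exact, whole-value match.
    return unless @orgs == 1 && $orgs[0] eq $ALLOWED_ORG;
    return 0;
}

# Constructed one-line subjects (not taken from real certificates).
my @cases = (
    [ '/C=AU/O=OSC Demo Certificates/CN=radsec1.example.com',     'accept'   ],
    [ '/C=AU/O=Another Org/CN=radsec2.example.com',               'continue' ],
    [ '/C=AU/CN=radsec3.example.com',                             'continue' ],
    [ '/C=AU/O=OSC Demo Certificates Ltd/CN=radsec4.example.com', 'continue' ],
    [ '/C=AU/CN=O=OSC Demo Certificates',                         'continue' ],  # "O=" text inside the CN value
);

for my $case (@cases) {
    my ($subject, $expected) = @$case;
    # 192.0.2.10 is a documentation address standing in for the peer's IP.
    my $rc  = verify_hook('192.0.2.10', undef, undef, undef, $subject, undef);
    my $got = (defined $rc && $rc == 0) ? 'accept' : 'continue';
    printf "%-8s %-8s %s\n", ($got eq $expected ? 'ok' : 'MISMATCH'), $got, $subject;
}
```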