TLS_CONFIG_VERIFY(3) | Library Functions Manual | TLS_CONFIG_VERIFY(3) |
tls_config_verify
,
tls_config_insecure_noverifycert
,
tls_config_insecure_noverifyname
,
tls_config_insecure_noverifytime
—
insecure TLS configuration
#include
<tls.h>
void
tls_config_verify
(struct
tls_config *config);
void
tls_config_insecure_noverifycert
(struct
tls_config *config);
void
tls_config_insecure_noverifyname
(struct
tls_config *config);
void
tls_config_insecure_noverifytime
(struct
tls_config *config);
These functions disable parts of the normal certificate verification process, resulting in insecure configurations. Be very careful when using them.
tls_config_insecure_noverifycert
()
disables certificate verification and OCSP validation.
tls_config_insecure_noverifyname
()
disables server name verification (client only).
tls_config_insecure_noverifytime
()
disables validity checking of certificates and OCSP validation.
tls_config_verify
()
reenables server name and certificate verification.
tls_client(3), tls_config_ocsp_require_stapling(3), tls_config_set_protocols(3), tls_conn_version(3), tls_connect(3), tls_handshake(3), tls_init(3)
tls_config_verify
() appeared in
OpenBSD 5.6 and got its final name in
OpenBSD 5.7.
tls_config_insecure_noverifycert
() and
tls_config_insecure_noverifyname
() appeared in
OpenBSD 5.7 and
tls_config_insecure_noverifytime
in
OpenBSD 5.9.
Joel Sing
<jsing@openbsd.org>
Ted Unangst
<tedu@openbsd.org>
March 2, 2017 | x86_64 |