3.10.38. EAPTLS_CertificateVerifyFailedHook

EAPTLS_CertificateVerifyFailedHook specifies a Perl function that is called if the certificate cannot be verified. It is an optional parameter and is used with EAP-TLS authentication. It is passed the certificate (if present) and various other details.
The peer certificate $cert is not always present; an example of such a case is a policy OID mismatch.
EAPTLS_CertificateVerifyFailedHook is passed the following arguments:
  • $_[0]: $verify_error
    This is the EAP SSLEAY store context verification code.
  • $_[1]: $x509_store_ctx
    This is the EAP SSLEAY store context.
  • $_[2]: $cert
    This is the current certificate. May be undefined.
  • $_[3]: $subject_name
    This is the certificate's subject name. Undefined when $cert is undefined.
  • $_[4]: $subject
    This is the certificate subject. Undefined when $cert is undefined.
  • $_[5]: $p
    This is the current Radius::Radius request.
EAPTLS_CertificateVerifyFailedHook must return a single value. This value is used as an OpenSSL error code to set the verify result code as follows:
  • > 0: Non-zero error code
    This is a new verification result code.
  • 0
    This changes verification failure to verification success.
  • < 0
    The verification process is immediately stopped with "verification failed" state.
  • Undefined
    This is handled as an OpenSSL error X509_V_ERR_APPLICATION_VERIFICATION.
Here is an example of using EAPTLS_CertificateVerifyFailedHook. This configuration accepts all certificates, so any additional authorisation must be done later.
EAPTLS_CertificateVerifyFailedHook sub { return 0; }
The following example allows expired certificates; 10 is the numeric value of OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED.
EAPTLS_CertificateVerifyFailedHook sub { \
                if ($_[0] == 10) { return 0; } else { return $_[0]; } }
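A narrower variant of the expired-certificate hook, added here as an example and not taken from the Radiator manual: it tolerates only X509_V_ERR_CERT_HAS_EXPIRED, only for subjects matching an operator-chosen pattern, logs every override, and passes every other error code through unchanged. It assumes the hook is loaded from a file (Radiator's file:"path" hook form), that $subject_name is in OpenSSL's one-line "/C=.../O=.../CN=..." format, and that &main::log with $main::LOG_WARNING is available to hooks; the organisation name is a placeholder.

```perl
# Added example; not part of the Radiator manual or distribution.
# Referenced from the configuration as, for example:
#   EAPTLS_CertificateVerifyFailedHook file:"%D/verifyfailed.pl"
sub {
    my ($verify_error, $x509_store_ctx, $cert, $subject_name, $subject, $p) = @_;

    # 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED (from the manual text).
    my $CERT_HAS_EXPIRED = 10;

    # Constructed placeholder: only subjects from this organisation may be
    # accepted with an expired certificate.
    my $allowed_subject = qr{/O=Example Org/};

    # Without a certificate there is nothing to inspect (e.g. a policy OID
    # mismatch), so keep the original error code and let verification fail.
    return $verify_error unless defined $cert;

    if ($verify_error == $CERT_HAS_EXPIRED && $subject_name =~ $allowed_subject) {
        # Assumed logging API, as used in other Radiator hook examples.
        &main::log($main::LOG_WARNING,
                   "EAP-TLS: accepting expired certificate for $subject_name");
        return 0;   # expiry only: turn this one failure into success
    }

    # Any other error (untrusted issuer, revoked, wrong purpose, ...) and any
    # expired certificate outside the allowed subjects keep their error code.
    return $verify_error;
}
```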
Note
This parameter may cause security issues if not used properly. Use it only in special cases.