SO_SSL_GET_AUTH_CERT_HOOK/SO_SSL_SET_AUTH_CERT_HOOK

This WSAIoctl command is used to get/set the certificate authentication hook that SSL will use for the socket. The lpvInBuffer points to the following structure:

struct sslauthcertopts {
    int type;
    int (*func)(void *arg, char *cert, int len);
    void *arg;
};

The SSL implementation will invoke the function with the supplied argument when a certificate arrives (either for server or client authentication). Only certificates whose type matches the type member will be authenticated using this function (see the SSL specification for a list of the supported certificate types). If no function exists for a given certificate type presented to the SSL implementation, the connection/handshake attempt will fail. Otherwise, the function authenticates the certificate and returns one of the following values:

#define SSL_ACH_OK                 0
#define SSL_ACH_WEAK_OK            1
#define SSL_ACH_SHORT_DATA         2
#define SSL_ACH_LONG_DATA          3
#define SSL_ACH_BAD_DATA           4
#define SSL_ACH_BAD_SIG            5
#define SSL_ACH_CERT_EXPIRED       6

The SSL_ACH_OK value is returned when the certificate is good (the signature and validity periods are acceptable) and when the certificate has been verified through some external mechanism (for example, an online check with a certificate authority). The SSL_ACH_WEAK_OK value is returned under the same circumstances, except that no online verification has been performed.

The remaining values represent the kind of error conditions that might occur during certificate verification. SSL_ACH_BAD_DATA is returned when the data presented is improperly formatted. SSL_ACH_BAD_SIG is returned if the signature check fails. SSL_ACH_CERT_EXPIRED is returned if the certificate has expired.
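The following is an added, portable illustration of the hook contract described above; it is not code from the Windows Sockets SSL specification and does not call WSAIoctl. It simulates the SSL side (a table of per-type hooks, the "no hook for this type means the handshake fails" rule, and acceptance only on SSL_ACH_OK or SSL_ACH_WEAK_OK) against a sample hook that checks a constructed toy certificate layout; the hook_ctx structure, the toy layout, and the meanings assigned to SSL_ACH_SHORT_DATA and SSL_ACH_LONG_DATA are assumptions of this example.

```c
#include <stdint.h>

/* Return codes exactly as the page lists them. */
#define SSL_ACH_OK           0
#define SSL_ACH_WEAK_OK      1
#define SSL_ACH_SHORT_DATA   2
#define SSL_ACH_LONG_DATA    3
#define SSL_ACH_BAD_DATA     4
#define SSL_ACH_BAD_SIG      5
#define SSL_ACH_CERT_EXPIRED 6

struct sslauthcertopts {
    int type;
    int (*func)(void *arg, char *cert, int len);
    void *arg;
};

/* Constructed toy certificate, not a real encoding: byte 0 = type, bytes 1..4 =
 * notAfter (big-endian seconds), byte 5 = XOR of bytes 0..4 standing in for a signature. */
#define TOY_CERT_LEN 6
struct hook_ctx { uint32_t now; };  /* assumed context handed over via arg */

static int demo_auth_hook(void *arg, char *cert, int len)
{
    struct hook_ctx *ctx = arg;
    unsigned char *c = (unsigned char *)cert, x = 0;
    if (len < TOY_CERT_LEN) return SSL_ACH_SHORT_DATA;  /* assumed meaning */
    if (len > TOY_CERT_LEN) return SSL_ACH_LONG_DATA;   /* assumed meaning */
    for (int i = 0; i < 5; i++) x ^= c[i];
    if (x != c[5]) return SSL_ACH_BAD_SIG;              /* stand-in signature check */
    uint32_t not_after = ((uint32_t)c[1] << 24) | ((uint32_t)c[2] << 16) | (c[3] << 8) | c[4];
    if (not_after < ctx->now) return SSL_ACH_CERT_EXPIRED;
    return SSL_ACH_WEAK_OK;  /* acceptable, but no online CA check was performed */
}

/* Simulated SSL side: the hooks SO_SSL_SET_AUTH_CERT_HOOK would have stored. */
static struct sslauthcertopts hooks[4];
static int nhooks;
/* Returns 1 if the handshake may continue, 0 if it must fail.  *code receives
 * the hook's result, or -1 when no hook exists for the presented type. */
int verify_presented_cert(char *cert, int len, int *code)
{
    int type = len > 0 ? (unsigned char)cert[0] : -1;
    for (int i = 0; i < nhooks; i++)
        if (hooks[i].type == type) {
            *code = hooks[i].func(hooks[i].arg, cert, len);
            return *code == SSL_ACH_OK || *code == SSL_ACH_WEAK_OK;
        }
    *code = -1;  /* page: no function for this type -> handshake fails */
    return 0;
}
```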