Specifies how rigorously TLS peer certificates are validated.

The individual options can be combined using a bitwise "or". Usually it is recommended to use trustedCert for full validation.

Value | Definition | Meaning
---|---|---
none | 0 | Accept any peer, regardless of whether and which certificate is presented. This mode is generally discouraged and should only be used with a custom validation callback set to do the verification.
requireCert | 1 << 0 | Require the peer to always present a certificate. Note that this option alone does not verify the certificate at all. It can be used together with the "check" options, or with a custom validation callback, to actually validate certificates.
checkCert | 1 << 1 | Check the certificate for basic validity. This verifies the validity of the certificate chain and some other general properties, such as the expiration time. It verifies neither the peer name nor the trust state of the certificate.
checkPeer | 1 << 2 | Validate the actual peer name/address against the certificate. Compares the name/address of the connected peer, as passed to createTLSStream, to the list of patterns present in the certificate, if any. If no match is found, the connection is rejected.
checkTrust | 1 << 3 | Requires that the certificate or any parent certificate is trusted. Searches the list of trusted certificates for a match of the certificate chain. If no match is found, the connection is rejected. See also: useTrustedCertificateFile
validCert | requireCert \| checkCert \| checkPeer | Require a valid certificate matching the peer name. In this mode, the certificate is validated for general consistency and possible expiration, and the peer name is checked to see if the certificate actually applies. However, the certificate chain is not matched against the system's pool of trusted certificate authorities, so a custom validation callback is still needed to get a secure validation process. This option is a combination of requireCert, checkCert and checkPeer.
trustedCert | validCert \| checkTrust | Require a valid and trusted certificate (strongly recommended). Checks the certificate and peer name for validity and requires that the certificate chain originates from a trusted CA (based on the registered pool of certificate authorities). This option is a combination of validCert and checkTrust. See also: useTrustedCertificateFile
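As an added example (not code from the vibe.d documentation), the following D program builds two client contexts: one using the recommended trustedCert mode with a registered CA bundle, and one that composes the flags with a bitwise "or" into the equivalent of validCert and therefore has to supply its own trust decision in a callback. It assumes vibe.d's createTLSContext, useTrustedCertificateFile, peerValidationCallback and the certName/errorString fields of TLSPeerValidationData; the host name and CA bundle path are placeholders.

```d
import vibe.core.net : connectTCP;
import vibe.stream.tls;

// Recommended setup: chain, expiry, peer name AND trust anchor are all checked.
// The CA bundle path is a placeholder; it fills the pool that checkTrust searches.
TLSContext makeStrictClientContext(string ca_bundle_path)
{
    auto ctx = createTLSContext(TLSContextKind.client);
    ctx.peerValidationMode = TLSPeerValidationMode.trustedCert; // validCert | checkTrust
    ctx.useTrustedCertificateFile(ca_bundle_path);
    return ctx;
}

// Flags composed by hand; this equals TLSPeerValidationMode.validCert.
// Because checkTrust is absent, nothing compares the chain against a CA pool,
// so the callback below is the only place a trust decision is made.
TLSContext makeCallbackValidatedContext(string expected_cert_name)
{
    auto ctx = createTLSContext(TLSContextKind.client);
    ctx.peerValidationMode = TLSPeerValidationMode.requireCert
        | TLSPeerValidationMode.checkCert
        | TLSPeerValidationMode.checkPeer;
    ctx.peerValidationCallback = (scope TLSPeerValidationData data) {
        // Reject if the basic checks already reported a problem, and only
        // accept the one certificate name this client expects (assumed policy).
        if (data.errorString.length != 0) return false;
        return data.certName == expected_cert_name;
    };
    return ctx;
}

void main()
{
    auto host = "example.org"; // placeholder peer name
    auto conn = connectTCP(host, 443);
    auto ctx = makeStrictClientContext("/path/to/ca-bundle.crt"); // placeholder path
    // The host name passed here is what checkPeer compares against the
    // certificate's name patterns; passing null would skip that comparison.
    auto tls = createTLSStream(conn, ctx, host, conn.remoteAddress);
    tls.finalize();
    conn.close();
}
```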