
Enum TLSPeerValidationMode

Specifies how rigorously TLS peer certificates are validated.

enum TLSPeerValidationMode : int { ... }

The individual options can be combined using a bitwise "or". Usually it is recommended to use trustedCert for full validation.

Enum members

Name Description
checkCert Check the certificate for basic validity.

This verifies the validity of the certificate chain and some other general properties, such as expiration time. It doesn't verify either the peer name or the trust state of the certificate.

checkPeer Validate the actual peer name/address against the certificate.

Compares the name/address of the connected peer, as passed to createTLSStream, against the list of patterns present in the certificate, if any. If no match is found, the connection is rejected.

checkTrust Requires that the certificate or any parent certificate is trusted.

Searches the list of trusted certificates for a match of the certificate chain. If no match is found, the connection is rejected.

See also

useTrustedCertificateFile

none Accept any peer, regardless of whether a certificate is presented and which one.

This mode is generally discouraged and should only be used with a custom validation callback set to do the verification.

requireCert Require the peer to always present a certificate.

Note that this option alone does not verify the certificate at all. It can be used together with the "check" options, or by using a custom validation callback to actually validate certificates.

trustedCert Require a valid and trusted certificate (strongly recommended).

Checks the certificate and peer name for validity and requires that the certificate chain originates from a trusted CA (based on the registered pool of certificate authorities).

This option is a combination of validCert and checkTrust.

See also

useTrustedCertificateFile

validCert Require a valid certificate matching the peer name.

In this mode, the certificate is validated for general consistency and possible expiration, and the peer name is checked to see if the certificate actually applies.

However, the certificate chain is not matched against the system's pool of trusted certificate authorities, so a custom validation callback is still needed to get a secure validation process.

This option is a combination of requireCert, checkCert and checkPeer.
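
The following client-side sketch is an added example, not code from the vibe.d sources. It checks the documented flag combinations at compile time, reports which individual checks a given mode leaves out, and sets up a connection with trustedCert. The names `Mode`, `missingChecks`, `connectVerified` and the `caFile` parameter are hypothetical.

```d
import vibe.core.net : connectTCP;
import vibe.stream.tls;

alias Mode = TLSPeerValidationMode;

// The combinations documented above, checked at compile time.
static assert(Mode.validCert == (Mode.requireCert | Mode.checkCert | Mode.checkPeer));
static assert(Mode.trustedCert == (Mode.validCert | Mode.checkTrust));

/// Hypothetical helper: names the individual checks a mode leaves out.
string[] missingChecks(Mode mode)
{
    import std.conv : to;
    string[] missing;
    foreach (flag; [Mode.requireCert, Mode.checkCert, Mode.checkPeer, Mode.checkTrust])
        if ((mode & flag) != flag)
            missing ~= flag.to!string;
    return missing;
}

unittest
{
    assert(missingChecks(Mode.trustedCert).length == 0);
    // validCert never consults the list of trusted certificates.
    assert(missingChecks(Mode.validCert) == ["checkTrust"]);
    // requireCert only demands that a certificate is presented.
    assert(missingChecks(Mode.requireCert) == ["checkCert", "checkPeer", "checkTrust"]);
}

/// Hypothetical helper: opens a TLS client connection with full validation.
TLSStream connectVerified(string host, ushort port, string caFile)
{
    auto ctx = createTLSContext(TLSContextKind.client);
    ctx.peerValidationMode = Mode.trustedCert;
    // caFile is an assumed, caller-supplied path to the trusted CA certificates.
    ctx.useTrustedCertificateFile(caFile);

    auto conn = connectTCP(host, port);
    // host is the peer name that checkPeer compares against the certificate.
    return createTLSStream(conn, ctx, host);
}
```

A configuration audit can call `missingChecks` on each context's mode and flag any non-empty result that is not paired with a custom validation callback.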

Authors

Sönke Ludwig

Copyright

© 2012-2014 RejectedSoftware e.K.

License

Subject to the terms of the MIT license, as written in the included LICENSE.txt file.