Enum TLSPeerValidationMode
Specifies how rigorously TLS peer certificates are validated.
enum TLSPeerValidationMode : int { ... }
The individual options can be combined using a bitwise "or". Usually it is recommended to use trustedCert for full validation.
Enum members
Name | Description
---|---
checkCert | Check the certificate for basic validity. This verifies the validity of the certificate chain and some other general properties, such as expiration time. It doesn't verify either the peer name or the trust state of the certificate.
checkPeer | Validate the actual peer name/address against the certificate. Compares the name/address of the connected peer, as passed to
checkTrust | Requires that the certificate or any parent certificate is trusted. Searches the list of trusted certificates for a match of the certificate chain. If no match is found, the connection is rejected. See also
none | Accept any peer regardless of whether and which certificate is presented. This mode is generally discouraged and should only be used with a custom validation callback set to do the verification.
requireCert | Require the peer to always present a certificate. Note that this option alone does not verify the certificate at all. It can be used together with the "check" options, or by using a custom validation callback to actually validate certificates.
trustedCert | Require a valid and trusted certificate (strongly recommended). Checks the certificate and peer name for validity and requires that the certificate chain originates from a trusted CA (based on the registered pool of certificate authorities). This option is a combination See also
validCert | Require a valid certificate matching the peer name. In this mode, the certificate is validated for general consistency and possible expiration, and the peer name is checked to see if the certificate actually applies. However, the certificate chain is not matched against the system's pool of trusted certificate authorities, so a custom validation callback is still needed to get a secure validation process. This option is a combination