rustls_client_config_builder_dangerous_set_certificate_verifier

Set a custom server certificate verifier.

The callback must not capture any of the pointers in its rustls_verify_server_cert_params. If userdata has been set with rustls_connection_set_userdata, it will be passed to the callback. Otherwise the userdata param passed to the callback will be NULL.

The callback must be safe to call on any thread at any time, including multiple concurrent calls. So, for instance, if the callback mutates userdata (or other shared state), it must use synchronization primitives to make such mutation safe.

The callback receives certificate chain information as raw bytes. Currently this library offers no functions for C code to parse the certificates, so you'll need to bring your own certificate parsing library if you need to parse them.

If you intend to write a verifier that accepts all certificates, be aware that special measures are required for IP addresses. Rustls currently (0.20.0) doesn't support building a ClientConnection with an IP address (because it's not a valid DnsNameRef). One workaround is to detect IP addresses and rewrite them to example.invalid, and _also_ to disable SNI via rustls_client_config_builder_set_enable_sni (IP addresses don't need SNI).

If the custom verifier accepts the certificate, it should return RUSTLS_RESULT_OK. Otherwise, it may return any other rustls_result error. Feel free to use an appropriate error from the RUSTLS_RESULT_CERT_* section.
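A callback shaped to the rules above, as an added example (not part of rustls-ffi or its documentation): it pins the end-entity certificate by exact DER match, only reads its userdata, and keeps none of the params pointers. The struct definitions and the RUSTLS_RESULT_OK value are stand-ins assumed to mirror rustls.h; pin, pin_set, PIN_REJECT, pinned_cert_verifier and demo_verify are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins so the block compiles alone. ASSUMPTION: they mirror rustls.h;
 * in a real build include rustls.h and delete this section. */
struct rustls_slice_bytes { const uint8_t *data; size_t len; };
struct rustls_str { const char *data; size_t len; };
struct rustls_slice_slice_bytes; /* opaque here */
struct rustls_verify_server_cert_params {
    struct rustls_slice_bytes end_entity_cert_der;
    const struct rustls_slice_slice_bytes *intermediate_certs_der;
    struct rustls_str dns_name;
    struct rustls_slice_bytes ocsp_response;
};
#define RUSTLS_RESULT_OK 7000u /* stand-in; take the real value from rustls.h */
#define PIN_REJECT 1u /* hypothetical; return a RUSTLS_RESULT_CERT_* code instead */

/* Hypothetical userdata: a pin list that is never written after setup, so
 * concurrent callbacks can read it without locking. */
struct pin { const uint8_t *der; size_t len; };
struct pin_set { const struct pin *pins; size_t count; };

/* Accept only an end-entity certificate whose DER bytes match a pin exactly.
 * Reads params during the call only and stores none of its pointers. */
uint32_t pinned_cert_verifier(void *userdata,
                              const struct rustls_verify_server_cert_params *params)
{
    const struct pin_set *set = userdata;
    if (set == NULL || params == NULL || params->end_entity_cert_der.data == NULL)
        return PIN_REJECT; /* fail closed: userdata is NULL when never set */
    const struct rustls_slice_bytes *ee = &params->end_entity_cert_der;
    for (size_t i = 0; i < set->count; i++)
        if (set->pins[i].len == ee->len &&
            memcmp(set->pins[i].der, ee->data, ee->len) == 0)
            return RUSTLS_RESULT_OK;
    return PIN_REJECT;
}

/* Constructed bytes standing in for a DER certificate (not a real one). */
static const uint8_t SAMPLE_PIN[] = { 0x30, 0x03, 0x02, 0x01, 0x2a };
static const struct pin SAMPLE_PINS[] = { { SAMPLE_PIN, sizeof SAMPLE_PIN } };
static struct pin_set SAMPLE_SET = { SAMPLE_PINS, 1 };
/* Demo helper: call the verifier as the library would, with or without userdata. */
uint32_t demo_verify(const uint8_t *cert, size_t len, int with_userdata)
{
    struct rustls_verify_server_cert_params p = { .end_entity_cert_der = { cert, len } };
    return pinned_cert_verifier(with_userdata ? &SAMPLE_SET : NULL, &p);
}
```

Exact-match pinning replaces chain, hostname and expiry checks entirely, so the pin list has to be updated whenever the server certificate is rotated.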

<https://docs.rs/rustls/0.20.0/rustls/client/struct.DangerousClientConfig.html#method.set_certificate_verifier>

extern (C)
rustls_client_config_builder_dangerous_set_certificate_verifier
