ltm rule command SSL verify result

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



SSL::verify_result
       Gets or sets the result code for peer certificate verification.

SYNOPSIS
       SSL::verify_result (RESULT_CODE)?

DESCRIPTION
       Gets or sets the result code for peer certificate verification. Result
       codes use the same values as those of OpenSSL's X509 verify_result
       (X509_V_ERR_*) definitions.

RETURN VALUE
       SSL::verify_result
	   Gets the result code from peer certificate verification. The
       returned code uses the same values as those of OpenSSL's X509
       verify_result (X509_V_ERR_) definitions.

       SSL::verify_result 
	   Sets the result code for peer certificate verification. The
       argument uses the same values as those of OpenSSL's X509 verify_result
       (X509_V_ERR_) definitions.

	   The values for OpenSSL's verify result codes are listed at the bottom of this page and can be found at: http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS

VALID DURING
       ANY_EVENT

EXAMPLES
	when CLIENTSSL_CLIENTCERT {
	    set cert [X509::verify_cert_error_string [SSL::verify_result]]
	}
	when HTTP_REQUEST {
	    if { [info exists cert] } {
		HTTP::header insert ClientCert $cert
	    }
	}

HINTS
       OpenSSL verify result codes 0	   X509_V_OK: ok   The operation was
       successful.  2	    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to
       get issuer certificate  The issuer certificate of a looked up
       certificate could not be found. This normally means the list of trusted
       certificates is not complete.  3       X509_V_ERR_UNABLE_TO_GET_CRL:
       unable to get certificate CRL	 The CRL of a certificate could not be
       found.  4       X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to
       decrypt certificate's signature	The certificate signature could not be
       decrypted. This means that the actual signature value could not be
       determined rather than it not matching the expected value, this is only
       meaningful for RSA keys.  5
       X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's
       signature   The CRL signature could not be decrypted: this means that
       the actual signature value could not be determined rather than it not
       matching the expected value. Unused.  6
       X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer
       public key	The public key in the certificate SubjectPublicKeyInfo
       could not be read.  7	   X509_V_ERR_CERT_SIGNATURE_FAILURE:
       certificate signature failure	    The signature of the certificate
       is invalid.  8	    X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature
       failure The signature of the certificate is invalid.  9
       X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid     The
       certificate is not yet valid: the notBefore date is after the current
       time.  10      X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
       The certificate has expired: that is the notAfter date is before the
       current time.  11      X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet
       valid	  The CRL is not yet valid.  12
       X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired     The CRL has expired.
       13      X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
       certificate's notBefore field	    The certificate notBefore field
       contains an invalid time.  14
       X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's
       notAfter field  The certificate notAfter field contains an invalid
       time.  15      X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error
       in CRL's lastUpdate field       The CRL lastUpdate field contains an
       invalid time.  16      X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
       format error in CRL's nextUpdate field	    The CRL nextUpdate field
       contains an invalid time.  17	  X509_V_ERR_OUT_OF_MEM: out of memory
       An error occurred trying to allocate memory. This should never happen.
       18      X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
       The passed certificate is self signed and the same certificate cannot
       be found in the list of trusted certificates.  19
       X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
       certificate chain      The certificate chain could be built up using
       the untrusted certificates but the root could not be found locally.  20
       X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
       issuer certificate    The issuer certificate could not be found: this
       occurs if the issuer certificate of an untrusted certificate cannot be
       found.  21      X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to
       verify the first certificate	 no signatures could be verified
       because the chain contains only one certificate and it is not self
       signed.	22	X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too
       long	 The certificate chain length is greater than the supplied
       maximum depth. Unused.  23      X509_V_ERR_CERT_REVOKED: certificate
       revoked	  The certificate has been revoked.  24
       X509_V_ERR_INVALID_CA: invalid CA certificate   A CA certificate is
       invalid. Either it is not a CA or its extensions are not consistent
       with the supplied purpose.  25	   X509_V_ERR_PATH_LENGTH_EXCEEDED:
       path length constraint exceeded	      The basicConstraints pathlength
       parameter has been exceeded.  26      X509_V_ERR_INVALID_PURPOSE:
       unsupported certificate purpose	   The supplied certificate cannot be
       used for the specified purpose.	27	X509_V_ERR_CERT_UNTRUSTED:
       certificate not trusted	    The root CA is not marked as trusted for
       the specified purpose.  28      X509_V_ERR_CERT_REJECTED: certificate
       rejected  The root CA is marked to reject the specified purpose.  29
       X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch     The
       current candidate issuer certificate was rejected because its subject
       name did not match the issuer name of the current certificate. Only
       displayed when the -issuer_checks option is set.  30
       X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier
       mismatch    The current candidate issuer certificate was rejected
       because its subject key identifier was present and did not match the
       authority key identifier current certificate. Only displayed when the
       -issuer_checks option is set.  31
       X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial
       number mismatch	   The current candidate issuer certificate was
       rejected because its issuer name and serial number was present and did
       not match the authority key identifier of the current certificate. Only
       displayed when the -issuer_checks option is set.  32
       X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate
       signing	The current candidate issuer certificate was rejected because
       its keyUsage extension does not permit certificate signing.  50
       X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
       An application specific error. Unused.

SEE ALSO
CHANGE LOG
       @BIGIP-9.0.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)