on [<modes>]server_ssl_eval [<serial#>] [-|^]<match> { <action> }
This hook is triggered when the client is evaluating an SSL connection to decide whether to accept or reject it. It has made a provisional decision, and offers you an opportunity to review and possibly overrule it. Your handler is not obligated to make any change, but if it does make a decision, it will be final and binding.
| Arg | Meaning |
|-----|---------|
| $0 | The server refnum |
| $1 | The "ourname" of the server (what you /server'd to) |
| $2 | Was there any error at all? 0 = no errors of any kind, 1 = some kind of error |
| $3 | Was there a hostname mismatch? 0 = no error, 1 = error |
| $4 | Was there a self-signed error? 0 = no error, 1 = error |
| $5 | Was there another (serious) error? 0 = no other error, 1 = other error |
| $6 | What does the client suggest? 0 = reject certificate, 1 = accept certificate |
Using $serverctl() to get info about the certificate

Use $serverctl(GET <refnum> <item>) where <item> is one of:

| Item | Meaning |
|------|---------|
| SSL_CIPHER | The encryption cipher being used |
| SSL_PEM | The certificate (in PEM format) |
| SSL_CERT_HASH | The certificate's hash |
| SSL_PKEY_BITS | The number of bits in the public key |
| SSL_SUBJECT | Who the cert was issued to |
| SSL_SUBJECT_URL | Who the cert was issued to (url-encoded) |
| SSL_ISSUER | Who issued the cert |
| SSL_ISSUER_URL | Who issued the cert (url-encoded) |
| SSL_VERSION | Which SSL/TLS version is in use (e.g., TLSv1.2) |
| SSL_SANS | Subject Alternative Names in the cert |
| SSL_CHECKHOST_ERROR | Hostname mismatch error: 0 (no), 1 (yes) |
| SSL_SELF_SIGNED_ERROR | Self-signed error: 0 (no), 1 (yes) |
| SSL_OTHER_ERROR | Any other (serious) error: 0 (no), 1 (yes) |
| SSL_MOST_SERIOUS_ERROR | The OpenSSL error code of the most serious error. Codes 18 (self-signed) and 62 (hostname mismatch) are considered non-serious (routine) errors |
| SSL_VERIFY_ERROR | Any error at all: 0 (no), 1 (yes) |
| SSL_ACCEPT_CERT | Is this cert headed for acceptance? 0 (no), 1 (yes) |
To reject the cert:

    $serverctl(SET $0 SSL_ACCEPT_CERT 0)

To accept the cert:

    $serverctl(SET $0 SSL_ACCEPT_CERT 1)

Or, you can do nothing, and the client will do the most reasonable thing.
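The following handler, written for this page as an added example and not part of the EPIC documentation or the client's own scripts, puts the arguments and $serverctl() items above together: a hostname mismatch or other serious error is always rejected, a self-signed cert is accepted only when its SSL_CERT_HASH equals a hash pinned in advance, and in every other case the client's provisional decision ($6) is left alone. The variable pinned.cert.hash and its PLACEHOLDER value are assumptions; record the real hash out of band with $serverctl(GET <refnum> SSL_CERT_HASH).

```ircii
# Added example, not from the EPIC documentation. pinned.cert.hash is a
# constructed placeholder: set it to the hash you recorded out of band.
assign pinned.cert.hash PLACEHOLDER_PINNED_HASH

# ^ suppresses the client's default output for this hook (see the synopsis).
on ^server_ssl_eval * {
	@ :refnum = [$0]
	@ :hash   = serverctl(GET $refnum SSL_CERT_HASH)
	@ :subj   = serverctl(GET $refnum SSL_SUBJECT)
	@ :issuer = serverctl(GET $refnum SSL_ISSUER)
	@ :ver    = serverctl(GET $refnum SSL_VERSION)

	echo *** SSL eval for $1 (refnum $refnum): $ver subject=$subj issuer=$issuer
	echo *** hash=$hash mismatch=$3 selfsigned=$4 other=$5 client_suggests=$6

	if ($3 == 1 || $5 == 1) {
		# Hostname mismatch ($3) or another serious error ($5): never
		# acceptable, whatever the client suggested in $6.
		echo *** Rejecting certificate from $1 (hostname mismatch or serious error)
		@ serverctl(SET $refnum SSL_ACCEPT_CERT 0)
	} {
		if ($4 == 1) {
			# Self-signed ($4): accept only the pinned certificate, so a
			# substituted self-signed cert is rejected rather than waved through.
			if ([$hash] == [$pinned.cert.hash]) {
				echo *** Self-signed cert from $1 matches pinned hash, accepting
				@ serverctl(SET $refnum SSL_ACCEPT_CERT 1)
			} {
				echo *** Self-signed cert from $1 does not match pinned hash, rejecting
				@ serverctl(SET $refnum SSL_ACCEPT_CERT 0)
			}
		}
		# No error, or only the client's own verdict: leave $6 as it stands.
	}
}
```

Once the handler has called $serverctl(SET ... SSL_ACCEPT_CERT ...), that verdict is final, so the accept branch is deliberately reachable only through the hash comparison.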
ON SERVER_SSL_EVAL first appeared in EPIC5-2.1.6