3.2.1.2. Client-side (SSL server) behavior

As an SSL server, the first thing to present to an SSL client is a certificate/key pair, so the 'setup_key' callback is called first. By the time this callback returns, the attributes ssl.client_local_privatekey and ssl.client_local_certificate must be filled in appropriately.

If peer authentication is enabled (by setting the attribute ssl.client_verify_type), a list of trusted CA certificates must be set up (stored in the hash ssl.client_local_ca_list); this can be done in the 'setup_ca_list' callback. Peer certificates are verified against the trusted CA list and the associated certificate revocation lists, which can be set up in the 'setup_crl_list' callback.

At the end of the verification another callback, named 'verify_cert', is called. It can either ACCEPT or DENY the certificate, possibly overriding the result of the verification against the local CA database.
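The callback sequence described above, as an added stand-alone model that is not Zorp's own code: the callback names follow the text, but the dict-based ssl attributes, the dict-shaped certificates and the sample key, CA, CRL and client lists are constructed for illustration. The 'verify_cert' policy shown only tightens the CA verdict (fail closed) rather than turning a failed CA check into ACCEPT.

```python
# Model of the client-side (SSL server) callback sequence. Certificates are
# dicts and the ssl attributes live in a dict; this is an assumption for the
# example, not Zorp's real API.

ACCEPT, DENY = "ACCEPT", "DENY"

# Constructed sample material (not real keys or certificates).
SERVER_KEYPAIR = {
    "key": "server-key-pem",
    "cert": {"subject": "proxy.example", "issuer": "Corp CA", "serial": 1},
}
TRUSTED_CAS = {"Corp CA"}
REVOKED = {("Corp CA", 7)}            # (issuer, serial) pairs from the CRL
ALLOWED_CLIENTS = {"alice.example", "bob.example"}

def setup_key(ssl):
    """First callback: present our own certificate/key pair to the client."""
    ssl["client_local_privatekey"] = SERVER_KEYPAIR["key"]
    ssl["client_local_certificate"] = SERVER_KEYPAIR["cert"]

def setup_ca_list(ssl):
    """Populate the trusted CA hash used to verify the peer certificate."""
    ssl["client_local_ca_list"] = {ca: ca for ca in TRUSTED_CAS}

def setup_crl_list(ssl):
    """Populate the revocation list checked alongside the CA list."""
    ssl["client_local_crl_list"] = set(REVOKED)

def ca_verify(ssl, cert):
    """Verification against the local CA database and its CRLs."""
    if cert["issuer"] not in ssl["client_local_ca_list"]:
        return False
    return (cert["issuer"], cert["serial"]) not in ssl["client_local_crl_list"]

def verify_cert(ssl, cert, ca_result):
    """Final callback. It may override ca_result; this policy only tightens
    the verdict: a failed CA check is never turned into ACCEPT."""
    if not ca_result:
        return DENY
    return ACCEPT if cert["subject"] in ALLOWED_CLIENTS else DENY

def handshake_client_side(peer_cert, verify=True):
    """Run the callbacks in the documented order and return the verdict."""
    ssl = {"client_verify_type": "required" if verify else "none"}
    setup_key(ssl)
    if not verify:                     # peer authentication disabled
        return ACCEPT
    setup_ca_list(ssl)
    setup_crl_list(ssl)
    return verify_cert(ssl, peer_cert, ca_verify(ssl, peer_cert))
```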