| field | value | date |
|---|---|---|
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-28 03:01:45 -0500 |
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-31 21:23:23 -0500 |
| commit | 0daccd4dc1f1ac62181738a91714f35472e50f3c | |
| tree | 5b7c2b6c5db0c2caf223ea978db03559b5eb90f8 /doc/crypto | |
| parent | 1b4cf96f9b82ec3b06e7902bb21620a09cadd94e | |
Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'doc/crypto')
-rw-r--r-- | doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index a2219d2..53a063a 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -197,11 +197,20 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B<must> be prepared to handle such cases without assuming they are hard errors. +If B<X509_V_FLAG_TRUSTED_FIRST> is set, when constructing the certificate chain, +L<X509_verify_cert(3)> will search the trust store for issuer certificates before +searching the provided untrusted certificates. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. + The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative -chains. By default, when building a certificate chain, if the first certificate -chain found is not trusted, then OpenSSL will continue to check to see if an -alternative chain can be found that is trusted. With this flag set the behaviour -will match that of OpenSSL versions prior to 1.1.0. +chains. +By default, unless B<X509_V_FLAG_TRUSTED_FIRST> is set, when building a +certificate chain, if the first certificate chain found is not trusted, then +OpenSSL will attempt to replace untrusted certificates supplied by the peer +with certificates from the trust store to see if an alternative chain can be +found that is trusted. +As of OpenSSL 1.1.0, with B<X509_V_FLAG_TRUSTED_FIRST> always set, this option +has no effect. The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() |
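Review bot: the headline change of this commit (chain extension checks, i.e. basic constraints, key usage, issuer EKUs and auxiliary trust OIDs, now also applied to trusted certificates) is not documented anywhere in this hunk; the only edits to X509_VERIFY_PARAM_set_flags.pod describe B<X509_V_FLAG_TRUSTED_FIRST> and B<X509_V_FLAG_NO_ALT_CHAINS>. Since the commit message says "updated documentation", the verification page should get a sentence stating that as of 1.1.0 these checks are applied to certificates taken from the trust store as well as to the untrusted chain, and that callers relying on trust-store certificates with missing or conflicting extensions will now see verification failures. Separately, the new B<X509_V_FLAG_NO_ALT_CHAINS> paragraph spends four lines describing the alternative-chain search that happens "unless B<X509_V_FLAG_TRUSTED_FIRST> is set", immediately after the new text states that this flag "is on by default and cannot be disabled" in 1.1.0; consider rewording that passage as explicitly historical (for example "In OpenSSL versions prior to 1.1.0, ...") so a reader does not take it as current behaviour, and keep the "this option has no effect" sentence as the operative statement.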