Clarify docs.

[oweals/openssl.git] / doc / apps / verify.pod

diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 90455525d117a23b6f37e6ecefc2bb071a28174b..3985d2c5791b9b956da62c753fa26bb8172ee945 100644 (file)
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.
 
+=item B<-check_ss_sig>
+
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
+
 =item B<->
 
 marks the last option. All arguments following this are assumed to be
@@ -166,10 +171,10 @@ the operation was successful.
 
 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
+the issuer certificate of a looked up certificate could not be found. This
+normally means the list of trusted certificates is not complete.
 
-=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL>
+=item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
 
 the CRL of a certificate could not be found. Unused.
 
@@ -200,13 +205,13 @@ the signature of the certificate is invalid. Unused.
 
 the certificate is not yet valid: the notBefore date is after the current time.
 
-=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
+=item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
 
-the CRL is not yet valid. Unused.
+the certificate has expired: that is the notAfter date is before the current time.
 
-=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired>
+=item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
 
-the certificate has expired: that is the notAfter date is before the current time.
+the CRL is not yet valid. Unused.
 
 =item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
 
@@ -244,8 +249,8 @@ be found locally.
 
 =item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
 
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
+the issuer certificate could not be found: this occurs if the issuer
+certificate of an untrusted certificate cannot be found.
 
 =item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
 
@@ -312,7 +317,7 @@ an application specific error. Unused.
 
 =head1 BUGS
 
-Although the issuer checks are a considerably improvement over the old technique they still
+Although the issuer checks are a considerable improvement over the old technique they still
 suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
 trusted certificates with matching subject name must either appear in a file (as specified by the
 B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
@@ -321,6 +326,10 @@ the certificates in the file will be recognised.
 Previous versions of OpenSSL assume certificates with matching subject name are identical and
 mishandled them.
 
+Previous versions of this documentation swapped the meaning of the
+B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
+B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
+
 =head1 SEE ALSO
 
 L<x509(1)|x509(1)>