X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fman3%2FX509_VERIFY_PARAM_set_flags.pod;h=61b52efeea84f05c4d1e4cd11890611482731c6e;hb=55a6250f1e7336e8a7d89fb609eb23398715ff6f;hp=48c2fdfa08c6060de82fb1835799c33d7af72a59;hpb=cc94da4ea38cc2a4a47e0a14ef9e361a2d723eff;p=oweals%2Fopenssl.git diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 48c2fdfa08..61b52efeea 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -11,7 +11,9 @@ X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, -X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, +X509_VERIFY_PARAM_set_hostflags, +X509_VERIFY_PARAM_get_hostflags, +X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters @@ -54,6 +56,7 @@ X509_VERIFY_PARAM_set1_ip_asc const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); + unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen); 
@@ -130,14 +133,32 @@ B clearing any previously specified host name or names. If B is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If B is NUL-terminated, B may be zero, otherwise B -must be set to the length of B. When a hostname is specified, +must be set to the length of B. + +When a hostname is specified, certificate verification automatically invokes L with flags equal to the B argument given to X509_VERIFY_PARAM_set_hostflags() (default zero). Applications are strongly advised to use this interface in preference to explicitly -calling L, hostname checks are out of scope +calling L, hostname checks may be out of scope with the DANE-EE(3) certificate usage, and the internal check will -be suppressed as appropriate when DANE support is added to OpenSSL. +be suppressed as appropriate when DANE verification is enabled. + +When the subject CommonName will not be ignored, whether as a result of the +B host flag, or because no DNS subject +alternative names are present in the certificate, any DNS name constraints in +issuer certificates apply to the subject CommonName as well as the subject +alternative name extension. + +When the subject CommonName will be ignored, whether as a result of the +B host flag, or because some DNS subject +alternative names are present in the certificate, DNS name constraints in +issuer certificates will not be applied to the subject DN. +As described in X509_check_host(3) the B +flag takes precendence over the B flag. + +X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a +call to X509_VERIFY_PARAM_set_hostflags(). X509_VERIFY_PARAM_add1_host() adds B as an additional reference identifier that can match the peer's certificate. Any previous names 
@@ -186,6 +207,8 @@ failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. +X509_VERIFY_PARAM_get_hostflags() returns any current host flags. + X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return @@ -349,9 +372,11 @@ The B flag was added in OpenSSL 1.1.0 The flag B was deprecated in OpenSSL 1.1.0, and has no effect. +X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i. + =head1 COPYRIGHT -Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
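
Review bot: "precendence" in the added DESCRIPTION text (hunk @@ -130,14 +133,32 @@, the sentence "flag takes precendence over the ... flag") is misspelled and should read "precedence". In the same hunk, the reworded line "calling L, hostname checks may be out of scope" still joins two independent sentences with a comma. Since the line is being changed anyway, end the sentence after the link and start a new one at "Hostname checks may be out of scope with the DANE-EE(3) certificate usage".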
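
Review bot: the RETURN VALUES entry added in hunk @@ -186,6 +207,8 @@ ("returns any current host flags") does not say what a caller gets when X509_VERIFY_PARAM_set_hostflags() was never called, and it is worded differently from the DESCRIPTION entry ("returns any host flags previously set via a call to X509_VERIFY_PARAM_set_hostflags()"). The DESCRIPTION already gives the default as zero, so consider stating that here as well and using one wording in both places, so that readers checking a returned value against the flag bits know that zero means no host flags are set.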