From: Matt Caswell Date: Tue, 27 Jan 2015 11:15:15 +0000 (+0000) Subject: Add documentation for the -no_alt_chains option for various apps, as well as the... X-Git-Tag: OpenSSL_1_0_1n~49 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1c687ff4dd5dcc0f05f1d062effdb40e4e41f24f;p=oweals%2Fopenssl.git Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: Dr. Stephen Henson Reviewed-by: Kurt Roeckx Conflicts: doc/apps/cms.pod doc/apps/ocsp.pod doc/apps/s_client.pod doc/apps/s_server.pod doc/apps/smime.pod doc/apps/verify.pod --- diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 75b698834a..9a24082ba2 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] @@ -406,7 +407,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -614,4 +615,6 @@ The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 2372b373cd..fdb900c3c4 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-no_alt_chains>]] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] @@ -143,6 +144,10 @@ connection timeout to the OCSP responder in seconds file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-no_alt_chains> + +See L|verify(1)> manual page for details. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate @@ -379,3 +384,9 @@ second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + +=cut diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index b021c730c0..d92ec9367f 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -116,7 +117,7 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -347,4 +348,8 @@ information whenever a session is renegotiated. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 2105b603b7..491038eca3 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] [B<-serverpref>] @@ -178,6 +179,10 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-no_alt_chains> + +See the L|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. @@ -398,4 +403,8 @@ unknown cipher suites a client says it supports. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index d39a59a90d..94a8823852 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -15,6 +15,7 @@ B B [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various options of certificate chain verification. See L|verify(1)> manual page for details. @@ -441,5 +442,6 @@ structures may cause parsing errors. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. =cut diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 0c8e4926cc..18eeee04b9 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -22,6 +22,7 @@ B B [B<-extended_crl>] [B<-use_deltas>] [B<-policy_print>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -108,6 +109,14 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of previous OpenSSL versions. + =item B<-policy_print> Print out diagnostics related to policy processing. @@ -409,4 +418,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 46cac2bea2..9d86d4642c 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -133,6 +133,12 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. +The B flag suppresses checking for alternative +chains. By default, when building a certificate chain, if the first certificate +chain found is not trusted, then OpenSSL will continue to check to see if an +alternative chain can be found that is trusted. With this flag set the behaviour +will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b. + =head1 NOTES The above functions should be used to manipulate verification parameters @@ -166,6 +172,6 @@ L =head1 HISTORY -TBA +The B flag was added in OpenSSL 1.0.1n and 1.0.2b =cut