From 08327bfb261eea4a3c356d6ebff81d838f063d1b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 19 Jun 2016 10:55:43 +0200 Subject: [PATCH] Allow proxy certs to be present when verifying a chain Reviewed-by: Rich Salz (cherry picked from commit 6ad8c48291622a6ccc51489b9a230c9a05ca5614) --- apps/apps.c | 2 ++ doc/apps/verify.pod | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apps/apps.c b/apps/apps.c index 8ab4833668..ca9179e9a5 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else if (!strcmp(arg, "-no_alt_chains")) flags |= X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |= X509_V_FLAG_ALLOW_PROXY_CERTS; else return 0; diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 18eeee04b9..450dd7d809 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -23,6 +23,7 @@ B B [B<-use_deltas>] [B<-policy_print>] [B<-no_alt_chains>] +[B<-allow_proxy_certs>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -117,6 +118,10 @@ be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the behaviour to match that of previous OpenSSL versions. +=item B<-allow_proxy_certs> + +Allow the verification of proxy certificates. + =item B<-policy_print> Print out diagnostics related to policy processing. -- 2.25.1