From fa7b01115bc33d9b40936688bb3c952dc93b645a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 27 Jan 2015 11:15:15 +0000 Subject: [PATCH] Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: Dr. Stephen Henson --- doc/apps/cms.pod | 11 +++++++---- doc/apps/ocsp.pod | 13 ++++++++++--- doc/apps/s_client.pod | 14 +++++++++----- doc/apps/s_server.pod | 9 +++++++-- doc/apps/smime.pod | 8 +++++--- doc/apps/verify.pod | 13 +++++++++++++ doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 8 +++++++- 7 files changed, 58 insertions(+), 18 deletions(-) diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 4dabd3ba2b..af1240a210 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -54,6 +54,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -459,11 +460,11 @@ address matches that specified in the From: address. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> -Set various certificate chain valiadition options. See the +Set various certificate chain validation options. See the L|verify(1)> manual page for details. =back @@ -697,4 +698,6 @@ Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index b32086cd2a..d5565c9361 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -48,6 +48,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -173,9 +174,9 @@ the signature on the OCSP response. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different certificate verification options. See L|verify(1)> manual page for details. @@ -416,3 +417,9 @@ second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + +=cut diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 17308b4801..92f6e4a6dd 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -19,7 +19,6 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] -[B<-trusted_first>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] @@ -39,6 +38,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -155,11 +155,11 @@ and to use when attempting to build the client certificate chain. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> -Set various certificate chain valiadition options. See the +Set various certificate chain validation options. See the L|verify(1)> manual page for details. =item B<-reconnect> @@ -411,4 +411,8 @@ information whenever a session is renegotiated. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 1cc965f3e9..a4424521b8 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -51,6 +51,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_return_error>] @@ -218,8 +219,8 @@ anonymous ciphersuite or PSK) this option has no effect. B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, -B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, -B<-verify_ip>, B<-verify_name>, B<-x509_strict> +B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>, +B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different peer certificate verification options. See the L|verify(1)> manual page for details. @@ -481,4 +482,8 @@ unknown cipher suites a client says it supports. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index c85a44b923..31a85fbcc3 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -36,6 +36,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-use_deltas>] [B<-verify_depth num>] [B<-verify_email email>] @@ -291,9 +292,9 @@ address matches that specified in the From: address. B, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, -B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-no_alt_chains>, +B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set various options of certificate chain verification. See L|verify(1)> manual page for details. @@ -475,5 +476,6 @@ structures may cause parsing errors. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.1.0. =cut diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index a5a00638be..d422913c08 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -30,6 +30,7 @@ B B [B<-suiteB_128_only>] [B<-suiteB_192>] [B<-trusted_first>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-use_deltas>] [B<-verbose>] @@ -164,6 +165,14 @@ Use certificates in CA file or CA directory before certificates in untrusted file when building the trust chain to verify certificates. This is mainly useful in environments with Bridge CA or Cross-Certified CAs. +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of OpenSSL versions prior to 1.1.0. + =item B<-untrusted file> A file of untrusted certificates. The file should contain multiple certificates @@ -469,4 +478,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.1.0. + =cut diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 347d48dfec..d19dc1218c 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -197,6 +197,12 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. +The B flag suppresses checking for alternative +chains. By default, when building a certificate chain, if the first certificate +chain found is not trusted, then OpenSSL will continue to check to see if an +alternative chain can be found that is trusted. With this flag set the behaviour +will match that of OpenSSL versions prior to 1.1.0. + =head1 NOTES The above functions should be used to manipulate verification parameters @@ -233,6 +239,6 @@ L =head1 HISTORY -TBA +The B flag was added in OpenSSL 1.1.0 =cut -- 2.25.1