Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod
Matt Caswell 2015-01-27 11:15:15 +00:00 committed by Kurt Roeckx
parent c6a39046f5
commit 1c687ff4dd
7 changed files with 53 additions and 4 deletions

View File

@ -35,6 +35,7 @@ B<openssl> B<cms>
[B<-print>] [B<-print>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-no_alt_chains>]
[B<-md digest>] [B<-md digest>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-nointern>] [B<-nointern>]
@ -406,7 +407,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address. address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
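Review bot: the unchanged context line "Set various certificate chain valiadition option." carries a pre-existing typo, and since this hunk already edits the =item heading directly above it, fix it in the same change to "Set various certificate chain validation options." (the smime.pod wording "Set various options of certificate chain verification." is an equally good form).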
@ -614,4 +615,6 @@ The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0 added in OpenSSL 1.0.0
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut =cut
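Review bot: "The -no_alt_chains options was first added" has a number-agreement error and bare option text; it should read "The B<-no_alt_chains> option was first added to OpenSSL 1.0.1n and 1.0.2b.", with the option name in B<> like every other option name in this file. The same sentence is pasted into the other five app pages in this commit, so fix it in all of them.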

View File

@ -29,6 +29,7 @@ B<openssl> B<ocsp>
[B<-path>] [B<-path>]
[B<-CApath dir>] [B<-CApath dir>]
[B<-CAfile file>] [B<-CAfile file>]
[B<-no_alt_chains>]]
[B<-VAfile file>] [B<-VAfile file>]
[B<-validity_period n>] [B<-validity_period n>]
[B<-status_age n>] [B<-status_age n>]
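Review bot: "[B<-no_alt_chains>]]" has a doubled closing bracket; it should be "[B<-no_alt_chains>]" as in the other SYNOPSIS blocks of this commit, otherwise a stray "]" shows up in the rendered synopsis.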
@ -143,6 +144,10 @@ connection timeout to the OCSP responder in seconds
file or pathname containing trusted CA certificates. These are used to verify file or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response. the signature on the OCSP response.
=item B<-no_alt_chains>
See L<B<verify>|verify(1)> manual page for details.
=item B<-verify_other file> =item B<-verify_other file>
file containing additional certificates to search when attempting to locate file containing additional certificates to search when attempting to locate
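Review bot: "See L<B<verify>|verify(1)> manual page for details." is missing "the"; the s_server.pod item added by this same commit reads "See the L<B<verify>|verify(1)> manual page for details.", so use that wording here for consistency. A one-line summary of the effect (the search for an alternative trusted chain is suppressed, so only the first chain found is used) would also save readers a trip to verify(1), since the OCSP response signature check depends on this chain building.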
@ -379,3 +384,9 @@ second file.
openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
-reqin req.der -respout resp.der -reqin req.der -respout resp.der
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut
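Review bot: same grammar and markup point as cms.pod: "The -no_alt_chains options was" should be "The B<-no_alt_chains> option was". Adding a new =head1 HISTORY section is right for this file, which had none; cms.pod and smime.pod append to their existing HISTORY sections instead, which is the correct split.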

View File

@ -19,6 +19,7 @@ B<openssl> B<s_client>
[B<-pass arg>] [B<-pass arg>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
[B<-no_alt_chains>]
[B<-reconnect>] [B<-reconnect>]
[B<-pause>] [B<-pause>]
[B<-showcerts>] [B<-showcerts>]
@ -116,7 +117,7 @@ also used when building the client certificate chain.
A file containing trusted certificates to use during server authentication A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain. and to use when attempting to build the client certificate chain.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
Set various certificate chain valiadition option. See the Set various certificate chain valiadition option. See the
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
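Review bot: as in cms.pod, the context line "Set various certificate chain valiadition option." has a pre-existing typo; correct it to "Set various certificate chain validation options." while the =item heading above it is being touched.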
@ -347,4 +348,8 @@ information whenever a session is renegotiated.
L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)> L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut =cut
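Review bot: "The -no_alt_chains options was first added" should be "The B<-no_alt_chains> option was first added", matching the fix needed in the other app pages of this commit.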

View File

@ -33,6 +33,7 @@ B<openssl> B<s_server>
[B<-state>] [B<-state>]
[B<-CApath directory>] [B<-CApath directory>]
[B<-CAfile filename>] [B<-CAfile filename>]
[B<-no_alt_chains>]
[B<-nocert>] [B<-nocert>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] [B<-serverpref>]
@ -178,6 +179,10 @@ and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when is also used in the list of acceptable client CAs passed to the client when
a certificate is requested. a certificate is requested.
=item B<-no_alt_chains>
See the L<B<verify>|verify(1)> manual page for details.
=item B<-state> =item B<-state>
prints out the SSL session states. prints out the SSL session states.
@ -398,4 +403,8 @@ unknown cipher suites a client says it supports.
L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)> L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut =cut
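Review bot: "The -no_alt_chains options was first added" should be "The B<-no_alt_chains> option was first added"; same correction as in s_client.pod and the other app pages.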

View File

@ -15,6 +15,7 @@ B<openssl> B<smime>
[B<-pk7out>] [B<-pk7out>]
[B<-[cipher]>] [B<-[cipher]>]
[B<-in file>] [B<-in file>]
[B<-no_alt_chains>]
[B<-certfile file>] [B<-certfile file>]
[B<-signer file>] [B<-signer file>]
[B<-recip file>] [B<-recip file>]
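Review bot: the new entry is placed between [B<-in file>] and [B<-certfile file>], whereas in cms.pod, ocsp.pod, s_client.pod and s_server.pod it sits next to the [B<-CAfile ...>] / [B<-CApath ...>] options it belongs with; move it to the same position here so the option appears alongside the other trust-store and chain-building options in the synopsis.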
@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address. address matches that specified in the From: address.
=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> =item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
Set various options of certificate chain verification. See Set various options of certificate chain verification. See
L<B<verify>|verify(1)> manual page for details. L<B<verify>|verify(1)> manual page for details.
@ -441,5 +442,6 @@ structures may cause parsing errors.
The use of multiple B<-signer> options and the B<-resign> command were first The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0 added in OpenSSL 1.0.0
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut =cut
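Review bot: "The -no_alt_chains options was first added" should be "The B<-no_alt_chains> option was first added", as in the cms.pod HISTORY entry this one mirrors.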

View File

@ -22,6 +22,7 @@ B<openssl> B<verify>
[B<-extended_crl>] [B<-extended_crl>]
[B<-use_deltas>] [B<-use_deltas>]
[B<-policy_print>] [B<-policy_print>]
[B<-no_alt_chains>]
[B<-untrusted file>] [B<-untrusted file>]
[B<-help>] [B<-help>]
[B<-issuer_checks>] [B<-issuer_checks>]
@ -108,6 +109,14 @@ Set policy variable inhibit-any-policy (see RFC5280).
Set policy variable inhibit-policy-mapping (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280).
=item B<-no_alt_chains>
When building a certificate chain, if the first certificate chain found is not
trusted, then OpenSSL will continue to check to see if an alternative chain can
be found that is trusted. With this option that behaviour is suppressed so that
only the first chain found is ever used. Using this option will force the
behaviour to match that of previous OpenSSL versions.
=item B<-policy_print> =item B<-policy_print>
Print out diagnostics related to policy processing. Print out diagnostics related to policy processing.
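Review bot: "Using this option will force the behaviour to match that of previous OpenSSL versions" is vaguer than it needs to be; name the versions, as the X509_V_FLAG_NO_ALT_CHAINS paragraph elsewhere in this commit does ("prior to 1.0.1n and 1.0.2b"). It would also help to spell out the consequence for the user: with B<-no_alt_chains>, a certificate whose first-found chain is untrusted fails verification even when a trusted alternative chain exists, so the option buys compatibility with the older behaviour at the cost of accepting fewer chains.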
@ -409,4 +418,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
L<x509(1)|x509(1)> L<x509(1)|x509(1)>
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b.
=cut =cut
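Review bot: "The -no_alt_chains options was first added" should be "The B<-no_alt_chains> option was first added"; since verify(1) is the page every other app page points to for this option, this is the entry to get right first.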

View File

@ -133,6 +133,12 @@ verification. If this flag is set then additional status codes will be sent
to the verification callback and it B<must> be prepared to handle such cases to the verification callback and it B<must> be prepared to handle such cases
without assuming they are hard errors. without assuming they are hard errors.
The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
chains. By default, when building a certificate chain, if the first certificate
chain found is not trusted, then OpenSSL will continue to check to see if an
alternative chain can be found that is trusted. With this flag set the behaviour
will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b.
=head1 NOTES =head1 NOTES
The above functions should be used to manipulate verification parameters The above functions should be used to manipulate verification parameters
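Review bot: the new paragraph describes the default but never states what happens when the flag is set beyond "the behaviour will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b"; the verify.pod text in this commit says it directly ("only the first chain found is ever used"), and the same sentence belongs here so the two descriptions agree. Saying explicitly that a verification which would have succeeded via an alternative chain fails with the flag set would also help applications that set it for compatibility and need to expect that outcome.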
@ -166,6 +172,6 @@ L<X509_verify_cert(3)|X509_verify_cert(3)>
=head1 HISTORY =head1 HISTORY
TBA The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.1n and 1.0.2b
=cut =cut
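Review bot: the new HISTORY line is missing its terminating full stop ("...was added in OpenSSL 1.0.1n and 1.0.2b"); replacing the "TBA" placeholder is otherwise correct.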